Jason_Haar at trimble
Sep 4, 2011, 6:57 PM
potential FP on Trojan.Rootkit-3041?
We picked up an infected machine, and ran ClamAV over it. ClamAV picked
up iastor.sys as Trojan.Rootkit-3041
However according to virustotal.com, only ClamAV claims this is infected
- so I'm wary of it.
However... the machine it was got from WAS infected with other viruses,
and windows\system32 contains THREE copies of iastor.sys: "iastor.sys",
"iaStor.sys" and "IaStor.sys" - which have two different sizes (but both
were detected as Trojan.Rootkit-3041 by ClamAV and nothing else)
So, that smells really suspicious to me - but I'm surprised no other AV
picks it. It isn't impossible ClamAV is ahead of everyone else on this
particular virus, so I thought I'd check here
Update: a week has past since I saved this email to my Drafts - as I
initially decided to report it as a FP via the clamav.net website
instead. Anyway, a week has past and clamav just declared a different
box as being infected - this time iastor.sys is Trojan.Rootkit-3054.
Again, nothing else picks it as a virus on virustotal.com, AND clamav
says copies of this file under "WINDOWS/dell/iastor/iastor.sys" and
"Drivers/DELL/SATA_RAID/driver_only/iastor.sys" are also infected -
which I find very hard to believe a virus would bother looking for.
Has anyone else been seeing FPs with iastor.sys?
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net