
Mailing List Archive: ClamAV: users
potential FP on Trojan.Rootkit-3041?


Jason_Haar at trimble

Sep 4, 2011, 6:57 PM


Hi there

We picked up an infected machine, and ran ClamAV over it. ClamAV picked
up iastor.sys as Trojan.Rootkit-3041

However according to virustotal.com, only ClamAV claims this is infected
- so I'm wary of it.

However... the machine it came from WAS infected with other viruses,
and windows\system32 contains THREE copies of iastor.sys: "iastor.sys",
"iaStor.sys" and "IaStor.sys" - which have two different sizes (but both
were detected as Trojan.Rootkit-3041 by ClamAV and nothing else).

So, that smells really suspicious to me - but I'm surprised no other AV
picks it. It isn't impossible ClamAV is ahead of everyone else on this
particular virus, so I thought I'd check here

Update: a week has passed since I saved this email to my Drafts - as I
initially decided to report it as a FP via the clamav.net website
instead. Anyway, a week has passed and clamav just declared a different
box as being infected - this time iastor.sys is Trojan.Rootkit-3054.
Again, nothing else picks it as a virus on virustotal.com, AND clamav
says copies of this file under "WINDOWS/dell/iastor/iastor.sys" and
"Drivers/DELL/SATA_RAID/driver_only/iastor.sys" are also infected -
which I find very hard to believe a virus would bother looking for.

Has anyone else been seeing FPs with iastor.sys?


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
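A triage helper for exactly the situation in the post (several copies of one driver, all flagged by a single ClamAV signature and by nothing else on VirusTotal). This is an added example, not code from the post or from the ClamAV project. It parses clamscan's "path: Signature FOUND" lines, dedupes the flagged copies by SHA-256 so identical copies need only one VirusTotal lookup, folds file-name case the way Windows does, reports size differences between copies, and prints the sigtool command that decodes the matching signature so you can see what it actually keys on. The directory tree and scan output it builds are constructed for the example; the signature name, paths and sizes are illustrative, not real detection data.

```python
"""Triage a suspected ClamAV false positive on a driver file.

Added example (not from the original post or the ClamAV project).  Given
clamscan --infected output and the flagged files on disk, it dedupes copies
by SHA-256, groups names case-insensitively, notes size differences, and
prints the remaining checks a human should do.  The sample tree and scan
output in build_sample() are constructed for this example.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# clamscan prints one line per hit: "<path>: <signature> FOUND"
CLAMSCAN_HIT = re.compile(r'^(?P<path>.+?): (?P<sig>\S+) FOUND$')


def parse_clamscan(output):
    """Map each flagged path to the ClamAV signature name that matched."""
    hits = {}
    for line in output.splitlines():
        m = CLAMSCAN_HIT.match(line.strip())
        if m:
            hits[m.group('path')] = m.group('sig')
    return hits


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def group_by_hash(hits):
    """Cluster flagged files by content: {sha256: {'size', 'paths', 'sigs'}}."""
    groups = defaultdict(lambda: {'size': None, 'paths': [], 'sigs': set()})
    for path, sig in sorted(hits.items()):
        g = groups[sha256_file(path)]
        g['size'] = os.path.getsize(path)
        g['paths'].append(path)
        g['sigs'].add(sig)
    return dict(groups)


def by_name_ignoring_case(hits):
    """Windows file names are case-insensitive: iastor.sys, iaStor.sys and
    IaStor.sys are one name, so fold case before counting distinct names."""
    names = defaultdict(list)
    for path in hits:
        names[os.path.basename(path).lower()].append(path)
    return dict(names)


def triage_report(groups):
    """Checklist: one VirusTotal lookup per distinct hash, plus the sigtool
    pipeline that shows what the matching ClamAV signature looks for."""
    lines = []
    for digest, g in sorted(groups.items()):
        lines.append(f"sha256 {digest}  size {g['size']} bytes  "
                     f"flagged as {', '.join(sorted(g['sigs']))}")
        lines.extend(f"  copy: {p}" for p in g['paths'])
        lines.append(f"  lookup: https://www.virustotal.com/gui/file/{digest}")
        for sig in sorted(g['sigs']):
            lines.append(f"  inspect: sigtool --find-sigs='{sig}' | sigtool --decode-sigs")
    return '\n'.join(lines)


def build_sample():
    """Constructed input: three iastor.sys copies under a temp dir, two of them
    byte-identical and one longer, plus clamscan lines flagging all three."""
    root = tempfile.mkdtemp(prefix='iastor-fp-')
    rels = ['WINDOWS/system32/iastor.sys',
            'WINDOWS/dell/iastor/iaStor.sys',
            'Drivers/DELL/SATA_RAID/driver_only/IaStor.sys']
    contents = [b'MZ' + b'A' * 1000, b'MZ' + b'A' * 1000, b'MZ' + b'B' * 2000]
    paths = []
    for rel, data in zip(rels, contents):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, 'wb') as f:
            f.write(data)
        paths.append(p)
    output = '\n'.join(f'{p}: Trojan.Rootkit-3041 FOUND' for p in paths)
    output += '\n\n----------- SCAN SUMMARY -----------\nInfected files: 3\n'
    return paths, output


if __name__ == '__main__':
    _, scan_output = build_sample()
    print(triage_report(group_by_hash(parse_clamscan(scan_output))))
```

On a real box, feed it `clamscan -r --infected <dir>` output instead of the constructed sample. Two copies with the same hash and the same detection tell you nothing new; a copy with a different size that still hits the same signature is what you want to decode with sigtool, because a short or generic pattern that lands in a legitimate Intel/Dell driver is the usual shape of a false positive.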

Subject User Time
potential FP on Trojan.Rootkit-3041? Jason_Haar at trimble Sep 4, 2011, 6:57 PM
    Re: potential FP on Trojan.Rootkit-3041? alvarnell at mac Sep 5, 2011, 12:20 AM
        Re: potential FP on Trojan.Rootkit-3041? Jason_Haar at trimble Sep 5, 2011, 12:55 AM

