Mailing List Archive: ClamAV: users

False positive Win.Trojan.Bamital-1158 for explorer.exe ?



petermaffter at yahoo

Jun 29, 2013, 5:18 AM

False positive Win.Trojan.Bamital-1158 for explorer.exe ?

From time to time I am checking my Windows partitions when using Linux on the same machine.
Yesterday I got:
/windows/C/Windows/SysWOW64/explorer.exe: Win.Trojan.Bamital-1158 FOUND
/windows/C/Windows/winsxs/wow64_microsoft-windows-explorer_[...]_6.1.7601.17567_none_[...]/explorer.exe: Win.Trojan.Bamital-1158 FOUND


The clamscan call:
clamscan --max-recursion=300 --max-dir-recursion=300 --max-files=1000000 --max-filesize=4095M --max-scansize=4095M -r  --detect-pua=yes --log=reportclam


Both files are the same according to Linux diff.
clamscan is the only AV that finds these Trojans, I also tried VirusTotal and Metascan on the Web.
The other AVs that I use for Linux also do not find these 2.


This explorer.exe has an MD5:
md5sum explorer.exe
8b88ebbb05a0e56b7dcc708498c02b3e  explorer.exe


Is this a known false positive for clamscan?

Best regards
Pete
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
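A triage step that is not part of the thread, added here as an example (my code, not ClamAV's): parse the clamscan report written by `--log=reportclam`, group the FOUND lines by signature, hash every flagged file, and say whether all copies flagged under one signature are byte-identical, which is what the poster established by hand with diff and md5sum. The log format assumed is the `path: signature FOUND` shape shown in the post; the sample files, the directory names and the signature name `Hypothetical.Test-1` are constructed for the example and are not real detections.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# A clamscan report line for a hit has the form "<path>: <signature> FOUND"
# (the two lines quoted in the post are exactly this shape). The path group is
# greedy so a ": " inside a path cannot shift the signature boundary.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def parse_clamscan_log(text):
    """Return (path, signature) for every FOUND line; OK lines and the summary are skipped."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def file_digests(path):
    """MD5 and SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def triage(log_text):
    """Group hits by signature and hash each flagged file.

    For every signature the report records the per-file digests, the distinct
    SHA-256 values, and whether all flagged copies are byte-identical (as the
    SysWOW64 and winsxs explorer.exe were in the post), i.e. whether one
    false-positive submission covers every copy.
    """
    by_sig = defaultdict(list)
    for path, sig in parse_clamscan_log(log_text):
        by_sig[sig].append(path)

    report = {}
    for sig, paths in by_sig.items():
        files = []
        for p in paths:
            if os.path.isfile(p):
                md5, sha = file_digests(p)
            else:  # file gone or partition not mounted: keep the hit, no digest
                md5 = sha = None
            files.append({"path": p, "md5": md5, "sha256": sha})
        hashed = [f["sha256"] for f in files if f["sha256"]]
        report[sig] = {
            "files": files,
            "distinct_sha256": sorted(set(hashed)),
            "all_identical": len(hashed) == len(files) and len(set(hashed)) == 1,
        }
    return report


# Constructed sample data: two byte-identical fake "explorer.exe" copies, one
# unrelated file, and a clamscan-style log that refers to them. The payload is
# not a real PE and "Hypothetical.Test-1" is an invented signature name.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real PE\n"


def build_sample():
    """Create the sample tree in a temp dir; return (root_dir, log_text)."""
    root = tempfile.mkdtemp(prefix="clam_fp_")
    a = os.path.join(root, "SysWOW64", "explorer.exe")
    b = os.path.join(root, "winsxs", "wow64_explorer", "explorer.exe")
    c = os.path.join(root, "other.bin")
    for p in (a, b, c):
        os.makedirs(os.path.dirname(p), exist_ok=True)
    for p in (a, b):
        with open(p, "wb") as fh:
            fh.write(SAMPLE_PAYLOAD)
    with open(c, "wb") as fh:
        fh.write(b"MZ different content\n")
    log = "\n".join([
        f"{a}: Win.Trojan.Bamital-1158 FOUND",
        f"{b}: Win.Trojan.Bamital-1158 FOUND",
        f"{c}: Hypothetical.Test-1 FOUND",
        f"{os.path.join(root, 'clean.txt')}: OK",
        "",
        "----------- SCAN SUMMARY -----------",
        "Infected files: 3",
    ])
    return root, log


if __name__ == "__main__":
    _, sample_log = build_sample()
    for sig, info in triage(sample_log).items():
        print(f"{sig}: {len(info['files'])} file(s), "
              f"{len(info['distinct_sha256'])} distinct SHA-256, "
              f"all identical: {info['all_identical']}")
        for f in info["files"]:
            print(f"  {f['md5']}  {f['path']}")
```

Point the script at the real report (`triage(open("reportclam").read())`) and quote the SHA-256 rather than only the MD5 when you file the report; MD5 is fine for matching a copy you already have but is no longer collision-resistant. On Windows 7 the System32 and SysWOW64 binaries are hard links into the winsxs component store, so two identical hits on the same explorer.exe are expected and count as one sample, which the `all_identical` flag makes explicit.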


swebb at sourcefire

Jun 29, 2013, 6:54 AM

Re: False positive Win.Trojan.Bamital-1158 for explorer.exe ? [In reply to]

On Sat, Jun 29, 2013 at 8:45 AM, Peter Maffter <petermaffter [at] yahoo> wrote:

> > From time to time I am checking my Windows partitions when using Linux on the same machine.
> > Yesterday I got:
> > /windows/C/Windows/SysWOW64/explorer.exe: Win.Trojan.Bamital-1158 FOUND
> > /windows/C/Windows/winsxs/wow64_microsoft-windows-explorer_[...]_6.1.7601.17567_none_[...]/explorer.exe: Win.Trojan.Bamital-1158 FOUND
> >
> > The clamscan call:
> > clamscan --max-recursion=300 --max-dir-recursion=300 --max-files=1000000 --max-filesize=4095M --max-scansize=4095M -r --detect-pua=yes --log=reportclam
> >
> > Both files are the same according to Linux diff.
> > clamscan is the only AV that finds these Trojans, I also tried VirusTotal and Metascan on the Web.
> > The other AVs that I use for Linux also do not find these 2.
> >
> > This explorer.exe has a MD5:
> > md5sum explorer.exe
> > 8b88ebbb05a0e56b7dcc708498c02b3e explorer.exe
>
> I forgot:
> clamscan -V
> ClamAV 0.97.8/17435/Sat Jun 29 06:39:26 2013


Hey Peter,

Thank you for using ClamAV and letting us know of a potential FP. You can
submit your FP report through the official channel here:
http://www.clamav.net/lang/en/sendvirus/submit-fp/

If you have any questions, comments, or concerns, please let me know.

Thanks,

Shawn