Clamav on TRK generates false positives
Tuesday, February 8, 2011

Journalists from the German Linux Magazin reported to us that TRK was generating dangerous false positives when running virusscan in combination with ClamAV, the default TRK virusscan engine.

I immediately responded by asking for logfiles, and from those I found that the false positives came from the combination of ClamAV 0.96.1 with signature files dated between 2011-02-04 and 2011-02-07.

Luckily, updating to version 0.96.5 fixes the problem. Users who now run virusscan under TRK will get their ClamAV installation updated to 0.96.5 AUTOMATICALLY, thanks to the update mechanism built into TRK virusscan!

So the bug is fixed for TRK.
Please update any offline copy you might be using that was updated between 2011-02-04 and 2011-02-07.

I filed a bug on Clamav.net, and the original article from Linux Magazin can be found here.

Below is a small part of the clamscan logfile with the false positive:

/hda1/WINXP/Driver Cache/i386/sp3.cab: Trojan.GenericFF-1 FOUND
/hda1/WINXP/explorer.exe: Trojan.GenericFF-1 FOUND
/hda1/WINXP/Sti_Trace.log: Empty file
/hda1/WINXP/system32/dhcpmon.dll: Trojan.GenericFF-1 FOUND
/hda1/WINXP/system32/pdh.dll: Trojan.GenericFF-1 FOUND
/hda1/WINXP/system32/snmpapi.dll: Trojan.GenericFF-1 FOUND
/hda1/WINXP/system32/unimdmat.dll: Trojan.GenericFF-1 FOUND

...and a screenshot of virusscan in false action under TRK
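
The pattern in that log, one signature hitting explorer.exe and a row of stock system32 DLLs at once, is exactly what an operator should notice before quarantining anything. The following is an added example (not part of this post or of TRK) that parses clamscan "FOUND" lines and flags signatures whose hits land mostly on Windows system files as false-positive candidates; the sample log is constructed from the excerpt above, and the OS directory list and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the clamscan excerpt above, plus one hit on
# a user file (constructed signature name) so the two cases can be compared.
SAMPLE_LOG = """\
/hda1/WINXP/Driver Cache/i386/sp3.cab: Trojan.GenericFF-1 FOUND
/hda1/WINXP/explorer.exe: Trojan.GenericFF-1 FOUND
/hda1/WINXP/Sti_Trace.log: Empty file
/hda1/WINXP/system32/dhcpmon.dll: Trojan.GenericFF-1 FOUND
/hda1/WINXP/system32/pdh.dll: Trojan.GenericFF-1 FOUND
/hda1/WINXP/system32/snmpapi.dll: Trojan.GenericFF-1 FOUND
/hda1/WINXP/system32/unimdmat.dll: Trojan.GenericFF-1 FOUND
/hda1/Documents and Settings/user/Desktop/download.exe: Sample.Constructed-1 FOUND
"""

# clamscan reports a detection as "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# Directory names of a mounted Windows installation (assumed heuristic list).
OS_ROOTS = ("/windows/", "/winxp/", "/winnt/")

def parse_hits(log_text):
    """Map each signature name to the list of paths it matched."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)

def is_os_file(path):
    """True when the path sits inside the Windows system tree."""
    return any(root in path.lower() for root in OS_ROOTS)

def triage(log_text, min_hits=3, min_os_ratio=0.5):
    """Flag signatures whose hits fall mostly on OS files as FP candidates.

    One signature hitting many stock system binaries at once is more likely a
    bad signature update than an infection; thresholds here are assumptions.
    """
    report = {}
    for sig, paths in parse_hits(log_text).items():
        os_hits = sum(1 for p in paths if is_os_file(p))
        candidate = len(paths) >= min_hits and os_hits / len(paths) >= min_os_ratio
        report[sig] = {"hits": len(paths), "os_hits": os_hits, "fp_candidate": candidate}
    return report
```

Run `triage(SAMPLE_LOG)` to see Trojan.GenericFF-1 flagged with 6 of 6 hits on OS files, while the single hit on the user file is not.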
