Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 26 July 2009

F/P Central: ClamWin gone wild!

It seems ClamWin is on a roll as far as F/P's are concerned. I've got it set on a schedule to periodically scan my servers, and to my surprise, received the following via e-mail yesterday;

\Downloads\Extensions\vURL_Extension\vurl-1_1_0-setup.exe: Trojan.Delf-8426 FOUND
\AB_Extension_Pack\1_2_2\abep-1_2_2-setup.exe: Trojan.Delf-8426 FOUND
\Cookie_Info\1_1_3\cookieinfo-1_1_3-basic.exe: Trojan.Delf-8426 FOUND
\Cookie_Info\1_1_3\cookieinfo-1_1_3-full.exe: Trojan.Delf-8426 FOUND
\Cookie_Info\1_1_4\cookieinfo-1_1_4-basic.exe: Trojan.Delf-8426 FOUND
\Cookie_Info\1_1_4\cookieinfo-1_1_4-full.exe: Trojan.Delf-8426 FOUND
\Cookie_Info\1_1_5\cookieinfo-1_1_5-basic.exe: Trojan.Delf-8426 FOUND
\Cookie_Info\1_1_5\cookieinfo-1_1_5-full.exe: Trojan.Delf-8426 FOUND
\hpObserver\0_1_0\hpobserver0_1_0-basic.exe: Trojan.Delf-8426 FOUND
\hpObserver\0_1_1\hpobserver0_1_1-basic.exe: Trojan.Delf-8426 FOUND
\hpObserver\0_1_2\hpobserver0_1_2-basic.exe: Trojan.Delf-8426 FOUND
\PUI\1_1_7\puisetup.exe: Trojan.Delf-8426 FOUND
\PUI\1_1_7\puisetup_basic.exe: Trojan.Delf-8426 FOUND
\RF_Types\1_0_4\rft_setup.exe: Trojan.Delf-8426 FOUND
\RF_Types\1_0_4\rft_setup_basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_1_8\vurl_de-0_1_8-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_0\vurl_de-0_2_0-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_1\vurl_de-0_2_1-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_3\vurl_de-0_2_3-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_4\vurl_de-0_2_4-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_5\vurl_de-0_2_5-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_6\vurl_de-0_2_6-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_7\vurl_de-0_2_7-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_8\vurl_de-0_2_8-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_9\vurl_de-0_2_9-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_9\vurl_de-0_2_9-full.exe: Trojan.Delf-8426 FOUND
\vURL_Extension\vurl-1_1_0-setup.exe: Trojan.Delf-8426 FOUND


Evidently, highly concerned that an infection had wormed its way onto my server, I checked the files' dates; they hadn't changed. Perhaps whatever it was had infected the files but left their dates as they were? Unusual, but possible. I therefore downloaded myself a copy of the files and checked them against my local (original) copies - no difference.
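A scripted version of that check, added here as an example (it is not part of the original post, nor ClamWin's or ClamAV's code): it parses the scanner's `path: Signature FOUND` lines quoted above and compares the SHA-256 of each flagged server file against a known-good original copy, which settles the question that unchanged date stamps cannot. The file contents and the third, unmatched path are constructed for illustration.

```python
import hashlib
import re

# Constructed sample in the shape of the ClamWin/clamscan report quoted in
# the post; 'OK' lines are included to show they are ignored.
SAMPLE_REPORT = r"""
\PUI\1_1_7\puisetup.exe: Trojan.Delf-8426 FOUND
\RF_Types\1_0_4\rft_setup.exe: Trojan.Delf-8426 FOUND
\hpObserver\0_1_0\hpobserver0_1_0-basic.exe: Trojan.Delf-8426 FOUND
\Cookie_Info\1_1_5\cookieinfo-1_1_5-full.exe: OK
"""

# Constructed stand-ins for file contents: the copy downloaded from the
# server versus the local original build. One is deliberately different.
SERVER_FILES = {
    r"\PUI\1_1_7\puisetup.exe": b"MZ...puisetup original bytes",
    r"\RF_Types\1_0_4\rft_setup.exe": b"MZ...rft_setup TAMPERED bytes",
}
ORIGINAL_FILES = {
    r"\PUI\1_1_7\puisetup.exe": b"MZ...puisetup original bytes",
    r"\RF_Types\1_0_4\rft_setup.exe": b"MZ...rft_setup original bytes",
}

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_found(report):
    """Return (path, signature) for every 'FOUND' line; other lines are skipped."""
    hits = []
    for line in report.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def triage(report, server_files, original_files):
    """Compare each flagged server file with its known-good original.
    Identical bytes: the scanner flags the original build, so this is a
    likely false positive to report upstream. Different bytes: the file
    really changed and needs investigation, whatever its date stamp says."""
    verdicts = {}
    for path, sig in parse_found(report):
        server, original = server_files.get(path), original_files.get(path)
        if server is None or original is None:
            verdicts[path] = "no reference copy - cannot verify (%s)" % sig
        elif sha256(server) == sha256(original):
            verdicts[path] = "unchanged - likely false positive (%s)" % sig
        else:
            verdicts[path] = "MODIFIED - investigate (%s)" % sig
    return verdicts
```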

I'd already figured these were F/P's, but wanted to be 100% sure. Checking the files showed they were indeed all F/P's, which, evidently, highly annoyed me. I tried submitting the file via the ClamWin F/P report form - no go; it claimed the file wasn't password protected (yes it damn well was), so I tried e-mailing it - nope, it was returned to me with a delivery report error due to the attachment. As a last-ditch attempt, I forwarded it directly to the e-mail address that clamwin@clamwin.com forwards all e-mail to (I didn't realise it did until I got the delivery report) - no error returned, no response - I figured it was being ignored.

Lo and behold, ClamWin just updated itself a few minutes ago and, surprise surprise, these F/P's are now fixed. Obviously this is a good thing, but I'm surprised it only picked on these files, and frustrated not only that I didn't get a response from ClamWin, but that these F/P's are becoming increasingly common for ClamWin lately.

2 comments:

lordpake said...

Just a correction: these are not ClamWin false positives.

These are Clam(AV) false positives. ClamWin is a Windows port of that app, and uses their defs.

Reporting files to ClamWin is imho pointless; they should be reported to the ClamAV website.

All the few ClamWin devs can really do is relay them to the ClamAV folks for correction.

I wish more people would actually realize this difference, and frankly I don't think articles like this really help :)

-lordpake

MysteryFCM said...

I know ;o)

I reference ClamWin as it's ClamWin that I, and others on Windows, use.

The ClamWin file submission actually sends them to ClamAV, not ClamWin.