Mailing List Archive

false positives
Hello.

I know this looks like a nightmare or lack of sleep (or even something
else), but I have to write it. Sorry ;-)

I'm observing false positives, but unfortunately they are not caused by
some specific input files (mails). It is something non-deterministic.
For example, I send some file by email 20 times and clamav
detects a virus in only two of them.
The probability of detecting a virus in a clean file rises with the
overall rate of detected viruses (when some virus is popular and detected
often, the probability of detecting it in a clean file is higher) AND
with the size of the clean file (FPs occur more often in bigger files).

I first observed this with the SaneSecurity SCAM database - when some pdf
spam was very popular, I got that spam detected in clean files quite often
(let's say, at a 10% rate).
I disabled that database and the problem was almost gone. Almost.

What is interesting is that scanning the given email or file with clamscan or
clamdscan does not show the problem - it is always clean.

My setup is sendmail with clamav-milter on 4 machines (freebsd 6.2 and 4.9,
problem seen on 6.2) and remote clamd on 2 others (freebsd 6.2).
clamav-0.91.2 (from ports). Actually, the problem was first seen about two months
ago, so the version could have been a bit lower (up to date in those days).

My first guess is that during scanning of a clean file some signal from another
thread/server scanning a real virus at the same time is somehow received
and misinterpreted as a virus in the clean file.

Any ideas how to track this down?

Jacek

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
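One way to narrow this down is to reproduce the conditions the poster describes (clean and known-detected files being scanned by the same clamd at the same moment, many times over) and count the verdicts per file. The script below is an added diagnostic, not code from this thread or from the ClamAV project. It talks to clamd over the TCP INSTREAM protocol on port 3310 (the TCPSocket shown later in the thread's clamconf output); the host, the file paths and the fake scanner used in testing are assumptions. A verdict other than OK on a file that clamscan reports clean, appearing only under concurrent load, would confirm that the non-determinism lives on the daemon side rather than in the signatures.

```python
"""Stress a clamd instance with concurrent INSTREAM scans of the same files
and tally the verdicts per file, to check whether a clean file is ever
reported as infected while a detected sample is being scanned in parallel.
Added diagnostic script, not part of ClamAV or of this thread."""
import socket
import struct
import sys
import threading
from collections import Counter


def instream_frames(data, chunk_size=8192):
    """Yield the wire frames of one INSTREAM session: the NUL-terminated
    command, then big-endian length-prefixed chunks, then a zero-length
    terminator chunk."""
    yield b"zINSTREAM\0"
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)


def parse_reply(reply):
    """Turn clamd's reply ('stream: OK', 'stream: <sig> FOUND', or an error
    message) into a (verdict, signature) pair."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    if text.endswith(" OK"):
        return "OK", None
    if text.endswith(" FOUND"):
        body = text[:-len(" FOUND")]
        return "FOUND", body.split(":", 1)[-1].strip()
    return "ERROR", text


def scan_with_clamd(data, host="127.0.0.1", port=3310, timeout=120):
    """Scan one in-memory blob on a (possibly remote) clamd and return
    (verdict, signature).  Host/port are assumptions for this example."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def stress_verdicts(samples, scan, rounds=20, workers=8):
    """Scan every sample `rounds` times spread over `workers` threads so that
    clean and known-detected files are in flight on clamd simultaneously.
    `scan` is any callable data -> (verdict, signature), which lets the
    tally logic be exercised without a live daemon.
    Returns {sample_name: Counter({verdict_or_signature: count})}."""
    results = {name: Counter() for name in samples}
    lock = threading.Lock()
    jobs = [(name, data) for _ in range(rounds) for name, data in samples.items()]

    def worker(my_jobs):
        for name, data in my_jobs:
            verdict, sig = scan(data)
            with lock:
                results[name][sig if verdict == "FOUND" else verdict] += 1

    threads = [threading.Thread(target=worker, args=(jobs[i::workers],))
               for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def unexpected_hits(results, clean_names):
    """Return the tallies of every file believed clean that got any verdict
    other than OK; a non-empty result reproduces the reported behaviour."""
    return {name: dict(results[name]) for name in clean_names
            if any(k != "OK" for k in results[name])}


if __name__ == "__main__":
    # usage: python3 clamd_fp_stress.py HOST CLEAN_FILE DETECTED_FILE
    # DETECTED_FILE should be a sample clamd reliably flags (the EICAR test
    # file is the usual choice); CLEAN_FILE one that clamscan reports clean.
    host, clean_path, detected_path = sys.argv[1:4]
    samples = {"clean": open(clean_path, "rb").read(),
               "detected": open(detected_path, "rb").read()}
    tally = stress_verdicts(samples, lambda d: scan_with_clamd(d, host))
    for name, counts in tally.items():
        print(name, dict(counts))
    print("unexpected:", unexpected_hits(tally, ["clean"]))
```

Run it against the same clamd the milter uses, with `rounds` and `workers` raised until the load resembles the mail peak; because the sample bytes never touch the filesystem, a hit here cannot be blamed on a shared temporary file, which is one of the two candidate explanations the poster's guess leaves open.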
Re: false positives
On Wed, 3 Oct 2007 16:16:32 +0200
Jacek Zapala <jacek@it.pl> wrote:

> My setup is sendmail with clamav-milter on 4 machines (freebsd 6.2 and 4.9,
> problem seen on 6.2) and remote clamd on 2 other (freebsd 6.2).
> clamav-0.91.2 (from ports). Actually, problem has been seen about two months
> ago, so version could be a bit lower (up to date in those days).
>
> My first guess is that during scanning of a clean file some signal from
> another thread/server scanning the real virus in the same time is somehow
> received and misinterpreted as a virus in a clean file.
>
> Any ideas how to track this down?

Please post the output of clamconf

--
oo ..... Tomasz Kojm <tkojm@clamav.net>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Sat Oct 6 01:24:49 CEST 2007
Re: false positives
* Tomasz Kojm (tkojm@clamav.net) [071006 01:24] wrote:
> On Wed, 3 Oct 2007 16:16:32 +0200
> Jacek Zapala <jacek@it.pl> wrote:
>
> > My setup is sendmail with clamav-milter on 4 machines (freebsd 6.2 and 4.9,
> > problem seen on 6.2) and remote clamd on 2 other (freebsd 6.2).
> > clamav-0.91.2 (from ports). Actually, problem has been seen about two months
> > ago, so version could be a bit lower (up to date in those days).
> >
> > My first guess is that during scanning of a clean file some signal from
> > another thread/server scanning the real virus in the same time is somehow
> > received and misinterpreted as a virus in a clean file.
> >
> > Any ideas how to track this down?
>
> Please post the output of clamconf

/usr/local/etc/clamd.conf: clamd directives
-----------------
LogFile = "/var/log/clamav/clamd.log"
LogFileUnlock = no
LogFileMaxSize = 104857600
LogTime = yes
LogClean = no
LogVerbose = no
LogSyslog = yes
LogFacility = "LOG_MAIL"
PidFile = "/var/run/clamav/clamd.pid"
TemporaryDirectory not set
ScanPE = yes
ScanELF = yes
DetectBrokenExecutables = no
ScanMail = yes
MailFollowURLs = no
MailMaxRecursion = 64
PhishingSignatures = yes
PhishingScanURLs = yes
PhishingAlwaysBlockCloak = no
PhishingAlwaysBlockSSLMismatch = no
PhishingRestrictedScan = yes
DetectPUA = no
AlgorithmicDetection = yes
ScanHTML = yes
ScanOLE2 = yes
ScanPDF = no
ScanArchive = yes
ArchiveMaxFileSize = 204800
ArchiveMaxRecursion = 8
ArchiveMaxFiles = 30
ArchiveMaxCompressionRatio = 250
ArchiveLimitMemoryUsage = no
ArchiveBlockEncrypted = no
ArchiveBlockMax = no
DatabaseDirectory = "/var/db/clamav"
TCPAddr = "aa.bb.cc.dd"
TCPSocket = 3310
LocalSocket not set
MaxConnectionQueueLength = 120
StreamMaxLength = 31457280
StreamMinPort = 1024
StreamMaxPort = 2048
MaxThreads = 30
ReadTimeout = 120
IdleTimeout = 30
MaxDirectoryRecursion = 10
FollowDirectorySymlinks = no
FollowFileSymlinks = no
ExitOnOOM = no
Foreground = no
Debug = no
LeaveTemporaryFiles = no
FixStaleSocket = yes
User = "clamav"
AllowSupplementaryGroups = yes
SelfCheck = 1800
VirusEvent not set
NodalCoreAcceleration = no
ClamukoScanOnAccess not set
ClamukoScanOnOpen not set
ClamukoScanOnClose not set
ClamukoScanOnExec not set
ClamukoIncludePath not set
ClamukoExcludePath not set
ClamukoMaxFileSize = 5242880

/usr/local/etc/freshclam.conf: freshclam directives
-----------------
LogVerbose = yes
LogSyslog = no
LogFacility = "LOG_LOCAL6"
PidFile = "/var/run/clamav/freshclam.pid"
DatabaseDirectory = "/var/db/clamav"
Foreground = no
Debug = no
AllowSupplementaryGroups = yes
DatabaseOwner = "clamav"
Checks = 24
UpdateLogFile = "/var/log/clamav/freshclam.log"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.pl.clamav.net"
MaxAttempts = 3
ScriptedUpdates = yes
HTTPProxyServer = "w3cache.xxxxx"
HTTPProxyPort = 8080
HTTPProxyUsername not set
HTTPProxyPassword not set
HTTPUserAgent not set
NotifyClamd = "/usr/local/etc/clamd.conf"
OnUpdateExecute not set
OnErrorExecute not set
OnOutdatedExecute not set
LocalIPAddress not set
ConnectTimeout = 30
ReceiveTimeout = 30

Re: False positives
Scott,

Please check out this link:

http://www.clamav.net/report/report-fp.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Feb 12, 2015, at 9:56 AM, W. Scott Lockwood <scott.lockwood@zethcon.com> wrote:

Greetings,

I've perused the FAQs at SourceForge, but couldn't find anything
addressing the topic of false positives. We have an application we develop
in house that is being incorrectly flagged by clamscan as
Trojan.SusPacked.BF-6.B.
Could someone point me in the right direction to ensure that we don't get
flagged with this in the future? I've had our development team verify that
the binaries are good, and freshly compiled versions from source also get
tagged this way.

Lastly, if this is the wrong place to ask, I apologize. I couldn't find
anything in the FAQ, and Google didn't turn up anything useful. Any help,
including, "Hey, go over there to XXX list and ask about this"
greatly appreciated.

--
W. Scott Lockwood III
630-748-3117
scott.lockwood@zethcon.com

http://www.clamav.net/contact.html#ml

Re: False positives
Joel,
Thank you very much!

--
W. Scott Lockwood III
630-748-3117
scott.lockwood@zethcon.com

On Thu, Feb 12, 2015 at 2:03 PM, Joel Esler (jesler) <jesler@cisco.com>
wrote:

> Scott,
>
> Please check out this link:
>
> http://www.clamav.net/report/report-fp.html
>
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
>
> On Feb 12, 2015, at 9:56 AM, W. Scott Lockwood <scott.lockwood@zethcon.com> wrote:
>
> Greetings,
>
> I've perused the FAQs at source forge, but couldn't find anything
> addressing the topic of false positives. We have an application we develop
> in house that is being incorrectly flagged by clamscan as
> Trojan.SusPacked.BF-6.B.
> Could someone point me in the right direction to ensure that we don't get
> flagged with this in the future? I've had our development team verify that
> the binaries are good, and fresh compiled versions from source also get
> tagged this way.
>
> Lastly, if this is the wrong place to ask, I apologize. I couldn't find
> anything in the FAQ, and Google didn't turn up anything useful. Any help,
> including, "Hey, go over there to XXX list and ask about this"
> greatly appreciated.
>
> --
> W. Scott Lockwood III
> 630-748-3117
> scott.lockwood@zethcon.com
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
> http://www.clamav.net/contact.html#ml
>
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
> http://www.clamav.net/contact.html#ml
>