Mailing List Archive

[clamav-users] Expiro virus found in Windows but not when using Linux
Hello,

A scan of a PC I was given to disinfect reports the following when using
clamav 0.102.1 portable in Windows:

[code]
PS C:\Users\UserName\Desktop\clamav-0.102.1-win-x64-portable>
.\clamscan.exe --remove C:\Windows\System32\msiexec.exe

C:\Windows\System32\msiexec.exe: Win.Virus.Expiro-7396684-0 FOUND
ERROR: Can't remove file 'C:\Windows\System32\msiexec.exe'.

----------- SCAN SUMMARY -----------
Known viruses: 6587211
Engine version: 0.102.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Not removed: 1
Data scanned: 0.06 MB
Data read: 0.06 MB (ratio 1.00:1)
Time: 9.615 sec (0 m 9 s)
[/code]

Seeing as Windows reported "can't remove", I figured the file was in memory
or some such thing and that running the scan with the drive mounted using a
live Linux disc would certainly work. However, Linux reports that there is
no virus in the file:

[code]
root@ubuntu:/media# clamscan sda4/Windows/System32/msiexec.exe
sda4/Windows/System32/msiexec.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 6616229
Engine version: 0.102.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.06 MB
Data read: 0.06 MB (ratio 1.00:1)
Time: 7.705 sec (0 m 7 s)
[/code]

Looking at that file in Windows and mounted in Linux, they are the same
size and hash to the same value. How can this be?

Thanks for any help you can provide!
Re: [clamav-users] Expiro virus found in Windows but not when using Linux
Hi Chris,

The signature "Win.Virus.Expiro-7396684-0" was dropped from daily.cvd
12/14/2019 after FPs were found in the wild. You may be using two different
versions of the official clamav virus signatures between the two systems,
resulting in different alerts.

Thanks,
demonduck


On Thu, Dec 19, 2019 at 9:36 AM Chris Showers via clamav-users <
clamav-users@lists.clamav.net> wrote:
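The discrepancy demonduck points to (identical bytes, different signature sets) is visible in the two scan summaries posted above: the "Known viruses" counts differ while the engine version is the same on both sides. The following Python, an added example that is not part of this thread or of ClamAV itself, parses both summaries as posted, takes the file hashes as constructed placeholders standing in for the matching values the poster observed, and reports whether a disagreement between two scans of the same path is explained by different file contents, a different engine, or a different signature database.

```python
"""Tell 'the file differs' apart from 'the signature database differs'
when two clamscan runs disagree about the same file.

Added example; not from the thread or from the ClamAV project. The two
summaries are copied from the thread; hash values are constructed.
"""
import re

# Windows scan summary from the thread (trimmed to the relevant lines).
WINDOWS_SUMMARY = """\
C:\\Windows\\System32\\msiexec.exe: Win.Virus.Expiro-7396684-0 FOUND
ERROR: Can't remove file 'C:\\Windows\\System32\\msiexec.exe'.

----------- SCAN SUMMARY -----------
Known viruses: 6587211
Engine version: 0.102.1
Scanned files: 1
Infected files: 1
"""

# Linux (live disc) scan summary from the thread, same file mounted at sda4.
LINUX_SUMMARY = """\
sda4/Windows/System32/msiexec.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 6616229
Engine version: 0.102.1
Scanned files: 1
Infected files: 0
"""

# Constructed placeholder: the poster reports both copies hash identically.
SAME_HASH = "constructed-sha256-placeholder"

VERDICT_RE = re.compile(r"^(?P<path>.+?): (?:OK|(?P<sig>\S+) FOUND)$")
KNOWN_RE = re.compile(r"^Known viruses: (\d+)$")
ENGINE_RE = re.compile(r"^Engine version: (\S+)$")


def parse_summary(text):
    """Extract per-file verdicts and the summary fields from clamscan output.

    verdicts maps scanned path -> "OK" or the signature name that fired.
    """
    result = {"verdicts": {}, "known_viruses": None, "engine": None}
    for line in text.splitlines():
        m = VERDICT_RE.match(line)
        if m:
            result["verdicts"][m.group("path")] = m.group("sig") or "OK"
            continue
        m = KNOWN_RE.match(line)
        if m:
            result["known_viruses"] = int(m.group(1))
            continue
        m = ENGINE_RE.match(line)
        if m:
            result["engine"] = m.group(1)
    return result


def explain_discrepancy(scan_a, scan_b, hash_a, hash_b):
    """Return the most likely reason two scans of one file disagree.

    Order matters: a byte-level difference explains anything, so it is
    checked first; only then do engine and database differences count.
    """
    if set(scan_a["verdicts"].values()) == set(scan_b["verdicts"].values()):
        return "consistent"
    if hash_a != hash_b:
        return "file differs"
    if scan_a["engine"] != scan_b["engine"]:
        return "engine differs"
    if scan_a["known_viruses"] != scan_b["known_viruses"]:
        return "signature database differs"
    return "unexplained"


def diagnose_thread():
    """Apply the check to the two summaries from the thread."""
    win = parse_summary(WINDOWS_SUMMARY)
    lin = parse_summary(LINUX_SUMMARY)
    return explain_discrepancy(win, lin, SAME_HASH, SAME_HASH)


if __name__ == "__main__":
    print(diagnose_thread())
```

The "Known viruses" count only shows that the two installations load different signature sets; it does not say which set is current. On a real system, `clamscan -V` prints the engine version together with the database version number and date, and `sigtool --find-sigs` with a regex searches the installed databases for a signature name, which is the direct way to confirm whether a name such as Win.Virus.Expiro-7396684-0 is still present on each side.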