JS:ScriptSH-inf in clamwin\db\daily.cld F/P?

The file is too large for me to upload to VirusTotal at 4.5MB (on dial-up), and my other onboard scanners (A2, MBAM, SAS) don’t detect anything. I searched the file hash (MD5 03854561154B53B5218DAC5CEE391A3B) at VT and Google with no result.


http://i45.photobucket.com/albums/f66/jahnjahn/th_2009-09-04_192732.png

Do a forum search for clamwin in recent posts, as they had a problem before with their updates: they weren’t encrypting their signature updates. They were meant to have changed how they did the update (e.g. encrypt them).

Is this a Linux version of clamwin, as the previous problem was for Windows?

There are some that would say clamwin doesn’t bring much to the party to be putting up with the hassle.

Some months ago, when this problem arose, the one who corrected the Clam problem was the Alwil team; I mean, avast tried to correct the detection of a bad (non-encrypted) Clam file.

This is what jsejtko said a while ago about it:

But it seems that the fix has been removed; I get the alerts when I test this out also…

You will have to include the exclusion outlined in this thread:
http://forum.avast.com/index.php?topic=45231

-Scott-

I don’t know about fix removed as this is on a different file name to the others.

Hmmm… didn’t catch that :slight_smile:

But using the ‘test’ portable installation, I get the alert that others used to get, I think…who knows…

Regardless, clam NEED to sort themselves out and encrypt their databases… :slight_smile:

Hello all, thank you for your replies. :slight_smile:

@ DavidR, yes, I’ve followed the numerous threads on this issue between Avast and ClamWin. For me, this is a new detection and I don’t understand why it has suddenly occurred. I have the Windows version of ClamWin and don’t believe there is a Linux, or other OS version. I am aware of the low detection rate of ClamAV/ClamWin, but it is still nice to have as a second on-demand A/V scanner. Also, in order to further the project, I sometimes upload undetected malware to ClamWin.

@ Tech, yes, since that time I have not had any Avast alerts on ClamWin.

@ Scott, yes, I have added the exclusion X 2 to Avast to avert the detection.

I have copied the detected file to a portable drive and will upload it to VT, etcetera, when I go to my beach house on Tuesday where I have a 7MB cable internet connection. I am interested to see which other scanner(s) will detect it.

Is anyone running Avast 5 Beta getting this same alert?

Hi Jahn,

Well, I don’t have the standard version installed, but I do have the portable version, and I have uploaded what avast! alerts on with me.

It is a different file with the same ‘infection’, one loaded into temp files so I am not sure about the relevance, still…
(I think it is what would be part of a .cld file - on mine they are .cvd…)

http://www.virustotal.com/analisis/54373a4ff1897ddb2f88b98984f689504ae7791a1e0e4d1edc0f4f0f91baeb4d-1252194773

Odd, if clamwin don’t encrypt their databases, why is only avast! (and Gdata) catching it…

-Scott-

Good point, and thanks for the VT link. :slight_smile: It would be great if these alerts have been eliminated in Avast 5. If my time permits, I will download Avast 5 to my beta testing machine to see.

The VT link is only for that part of the file though, it would be interesting to see what detects your one, bearing in mind that one…

As for V5, I don’t think the virus database is fully complete yet anyway, so I am not sure whether it will be detected…

Yes, you are correct - I remember reading that in the Beta forum… :frowning:

Given the file type, I don’t know if this is also a packer supported by avast (and consequently GData) but possibly not the others. avast has one of the largest lists of packers.

Or if it isn’t a supported packer, scanning the raw data could give an FP, but worth sending to avast for investigation.

Thank you for your input, DavidR. I will send the file to Avast on Tuesday.

You’re welcome.

It’s still their fault not to encrypt their dbs, no matter what we do.

While I understand this, and realise that it is down to them, how come the others don’t catch it on VT? Is it because of what DavidR said above?

It’s because other products’ detection capabilities on script malware are not good enough?

OK, file sent to Avast. Also, this file got 4/41 at VirusTotal.

Hello,

It should be fixed with today’s VPS update. Please try it :slight_smile:

Regards

No more alerts on the temp files for me anymore, and I presume Jahn will have similar results with his file :smiley:

It’s a bit of a shame that you guys have to be the ones fixing it…

  • about a million, so true, avast script detections are simply amazing :slight_smile:

Thanks kubecj and jsejtko, and keep up the good work!

-Scott-