Hi Tom,

On 08-05-12 02:52, TR Shaw wrote:
> Pepijn
>
> Not sure what your issue is. First, virus names are not uniform. You should
> not expect them to be.

I /don't/ expect them to be. But I expect to be able to find some other information about them than a cryptic name and an MD5 hash /somewhere/.

> As for your assertion that other AV's provide detailed info as to why they
> detected I would say to you that you are being naive.

I am asserting that in fact virus scanners I have used when I still used Windows provided databases with detailed information about the threats they detected and how they detected them (heuristics, etc.), either as part of the program, or online. Are you calling me a liar?

> As for your statement about circular reference. VT supplies every sample
> submitted to all AV vendors. Each vendor determines if they even wish to
> process a submittal. In this case ClamAV did and, per Edwin's earlier
> response, a MD5 signature was generated around a piece of the executable
> sample. So if you are concerned about your app which you seem to be, you can
> 1) use sigtool to examine your app to see where you might further want to
> analyze to change,

I think me changing a perfectly valid and legitimate file just to avoid a false positive from one virus scanner would be rather putting the cart before the horse. Especially if I have no idea if the situation will repeat itself later. For all I know it was *my* file that this signature was based on to begin with!
In addition, the executable is generated by an installer generator, so I have very little control over the details.

> 2) submit a fp report to ClamAV, or

I have, and I'm entirely confident that the situation will be resolved. I'm just trying to find out some more information about what exactly the supposed threat is that ClamAV thinks my program contains. That's not unreasonable, is it?

> 3) since the sig is an md5 recompile your app with some slight changes such
> as adding extra constants to change the md5 and you should be fine.

I'm not sure if that would work. I already tried scanning an installer for an earlier version of the program, and it generated the same false positive. It would have been sufficiently different in every part I have control over to generate different MD5 hashes, but apparently that does not include the one that is confusing ClamAV.

Kind regards,
Pepijn Schmitz