One of the scans that ClamAV does on PE files is icon scanning, which is used as part of a heuristic to identify possible impersonation programs. These warning messages mean that the PE file being scanned has declared that it has icons in it but ClamAV cannot properly parse these icons (either icons are not there, icons are misplaced, or the icon entry is garbage). For example, the last above message states that of the 12 icons that the PE file has declared it has, ClamAV could not properly parse 12 of the icons. (Note that the multiple warning messages may be due to a PE file having multiple icon groups.)
However, whether or not this file is malicious is debatable. The fact that the icons are missing is suspicious but is not a complete means to convict a file as malicious (hence a warning and not a detection or heuristic). The reasons a PE file could be missing icons could be that it is truncated, it is poorly made, it is potential AV evasion, or that ClamAV cannot parse it (unidentified icon format). A more detailed assessment of the PE file would be needed to make an accurate conclusion on the maliciousness of the file. If you want, you can submit the sample to http://www.clamav.net/lang/en/sendvirus/.

In regards to responding to the warning, it ultimately depends on how much you trust the file. Just take note that there aren't any legitimate PE files that are missing icons that they declared. Additionally, a PE file without icons can still be properly run for the most part.

Regards,
Kevin

On Sat, Aug 9, 2014 at 2:45 PM, Tom <t...@foscore.com> wrote:
> When I run clamscan (clamav-0.98.4-1.el6.rf.x86_64), I get this output:
>
> LibClamAV Warning: cli_scanicon: found 3 invalid icon entries of 3 total
> LibClamAV Warning: cli_scanicon: found 3 invalid icon entries of 3 total
> LibClamAV Warning: cli_scanicon: found 12 invalid icon entries of 12 total
>
> Are these infected files? If so, how can I get rid of them? If not, how do
> I deal with these warnings? Thanks in advance...
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml
> _______________________________________________
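To make the "declared icons versus parseable icons" count from the reply above concrete, here is an added example that is not part of the original thread and is not ClamAV's code. It walks a standard Windows icon group directory (GRPICONDIR) and counts entries whose icon is absent, mis-sized, or not recognisable image data; the function names, the validity rules, and the sample bytes are assumptions constructed for illustration, and it works on already-extracted resource bytes rather than a full PE file.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ENTRY = "<BBBBHHIH"  # GRPICONDIRENTRY: w, h, colors, reserved, planes, bpp, size, id

def parse_group_icon(data):
    """Return one (icon_id, declared_size) per declared icon, or None if cut off."""
    if len(data) < 6:
        raise ValueError("truncated GRPICONDIR header")
    reserved, res_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or res_type != 1:
        raise ValueError("not an icon group directory")
    entries = []
    for i in range(count):
        off = 6 + struct.calcsize(ENTRY) * i
        if off + struct.calcsize(ENTRY) > len(data):
            entries.append(None)  # declared, but the directory ends early
            continue
        *_, size, icon_id = struct.unpack_from(ENTRY, data, off)
        entries.append((icon_id, size))
    return entries

def icon_is_valid(entry, icons):
    """Assumed rules: icon exists, size matches, data is a DIB header or PNG."""
    if entry is None:
        return False
    icon_id, size = entry
    blob = icons.get(icon_id)
    if blob is None or len(blob) != size:
        return False
    if blob.startswith(PNG_MAGIC):
        return True
    return len(blob) >= 40 and struct.unpack_from("<I", blob, 0)[0] == 40

def count_invalid(group, icons):
    """Return (invalid, total) for one icon group."""
    entries = parse_group_icon(group)
    return sum(not icon_is_valid(e, icons) for e in entries), len(entries)

# Constructed sample: three declared icons; id 2 is absent, id 3 is garbage.
def _entry(icon_id, size):
    return struct.pack(ENTRY, 32, 32, 0, 0, 1, 32, size, icon_id)

SAMPLE_GROUP = struct.pack("<HHH", 0, 1, 3) + _entry(1, 64) + _entry(2, 64) + _entry(3, 64)
SAMPLE_ICONS = {1: struct.pack("<I", 40) + b"\x00" * 60, 3: b"\xff" * 64}

if __name__ == "__main__":
    bad, total = count_invalid(SAMPLE_GROUP, SAMPLE_ICONS)
    print(f"found {bad} invalid icon entries of {total} total")
```

Passing an empty icon table reproduces the "3 of 3" shape of the warnings quoted in the thread, which is what a truncated file or a stripped resource section would look like under these assumed rules.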