Hi Chris,

The signature "Win.Virus.Expiro-7396684-0" was dropped from daily.cvd 12/14/2019 after FPs were found in the wild. You may be using two different versions of the official clamav virus signatures between the two systems, resulting in different alerts.

Thanks,
demonduck

On Thu, Dec 19, 2019 at 9:36 AM Chris Showers via clamav-users <[email protected]> wrote:

> Hello,
>
> A scan of a PC I was given to disinfect reports the following when using
> clamav 0.102.1 portable in Windows:
>
> [code]
> PS C:\Users\UserName\Desktop\clamav-0.102.1-win-x64-portable>
> .\clamscan.exe --remove C:\Windows\System32\msiexec.exe
>
> C:\Windows\System32\msiexec.exe: Win.Virus.Expiro-7396684-0 FOUND
> ERROR: Can't remove file 'C:\Windows\System32\msiexec.exe'.
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 6587211
> Engine version: 0.102.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Not removed: 1
> Data scanned: 0.06 MB
> Data read: 0.06 MB (ratio 1.00:1)
> Time: 9.615 sec (0 m 9 s)
> [/code]
>
> Seeing as Windows reported "can't remove", I figured the file was in
> memory or some such thing and that running the scan with the drive mounted
> using a live Linux disc would certainly work. However, Linux reports that
> there is no virus in the file:
>
> [code]
> root@ubuntu:/media# clamscan sda4/Windows/System32/msiexec.exe
> sda4/Windows/System32/msiexec.exe: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 6616229
> Engine version: 0.102.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.06 MB
> Data read: 0.06 MB (ratio 1.00:1)
> Time: 7.705 sec (0 m 7 s)
> [/code]
>
> Looking at that file in Windows and mounted in Linux, they are the same
> size and hash to the same value. How can this be?
>
> Thanks for any help you can provide!
>
> _______________________________________________
>
> clamav-users mailing list
> [email protected]
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
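
The signature-version mismatch described in the reply above can be read straight from the two scan summaries. The following is an added example, not part of the original thread or of ClamAV: it parses clamscan output (abbreviated here from the two scans quoted in the thread) and classifies why two scans of the same file disagree. The function names `parse_scan` and `explain` are hypothetical, and a differing "Known viruses" count is treated as a hint only, since equal counts do not prove identical databases.

```python
import re

# Abbreviated from the two scans quoted in this thread.
WINDOWS_SCAN = """\
C:\\Windows\\System32\\msiexec.exe: Win.Virus.Expiro-7396684-0 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6587211
Engine version: 0.102.1
Infected files: 1
"""
LINUX_SCAN = """\
sda4/Windows/System32/msiexec.exe: OK
----------- SCAN SUMMARY -----------
Known viruses: 6616229
Engine version: 0.102.1
Infected files: 0
"""

# "<path>: <signature> FOUND" or "<path>: OK"; greedy path keeps "C:" intact.
VERDICT = re.compile(r"^(?P<path>.+): (?:(?P<sig>\S+) FOUND|OK)$")
FIELD = re.compile(r"^(?P<key>Known viruses|Engine version): (?P<val>\S+)$")

def parse_scan(text):
    """Return detections, signature count and engine version from clamscan output."""
    out = {"detections": {}, "known": None, "engine": None}
    for line in text.splitlines():
        line = line.strip()
        if (m := FIELD.match(line)):
            if m["key"] == "Known viruses":
                out["known"] = int(m["val"])
            else:
                out["engine"] = m["val"]
        elif (m := VERDICT.match(line)):
            out["detections"][m["path"]] = m["sig"]  # None means OK
    return out

def explain(a, b):
    """Classify why two scans of the same file disagree (hypothetical helper)."""
    sigs_a = set(filter(None, a["detections"].values()))
    sigs_b = set(filter(None, b["detections"].values()))
    if sigs_a == sigs_b:
        return "verdicts agree"
    if a["known"] != b["known"]:
        return "signature databases differ"
    if a["engine"] != b["engine"]:
        return "engine versions differ"
    return "same database and engine: investigate the file"
```

Running `sigtool --info` on each system's daily.cvd confirms the exact database version and build time behind each count.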
