Feb 15, 2016

Check your antivirus reports for false positives

The other night my email blew up because we use ClamWin on all of our servers. We do this because it has a decent detection rate, it can email out alerts, and it doesn't bog down the system with on-access scanning. We schedule it to scan once a week during off-peak hours.

Well, the latest scans produced an epic ton of false positives. Pretty much every .exe or .dll on the system was flagged as infected with Win.Trojan.Bancos-2115. I wasn't the only one who felt the impact, either. Apparently people who use Barracuda appliances felt it too, because ClamAV is the virus detection engine Barracuda uses.

Here's how my report log looked:


While researching this false positive, I learned of a tool you can use to verify whether a file is really infected or not. It's called VirusTotal!

From their page:
VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.

I selected a handful of the files reported and scanned them with VirusTotal, and they all came out clean. Here is a report from another user, dated 2/11/2016, who apparently got hit with the Win.Trojan.Bancos-2115 false positive too. ClamWin was the only engine that detected it; all other scanners reported that the file was clean:


I'm going to be using this tool quite a bit going forward I think!
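Here is a small triage script I'd run over a report like the one above before touching any of the flagged files. It is an added example, not code from the original post or from ClamWin: it assumes the report uses clamscan's "path: Signature FOUND" line format, the report text below is a constructed sample, and the in-memory file contents stand in for the real files you would hash and look up on VirusTotal.

```python
"""Triage a clamscan-style report for a likely false-positive storm."""
import hashlib
import re
from typing import Dict, List

# Constructed sample of a ClamWin/clamscan report (not a real log).
SAMPLE_REPORT = """\
C:\\Windows\\System32\\kernel32.dll: Win.Trojan.Bancos-2115 FOUND
C:\\Windows\\System32\\notepad.exe: Win.Trojan.Bancos-2115 FOUND
C:\\Program Files\\App\\app.exe: Win.Trojan.Bancos-2115 FOUND
C:\\Program Files\\App\\helper.dll: Win.Trojan.Bancos-2115 FOUND
C:\\Users\\Public\\eicar.com: Eicar-Test-Signature FOUND
C:\\Users\\Public\\readme.txt: OK
----------- SCAN SUMMARY -----------
Infected files: 5
"""

# clamscan prints one "path: Signature FOUND" line per detection.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_detections(report: str) -> Dict[str, List[str]]:
    """Map each signature name to the list of paths it flagged."""
    hits: Dict[str, List[str]] = {}
    for line in report.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.setdefault(m.group("sig"), []).append(m.group("path"))
    return hits


def suspected_false_positives(hits: Dict[str, List[str]],
                              min_files: int = 3,
                              min_dirs: int = 2) -> List[str]:
    """Signatures that hit many files spread across several directories.

    One signature matching most of a box's executables (system32 and
    Program Files alike) is the storm pattern from the post. Those
    detections get a VirusTotal second opinion before any quarantine.
    """
    suspects = []
    for sig, paths in hits.items():
        dirs = {p.rsplit("\\", 1)[0] for p in paths}
        if len(paths) >= min_files and len(dirs) >= min_dirs:
            suspects.append(sig)
    return sorted(suspects)


def sha256_for_lookup(contents: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 per file; VirusTotal accepts this hash for a search."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in contents.items()}
```

Searching VirusTotal by hash means you never have to upload a copy of an internal binary, which matters when the "infected" file is something like a line-of-business .exe.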

Have you ever used VirusTotal? What do you like about it? Let us know in the comments!


