LinuxQuestions.org

Linux - Software: virus detection, inconsistent (https://www.linuxquestions.org/questions/linux-software-2/virus-detection-inconsistent-4175556093/)

kaz2100 10-14-2015 12:14 AM

virus detection, inconsistent
 
Hya,

Situation
When I used clamav to check an external HD, clamav found "Win.Trojan.Agent-905394".
However, the TrendMicro and Symantec engines do not report any infection.

It looks like some sort of trojan horse, but there is no further information on the web.

The infected files are an active printer driver, so it is not easy to get rid of them without affecting functionality.

I have no idea how to resolve this inconsistency. Most probably, linux machines are immune. www.virustotal.com also

Question
Is this file harmful? (for several other windows ones)

closing remark
I appreciate any feedback.

ardvark71 10-14-2015 02:21 AM

Hi...

It's highly possible that this is a false positive with clamav and that you can safely disregard the warning. What were the results of the virustotal scan?

Regards...

sundialsvcs 10-14-2015 08:28 AM

Also: are not the printer-driver files protected from modification by ordinary mortals such as yourself?

(You are "just an ordinary mortal," not "a big wheel," on your system, right?)

If so, then it is very likely that the message is a false-positive. It should not be possible for anyone to tamper with global system files.

John VV 10-14-2015 08:49 PM

Sometimes ClamAV has the new definitions a day or two BEFORE Trend and Norton and McAfee do.

Also, in the past I have had clam find things that both Norton and McAfee missed,
and NOT just the things they ARE PAID $$$$ TO MISS.


So I take it this is a network printer with Microsoft AND Linux machines using it.

While it is nearly impossible to have had the Linux OSes mess with it,
the MS Windows systems on the shared printer are easy,
and a wireless printer on a Windows domain is "VERY low hanging fruit" and a VERY NICE target,
and an easy in for a war drive.

Habitual 10-15-2015 12:27 PM

Quote:

Originally Posted by kaz2100 (Post 5434311)
I have no idea how to resolve this inconsistency. Most probably, linux machines are immune. www.virustotal.com

Have you run
Code:

sudo freshclam
prior to (re-)scan?

Can you name the file exactly?
Can you post the link to the virustotal scan result?
On Windows hosts, you can also use ClamWin for scanning from that environment,
and compare results. :)

kaz2100 10-18-2015 02:06 AM

Hya

Thanks for your posts.

The Windows machine is not connected to a network. It controls some laboratory machine. (So it is old and cannot be upgraded.)

The actual infected files and virus names are:
symmpi.sys: Trojan.Rootkit-3070
write.exe: Win.Trojan.Agent-866396

When these files are scanned at www.virustotal.com, only clamav reports problem. No other ones.

I will keep my eyes open.

cheers

ondoho 10-18-2015 02:48 AM

Clearly Windows files.
On an external HD?
Are you sure this is the "active printer driver"?
Active on your Linux installation, or active on some other, Windows installation?
If you have a Windows machine running, I think it's better to check for viruses locally, not remotely - or am I misunderstanding?
Are you using clamav on that Windows machine without a network connection?
What is this external HD???

Ultimately, you have to find out where clamav's virus definitions come from, and check for the ID "Win.Trojan.Agent-905394". That will give you answers.
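Habitual's questions (name the exact file, post the VirusTotal result) and ondoho's advice to check the signature ID come down to the same triage step: record the exact path and signature name from the clamscan output, hash each flagged file, and then see how many independent engines agree. The script below is an added example and is not code from this thread or from the ClamAV project; it assumes clamscan output in its usual "<path>: <signature> FOUND" form, and the file paths, file contents and engine verdicts it uses are constructed for the demo.

```python
"""Triage helper for ClamAV hits (added example; paths, contents and verdicts are constructed)."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# clamscan prints one line per hit in the form "<path>: <signature> FOUND";
# summary lines ("Infected files: 1") do not match and are ignored.
CLAMSCAN_HIT = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


@dataclass
class Detection:
    path: str
    signature: str
    sha256: Optional[str]  # None when the flagged file cannot be read


def parse_clamscan_output(text: str) -> List[Tuple[str, str]]:
    """Return (path, signature) pairs for every FOUND line in clamscan output."""
    hits = []
    for line in text.splitlines():
        m = CLAMSCAN_HIT.match(line.rstrip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def sha256_of_file(path: str) -> Optional[str]:
    """Hash a file in 1 MiB chunks; return None if it is missing or unreadable."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def triage(clamscan_text: str) -> List[Detection]:
    """Pair each hit with the SHA-256 needed for a hash lookup on VirusTotal."""
    return [Detection(p, s, sha256_of_file(p)) for p, s in parse_clamscan_output(clamscan_text)]


def engines_flagging(verdicts: Dict[str, Optional[str]]) -> List[str]:
    """Given engine -> detection name (None means clean), list the engines that flagged."""
    return sorted(name for name, verdict in verdicts.items() if verdict)


def is_single_engine_hit(verdicts: Dict[str, Optional[str]]) -> bool:
    """True when exactly one engine reports the file, the situation in this thread.

    A lone hit is weak evidence either way: compare the file's hash against the
    vendor's driver package before deciding it is a false positive."""
    return len(engines_flagging(verdicts)) == 1


def demo() -> List[Detection]:
    """Constructed run: one readable dummy file plus one path that does not exist."""
    with tempfile.TemporaryDirectory() as d:
        present = os.path.join(d, "write.exe")
        with open(present, "wb") as fh:
            fh.write(b"MZ constructed sample, not a real binary")
        missing = os.path.join(d, "drivers", "symmpi.sys")
        # Constructed clamscan output using the signature names quoted in the thread.
        output = (
            f"{present}: Win.Trojan.Agent-866396 FOUND\n"
            f"{missing}: Trojan.Rootkit-3070 FOUND\n"
            "\n----------- SCAN SUMMARY -----------\nInfected files: 2\n"
        )
        return triage(output)


if __name__ == "__main__":
    for det in demo():
        print(f"{det.path}\n  signature: {det.signature}\n  sha256: {det.sha256}")
    # Constructed verdicts modelling the thread: only ClamAV reports the file.
    verdicts = {"ClamAV": "Win.Trojan.Agent-866396", "TrendMicro": None, "Symantec": None}
    print("single-engine hit:", is_single_engine_hit(verdicts))
```

The SHA-256 is what to search for on VirusTotal rather than uploading the file, and the same hash can be compared against a fresh copy of the driver from the printer vendor's package; a match settles the question regardless of what any one engine says.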

kaz2100 10-18-2015 04:27 AM

Hya

My log reads that freshclam goes every hour.

The infected machine is a standalone Windows one. All programs run with admin privileges.

cheers

ondoho 10-18-2015 03:16 PM

So you are using clamav for Windows, and scanning an external hard drive, and clamav told you that the currently running printer driver on that hard drive might be a trojan???
Aren't you maybe talking about the printer's setup.exe or some such?

TobiSGD 10-18-2015 03:34 PM

Quote:

Originally Posted by kaz2100 (Post 5436232)
When these files are scanned at www.virustotal.com, only clamav reports problem. No other ones.

In that case I would ignore it as a false positive.

kaz2100 10-19-2015 02:47 AM

Hya,

Probably, my explanation was insufficient.

I took a disk drive from a standalone Windows machine. I connected the drive to a Linux machine via USB, so it is recognized as an external drive.
The disk serves as drive C on the Windows machine.
Clamav detects several files, which are printer driver related.

There is a long story behind it.
Somebody introduced malware to the machine by using an infected USB stick. (This malware is detected by all virus programs.)
After removing that malware, I checked the entire system as described above. Then I ran into this inconsistency problem.

cheers

ondoho 10-20-2015 01:07 AM

ok, i understand better now.
Quote:

Originally Posted by kaz2100 (Post 5436715)
Clamav detects several files, which are printer driver related.

it shouldn't be too hard to securely delete those files, uninstall the printer driver, then reinstall from a secure source, then rescan?

kaz2100 10-25-2015 08:52 PM

Hya,

Thank you for your suggestions.

Currently, the windows one is running. At next reboot, I will try all suggestions.

cheers

kaz2100 12-21-2015 06:12 PM

Hya,

I checked these disks with clamav this week.

Alas, the drivers were clean. ?!?

I will leave them as is.

Thanks

cheers

Steven_G 12-21-2015 07:50 PM

Quote:

Originally Posted by kaz2100 (Post 5436715)
Hya,

Probably, my explanation was insufficient.

I took a disk drive from a standalone Windows machine. I connected the drive to a Linux machine via USB, so it is recognized as an external drive.
The disk serves as drive C on the Windows machine.
Clamav detects several files, which are printer driver related.

There is a long story behind it.
Somebody introduced malware to the machine by using an infected USB stick. (This malware is detected by all virus programs.)
After removing that malware, I checked the entire system as described above. Then I ran into this inconsistency problem.

cheers

Well, it's your machine, handle it how you see fit. But, I was a vendor / tech support for MS on the MS network for MS employees and partners. And I can tell you that in situations like this their internal policy is to not trust *any* virus scanner or repair tool; not even their own. By policy, any machine with any trace of any class of malware on it *must* be flattened and reimaged before being reconnected to the network and no data is allowed to be recovered from the infected drive. And they were serious enough about it that it was a terminable offence.
