virus detection, inconsistent
Hya,
Situation: When I used clamav to check some external HD, clamav found "Win.Trojan.Agent-905394". However, the TrendMicro and Symantec engines do not report any infection. It looks like some sort of trojan horse, but there is no further information on the web. The infected files are an active printer driver, so it is not easy to get rid of them without affecting functionality. I have no idea how to resolve this inconsistency. Most probably, linux machines are immune. www.virustotal.com also
Question: Is this file harmful? (for several other windows ones)
Closing remark: I appreciate any feedback.
Hi...
It's highly possible that this is a false positive with clamav and that you can safely disregard the warning. What were the results of the virustotal scan? Regards...
Also: are not the printer-driver files protected from modification by ordinary mortals such as yourself?
(You are "just an ordinary mortal," not "a big wheel," on your system, right?) If so, then it is very likely that the message is a false positive. It should not be possible for anyone to tamper with global system files.
Sometimes ClamAV has the new definitions a day or two BEFORE Trend and Norton and McAfee do.
Also, in the past I have had Clam find things that both Norton and McAfee missed, and NOT just the things they ARE PAID $$$$ TO MISS. So I take it this is a network printer with Microsoft AND Linux machines using it. While it is nearly impossible to have had the linux OSes mess with it, the MS Windows systems on the shared printer are easy, and a wireless printer on a windows domain is "VERY low hanging fruit" and a VERY NICE target and an easy in for a war drive.
Code:
sudo freshclam

Can you name the file exactly? Can you post the link to the virustotal scan result? On Windows hosts, you can also use ClamWin for scanning from that environment, and compare results. :)
Hya
Thanks for your posts. The windows machine is not connected to a network. It controls some laboratory machine. (So it is old, and unable to upgrade.) The actual infected files and detections are:
symmpi.sys: Trojan.Rootkit-3070
write.exe: Win.Trojan.Agent-866396
When these files are scanned at www.virustotal.com, only clamav reports a problem. No other ones. I will keep my eyes open. cheers
clearly windows files.
on an external hd? are you sure this is the "active printer driver"? active on your linux installation, or active on some other, windows installation? if you have a windows machine running, i think it's better to check for viruses locally, not remotely - or am i misunderstanding? are you using clamav on that windows machine without network connection? what is this external hd??? ultimately, you have to find out where clamav's virus definitions come from, and check for the ID "Win.Trojan.Agent-905394". that will give you answers.
Hya
My log reads that freshclam runs every hour. The infected machine is a standalone windows. All programs run with admin privileges. cheers
so you are using clamav for windows, and scanning an external hard drive, clamav told you that the currently running printer driver on that hard drive might be a trojan???
aren't you maybe talking about the printer's setup.exe or some such?
Hya,
Probably, my explanation was insufficient. I took a disk drive from a stand-alone windows machine. I connected the drive to a linux machine via USB, so it is recognized as an external drive. The disk serves as drive C on the windows machine. Clamav detects several files, which are printer-driver related. There is a long story hiding behind this. Somebody introduced malware to the machine by using an infected USB stick. (This malware is detected by all virus programs.) After removing that malware, I checked the entire system as described above. Then I ran into this inconsistency problem. cheers
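Added example, not posted by anyone in this thread: a small POSIX shell script for the kind of offline triage the post above describes (Windows system disk hung off a Linux box, scanned with clamscan). It mounts the volume read-only, parses the scan log for "FOUND" lines, and prints a SHA-256 for each flagged file so the detection can be cross-checked on virustotal.com by hash search without uploading the file. The mount point /mnt/windisk, the function names and the sample log are assumptions/constructed; only scan_disk needs clamav installed, the parsing and hashing functions use awk and sha256sum.

```shell
#!/bin/sh
# Added example, not from this thread: offline triage of a Windows disk hung
# off a Linux box. scan_disk needs clamav; the rest needs only awk/sha256sum.
# The mount point, function names and SAMPLE_LOG are assumptions/constructed.

# Constructed sample of what "clamscan -r --infected --log=scan.log /mnt/windisk"
# writes: one "path: Signature FOUND" line per hit, then a summary.
SAMPLE_LOG='/mnt/windisk/Windows/System32/drivers/symmpi.sys: Trojan.Rootkit-3070 FOUND
/mnt/windisk/Windows/System32/write.exe: Win.Trojan.Agent-866396 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2'

# scan_disk DEVICE MOUNTPOINT LOGFILE: mount the Windows volume read-only so
# the scan itself changes nothing on it, refresh signatures, then scan.
# clamscan exits 0 for clean, 1 when something was flagged, 2 on error.
scan_disk() {
    mount -o ro,noexec "$1" "$2" || return 2
    freshclam >/dev/null 2>&1 || echo "freshclam failed, using current signatures" >&2
    rc=0
    clamscan -r --infected --log="$3" "$2" >/dev/null || rc=$?
    umount "$2"
    return $rc
}

# flagged_files LOG_TEXT: print "path<TAB>signature" for each FOUND line.
# Splits on the last ": " because ClamAV signature names contain no colon.
flagged_files() {
    printf '%s\n' "$1" | awk '
        / FOUND$/ {
            sub(/ FOUND$/, "")
            i = match($0, /: [^:]*$/)
            printf "%s\t%s\n", substr($0, 1, i - 1), substr($0, i + 2)
        }'
}

# hash_flagged LOG_TEXT: print "sha256<TAB>path<TAB>signature" for each
# flagged file that exists. The hash is what you search for on
# virustotal.com (search by hash); the file itself never leaves the box.
hash_flagged() {
    flagged_files "$1" | while IFS="$(printf '\t')" read -r path sig; do
        if [ -f "$path" ]; then
            printf '%s\t%s\t%s\n' "$(sha256sum "$path" | cut -d' ' -f1)" "$path" "$sig"
        else
            printf 'missing\t%s\t%s\n' "$path" "$sig" >&2
        fi
    done
}

# Stand-alone run: list what the sample log flags. The sample paths do not
# exist on this box, so hash_flagged only reports them as missing on stderr.
flagged_files "$SAMPLE_LOG"
hash_flagged "$SAMPLE_LOG"
```

In real use you would run scan_disk /dev/sdX1 /mnt/windisk scan.log, then hash_flagged "$(cat scan.log)". Comparing the hash against what the other engines on virustotal.com say about that exact file is the cleanest way to settle a one-engine detection like the ones in this thread, and hashing instead of uploading matters when the disk belongs to a lab machine whose files you may not want to hand to a third party.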
ok, i understand better now.
Hya,
Thank you for your suggestions. Currently, the windows one is running. At the next reboot, I will try all suggestions. cheers
Hya,
I checked these disks with clamav this week. Alas, the drivers were clean. ?!? I will leave them as is. Thanks cheers