ClamAV errors scanning Microsoft

UPDATE: as of 4 APR 14 the false positives have been fixed.


Since MS-DOS and its autoexec.bat were replaced by the Windows startup sequence, which is murky at best, it has been impossible to be certain that a Microsoft installation is clean of viruses at any given moment. When the startup sequence could be controlled, a full virus scan could be run first, from a known clean disk. With the Windows startup the operator has, for all practical purposes, no control over which programs load first, so a virus already on the system can be in control before the scanner runs, which nullifies the scan's results.

The only practical way around this is to scan the Microsoft partition from a known clean system, preferably one that cannot itself run the viruses written for Windows. We do this by running clamscan from Linux, against the mounted Windows partition, during nightly maintenance.
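The nightly procedure above, written out as a shell script. This is an added example, not the script from the original post: the device name /dev/sda2, the read-only ntfs-3g mount and the log directory /var/log/clamscan are assumptions, and the mount point /d is the one the post uses.

```sh
#!/bin/sh
# Added example (not the original post's script): offline scan of a Windows
# partition from Linux, as in the nightly maintenance described above.
# Assumptions (not from the post): the Windows "C:\" partition is /dev/sda2,
# it is mounted read-only at /d, and scan logs are kept under /var/log/clamscan.

WIN_DEV="${WIN_DEV:-/dev/sda2}"         # assumed device of the Windows partition
WIN_MNT="${WIN_MNT:-/d}"                # mount point, matching the post's /d
LOG_DIR="${LOG_DIR:-/var/log/clamscan}" # assumed log directory

# Mount the NTFS partition read-only so the scan cannot modify the Windows
# system even if a signature matches (no --remove, no --move).
mount_windows_ro() {
    mkdir -p "$WIN_MNT"
    mount -t ntfs-3g -o ro,noexec,nosuid,nodev "$WIN_DEV" "$WIN_MNT"
}

# Translate clamscan's exit status (documented in clamscan(1)):
#   0 = no virus found, 1 = virus(es) found, 2 = some error(s) occurred.
scan_status_text() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        2) echo "error" ;;
        *) echo "unknown" ;;
    esac
}

# Extract the "Infected files: N" count from a clamscan summary/log file.
infected_count() {
    sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Update signatures first, then recurse through the mounted partition.
# --infected prints only files that matched; --log keeps a persistent record
# so detections can be compared across machines and across signature updates.
nightly_scan() {
    stamp=$(date +%Y%m%d-%H%M%S)
    log="$LOG_DIR/scan-$stamp.log"
    mkdir -p "$LOG_DIR"
    freshclam --quiet || echo "WARNING: signature update failed, scanning with the existing database"
    clamscan -r --infected --log="$log" "$WIN_MNT"
    rc=$?
    echo "scan $stamp: $(scan_status_text "$rc"), infected files: $(infected_count "$log")"
    return "$rc"
}

# Run the whole procedure only when explicitly requested, so that sourcing
# this file to reuse the helpers has no side effects.
if [ "${RUN_NIGHTLY_SCAN:-0}" = "1" ]; then
    mount_windows_ro && nightly_scan
    umount "$WIN_MNT"
fi
```

Run it from cron as `RUN_NIGHTLY_SCAN=1 sh nightly-clamscan.sh`. Because nothing is ever removed or moved, a bad signature costs a log entry and an evening of investigation rather than a broken Windows install.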

The problem is that ClamAV occasionally reports serious false positives. At the moment we are seeing 12 viruses "detected", identically, on each of our lab computers. Installing a clean Windows 7 from DVD and doing nothing but applying Microsoft Update gives exactly the same result, so files supplied by Microsoft, and not modified by anything else, are being reported as infected. Had it appeared only on the lab computers, which have been in use, I could have concluded that it was a fast-spreading virus, but it also appears on a clean install from the Microsoft DVD. I remember nvstor.sys being wrongly reported as infected last year as well; eventually the signature database was corrected.

Here is a list of the affected files as of today (3/28), where the Microsoft Windows 7 “C:\” drive is mounted as “/d”:


/d/Windows/System32/drivers/nvstor.sys: Win.Worm.Autorun-4414 FOUND
/d/Windows/System32/drivers/sisraid4.sys: Win.Worm.Autorun-4415 FOUND
/d/Windows/System32/drivers/ws2ifsl.sys: Win.Trojan.6878514 FOUND
/d/Windows/System32/DriverStore/FileRepository/nvraid.inf_x86_neutral_0276fc3b3ea60d41/nvstor.sys: Win.Worm.Autorun-4414 FOUND
/d/Windows/System32/DriverStore/FileRepository/nvraid.inf_x86_neutral_dd659ed032d28a14/nvstor.sys: Win.Worm.Autorun-4414 FOUND
/d/Windows/System32/DriverStore/FileRepository/sisraid4.inf_x86_neutral_65ab84e9830f6f4b/sisraid4.sys: Win.Worm.Autorun-4415 FOUND
/d/Windows/winsxs/Backup/x86_microsoft-windows-w..rastructure-ws2ifsl_31bf3856ad364e35_6.1.7600.16385_none_4f5cf6f829213bb2_ws2ifsl.sys_2d588da9: Win.Trojan.6878514 FOUND
/d/Windows/winsxs/x86_microsoft-windows-w..rastructure-ws2ifsl_31bf3856ad364e35_6.1.7600.16385_none_4f5cf6f829213bb2/ws2ifsl.sys: Win.Trojan.6878514 FOUND
/d/Windows/winsxs/x86_nvraid.inf_31bf3856ad364e35_6.1.7601.17514_none_3be22d131d40bd72/nvstor.sys: Win.Worm.Autorun-4414 FOUND
/d/Windows/winsxs/x86_nvraid.inf_31bf3856ad364e35_6.1.7601.17577_none_3ba44e691d6eb11d/nvstor.sys: Win.Worm.Autorun-4414 FOUND
/d/Windows/winsxs/x86_nvraid.inf_31bf3856ad364e35_6.1.7601.21680_none_3c1c1942369abb77/nvstor.sys: Win.Worm.Autorun-4414 FOUND
/d/Windows/winsxs/x86_sisraid4.inf_31bf3856ad364e35_6.1.7600.16385_none_2818a03f1981d8b1/sisraid4.sys: Win.Worm.Autorun-4415 FOUND

I tried filing a report with http://www.clamav.net/lang/en/sendvirus/submit-fp/ but so far there has been no improvement. Does anyone have an idea how to resolve this? Surely the original files on the Microsoft DVD are not Win.Worm.Autorun-4414 and 4415.
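A way to work the question above before touching any file, as an added example that is not from the original post. It groups the log by signature name (twelve identical hits on every machine point at a signature, not an outbreak), compares each flagged file byte for byte with the copy on a reference system, and, while waiting for the upstream fix, suppresses the named signature locally rather than deleting system files. Assumptions not in the post: the Windows partition is mounted at /d, a freshly installed reference machine's partition is mounted at /ref, and ClamAV's database directory is /var/lib/clamav; the `.ign2` mechanism (one signature name per line in any `.ign2` file in the database directory) is ClamAV's own.

```sh
#!/bin/sh
# Added example, not from the original post: triaging detections that look
# like false positives without removing anything (removing them breaks Windows).
# Assumptions (not in the post): Windows partition at /d, a known-good
# reference install at /ref, ClamAV database directory /var/lib/clamav.

CLAMAV_DB="${CLAMAV_DB:-/var/lib/clamav}"   # assumed database directory

# Step 1: count hits per signature name in a clamscan log ("path: SIG FOUND").
found_by_signature() {
    sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p' "$1" | sort | uniq -c | sort -rn
}

# Step 2: exit 0 when two files have the same SHA-256 digest, 1 otherwise.
same_digest() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# Step 3: dump the raw signature(s) whose name matches the regex, from the
# installed databases, to see what the pattern actually looks for.
show_signature() {
    sigtool --find-sigs="$1"
}

# Step 4: suppress a signature locally. ClamAV ignores signature names listed
# one per line in any *.ign2 file in its database directory.
add_local_ignore() {
    ign="$CLAMAV_DB/local.ign2"
    grep -qxF "$1" "$ign" 2>/dev/null || printf '%s\n' "$1" >> "$ign"
}

# Step 5: for every FOUND line, compare the flagged file with the file at the
# same relative path on the reference system and print a verdict.
# Usage: triage_log /var/log/clamscan/scan.log /d /ref
triage_log() {
    log="$1"; win="$2"; ref="$3"
    grep ' FOUND$' "$log" | while IFS= read -r line; do
        path=${line%: * FOUND}      # everything before the last ": SIG FOUND"
        sig=${line##*: }
        sig=${sig% FOUND}
        rel=${path#"$win"}          # path relative to the Windows mount point
        if [ -f "$ref$rel" ] && same_digest "$path" "$ref$rel"; then
            echo "$sig $rel identical-to-reference"
        else
            echo "$sig $rel differs-or-missing"
        fi
    done
}
```

If every file a signature flags is identical to the reference copy, the evidence says the signature is wrong, and `add_local_ignore Win.Worm.Autorun-4414` keeps the nightly scan quiet until the upstream database is corrected; the `.ign2` line should be removed again once a clean scan confirms the fix. Any file that differs from the reference is the one that actually deserves attention.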

2 comments to this article

  1. kubulai

    on April 6, 2014 at 12:43 pm -

    With the update 3 APRIL 2014 the problem finally stopped. No change to the Windows files, the clamav signature files (or something) finally got updated.

    -------START FRESH CLAM UPDATE 20140403-021512 -------
    ===
    ClamAV update process started at Thu Apr 3 02:15:12 2014
    main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
    daily.cld is up to date (version: 18735, sigs: 866569, f-level: 63, builder: neo)
    bytecode.cld is up to date (version: 236, sigs: 43, f-level: 63, builder: dgoddard)
    ===
    -------START VIRUS SCAN ON MICROSOFT PARTITION 20140403-021516 -------
    ===

    ----------- SCAN SUMMARY -----------
    Known viruses: 3285437
    Engine version: 0.98.1
    Scanned directories: 19205
    Scanned files: 109162
    Infected files: 0
    Data scanned: 16743.07 MB
    Data read: 29978.99 MB (ratio 0.56:1)
    Time: 4048.022 sec (67 m 28 s)
    ===

  2. kubulai

    on March 28, 2014 at 11:32 am -

    Note: removing these files renders the system unusable
