UPDATE: as of 4APR14 the false positives have been fixed.
Since Microsoft DOS and its autoexec.bat file were replaced by a Windows startup sequence that is murky at best, it has been impossible to know for certain, at any given moment, that a Microsoft installation is clean of viruses. When it was possible to control the startup sequence, it was possible to run a full virus scan first, from a known clean disk. With the Windows startup, however, the computer operator for all practical purposes does not control which programs load first, so any virus infecting the system can take control before a virus scan is run, nullifying the results.
The only practical way around this problem is to scan the Microsoft partition of the disk from a known clean system, preferably one not susceptible to viruses that run under Microsoft. We do this by running clamscan from Linux during nightly maintenance.
The problem is that occasionally ClamAV gives serious false positives. At this time we are seeing 12 viruses “detected”, identically, on each of our lab computers. Installing a clean Windows 7 from DVD and merely updating with Microsoft Update gives the exact same results. As such, the files provided by Microsoft, and not modified by any outside event, are being reported as “infected”. Had it only been on the lab computers which had been used, I could conclude that it was a fast-spreading virus, but it is also on the Microsoft install DVD. I remember the file nvstor.sys was inaccurately being reported as infected last year also, and eventually the virus database was corrected.
Here is a list of the affected files as of today (3/28), where the Microsoft Windows 7 “C:\” drive is mounted as “/d”:
I tried filing a report with http://www.clamav.net/lang/en/sendvirus/submit-fp/ but so far no improvement. Does anyone have an idea how to resolve this? Surely the original files on the Microsoft DVD are not Win.Worm.Autorun-4414 & 4415.
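The comparison argued above (a detection that also appears, byte for byte, on a clean install is probably a signature problem) can be automated over the nightly clamscan reports. This is an added example, not part of the original post; the file names and hash strings are constructed placeholders, and it assumes file hashes (for instance from sha256sum) are collected separately for each scanned partition.

```python
import re

# clamscan prints one line per detection: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_clamscan(report, mount="/d"):
    """Map each detected path (relative to the mount, lower-cased) to its signature."""
    hits = {}
    for line in report.splitlines():
        m = FOUND_RE.match(line.strip())
        if not m:
            continue  # skip OK lines and the scan summary
        path = m.group("path")
        if path.startswith(mount + "/"):
            path = path[len(mount):]
        hits[path.lower()] = m.group("sig")  # Windows paths are case-insensitive
    return hits

def triage(host_report, host_hashes, base_report, base_hashes):
    """Likely false positive only if the clean baseline has the same path, signature and hash."""
    host, base = parse_clamscan(host_report), parse_clamscan(base_report)
    likely_fp, investigate = [], []
    for path, sig in sorted(host.items()):
        digest = host_hashes.get(path)
        unchanged = digest is not None and digest == base_hashes.get(path)
        same = base.get(path) == sig and unchanged
        (likely_fp if same else investigate).append((path, sig))
    return likely_fp, investigate

# Constructed sample data: file names and hash strings are placeholders.
BASELINE_REPORT = """\
/d/Windows/System32/example_a.dll: Win.Worm.Autorun-4414 FOUND
/d/Windows/System32/example_b.dll: Win.Worm.Autorun-4415 FOUND
"""
BASELINE_HASHES = {"/windows/system32/example_a.dll": "hash-a",
                   "/windows/system32/example_b.dll": "hash-b"}
LAB_REPORT = BASELINE_REPORT + """\
/d/Users/lab/example_c.exe: Win.Worm.Autorun-4414 FOUND
Infected files: 3
"""
LAB_HASHES = {"/windows/system32/example_a.dll": "hash-a",
              "/windows/system32/example_b.dll": "hash-b-modified",
              "/users/lab/example_c.exe": "hash-c"}

if __name__ == "__main__":
    fp, check = triage(LAB_REPORT, LAB_HASHES, BASELINE_REPORT, BASELINE_HASHES)
    print("likely false positives:", fp)
    print("investigate:", check)
```

A file that carries the same signature as the baseline but a different hash stays in the investigate list, since a modified system file is exactly the case the offline scan is meant to catch.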