
Malware found using ClamAV but not by Malwarebytes Anti-Malware


11 replies to this topic

#1 RAPHelp

Posted 22 February 2017 - 03:48 PM

Situation: Am the webmaster for a nonprofit website written using WordPress (but am not the original developer). The hosting company was chosen (before I was involved) because it was cheap.
Periodically, they scan for viruses and malware using ClamAV.
Last week they reported that 79 files had malware.

To verify that the files were truly "infected", I downloaded (using FTP) the files and ran Malwarebytes Anti-Malware and Avast against those files but found NOTHING.

When I informed host support, the response was: "The viruses or malware which infect the website files are different from the ones which infect a computer/laptop."

Is this truly the case? Should I use ClamWin to verify (my PC is a Windows 10, 64 byte machine)?





#2 Al1000


Posted 22 February 2017 - 04:10 PM

Hi,

I would trust Malwarebytes over ClamAV.

ClamAV was originally designed as an email scanner, and is notorious for false positives when used to scan operating systems.

For peace of mind, you could upload the files in question to https://www.virustotal.com/. Every time I have done so with a file that ClamAV has alerted me to, it's been a false positive.

(EDIT: Please refer to quietman7's post #4)

Edited by Al1000, 22 February 2017 - 05:41 PM.


#3 RAPHelp


Posted 22 February 2017 - 04:43 PM

Thank you Al1000 - used TotalVirus to scan a few files but the result for each file was a 0 – suspect that's what's causing the false positives from ClamAV.



#4 quietman7


Posted 22 February 2017 - 05:03 PM

Anti-virus (ClamAV) and anti-malware programs (Malwarebytes) each perform different tasks as it relates to computer security and threat detection. Essentially, they look for and remove different types of malicious threats.

In simplistic terms, Anti-virus programs use massive databases with different scanning engines and detection methods to scan for infectious malware which includes viruses, worms, Trojans, rootkits and bots.
Anti-malware programs use smaller databases and generally tend to focus more on adware, spyware, unwanted toolbars, browser hijackers, potentially unwanted programs and potentially unsafe applications.
Anti-virus and Anti-malware solutions with anti-exploitation features protect against zero-day malware, drive-by downloads, exploits and Exploit Kits.

With that said...the above does not mean ClamAV did not detect a lot of false positives, especially since VirusTotal seems to confirm this.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 RAPHelp


Posted 22 February 2017 - 05:36 PM

Thank you quietman7



#6 quietman7


Posted 22 February 2017 - 05:38 PM

You're welcome.

#7 RAPHelp


Posted 23 February 2017 - 01:10 AM

Anyone have any idea if the host support's statement is true?

And if host support is "blowing smoke" – how to answer the statement?



#8 quietman7


Posted 23 February 2017 - 08:22 AM

This statement?

"The viruses or malware which infect the website files are different from the ones which infect a computer/laptop."


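One way to look into the host's statement is to ask for the raw ClamAV scan output and sort the hits by signature name. The following is an added example, not code from any poster in this thread. It relies on ClamAV's official naming convention (platform.category.name-id-revision) and on the `.UNOFFICIAL` suffix that ClamAV appends to names from third-party databases; the sample output, paths and signature names are constructed.

```python
import re
from collections import Counter

# Constructed sample of `clamscan -r` output; paths and signature names are
# invented for illustration and do not come from the thread.
SAMPLE = """\
/site/wp-content/themes/old/footer.php: Php.Malware.Agent-1234567-0 FOUND
/site/wp-content/uploads/2016/img.php: Php.Trojan.Example-7654321-0 FOUND
/site/wp-includes/js/extra.js: Js.Trojan.Example-1111111-0 FOUND
/site/wp-content/plugins/x/readme.html: Html.Exploit.Example-2222222-0 FOUND
/site/downloads/setup.exe: Win.Trojan.Example-3333333-0 FOUND
/site/wp-content/cache/a.php: Vendor.Example.Sig.9999.UNOFFICIAL FOUND
/site/index.php: OK
/site/private/key.pem: Access denied. ERROR
"""

# clamscan reports a hit as "<path>: <signature> FOUND"
HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# Platform prefixes that describe web content rather than Windows programs.
WEB_PLATFORMS = {"Php", "Js", "Html"}


def triage(output):
    """Return (path, signature, bucket) for every FOUND line."""
    hits = []
    for line in output.splitlines():
        m = HIT.match(line.strip())
        if not m:
            continue  # OK lines, ERROR lines and the scan summary
        sig = m.group("sig")
        if sig.endswith(".UNOFFICIAL"):
            bucket = "third-party"  # not from the official ClamAV database
        elif sig.split(".", 1)[0] in WEB_PLATFORMS:
            bucket = "web"
        else:
            bucket = "other"
        hits.append((m.group("path"), sig, bucket))
    return hits


def summarize(hits):
    """Count hits per bucket."""
    return Counter(bucket for _, _, bucket in hits)


if __name__ == "__main__":
    for path, sig, bucket in triage(SAMPLE):
        print(f"{bucket:12} {sig:42} {path}")
    print(dict(summarize(triage(SAMPLE))))
```

Hits in the "web" bucket are detections of script or markup content, and "third-party" hits come from a signature database the host added, which is worth asking the host to identify.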

#9 sjpritch25


Posted 23 February 2017 - 02:54 PM

"Thank you Al1000 - used TotalVirus to scan a few files but the result for each file was a 0 – suspect that's what's causing the false positives from ClamAV."

 

Malwarebytes isn't designed to detect malware via right-click and scan. I'm not saying that it wouldn't detect some malware, but generally speaking Malwarebytes uses behaviour and heuristics to detect most malware. For instance, Malwarebytes might not detect a file until you try double-clicking on it. I hope this explains it some more.


Microsoft MVP Consumer Security--2007-2010

#10 quietman7


Posted 23 February 2017 - 05:08 PM

Hi sjpritch25 and welcome back to BC...it's been a while since our paths crossed. :)

#11 sjpritch25


Posted 23 February 2017 - 05:43 PM

"Hi sjpritch25 and welcome back to BC...it's been a while since our paths crossed. :)"

Yes, it's been a while. I'm getting the bug back to start helping out again. It's been a long time since the days you trained me back at CC. It's amazing how long ago that was.



#12 quietman7


Posted 24 February 2017 - 07:12 AM

Well we are glad to have you back with us.