Discrepancy between Immunet and Virus Total (ClamAV)

[John Graham]

Hi,

This is the first time I am using Immunet (v7.5.0.20795). I chose it because of Cisco's reputation and because it uses ClamAV (also it's excellent reputation). I had ClamAV installed before but Immunet includes ClamAV so I have discontinued (uninstalled) it.

On my last download of some Rescue Discs (MediCat USB, and All in One – System Rescue Toolkit - see url links below for ref) purely as to see how well they performs, Immunet detected 4 files as malicious - see screenshots attached (for MediCat as example). Here's the quandry: There is a difference between VirusTotal and Immunet - specifically the ClamAV engine. In one ClamAv does not recognize the file yet Immunet and VirusTotal detected malicious content. In another, ClamAV did NOT detect any malicious content but yet Immunet detected a malicious content.

Can someone let me know what's going on and if there is a "quirk" in Immunet? I'd like to have some confidence in Immunet's behavior. I assume that the files have been uploaded to the Cloud Community as I have checked the share with community box (Cloud Notifications = On).

Ref links: https://www.geckoandfly.com/32030/bootable-windows-pe-recovery-repair/

MediCat USB: https://gbatemp.net/threads/medicat-usb-a-multiboot-linux-usb-for-pc-repair.361577/

All in One - System Rescue Toolkit (AiO_SRT): https://paul.is-a-geek.org/aio-srt/

Thanks in advance. (FYI: I use System Rescue CD, UBCD, Knoppix, Ubuntu 10.04 thru 16.04 Live purely for i386 compatibility - any other suggestions are welcome)

JG.

[Rob.T]

The behaviour your describing is normal for Clam AM and Immunet (and most other Av apps).Clam AV relies on a human writing and testing a virus definition.  Virus definitions usually match one virus def  to many files. Becaue of this one-to-many matching a poorly written virus definition might end up with a high false positiv rate (i.e. the virus definition detects a lot of benign files that don't have viruses in them as malicious).  Or even worse, the virus definition might not detect the origional malicious file it was written  for (i.e. false negative where a know malicious file is  not detected as malicious).  This process is  time consuming and usually as such lags days or weeks behind Immunet's cloud scanning engines which  can generate virus definitions in a completly automated fashion.   It's also worth noting that every virus definition added to clam av incurs a small prformance hit.   As such we try to limit  clam AV to high   score virus (as scored on the Common Vulnerability Scoring System (CVSS) ).