newkansan Posted March 5, 2011

I wanted to report this. On a previous scan, there were numerous false positives, which, when I set to allow, were automatically placed in the file exclusions list. Today I ran another scan and these same files were again quarantined. I allowed them all again, and now these files are listed twice in the file exclusions list. If it makes any difference, the first time these files were flagged, it was on a full scan. The second time, it was on a custom scan, which happened to scan the same areas where these files reside.

On a related note, I set our Exchange Server folder in the exclusions list (c:\program files\exchsrvr) so that no files would be scanned in this folder. However, one of the false positives on my most recent scan was a log file inside this folder (c:\program files\exchsrvr\MDBDATA\e000044f.log). This indicates that the exclusions are not being adhered to.

I am running the full version in trial mode of ImmunetPlus3.0 with ClamAV on Windows Server 2003 Standard SP2. I have 10 days left on the trial. Do you need anything from me to help resolve this? Log files, screenshots, etc.?
Guest Orlando Posted March 5, 2011

Please read this guide to report a False Positive; it's the better way to correct this kind of problem.

Orlando
newkansan Posted March 6, 2011

I'm not reporting a false positive, I'm reporting a bug (file exclusions being ignored).
Guest Orlando Posted March 6, 2011

Yes, I know, I think this bug is already reported, but if there are false positives we can fix it.

Orlando
newkansan Posted March 8, 2011

The link to http://www.immunet.com/contact/index.html to report false positives does not have a submit form that I could find for false positives. FYI. I'll have to email the files unless there is a better way?

edit: I just realized the "Register for our Newsletter" is a dropdown menu with other options, including submit a false positive. My apologies, I didn't realize that until after I posted.

Most of the false positives are .zip files, with no indication of which file in the .zip is triggering the false positive. These are customer files that we may not have the freedom to submit. Suggestions? There are three files that are not .zip that I can submit.
Guest Orlando Posted March 8, 2011

Please read this guide. You can also zip these three files with a program (the Windows default: right-click, send to, zip file).

Orlando
newkansan Posted March 8, 2011

I submitted what I could. The rest are sensitive customer files that we cannot submit. I can describe to you, though, the general problem with these false positives. They are all .zip files with various .txt, .lib, .pdf, .bmp, etc. files inside.

Here is the strange part. When Immunet scans the .zip archives, it detects malware. When I manually unzip these files and have Immunet scan the unzipped versions, it detects no malware.

Thanks for your help.
Guest Orlando Posted March 8, 2011

Are you sure there aren't any hidden files or subfolders?

Orlando
newkansan Posted March 8, 2011

My procedure is to isolate the .zip file that has been detected with malware, restore it from quarantine, delete the exceptions that were created, unzip the file to a folder called "test", then rescan the test folder which now contains the unzipped contents. If there are hidden files, the fact that I am scanning the parent folder should still allow the scanner to see them?
Guest Orlando Posted March 8, 2011

I'll contact you with a PM.

Orlando
BurtReynolds Posted March 9, 2011

I am having the same problem with file exclusions. I am not receiving any false positives; rather, periodically Agent.exe will lock an mdb file that is needed by an application, causing the app to fail. Excluding a parent folder above the file did not exclude the mdb, which was in a subfolder. Unfortunately, the mdb path is dynamic and I cannot exclude the exact folder it sits in directly. Sorry for the redundancy.
Guest Orlando Posted March 9, 2011

As Millard said here, it's possible the detection is still cached. So send an email to millard at immnet.com and he will guide you to fix the problem.

Orlando
Archived
This topic is now archived and is closed to further replies.