Clam AV false positive on Italian Kaspersky installer. [Closed]

[fabiodanzetta]

Hi everyone, I downloaded the startup.exe file from the Italian site and found two things: 1) doing the scan with virustotal clamav detects it as Win.Virus.Sality-6812328-0. I guess it's a false positive. I don't always scan the files I download from the total virus but this time I did it out of curiosity and this was the result. I wanted to investigate further and other setups of other antivirus vendors have similar problems. Not all and not all with the same engines. Some are perfectly clean. What do you think? 2) Always the Italian startup.exe file is digitally signed but only with the sha1 algorithm without the presence of sha256 and above all without the signature timestamp. Can anyone explain why? Thank you all and sorry for my English.

[Flood and Flood's wife]

Hi everyone, I downloaded the startup.exe file from the Italian site and found two things: 1) doing the scan with virustotal clamav detects it as Win.Virus.Sality-6812328-0. I guess it's a false positive. I don't always scan the files I download from the total virus but this time I did it out of curiosity and this was the result. I wanted to investigate further and other setups of other antivirus vendors have similar problems. Not all and not all with the same engines. Some are perfectly clean. What do you think? 2) Always the Italian startup.exe file is digitally signed but only with the sha1 algorithm without the presence of sha256 and above all without the signature timestamp. Can anyone explain why? Thank you all and sorry for my English.

Hello fabiodanzetta, Welcome! Your English is fine! Do not worry. Please copy the site url, the download url & the Virustotal url (result) to a text file and upload the text file using the upload icon in your reply please? Thanks & regards:pray_tone3:

[fabiodanzetta]

Hi everyone, I downloaded the startup.exe file from the Italian site and found two things: 1) doing the scan with virustotal clamav detects it as Win.Virus.Sality-6812328-0. I guess it's a false positive. I don't always scan the files I download from the total virus but this time I did it out of curiosity and this was the result. I wanted to investigate further and other setups of other antivirus vendors have similar problems. Not all and not all with the same engines. Some are perfectly clean. What do you think? 2) Always the Italian startup.exe file is digitally signed but only with the sha1 algorithm without the presence of sha256 and above all without the signature timestamp. Can anyone explain why? Thank you all and sorry for my English.

Hello fabiodanzetta, Welcome! Your English is fine! Do not worry. Please copy the site url, the download url & the Virustotal url (result) to a text file and upload the text file using the upload icon in your reply please? Thanks & regards:pray_tone3:

Hi FLOOD, this is the link to the scan result: https://www.virustotal.com/gui/file/fd6a814dad07b5f289f01ce61664f492778fe0dbd801675d109b9eb029b17c21/detection and this is the file: https://products.s.kaspersky-labs.com/homeuser/kis2020/20.0.14.1085abc/italian-IT-0.2056.0/3232303839307c44454c7c31/startup.exe from this page: https://www.kaspersky.it/downloads/thank-you/internet-security .

[Berny]

clamav detects it as Win.Virus.Sality-6812328-0.

Also , please contact ClamAv Team :-)

[fabiodanzetta]

clamav detects it as Win.Virus.Sality-6812328-0.

Also , please contact ClamAv Team :-)

Hi, Berny, ok for the detection but for the second question about file signature? Ok, for the only sha1 but why without timestamp? Thanks again

[Berny]

Concerning the timestamp please contact the Technical Support https://center.kaspersky.com

[Flood and Flood's wife]

Hi everyone, I downloaded the startup.exe file from the Italian site and found two things: 1) doing the scan with virustotal clamav detects it as Win.Virus.Sality-6812328-0. I guess it's a false positive. I don't always scan the files I download from the total virus but this time I did it out of curiosity and this was the result. I wanted to investigate further and other setups of other antivirus vendors have similar problems. Not all and not all with the same engines. Some are perfectly clean. What do you think? 2) Always the Italian startup.exe file is digitally signed but only with the sha1 algorithm without the presence of sha256 and above all without the signature timestamp. Can anyone explain why? Thank you all and sorry for my English.

Hello fabiodanzetta, Welcome! Your English is fine! Do not worry. Please copy the site url, the download url & the Virustotal url (result) to a text file and upload the text file using the upload icon in your reply please? Thanks & regards:pray_tone3:

Hi FLOOD, this is the link to the scan result: https://www.virustotal.com/gui/file/fd6a814dad07b5f289f01ce61664f492778fe0dbd801675d109b9eb029b17c21/detection and this is the file: https://products.s.kaspersky-labs.com/homeuser/kis2020/20.0.14.1085abc/italian-IT-0.2056.0/3232303839307c44454c7c31/startup.exe from this page: https://www.kaspersky.it/downloads/thank-you/internet-security .

Hello fabiodanzetta Thank you so much for posting back! Good detection:spy_tone3::clap_tone3: I wonder how often it happens:thinking: Curiously, I've just scanned the .exe from https://www.kaspersky.it/downloads/thank-you/internet-security, detection is not repeated: https://www.virustotal.com/gui/url/bab3720b8b84650041d72235ec7d07a7ac925e5a14a51206a99b26308581510c/detection No engines detected this URL I've tried 3 different browsers, same result. (imo) if anyone contacts Clam it should be Kaspersky. 'Thanks again:pray_tone3:

[fabiodanzetta]

Hi everyone, I downloaded the startup.exe file from the Italian site and found two things: 1) doing the scan with virustotal clamav detects it as Win.Virus.Sality-6812328-0. I guess it's a false positive. I don't always scan the files I download from the total virus but this time I did it out of curiosity and this was the result. I wanted to investigate further and other setups of other antivirus vendors have similar problems. Not all and not all with the same engines. Some are perfectly clean. What do you think? 2) Always the Italian startup.exe file is digitally signed but only with the sha1 algorithm without the presence of sha256 and above all without the signature timestamp. Can anyone explain why? Thank you all and sorry for my English.

Hello fabiodanzetta, Welcome! Your English is fine! Do not worry. Please copy the site url, the download url & the Virustotal url (result) to a text file and upload the text file using the upload icon in your reply please? Thanks & regards:pray_tone3:

Hi FLOOD, this is the link to the scan result: https://www.virustotal.com/gui/file/fd6a814dad07b5f289f01ce61664f492778fe0dbd801675d109b9eb029b17c21/detection and this is the file: https://products.s.kaspersky-labs.com/homeuser/kis2020/20.0.14.1085abc/italian-IT-0.2056.0/3232303839307c44454c7c31/startup.exe from this page: https://www.kaspersky.it/downloads/thank-you/internet-security .

Hello fabiodanzetta Thank you so much for posting back!Good detection:spy_tone3::clap_tone3: I wonder how often it happens:thinking: Curiously, I've just scanned the .exe from https://www.kaspersky.it/downloads/thank-you/internet-security, detection is not repeated: https://www.virustotal.com/gui/url/bab3720b8b84650041d72235ec7d07a7ac925e5a14a51206a99b26308581510c/detection No engines detected this URL I've tried 3 different browsers, same result. (imo) if anyone contacts Clam it should be Kaspersky. 'Thanks again:pray_tone3:

Hi, FLOOD, in your link is not present CLAMAV engine! The best way is download an .exe file on your pc and then upload in virustotal. With the link i don't know why the report is different. I have however opened a report to the clamav team as a possible false positive. Thanks .

[Flood and Flood's wife]

Hi everyone, I downloaded the startup.exe file from the Italian site and found two things: 1) doing the scan with virustotal clamav detects it as Win.Virus.Sality-6812328-0. I guess it's a false positive. I don't always scan the files I download from the total virus but this time I did it out of curiosity and this was the result. I wanted to investigate further and other setups of other antivirus vendors have similar problems. Not all and not all with the same engines. Some are perfectly clean. What do you think? 2) Always the Italian startup.exe file is digitally signed but only with the sha1 algorithm without the presence of sha256 and above all without the signature timestamp. Can anyone explain why? Thank you all and sorry for my English.

Hello fabiodanzetta, Welcome! Your English is fine! Do not worry. Please copy the site url, the download url & the Virustotal url (result) to a text file and upload the text file using the upload icon in your reply please? Thanks & regards:pray_tone3:

Hi FLOOD, this is the link to the scan result: https://www.virustotal.com/gui/file/fd6a814dad07b5f289f01ce61664f492778fe0dbd801675d109b9eb029b17c21/detection and this is the file: https://products.s.kaspersky-labs.com/homeuser/kis2020/20.0.14.1085abc/italian-IT-0.2056.0/3232303839307c44454c7c31/startup.exe from this page: https://www.kaspersky.it/downloads/thank-you/internet-security .

Hello fabiodanzetta Thank you so much for posting back!Good detection:spy_tone3::clap_tone3: I wonder how often it happens:thinking: Curiously, I've just scanned the .exe from https://www.kaspersky.it/downloads/thank-you/internet-security, detection is not repeated: https://www.virustotal.com/gui/url/bab3720b8b84650041d72235ec7d07a7ac925e5a14a51206a99b26308581510c/detection No engines detected this URL I've tried 3 different browsers, same result. (imo) if anyone contacts Clam it should be Kaspersky. 'Thanks again:pray_tone3:

Hi, FLOOD, in your link is not present CLAMAV engine! The best way is download an .exe file on your pc and then upload in virustotal. With the link i don't know why the report is different. I have however opened a report to the clamav team as a possible false positive. Thanks .

Hello fabiodanzetta, Yes, the VT result is different. I kinda didn't really want to download anything dodgy, even if it is Kaspersky & even if it is a FP... Thanks again.