Maximus5 / ConEmu

Customizable Windows terminal with tabs, splits, quake-style, hotkeys and more
https://conemu.github.io/
BSD 3-Clause "New" or "Revised" License

ClamAV reports ConEmu as a malware #2476

Open gerhardol opened 1 year ago

gerhardol commented 1 year ago

https://www.virustotal.com/gui/file/894f7b2d08ea386ed3c84e5378a6e1b8d21acdf88c0250ce99b0beb9e67f5566 Reported as Win.Malware.Doina-9956863-0. (Jiangmin and MaxSecure also flag the portable package.) Google also detects ConEmu.exe if uploaded separately: https://www.virustotal.com/gui/file/922005e768a5cd0d5374964fb8e5a2a103c966a5cfbc573842464cc4df45ca40

This also affects GitExtensions with embedded ConEmu, both for the year-old public 3.5.4 (with v21.7.18) and the latest Alpha, which used v22.04.18, the latest at release time. Discussion here: https://github.com/gitextensions/gitextensions/discussions/9597#discussioncomment-3724154

Versions

ConEmu build: 220807 x32/x64

Problem description

No usage of ConEmu, just a check with ClamAV.

I do not believe that this is a problem in ConEmu (I would be very surprised if it was a virus); this is a false positive. I have voted for the files to be OK.

Hopefully, this can be resolved without code changes.

Zeroes1 commented 1 year ago

Good AVs have a feature: add exclusions. If yours doesn't have this, change your AV.

Many products have some troubles, for example: https://blog.nirsoft.net/2015/10/18/antivirus-statistics-and-scores-according-to-false-positives-of-nirsoft-tools/

Maximus5 commented 1 year ago

I think only users may force ClamAV to fix false detections. Personally, I reported that to ClamWin on August 7, but there has been no response or action. As for me, that leads to a bad reputation for the AV product :(

gerhardol commented 1 year ago

For GitExtensions, this was resolved after requesting that from ClamAV. (There is more info in the GE thread.) I believe I did that for ConEmu too, but may have missed that. Google still flags the GE package though; I do not know if that is due to ConEmu or something else (VirusTotal has a few low-priority markings for GE internals).

No update for ConEmu; more users may request a change from ClamAV...

As viruses get more complex, virus scanners must guess even more. It sure is a pain.

cristianst85 commented 1 year ago

Everything is green now (no red flags) as well for ConEmu version 21.3.14 which comes bundled with GitExtensions-3.5.4.12724-65f01f399.msi.

https://www.virustotal.com/gui/file/e840e41909b22720944c655a0066dca561445153540d202ed82ba75a6c4e121b https://www.virustotal.com/gui/file/d76fa323b01b5d56fb641a51481877a2f9faadc3e6c9d8d87b6e74b101010ef2

gerhardol commented 1 year ago

ConEmuPack.220807.7z is still reported on; submitted to ClamAV (again?). That version should probably be included with GE 4.0.0 (as it has signed executables).

cristianst85 commented 1 year ago

ConEmuPack.220807.7z is not being flagged anymore by ClamAV. There are still two AV engines (Jiangmin and MaxSecure) that flag it. Do we care about them? MaxSecure is an Indian company; although their site is in English, I couldn't find where to report a false positive. Jiangmin is a Chinese company and I don't understand their language nor speak it. So there is that.

https://www.virustotal.com/gui/file/894f7b2d08ea386ed3c84e5378a6e1b8d21acdf88c0250ce99b0beb9e67f5566/detection

gerhardol commented 1 year ago

I reported to MaxSecure and got reference number 20220928-224131538100. No response yet. So this is hopefully fine now, except for Jiangmin, which I guess we have to ignore.

gerhardol commented 1 year ago

SecureAPlus false positive report successful: "Your false detection(s) will be cleared within the next 72 hours."

So only Jiangmin remains.