ClamAV Zip.Suspect.WinDoubleExtension-zippwd false positive on miq-host-cmd.exe


When scanning the file miq-host-cmd.exe as shipped in the mingw32-cfme-host package (part of Red Hat CloudForms), ClamAV may report that the file is infected with Zip.Suspect.WinDoubleExtension-zippwd. The signature Zip.Suspect.WinDoubleExtension-zippwd is not an actual virus; it is simply a behavioral signature indicating that a file has embedded compressed files. When clamscan is used to scan miq-host-cmd.exe, the following message (or similar) may be displayed:

$ clamscan -a miq-host-cmd.exe 
miq-host-cmd.exe!ZIP:lib/metadata/ScanProfile/modules/VmScanItemFile.rb!...!(2401)ZIP:lib/util/win32/miq-psd.ps1: Zip.Suspect.WinDoubleExtension-zippwd FOUND
miq-host-cmd.exe: Zip.Suspect.WinDoubleExtension-zippwd FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3517587
Engine version: 0.98.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 87.76 MB
Data read: 20.29 MB (ratio 4.32:1)
Time: 56.546 sec (0 m 56 s)

This warning can be safely ignored.

Workarounds

There are two workarounds that can be used to prevent ClamAV from triggering the Zip.Suspect.WinDoubleExtension-zippwd signature on the file miq-host-cmd.exe:

  • whitelist the file miq-host-cmd.exe
  • whitelist the rule Zip.Suspect.WinDoubleExtension-zippwd

Please see the ClamAV documentation "signatures.pdf" for specific information on how to create these whitelists and add them to the existing signature databases.
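The two whitelists described above, as an added example script (not part of the original solution): it writes a .fp entry (MD5:Size:Name, the same layout as .hdb) for the file itself and an .ign2 entry (one signature name per line) for the rule. The output directory and the local.fp / local.ign2 file names are assumptions; ClamAV loads any .fp and .ign2 files placed in its database directory (for example /var/lib/clamav) alongside the regular databases.

```shell
#!/bin/sh
# Generate the two ClamAV whitelist databases for the miq-host-cmd.exe
# false positive: local.fp whitelists the file by hash, local.ign2
# suppresses the signature by name.  File names and the output
# directory are assumptions; copy the results into the ClamAV database
# directory so clamscan/clamd pick them up with the other databases.
set -eu

SIGNAME="Zip.Suspect.WinDoubleExtension-zippwd"

# Print one .fp line for a file: <md5>:<size in bytes>:<name>.
# The name field is free text; the file's basename is used here.
fp_entry() {
    file="$1"
    md5=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$(basename "$file")"
}

# Print one .ign2 line: the bare signature name to ignore.
ign2_entry() {
    printf '%s\n' "$1"
}

# Append both entries to local.fp and local.ign2 under the given directory.
write_whitelists() {
    file="$1"
    outdir="$2"
    mkdir -p "$outdir"
    fp_entry "$file" >> "$outdir/local.fp"
    ign2_entry "$SIGNAME" >> "$outdir/local.ign2"
}

# Usage: ./whitelist.sh /path/to/miq-host-cmd.exe [output-dir]
if [ $# -ge 1 ]; then
    write_whitelists "$1" "${2:-./clamav-whitelist}"
fi
```

After copying the generated files into the database directory, re-run the clamscan command shown above to confirm the warning is gone; the .ign2 entry alone suppresses the signature regardless of which embedded member triggered it, whereas the .fp entry applies only to the hashed file.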
