ClamAV Zip.Suspect.WinDoubleExtension-zippwd false positive on miq-host-cmd.exe


When scanning the file miq-host-cmd.exe as shipped in the mingw32-cfme-host package (part of Red Hat CloudForms), ClamAV may report that the file is infected with Zip.Suspect.WinDoubleExtension-zippwd. The signature Zip.Suspect.WinDoubleExtension-zippwd does not identify an actual virus; it is a behavioral signature indicating that a file has embedded compressed files. When clamscan is used to scan miq-host-cmd.exe, the following message (or similar) may be displayed:

$ clamscan -a miq-host-cmd.exe 
miq-host-cmd.exe!ZIP:lib/metadata/ScanProfile/modules/VmScanItemFile.rb!...!(2401)ZIP:lib/util/win32/miq-psd.ps1: Zip.Suspect.WinDoubleExtension-zippwd FOUND
miq-host-cmd.exe: Zip.Suspect.WinDoubleExtension-zippwd FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3517587
Engine version: 0.98.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 87.76 MB
Data read: 20.29 MB (ratio 4.32:1)
Time: 56.546 sec (0 m 56 s)

This warning can be safely ignored.

Workarounds

There are two workarounds that can be used to prevent ClamAV from triggering the Zip.Suspect.WinDoubleExtension-zippwd signature on the file miq-host-cmd.exe:

  • whitelist the file miq-host-cmd.exe
  • whitelist the rule Zip.Suspect.WinDoubleExtension-zippwd

Please see the ClamAV documentation "signatures.pdf" for specific information on how to create these whitelists and add them to the existing signature databases.
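The two whitelists named above correspond to two ClamAV database file types documented in signatures.pdf: a .fp file holds hash-based false-positive entries in the same MD5:filesize:name layout as .hdb, and a .ign2 file holds signature names to ignore, one per line. The following script is an added example, not part of this article or of ClamAV; it generates both entries for a given file and signature name. The sample bytes, the local.fp/local.ign2 file names and the helper names are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Signature name taken from the article; the file name is the article's binary.
SIGNATURE = "Zip.Suspect.WinDoubleExtension-zippwd"
FILE_NAME = "miq-host-cmd.exe"


def fp_entry_from_bytes(data: bytes, name: str) -> str:
    """Build a ClamAV .fp whitelist line (MD5:filesize:name) from file contents.

    The .fp format mirrors .hdb; a matching hash tells ClamAV the file is clean.
    """
    digest = hashlib.md5(data).hexdigest()
    return f"{digest}:{len(data)}:{name}"


def fp_entry(path: str, name: str) -> str:
    """Hash a file on disk in chunks and return its .fp line (same as sigtool --md5)."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
            size += len(chunk)
    return f"{h.hexdigest()}:{size}:{name}"


def ign2_entry(signature: str) -> str:
    """Build a ClamAV .ign2 line: the bare signature name to be ignored."""
    if not signature or any(c.isspace() for c in signature):
        raise ValueError("signature names contain no whitespace")
    return signature


def write_whitelists(dbdir: str, binary_path: str) -> tuple[str, str]:
    """Write local.fp and local.ign2 into dbdir and return their paths.

    Only one of the two is needed; the .fp entry is the narrower fix because it
    exempts a single known file, whereas .ign2 silences the signature everywhere.
    """
    fp_path = os.path.join(dbdir, "local.fp")
    ign2_path = os.path.join(dbdir, "local.ign2")
    with open(fp_path, "w") as f:
        f.write(fp_entry(binary_path, FILE_NAME) + "\n")
    with open(ign2_path, "w") as f:
        f.write(ign2_entry(SIGNATURE) + "\n")
    return fp_path, ign2_path


if __name__ == "__main__":
    # Constructed stand-in for the real binary; replace with the installed file.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, FILE_NAME)
        with open(sample, "wb") as f:
            f.write(b"MZ constructed sample, not the real miq-host-cmd.exe")
        for p in write_whitelists(tmp, sample):
            print(p, "->", open(p).read().strip())
```

Copy whichever file you choose into ClamAV's database directory (commonly /var/lib/clamav) so that clamscan and clamd load it alongside the official databases. An MD5 entry is tied to one exact build of miq-host-cmd.exe and must be regenerated whenever the mingw32-cfme-host package is updated, while a .ign2 entry disables the signature for every scanned file, so prefer the .fp approach where practical.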
