Win.Trojan.FileTouch-1 / FileTouch.exe -- False Positive?

Post by John96 » Wed 18 Jan 2017 8:05 pm

Hi All

I am not an experienced virus catcher... I am trying to decide if this is a false positive.

I am using a plugin for Lightroom 4 called rc_ExifMeta. I have been using this plugin for probably 4 years.

Suddenly, one of the files in the package is listed as a Trojan by ClamXav. rc_ExifMeta is a plugin for both Mac and PC. Obviously, it manipulates exif data in files and could legitimately have a use for FileTouch on the PC version, since FileTouch is used for changing creation dates, etc.

For sure, this plugin has not been touched or updated in maybe 4 years. It could be however that the version of the plugin (distributed at the beginning of 2013) distributed with the version of FileTouch was infected.

On the other hand, since I am on a Mac, I could probably just delete the file as it's not needed on the Mac.

Feedback?

Cheers, John

For the record, at the time of this posting I am using:
ClamXav 2.2.1 on 10.6.8 and 10.4.11
rc_ExifMeta 5.2
Virus definitions from 17.01.2017 (Previous versions did not find this problem, but I haven't run a scan in probably 6 months!)

Re: Win.Trojan.FileTouch-1 / FileTouch.exe -- False Positive

Post by alvarnell » Wed 18 Jan 2017 10:16 pm

I can't seem to get to Rob Cole's site to download the plugin at this time.

All indications are that this is not a False Positive from a detection standpoint, but there is some evidence that it is harmless, and certainly can't impact your Mac.

The signature was added to the ClamAV database on Sep 20, 2016.

It's looking for a file size of 16384 with an MD5 hash value of b1cd938565269af03767a54d6148dbb4, so the chances of some other file matching this are extremely unlikely.

VirusTotal shows that 7 of 57 Anti-Virus scanners (including ClamAV) believe FileTouch.exe to be malware, but voting for over two years has been that it's not.

"Win" in the infection name indicates that it is Windows only.

You can choose to ignore it (<Control>-click/<Right>-click on the entry in the ClamXav window and choose "Exclude From Future Scans") or try deleting filetouch.exe as long as you have a backup of the plugin.
-Al-
--
iMac(21.5-inch, Mid 2011) 2.8GHz Intel Core i7/OS X 10.10.5, 10.11.6, 10.12.6 & 10.13.6/ClamXAV v3.0.9 (7713)/0.100.2_01
iMac(Retina 5K, 27-inch, 2017) 4.2GHz Intel Core i7/macOS 10.12.6, 10.13.6 & 10.14.3/ClamXAV v3.0.9 (7713)/0.100.2_01
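
The size-plus-MD5 match described in the post above, as an added example that is not part of the original thread and is not ClamAV's own code. It assumes the signature is stored in ClamAV's `MD5:size:name` hash-signature layout; the signature line is reconstructed from the values quoted in the post, and the sample file is constructed.

```python
import hashlib
import os
import tempfile

# Reconstructed from the size and MD5 quoted in the post; the name is the
# detection name from the thread title. Layout assumed: MD5:size:name.
SIGNATURE = "b1cd938565269af03767a54d6148dbb4:16384:Win.Trojan.FileTouch-1"


def parse_hdb(line):
    """Split a hash-signature line into (md5_hex, size, name)."""
    md5_hex, size, name = line.strip().split(":")[:3]
    if len(md5_hex) != 32 or any(c not in "0123456789abcdefABCDEF" for c in md5_hex):
        raise ValueError("not an MD5 hex digest: %r" % md5_hex)
    return md5_hex.lower(), int(size), name


def matches(path, signature_line):
    """Return the detection name if the file matches the signature, else None."""
    want_md5, want_size, name = parse_hdb(signature_line)
    # Cheap check first: a file of a different length can never match.
    if os.path.getsize(path) != want_size:
        return None
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return name if digest.hexdigest() == want_md5 else None


def demo():
    """Constructed sample: a 16384-byte file that is NOT FileTouch.exe."""
    data = b"\x00" * 16384
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(data)
        # A constructed signature built from the sample's own hash.
        own_sig = hashlib.md5(data).hexdigest() + ":16384:Constructed.Test-1"
        # Same size as the real signature, different content: no match.
        return matches(path, SIGNATURE), matches(path, own_sig)


if __name__ == "__main__":
    print(demo())
```

The match identifies one exact file by its bytes; it does not analyse what the file does, which is why an identical copy shipped inside an old plugin is flagged as soon as the signature appears in the database.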

Re: Win.Trojan.FileTouch-1 / FileTouch.exe -- False Positive

Post by John96 » Sun 22 Jan 2017 8:29 pm

Al, thanks for the feedback. I start to understand how this works now. I am going to head over to VirusTotal and check this out!

Regarding Rob Cole, he seems to have quit updating his stuff around the middle of 2015. Since then nobody has heard from him. So, I could not discuss the topic with him.