ReadyNAS 314 - Fw 6.9.5 After last update of antivirus engine (Feb 24, 2019), i recive alert "System: Antivirus scanner found a threat (Doc.Malware.Sagent-6865733-0)" on every winword document with .doc ext stored on NAS. Is it a false positive?

Hi All, Just wanted to provide another update. I turned off sending emails in the ReadyNAS for virus infections for now to prevent the flow of files it thinks are infected coming to my mailbox. I also submitted a false positive report to ClamAV, using this link: https://www.clamav.net/reports/fp If you are experiencing this problem and verified it appears to be a false positive, you may want to do the same. It seems like that to me when 58 programs pass it as fine and only ClamAV says it is infected.

tecniciCaq wrote: Yesterday was released new Antivirus scanner definition updated 58.25372 and resolved exploit (not firmware) Certainly it was ClamAV's issue. Upgrading the firmware would trigger apt-get updates though, so it could have gotten the new definitions onto the NAS more quickly.

Hi Everyone, It looks like my issue may be resolved. It appears for me, a check is done for virus definition updates at 2:45pm PST on a daily basis. Yesterday at that time, a new virus definition file was installed, 58.25372, which appears to have resolved the false positive. Since that was installed I have not seen one entry in the logs for the Doc.Malware.Sagent-686733-0 malware. It looks like this should resolve the problem for those experiencing the issue. Unfortunately, there is no mechanism to force a check for an updated virus definition file and install it if there is one. That would be a nice addition and not have us wait for the system to do it on its own. Just think about an actual virus or malware infection and having to wait a day when a fix is available to stop an infultration. Not a good way to manage things.

Marc_V wrote: The issue with False positives is with ClamAV that is why it needs to be reported to their site. This is the issue that Netgear should fix (and I think is what 2Compute was meaning ) rph1 wrote: Unfortunately, there is no mechanism to force a check for an updated virus definition file and install it if there is one. In general, Netgear doesn't provide any controls for ClamAV other than "on" and off". Requests for more options have been on the idea exchange for a couple years now - they were posted immediately after Netgear switched to ClamAV and removed all the configuration controls. So far they've been ignored.

Hi TechniciCaq, I am getting the same thing on many of my Word doc files. I took one of them and uploaded it to VirusTotal. It was scanned by 59 different virus programs, including Symantec, AVG, Avast, McAfee, ZoneAlarm, TrendMicro, and a number of other well known names. It passed on all of them except for ClamAV, which I understand is used by the Netgear NAS. Mine is a ReadyNAS 2120 and now believe this is a false positive since it is hitting a lot of my files that have been on the device for some time, some for years, without detection and are not actively being used/updated. It would be nice to find out how to fix the problem, other than waiting for another antivirus update since it is filling up the logs and keeps sending me emails of them all. I suppose I can stop the alerts but then I potentially won't know about something else that might happen.

Antivirus alert: Doc.Malware.Sagent-6865733-0

12 Replies

Replies have been turned off for this discussion

rph1
Star
Feb 25, 2019
Hi TechniciCaq,

I am getting the same thing on many of my Word doc files. I took one of them and uploaded it to VirusTotal. It was scanned by 59 different virus programs, including Symantec, AVG, Avast, McAfee, ZoneAlarm, TrendMicro, and a number of other well known names. It passed on all of them except for ClamAV, which I understand is used by the Netgear NAS. Mine is a ReadyNAS 2120 and now believe this is a false positive since it is hitting a lot of my files that have been on the device for some time, some for years, without detection and are not actively being used/updated.

It would be nice to find out how to fix the problem, other than waiting for another antivirus update since it is filling up the logs and keeps sending me emails of them all. I suppose I can stop the alerts but then I potentially won't know about something else that might happen.
- rph1
  Star
  Feb 25, 2019
  Hi All,
  
  Just wanted to provide another update. I turned off sending emails in the ReadyNAS for virus infections for now to prevent the flow of files it thinks are infected coming to my mailbox. I also submitted a false positive report to ClamAV, using this link:
  
  https://www.clamav.net/reports/fp
  
  If you are experiencing this problem and verified it appears to be a false positive, you may want to do the same. It seems like that to me when 58 programs pass it as fine and only ClamAV says it is infected.
  - rph1
    Star
    Feb 26, 2019
    Hi All,
    
    Latest update, the virus definition file on my ReadyNAS was updated yesterday at 2:45pm PST to version 58.25371 but that did not make a difference. There are still a whole slew of entries in the log file indicating word docs are infected. I ran one of the new files it identified as malware through Virus Total and it passed all scanners, including ClamAV so at this point I assume my device just doesn't have the most recent file definitions that properly detects this. I will monitor the logs to see when the virus definition file gets updated and if the reports of this stop.

Forum Discussion

Antivirus alert: Doc.Malware.Sagent-6865733-0

12 Replies

Related Content

RN214 - Antivirus Definitions

Antivirus

Antivirus

Antivirus stopped updating

readynas antivirus

NETGEAR Academy

ProSupport for Business