On Thu, Sep 30, 2010 at 07:37, doh123 <wineforum-user@xxxxxxxxxx> wrote:
> Anyone wanna explain why ClamAV thinks Wine has a rootkit in it?
>
> It finds "mountmgr.sys" and "usbd.sys" as "BC.Heuristics.Rootkit.B"

They are replacements for standard Windows drivers that act differently from the normal versions (and miss the signatures of an authorized Microsoft version)? Which seems to match the definition of a rootkit.... (For Windows, an unsigned core driver is quite likely to be dangerous.)

The Wikipedia definition is:

A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.

Wine intentionally modifies the behaviour of the underlying system to make Windows programs run, so detecting it as a generic rootkit is probably accurate... (And it hides its presence from the applications that run under it.)

ClamAV probably assumes that a modified version of any Windows driver that can be used to hide disks / partitions / files is likely to be a rootkit (which it is, on Windows) and detects it as such?

(Rootkits can hide themselves by using virtualization and emulation techniques, which makes any emulation / virtualization software a potential suspect to an antivirus.)

(And since you can call hidden functionality in Wine (Unix syscalls, etc.) it might even meet the definition of a rootkit from a Windows application's point of view...)

Gert
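The point above about the flagged drivers missing a Microsoft signature can be checked mechanically rather than guessed at: an Authenticode signature is stored in the PE image's Certificate Table data directory (entry 4, IMAGE_DIRECTORY_ENTRY_SECURITY), which, unlike the other directories, holds a raw file offset to a WIN_CERTIFICATE structure wrapping the PKCS#7 blob. The script below is an added example and is not code from Wine, ClamAV or anyone in this thread. It parses only the headers, so it reports whether a signature block is present and sane, not whether the signature verifies; the sample images it runs on are constructed in-script with a placeholder payload standing in for real DER data, and the function and variable names are my own.

```python
import struct

# Index of the Certificate Table entry in the optional header's data directory.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
# WIN_CERTIFICATE.wCertificateType / wRevision values used by Authenticode.
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def authenticode_info(data: bytes) -> dict:
    """Report whether a PE image carries an embedded Authenticode certificate table.

    Only the presence and basic sanity of the WIN_CERTIFICATE header are checked;
    verifying the PKCS#7 signature and certificate chain is a separate step.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")

    coff = e_lfanew + 4                                    # COFF file header (20 bytes)
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                        # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        n_dirs_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return {"signed": False, "reason": "no Certificate Table directory entry"}

    # This directory entry is a file offset, not an RVA like the others.
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    if cert_off == 0 or cert_size == 0:
        return {"signed": False, "reason": "Certificate Table entry is empty"}
    if cert_size < 8 or cert_off + cert_size > len(data):
        return {"signed": False, "reason": "Certificate Table points outside the file"}

    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, then bCertificate[].
    length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if length < 8 or length > cert_size:
        return {"signed": False, "reason": "WIN_CERTIFICATE length inconsistent with table"}
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return {"signed": False, "reason": f"unexpected certificate type {cert_type:#x}"}
    return {
        "signed": True,
        "offset": cert_off,
        "size": cert_size,
        "revision": revision,
        "pkcs7": data[cert_off + 8:cert_off + length],   # DER SignedData, unverified
    }


def build_minimal_pe(with_cert: bool) -> bytes:
    """Constructed PE32+ image (headers only) used as sample input; not a real driver."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 112 + 8 * 16                        # PE32+ header, 16 directories
    # Machine=x64, 0 sections, SizeOfOptionalHeader, Characteristics=EXE|LARGE_ADDRESS_AWARE|DLL
    coff_header = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, size_of_optional, 0x2022)
    headers_len = e_lfanew + 4 + 20 + size_of_optional     # certificate table follows headers

    directories = [(0, 0)] * 16
    cert_table = b""
    if with_cert:
        payload = b"\x30\x82\x00\x00"                      # placeholder for PKCS#7 DER
        win_cert = struct.pack("<IHH", 8 + len(payload), WIN_CERT_REVISION_2_0,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        cert_table = win_cert + b"\0" * (-len(win_cert) % 8)   # entries are 8-byte aligned
        directories[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len, len(cert_table))

    optional = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * (108 - 2)
    optional += struct.pack("<I", 16)                      # NumberOfRvaAndSizes
    optional += b"".join(struct.pack("<II", off, size) for off, size in directories)
    assert len(optional) == size_of_optional
    return dos_header + b"PE\0\0" + coff_header + optional + cert_table


if __name__ == "__main__":
    for label, image in (("signed", build_minimal_pe(True)),
                         ("unsigned", build_minimal_pe(False)),
                         ("truncated", build_minimal_pe(True)[:-16])):
        print(label, authenticode_info(image))
```

Run it against a real driver with `authenticode_info(open("mountmgr.sys", "rb").read())` to see whether a certificate table exists at all. An absent table only tells you the binary is unsigned, which is what the message above infers; a present one still needs the PKCS#7 signature checked against the image hash and a trusted chain before it says anything about who built the file.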