Steam Deck

Dark2K3 Oct 21, 2024 @ 8:18pm
wbemprox.dll false positive
Hi,

The file in the Steam Deck directory /home/deck/.local/share/Steam/steamapps/common/Proton (Beta)/files/lib/wine/i386-windows/wbemprox.dll

is noticed by some virus scanners (virustotal.com)

Can someone check this with this file at virustotal?

Thanks.
Showing 1-9 of 9 comments
ReBoot Oct 21, 2024 @ 9:23pm 
What EXACTLY is the name of the "threat"? Something with "gen"? Maybe "heur"? You gotta provide a bit more detail.
Dark2K3 Oct 21, 2024 @ 10:28pm 
Threat categories: trojan, dropper

Antiy-AVL: Trojan/Win32.Agent
AVG: Win32:MalwareX-gen (Trj)
Bkav Pro: W32.AIDetectMalware
Google: Detected
Ikarus: Trojan.Dropper
Avast: Win32:MalwareX-gen (Trj)
Avira (no cloud): TR/Dropper.Gen
Elastic: Malicious (high Confidence)
Gridinsoft: Trojan.Win32.Agent.oa!s1
WithSecure: Trojan.TR/Dropper.Gen

Can someone please recheck this with the file wbemprox.dll?

/home/deck/.local/share/Steam/steamapps/common/Proton (Beta)/files/lib/wine/i386-windows/wbemprox.dll
Last edited by Dark2K3; Oct 21, 2024 @ 10:31pm
ReBoot Oct 21, 2024 @ 10:45pm 
This all reads generic as ♥♥♥♥. False-positives.
I got the same warning using ClamAV of Proton Experimental on my linux machine under the signature:
Win.Dropper.Malwarex-10037124-0

Only 11/73 scanners recognize it though so probably false positive?
VirusTotal Result[www.virustotal.com]
Last edited by Made of Magic And Wires; Nov 13, 2024 @ 3:58am
Plutopotamus Nov 15, 2024 @ 5:25pm 
Originally posted by Made of Magic And Wires:
I got the same warning using ClamAV of Proton Experimental on my linux machine under the signature:
Win.Dropper.Malwarex-10037124-0

Only 11/73 scanners recognize it though so probably false positive?
VirusTotal Result[www.virustotal.com]

Just wanted to mention I had the same results as you in Linux. How do we confirm this is a false positive, though? Is this something to do with Valve's new work towards creating a better anti-cheat solution? Anti-cheats can sometimes trigger false positives, right?
Last edited by Plutopotamus; Nov 15, 2024 @ 5:25pm
KEK Nov 15, 2024 @ 8:15pm 
Originally posted by Made of Magic And Wires:
I got the same warning using ClamAV of Proton Experimental on my linux machine under the signature:
Win.Dropper.Malwarex-10037124-0

Only 11/73 scanners recognize it though so probably false positive?
VirusTotal Result[www.virustotal.com]

Same results as well, but instead of "Win.Dropper.Malwarex-10037124-0" I got
"Win.Dropper.Malwarex-10037125-0"

23/73 scanners got it, false positives, nothing to worry about.
ReBoot Nov 15, 2024 @ 8:52pm 
Originally posted by Plutopotamus:
Originally posted by Made of Magic And Wires:
I got the same warning using ClamAV of Proton Experimental on my linux machine under the signature:
Win.Dropper.Malwarex-10037124-0

Only 11/73 scanners recognize it though so probably false positive?
VirusTotal Result[www.virustotal.com]

Just wanted to mention I had the same results as you in Linux. How do we confirm this is a false positive, though? Is this something to do with Valve's new work towards creating a better anti-cheat solution? Anti-cheats can sometimes trigger false positives, right?
You use
1. Your understanding of the matter and
2. Basic logic

There's no hard criterion for false-positives (if there was, there wouldn't be any false-positives).

Speaking of logic, this has got nothing to do with Valve's anti-cheat measures. No causal connection. There's a connection through a basic principle of "attempting to detect something bad".
Originally posted by Plutopotamus:
Originally posted by Made of Magic And Wires:
I got the same warning using ClamAV of Proton Experimental on my linux machine under the signature:
Win.Dropper.Malwarex-10037124-0

Only 11/73 scanners recognize it though so probably false positive?
VirusTotal Result[www.virustotal.com]

Just wanted to mention I had the same results as you in Linux. How do we confirm this is a false positive, though? Is this something to do with Valve's new work towards creating a better anti-cheat solution? Anti-cheats can sometimes trigger false positives, right?

For clamav specifically, you can try to find out why certain files were flagged[docs.clamav.net] by looking into the signature and what conditions trigger it.

For this signature you would run `sigtool --find-sigs 'Win.Dropper.Malwarex-10037125-0' | sigtool --decode-sigs` which for me spits out the following information:

VIRUS NAME: Win.Dropper.Malwarex-10037125-0
TDB: Engine:51-255,Target:1
LOGICAL EXPRESSION: (0|1)&(2&3&4)
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
CreateProcessW ret %d, GetLastError() %lu
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
ProcessStartupInformation is not implemented, vt_type %u, type %lu, val %p
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
.text$get_processor_manufacturer.constprop.0
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
.text$wbem_services_ExecQueryAsync
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
_wbem_services_ExecQueryAsync@24

Now this isn't particularly helpful since I'm not very familiar with the syntax, but at a glance it does at least tell me this signature matches logical patterns rather than looking for specific file signatures of known viruses.

So it casts a wider net, in the hope of flagging possibly malicious programming practices that could be possibly dangerous which, in my mind, is more likely to produce false positives.

Some programming practices might be malicious in one context and perfectly valid in another, or just a straight up bug. Hard to know without really digging into this and analyzing the actual code and learning clamav's signature syntax[docs.clamav.net] but TL;DR false positive is definitely possible, more than if clamav was just comparing files against a specific known malware hash.
Last edited by Made of Magic And Wires; Nov 24, 2024 @ 7:54am
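The decoded signature above can be replayed by hand to see exactly what it keys on. This is an added Python example, not ClamAV code and not from anyone in the thread: it takes the five plain-string subsignatures and the logical expression from the post, tests them against constructed byte blobs (a made-up stand-in for a Wine build that carries its own symbol names, and one that only carries the two message strings), and evaluates the expression. Only the id / `&` / `|` / parentheses subset of ClamAV's expression syntax is supported; count operators are left out on purpose.

```python
import re

# Subsignatures as decoded by `sigtool --decode-sigs` in the post
# (ClamAV logical signature Win.Dropper.Malwarex-10037125-0).
SUBSIGS = {
    0: b"CreateProcessW ret %d, GetLastError() %lu",
    1: b"ProcessStartupInformation is not implemented, vt_type %u, type %lu, val %p",
    2: b".text$get_processor_manufacturer.constprop.0",
    3: b".text$wbem_services_ExecQueryAsync",
    4: b"_wbem_services_ExecQueryAsync@24",
}
LOGICAL_EXPRESSION = "(0|1)&(2&3&4)"

# Constructed sample inputs, not real file contents. The first mimics an
# unstripped Wine wbemprox.dll that carries all five strings; the second
# carries only the two format strings (subsigs 0 and 1).
WINE_LIKE_BLOB = b"MZ\x90\x00" + b"\x00".join(SUBSIGS.values()) + b"\x00"
PARTIAL_BLOB = b"MZ\x90\x00" + SUBSIGS[0] + b"\x00" + SUBSIGS[1] + b"\x00"


def match_subsigs(data: bytes) -> dict:
    """OFFSET: ANY and SIGMOD: NONE reduce each subsig to a substring test."""
    return {sid: pattern in data for sid, pattern in SUBSIGS.items()}


def evaluate(expression: str, hits: dict) -> bool:
    """Evaluate ids, '&', '|' and parentheses; '&' binds tighter than '|'
    (an assumption here; the post's expression is fully parenthesized)."""
    tokens = re.findall(r"\d+|[&|()]", expression)
    if "".join(tokens) != expression:
        raise ValueError(f"unsupported syntax in {expression!r}")
    pos = 0

    def parse_or():                      # or := and ('|' and)*
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            value = parse_and() or value  # always consume the right operand
        return value

    def parse_and():                     # and := atom ('&' atom)*
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            value = parse_atom() and value
        return value

    def parse_atom():                    # atom := id | '(' or ')'
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = parse_or()
            pos += 1                     # consume the closing ')'
            return value
        return hits[int(tok)]

    return parse_or()


def scan(data: bytes) -> bool:
    """True when the logical signature would fire on this blob."""
    return evaluate(LOGICAL_EXPRESSION, match_subsigs(data))
```

Because every subsignature is a literal string that a genuine Wine build legitimately contains (two Wine debug messages plus Wine's own function symbols), the expression is satisfied by benign wbemprox.dll bytes, which is why the co-occurrence heuristic fires on Proton.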
Mahjik Nov 24, 2024 @ 10:30am 
These A/V solutions aren't always right and it also depends on "intent" or "usage". For example, most of them will flag the Torrent protocol as bad since it was used in the past by bad actors. However, there are a lot of open source tools that use Torrent as a protocol. The usage of the protocol isn't bad, but some of those used to get flagged. I say used to as when Torrent started getting included in some browsers, A/Vs stopped reporting Torrent as bad but that's just an example of how a "thing" can get flagged even though its actual usage is not "bad".

I would put too much effort into this. If you are wondering "how do you know for sure", security teams would put the file(s) into a safe container, run it and see what it does. If it does nothing bad, they know it's a false positive.

Date Posted: Oct 21, 2024 @ 8:18pm
Posts: 9