[Wine] ClamAV thinks Wine contains a rootkit?

Gert van den Berg wine-users at mohag.net
Thu Sep 30 11:36:14 CDT 2010


On Thu, Sep 30, 2010 at 07:37, doh123 <wineforum-user at winehq.org> wrote:
> Anyone wanna explain why ClamAV thinks Wine has a rootkit in it?
>
> It finds "mountmgr.sys" and "usbd.sys" as "BC.Heuristics.Rootkit.B"
>
They are replacements for standard Windows drivers that act differently
than the normal versions (and lack the signatures of an authorized
Microsoft version)? Which seems to match the definition of a
rootkit.... (For Windows an unsigned core driver is quite likely to be
dangerous)

The Wikipedia definition is: A rootkit is software that enables
continued privileged access to a computer, while actively hiding its
presence from administrators by subverting standard operating system
functionality or other applications.

Wine intentionally modifies the behaviour of the underlying
system to make Windows programs run, so detecting it as a generic
rootkit is probably accurate... (And it hides its presence from the
applications that run under it)

ClamAV probably assumes that a modified version of any Windows driver
that can be used to hide disks / partitions / files is likely to be a
rootkit (which it is, on Windows) and detects it as such?

(Rootkits can hide themselves by using virtualization and emulation
techniques, which makes any emulation / virtualization software a
potential suspect to an antivirus)

(And since you can call hidden functionality in Wine (Unix syscalls,
etc.) it might even meet the definition of a rootkit from a Windows
application's point of view...)

Gert
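The point Gert makes above is that the flagged files are unsigned stand-ins for Windows drivers. As an added example (not part of this thread, and not code from Wine or ClamAV): a Python script that takes clamscan output, keeps the FOUND lines, and for each hit checks whether the file is a PE image, whether it carries an Authenticode certificate table (the signature a genuine Microsoft driver would have), and whether it contains a placeholder marker. The sample scan output, the header-only PE images and the marker string "Wine placeholder DLL" (assumed to be what Wine writes into its stub drivers) are constructed for this example.

```python
import struct

# Constructed sample clamscan output (not real output from the thread); the
# detection name and file names are the ones the thread mentions.
SAMPLE_CLAMSCAN_OUTPUT = """\
/home/user/.wine/drive_c/windows/system32/drivers/mountmgr.sys: BC.Heuristics.Rootkit.B FOUND
/home/user/.wine/drive_c/windows/system32/drivers/usbd.sys: BC.Heuristics.Rootkit.B FOUND
/home/user/.wine/drive_c/windows/system32/kernel32.dll: OK

----------- SCAN SUMMARY -----------
Infected files: 2
"""

# Assumption: marker string Wine writes into its placeholder DLL/driver stubs.
WINE_PLACEHOLDER_MARKER = b"Wine placeholder DLL"

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Authenticode certificate table


def parse_clamscan(output):
    """Return [(path, detection_name)] for every 'FOUND' line of clamscan output."""
    hits = []
    for line in output.splitlines():
        if not line.endswith(" FOUND"):
            continue
        path, _, name = line[: -len(" FOUND")].rpartition(": ")
        hits.append((path, name))
    return hits


def is_heuristic(detection_name):
    """ClamAV names its heuristic (non-exact) detections with a 'Heuristics' component."""
    return ".Heuristics." in detection_name or detection_name.startswith("Heuristics.")


def pe_security_directory(data):
    """Return (offset, size) of a PE image's certificate table, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 4 + 20            # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                 # PE32: data directories start at offset 96
            dirs = opt + 96
        elif magic == 0x20B:               # PE32+: data directories start at offset 112
            dirs = opt + 112
        else:
            return None
        return struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    except struct.error:
        return None


def has_authenticode(data):
    """True if the PE carries a non-empty certificate table (Authenticode-signed)."""
    entry = pe_security_directory(data)
    return entry is not None and entry[1] > 0


def looks_like_wine_stub(data):
    """True if the assumed Wine placeholder marker appears anywhere in the file."""
    return WINE_PLACEHOLDER_MARKER in data


def triage(clamscan_output, files):
    """Classify each FOUND hit; `files` maps path -> bytes so the check runs offline."""
    report = []
    for path, name in parse_clamscan(clamscan_output):
        data = files.get(path, b"")
        report.append({
            "path": path,
            "detection": name,
            "heuristic": is_heuristic(name),
            "is_pe": pe_security_directory(data) is not None,
            "authenticode": has_authenticode(data),
            "wine_stub": looks_like_wine_stub(data),
        })
    return report


def build_fake_pe(signed, pe32plus=False, marker=b""):
    """Construct a minimal header-only PE image (not loadable) to exercise the checks."""
    marker = bytes(marker)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(marker))   # e_lfanew points past marker
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    if signed:
        dirs = 112 if pe32plus else 96
        struct.pack_into("<II", opt, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    return bytes(dos) + marker + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Demo with constructed files; for real use, read the flagged paths from disk.
    paths = [p for p, _ in parse_clamscan(SAMPLE_CLAMSCAN_OUTPUT)]
    files = {paths[0]: build_fake_pe(False, marker=WINE_PLACEHOLDER_MARKER),
             paths[1]: build_fake_pe(True, pe32plus=True)}
    for row in triage(SAMPLE_CLAMSCAN_OUTPUT, files):
        print(row)
```

A hit that is a heuristic detection on an unsigned PE carrying the placeholder marker is consistent with Gert's explanation; a hit on a file that is not a PE, or a PE that is signed by someone other than Wine's placeholder, is worth a closer look rather than an exclusion rule.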
