ClamWin Free Antivirus
Support and Discussion Forums
Microsoft Security Essentials detected ClamWin Temp item
davehatpec


Joined: 01 Feb 2017
Posts: 4
Been running a ClamWin scan since this morning, I come back and MSSE says one of its temp files is infected with Win32/Hadsruda!bit

https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Program%3aWin32%2fHadsruda!bit&threatid=213971&enterprise=0

[img]http://imgur.com/a/qDIi1[/img]

Is this just because ClamWin stuck a scanned infected file there and MSSE noticed it?
GuitarBob


Joined: 09 Jul 2006
Posts: 4216
Location: USA
ClamWin uses temporary files during scanning. If another AV detects something in a ClamWin temp file while ClamWin is scanning, it might be detecting either a file being scanned or a virus signature being used in the scan. This happens occasionally. To prevent this, I exclude the clamwin.tmp files from Security Essentials' scans. I also exclude every .exe file in the ClamWin\bin folder from Security Essentials' scans as processes that are not to be scanned. I also exclude the ClamWin\data folders for quarantine and db (database signatures). MSSE and ClamWin work pretty well together if you do this.

Thanks for using ClamWin!

Regards,
davehatpec


Joined: 01 Feb 2017
Posts: 4
Thanks, I'll look into that.

I noticed possibly a bug while trying to read ClamWin's scan log:

[img]http://imgur.com/a/qDIi1[/img]

Why is the path of the first virus found chopped off at the beginning? It just says oogle\Chrome\User Data\Default\Cache\f_000885: Swf.Exploit.CVE_2016_7874-5351170-0 FOUND

Why is it doing that?
GuitarBob


Joined: 09 Jul 2006
Posts: 4216
Location: USA
If there is really a preceding G in the address, it is probably a bug or it exceeds a size limit--in which case it would probably truncate the last item instead of the first.

We'll mention this to the developers.

Regards,
davehatpec


Joined: 01 Feb 2017
Posts: 4
GuitarBob wrote:
If there is really a preceding G in the address, it is probably a bug or it exceeds a size limit--in which case it would probably truncate the last item instead of the first.

We'll mention this to the developers.

Regards,


So this now pops up every week (probably due to some false flag in ClamWin), and here's the actual result from MSSE:

The folder it's found in is Temp, which I don't want to ignore, and the file found is *.clamtmp, so do I just put that into MSSE ignore?

C:\Users\Dave\AppData\Local\Temp\clamav-94f9ffc5ea99828290b18ad8a9c7b7f6.000001e4.clamtmp

[img]http://imgur.com/a/qDIi1[/img] --> I don't know why clicking Img button in the editor doesn't parse the [img ] tag
GuitarBob


Joined: 09 Jul 2006
Posts: 4216
Location: USA
Just put clamtmp in Security Essentials' settings as a file type to ignore. That's what I do, and I'm never bothered. Also exclude the ClamWin quarantine and DB folders as folders for SE to ignore.

Regards,
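
Added example, not part of the thread and not ClamWin code: a Python helper that parses ClamAV-style `path: signature FOUND` log lines like the one quoted above and flags detections whose path is not absolute (the truncated `oogle\Chrome\...` case), plus a name check for the temp file MSSE reported. The temp-file pattern is an assumption generalised from the single filename in the thread, and the sample log is constructed.

```python
import re
from ntpath import isabs  # Windows path semantics on any host OS

# ClamAV-style detection line: "<path>: <signature> FOUND". Windows paths
# contain ':' after the drive letter, so the greedy path group makes the
# match anchor on the last ": " before the signature.
DETECTION = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")

# Assumption: naming generalised from the one filename in the thread,
# clamav-<32 hex>.<8 hex>.clamtmp
CLAMTMP = re.compile(r"(?:^|[\\/])clamav-[0-9a-f]{32}\.[0-9a-f]{8}\.clamtmp$", re.I)

# Constructed sample log; only the "oogle\..." line is quoted from the thread.
SAMPLE_LOG = r"""
Scan Started Wed Feb  1 09:12:44 2017
oogle\Chrome\User Data\Default\Cache\f_000885: Swf.Exploit.CVE_2016_7874-5351170-0 FOUND
C:\Users\Dave\Downloads\sample.bin: Constructed.Test.Signature-0 FOUND
C:\Users\Dave\Documents\notes.txt: OK
"""

def parse_detections(log_text):
    """Return one dict per FOUND line; 'truncated' marks non-absolute paths."""
    results = []
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue  # header, OK line or summary
        path = m.group("path")
        results.append({
            "path": path,
            "signature": m.group("sig"),
            "truncated": not isabs(path),  # no drive letter or UNC prefix
        })
    return results

def is_clamav_temp(path):
    """True if the file name matches the scanner temp-file pattern.
    This identifies the name only and says nothing about the content."""
    return bool(CLAMTMP.search(path))

if __name__ == "__main__":
    for d in parse_detections(SAMPLE_LOG):
        flag = "TRUNCATED PATH" if d["truncated"] else "ok"
        print(f'{d["signature"]:45} {flag:15} {d["path"]}')
```
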