ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
clamwin is scanning its own quarantine files
stib


Joined: 13 Feb 2007
Posts: 7
Reply with quote
and of course when it finds infected files in its quarantine folder it moves them to.. its quarantine folder. So if I start with one infected file, next time I scan I have two, the next time four, then next time eight and so on. One year later (doing a weekly scan) I have 4503599627370496 infected files (2^52), if I haven't done anything about them. Could be a problem yes?

It's easy to fix, you just add the quarantine folder or infected* to the filters list. In the interests of making the programme easier for the average luser, shouldn't that be the default behaviour?
View user's profileSend private message
budtse


Joined: 14 Jan 2006
Posts: 372
Location: Belgium
Reply with quote
When you have files in the quarantine folder, you should do something about it. You can upload the file to www.virustotal.com and check it against different scanners.

If you have reason to believe it is a false positive, you should report it to the clamav team and they will fix it. In the mean time you could move the file back to it's original location.

If it is a virus, you should remove it. Even though the quarantine folder should be pretty save, it's still a part of your system, and you shouldn't keep infected files on your system.

If you want to have easy notification of infected items (so you don't have to check the report after each scan), you can enable the email notifications.

regards,
budtse
View user's profileSend private message
stib


Joined: 13 Feb 2007
Posts: 7
Reply with quote
True, but some of us folks are busy with other stuff apart from picking at our quarantine files. Since Clamwin isn't exactly the most proactive scanner - it doesn't get in your face and actively alert you to infected files, it's easy to just ignore the logs and click the "whatever" button. In my experience 90% of my quarantined files are false positives, so I don't delete them too hastily. So if I'm busy working on something, putzing round on the internet finding out if foobar.bar is a virus or a legitimate operating system file is not top of the to-do list. It can sit in the sin-bin until either I get a "this program can not run because foobar.bar was not found" error, or I have a spare moment to sort it.

I'm posting this because it makes the program less user friendly; it is a setting that needs to be altered in a standard out of the box install, or Bad Things Might Happen.

..and surely making duplicates of infected files is not good behaviour for an anti virus application?
View user's profileSend private message
Quarantine
GuitarBob


Joined: 09 Jul 2006
Posts: 4388
Location: USA
Reply with quote
Perhaps in the future ClamWin could have an additional selection with Quarantine to Ignore Quarantine Files from scans or perhaps this could be a default. Most of the other antivirus software seems to exclude it--or perhaps they "cripple" the quarantined files in some manner so they are no longer recognized as malware.

Regards,
View user's profileSend private message
stib


Joined: 13 Feb 2007
Posts: 7
Reply with quote
yeah, I was thinking, wouldn't encrypting the quarantined files so you need a password to open them be a good way of stopping them being accidentally activated?
View user's profileSend private message
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Reply with quote
yes and that is how quarantine works in version 1, which is in it's final stages of development.
View user's profileSend private message
marcoscott


Joined: 27 Nov 2017
Posts: 1
Reply with quote
How to set the brightness and contrast at scanning?


Last edited by marcoscott on Fri Dec 01, 2017 6:13 am; edited 3 times in total
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4388
Location: USA
Reply with quote
There is no such setting in the ClamWin program itself. You might try adjusting your hardware/graphics/monitor settings to see if you can get something to suit you.

Regards,
View user's profileSend private message
This action has no effect that are already quarantined
orynider


Joined: 01 Jan 2018
Posts: 2
Location: Arad, Romania
Reply with quote
Hi,

I dont know watever this is a feature or a bug to append ".infected" to a file every time you do a new scan. Smile

If the directory scanned is same as the directory for "quarantine" then we should display a message such us "This action has no effect on the file(s) that are already quarantined".
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4388
Location: USA
Reply with quote
The developers have set up ClamWin to put an "infected" term on the end of each file that is quarantined. This serves 2 purposes: it prevents the file from being executed and it brings the file to someone's attention. There is also a text file created alongside the quarantined file to enable the Qrestore program to restore the file if it is needed.

I used to think that ClamWin did not scan the quarantine folder, but I have seen this happen a few times. If this bothers you, I suggest that you whitelist (exclude) the quarantine folder from future scans. You can whitelist/exclude the quarantine folder via the ClamWin preferences menu. Use c:\ProgramData\.clamwin\quarantine\* as the folder to exclude.

Thanks for using ClamWin! Please remember that you should use a real-time scanner for your first line of antivirus defense and keep ClamWin as a backup, second opinion scanner.

Regards,
View user's profileSend private message
oldyellr


Joined: 16 Nov 2018
Posts: 2
Reply with quote
The reason I came here is that I was disturbed that ClamWin was finding 24 infected files every week and since I don't hardly use that XP desktop computer for the web, I was wondering if it was scanning the quarantined folder. What I'm reading here now is that that's indeed the case.

So here are my questions:

1. Why isn't there an option to delete quarantined files like there is in just about every other virus scanner?

2. Can I just go directly to the quarantine folder and delete the files manually? Will ClamWin then still find them in my Recycle Bin?

3. I see the option to remove infected files in Preferences says "Use Carefully". I presume that's in case ClamWin falsely determines a necessary file is infected. But since I've seen the same 24 files reported as infected and quarantined for the last several weeks, and I haven't noticed any unusual problems with the computer, I should assume the quarantined files can be safely deleted. Would I be correct?
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4388
Location: USA
Reply with quote
ClamWin will detect quarantined files if you scan your quarantine folder and you have not configured it to only scan certain files--like those that are more likely to be attacked by viruses. Infected files are placed in quarantine with a .infected extension placed after the real extension (.exe, .doc, .html, etc.) so they can not be executed and do anything harmful. However, if you scan a file by itself, it will scan it --no matter what the extension is.

You can configure ClamWin's Tools, Preferences, Filters, Exclude Matching Filenames to exclude the quarantine folder from being scanned by adding C:\ProgramData\.clamwin\quarantine there. However, as mentioned above, ClamWin will scan any file if you select just it to be scanned.

As you thought, you can manually delete files from the quarantine folder if there have been no problems with your computer during the time they have been quarantined.. You can also delete them/restore them via the QRecover.exe little utility program in the ClamWin program/bin folder--I keep a shortcut to it on my desktop. ClamWin is also programed to prevent most important system files from being quarantined due to a "false positive" detection.

You should not normally have to scan the quarantine folder.

The folders that are most likely to harbor viruses are: AppData, Windows System32, and C:\Windows\SysWOW64, as well as memory if you have an ongoing infection.

The extensions that are most likely to harbor viruses in those folders are: bat, cab, chm, class, cmd, com, cpl, dll, doc, docx, exe, hta, htm, html, inf, jar, js, Lnk, msi, ocx, pdf, pif, ps1, rar, rtf, scr, tmp, vb, vbs, xls, xlsx, and zip. It will speed up your scans if you configure ClamWin to scan for these extensions.

Also...if you use a computer frequently, you should use ClamWin as a backup scanner to a real-time scanner, as suggested by the ClamWin developers.

Thanks for using ClamWin!

Regards,
View user's profileSend private message
oldyellr


Joined: 16 Nov 2018
Posts: 2
Reply with quote
So if I go to Tools > Preferences > Filters and add "*.infected" to excluded filenames, I won't have those come up as new infected files in subsequent scans until I decide what to do with them? Sounds like a plan.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4388
Location: USA
Reply with quote
Yes, you can do that. However, you could also exclude the Quarantine folder when ClamWin scans multiple folders.

You can check files on Virus Total's website with 60 or so other AVs to see what they think.

Regards,
View user's profileSend private message
clamwin is scanning its own quarantine files
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic