ClamWin Free Antivirus
Support and Discussion Forums
Can I somehow specify "--detect-broken" in ClamWin
russelljohnson


Joined: 01 Apr 2006
Posts: 2
Online virus scans from BitDefender, Kaspersky, McAfee, and Panda identified file C:\WINDOWS\SYSTEM32\TFTP4044 on my PC as a W32/Blaster.worm.a.
(Norton did not.)

I tried submitting the file to the ClamWin database, but was told that it was already in the database as a "broken executable". What exactly is that?

clamscan.exe successfully detected this "broken executable" when I ran it from either a batch file or the command line, when I specified (as shown in clamscan --help):

--detect-broken Try to detect broken executable files

as in:

clamscan.exe --quiet --bell --detect-broken --recursive --database="C:\Documents and Settings\All Users\.clamwin\db" --tempdir="\ClamWin\tmp" %1

Can I somehow specify to use "--detect-broken" in my ClamWin.conf file? If so, how?

The "Example config file for the Clam AV daemon" at http://www.sosdg.org/clamav-win32/clamd.conf (and elsewhere) has the following:

# With this option clamav will try to detect broken executables and mark
# them as Broken.Executable
# Default: no
#DetectBrokenExecutables yes

but apparently ClamWin.conf uses a different format.

Thank you for any information you can provide.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
broken executable is a file with damaged executable header and most likely it will not run anyway (don't try on a live system though)

clamd.conf is for clamav background service (daemon) which is not part of clamwin.

I will add --detect-broken to clamwin's options (beta will be released soon)
russelljohnson


Joined: 01 Apr 2006
Posts: 2
Thank you for the clear, concise explanation of the term "broken executable".

I just looked at the parent directory of the clamd.conf file I referenced, and it looks like this particular one is for ClamAV for Win32 -- which is apparently a command-line only Cygwin interface to ClamAV.

Thank you for putting addition of the "--detect-broken" option into clamwin's options in your plans. I appreciate that.

With that, and with the ClamWin Antivirus Glue for Firefox (https://addons.mozilla.org/extensions/moreinfo.php?application=firefox&category=Privacy%20and%20Security&id=771), I may ultimately be able to eliminate my need for a commercial antivirus program.

Thank you.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Quote:

broken executable is a file with damaged executable header and most likely it will not run anyway (don't try on a live system though)


actually broken-executable in clamav is slightly broader than just damaged exe header. Basically any file that does not have proper PE (Portable Executable) file structure, more info here:
http://win32assembly.online.fr/pe-tut1.html

It can be a file that hasn't been fully downloaded or damaged in transit, etc. It is unlikely that Windows will execute such a file
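The "broken executable" idea described in the replies above (a file that lacks a proper PE structure, for example a partial download), shown as an added example that is not part of the thread and is not ClamAV's actual detection logic. The function names and the sample file are constructed for illustration; the check covers only the basic PE layout.

```python
import struct

def pe_structure_problems(data: bytes) -> list:
    """Return structural problems found; an empty list means the layout is consistent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["no DOS (MZ) header"]
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of the PE header
    if e_lfanew + 24 > len(data):
        return ["PE header offset points past end of file"]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["missing PE signature"]
    # The 20-byte COFF header follows the 4-byte signature.
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt_start = e_lfanew + 24
    table = opt_start + opt_size  # section table starts after the optional header
    if opt_size < 2 or table > len(data):
        return ["optional header missing or truncated"]
    problems = []
    (magic,) = struct.unpack_from("<H", data, opt_start)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        problems.append("unknown optional header magic")
    if table + 40 * num_sections > len(data):
        return problems + ["section table truncated"]
    for i in range(num_sections):
        off = table + 40 * i  # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        if raw_size and raw_ptr + raw_size > len(data):
            problems.append(f"section {name} raw data runs past end of file")
    return problems

def build_sample() -> bytes:
    """Constructed minimal PE32 skeleton (not a working program) with one .text section."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers.ljust(0x200, b"\0") + b"\x90" * 0x200

if __name__ == "__main__":
    sample = build_sample()
    print(pe_structure_problems(sample))          # complete file
    print(pe_structure_problems(sample[:0x300]))  # simulated partial download
```
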