ClamWin Free Antivirus
Support and Discussion Forums
Virus in daily.ndb?
dspadrino


Joined: 21 Jul 2007
Posts: 2
My McAfee VirusScan console has now detected, three times in a night, a virus in what I believe to be my ClamWin update files.

The files are always something like this:
C:\Documents and Settings\David\Local Settings\Temp\clamav-3bc03469743d9147e762562dd2967bb7.00001738.clamtmp\daily.ndb
(only with different numbers, etc)

It says that the problem is a virus called "New Script.C"

This is the meager information McAfee offers on what it claims to be finding:
http://vil.nai.com/vil/content/v_119649.htm

Can anyone help me understand this? Are these indeed my ClamWin update files, and what could be going wrong? Is McAfee suddenly incompatible with ClamWin, or is there a real problem coming from somewhere else?

If it makes any difference, I suspect that the problem may have to do with the ClamWin autoscanner I have built in to my Firefox downloader... the last time at least, I know for sure, the virus alert popped up right when that autoscanner was going.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Most likely it is a false positive in McAfee. You can safely remove this temp file, it shouldn't be there anyway - most likely left over after an aborted virus db update.
dspadrino


Joined: 21 Jul 2007
Posts: 2
Alright. Thanks a lot for your input. I appreciate it. Things seem to be fine today.
getting the same new script.c message
lee


Joined: 21 Jul 2007
Posts: 4
I am getting the same New Script.c message. It started yesterday. And my ClamWin will no longer run. It states it cannot open the file. I have uninstalled and reinstalled ClamWin but still no luck. Is your machine running fine now?
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Paste the logs please.
jel123


Joined: 25 Jul 2007
Posts: 3
I'm seeing the same thing: 'New Script.c' virus report from McAfee when ClamWin tries to run a scan.
Saw this for the first time today with clamwin-0.90.2.1. Spent most of the afternoon searching for an answer. Have done an uninstall and fresh install of clamwin-0.91.1.

This is what the log looks like on failure;
Code:
Scan Started Wed Jul 25 17:19:59 2007
-------------------------------------------------------------------------------

ERROR: Unable to open file or directory

----------- SCAN SUMMARY -----------
Known viruses: 5978
Engine version: 0.91.1
Scanned directories: 0
Scanned files: 0
Skipped non-executable files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 0.063 sec (0 m 0 s)


And with McAfee virus scan turned off - the scan works;

Code:
Scan Started Wed Jul 25 17:21:00 2007
-------------------------------------------------------------------------------

 *** Scanning Programs in Computer Memory ***


 *** Scanned 60 processes - 663 modules ***
 *** Computer Memory Scan Completed ***


----------- SCAN SUMMARY -----------
Known viruses: 140290
Engine version: 0.91.1
Scanned directories: 3
Scanned files: 724
Skipped non-executable files: 0
Infected files: 0
Data scanned: 334.10 MB
Time: 183.328 sec (3 m 3 s)
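The two reports in the post above differ in three ways that can be checked automatically: the error line, the zero file count, and the much lower "Known viruses" figure. The following is an added example, not part of the thread and not ClamWin code; the function names and the 0.5 threshold are assumptions, and the sample log is constructed from the reports quoted above.

```python
import re

# Constructed sample: the two ClamWin reports quoted above, abbreviated.
SAMPLE_LOG = """\
Scan Started Wed Jul 25 17:19:59 2007
ERROR: Unable to open file or directory
----------- SCAN SUMMARY -----------
Known viruses: 5978
Scanned files: 0
Scan Started Wed Jul 25 17:21:00 2007
 *** Scanned 60 processes - 663 modules ***
----------- SCAN SUMMARY -----------
Known viruses: 140290
Scanned files: 724
"""

def parse_reports(text):
    """Return one dict per 'Scan Started' report found in a ClamWin log."""
    reports = []
    for chunk in re.findall(r"(?ms)^Scan Started .*?(?=^Scan Started |\Z)", text):
        fields = dict(re.findall(r"(?m)^([A-Za-z][A-Za-z -]*): (\S+)", chunk))
        reports.append({
            "started": chunk.splitlines()[0][len("Scan Started "):],
            "error": "ERROR" in fields,
            "signatures": int(fields.get("Known viruses", 0)),
            "files": int(fields.get("Scanned files", 0)),
        })
    return reports

def flag_incomplete_scans(reports, min_ratio=0.5):
    """Flag runs that errored, scanned nothing, or loaded under min_ratio of
    the best signature count in the log (min_ratio is an assumed threshold)."""
    best = max((r["signatures"] for r in reports), default=0)
    flagged = []
    for r in reports:
        reasons = []
        if r["error"]:
            reasons.append("scanner reported an error")
        if r["files"] == 0:
            reasons.append("no files scanned")
        if r["signatures"] < best * min_ratio:
            reasons.append(f"{r['signatures']} signatures loaded vs {best}")
        if reasons:
            flagged.append((r["started"], reasons))
    return flagged

if __name__ == "__main__":
    for started, reasons in flag_incomplete_scans(parse_reports(SAMPLE_LOG)):
        print(started, "->", "; ".join(reasons))
```

A run flagged for all three reasons right after a database update matches the pattern described in this thread, where another on-access scanner interferes with the unpacked signature files.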
jel123


Joined: 25 Jul 2007
Posts: 3
Well, this went on for a few days;

1) McAfee virus scan would complain about ...\Local Settings\Temp\clamav-*.clamtmp\daily.ndb being infected by the 'New Script.c' virus every time ClamWin (unsuccessfully) ran. The virus could not be "cleaned" probably because the directory did not exist (ClamWin had already deleted it?).

2) A full disk scan by McAfee would find daily.ndb (didn't record the location but probably in ...\.clamwin\db\daily.inc) and successfully deleted it.

3) ClamWin would work again until the next Database Update then 'New Script.c' pop-ups would start again.

This cycle stopped on about the 27th or 28th without making any changes to the setup.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
jel123 wrote:
Well, this went on for a few days;

1) McAfee virus scan would complain about ...\Local Settings\Temp\clamav-*.clamtmp\daily.ndb being infected by the 'New Script.c' virus every time ClamWin (unsuccessfully) ran. The virus could not be "cleaned" probably because the directory did not exist (ClamWin had already deleted it?).

2) A full disk scan by McAfee would find daily.ndb (didn't record the location but probably in ...\.clamwin\db\daily.inc) and successfully deleted it.

3) ClamWin would work again until the next Database Update then 'New Script.c' pop-ups would start again.

This cycle stopped on about the 27th or 28th without making any changes to the setup.


Which means that McAfee most likely removed the false positive from their db.
jel123


Joined: 25 Jul 2007
Posts: 3
alch wrote:
Which means that McAfee most likely removed the false positive from their db
Possibly, but I'm embarrassed to say that my subscription has expired. The about screen reports that the DAT file was created several months ago. So not sure if anything has changed on the McAfee end.

Anyway, I'm just happy it's all working now.

Thanks.
Same Problem here, gotta be mcafee
vifee


Joined: 18 Aug 2007
Posts: 3
Location: Canberra
Same problem here. I've just loaded up the portable version of ClamWin 0.9.1.1 from PortableApps.com, run it from the USB stick choosing to scan memory first, and the McAfee that came with this new Vista laptop threw up a window with the same message. It says that the New Script.c virus is located in file daily.ndb located along path c:\users\username\appdata\local\temp\clamav- (on the next line there is a long number/string, then .clamtmp\daily.ndb).

Both virus programs had recently been updated. I am thinking that McAfee is jumping at shadows and is incompatible with other virus programs. I have submitted the file to McAfee using their menu option and if I can find the suspect file on my drive I'll submit it to the notification area here and we might get some answers.
sherpya


Joined: 22 Mar 2006
Posts: 898
Location: Italy
Looks like the McAfee on-access scanner locks the unpacked virus db since it detects it as a virus.
It's very easy for an antivirus to detect a virus db as a virus, since the virus db itself contains virus signatures.
It's really not a great idea, but you can tell McAfee to ignore clamav-* files in the temp directory.
Way around McAfee when downloading updates for ClamWin
kokushta


Joined: 05 Oct 2007
Posts: 1
Location: Albania
I got the same problem here and maybe I found a way around McAfee so that it does not detect ClamWin updates as a virus.

10/5/2007 7:16:50 AM Moved (Clean failed because the file isn't cleanable) KOKUSHTA\Administrator freshclam.exe E:\Documents and Settings\Administrator\My Documents\ClamWinInst\ClamWinPortable\Data\db\daily.inc\clamav-9ce600f5958f6cdc4dc4bcb74b3a5240.00000e94.clamtmp New Script.c (Virus)
10/5/2007 7:19:43 AM Moved (Clean failed because the file isn't cleanable) KOKUSHTA\Administrator explorer.exe E:\QUARANTINE\clamav-9ce600f5958f6cdc4dc4bcb74b3a5240.00000e94.clamtmp.Vir New Script.c (Virus)


This is the msg I got.

Now what I did was add some exclusion file info to McAfee as follows:

At the McAfee Virus Console (I have McAfee VirusScan Enterprise v8.0), for both scanning tasks right-click to access properties.
Click on the Detection tab, click on the Exclusions... button and then click on Add.

As you can see from the McAfee msg, the file ends with .clamtmp, as in (clamav-9ce600f5958f6cdc4dc4bcb74b3a5240.00000e94.clamtmp).

Now check the By name/location (can include wildcard * or ?) option and type into the text box:
Code:
*.clamtmp

and click OK and again OK and OK (as needed to confirm all your actions till you exit Virus Console).

Hope this will work, I just did it and I'll test it from time to time. If something else comes up I'll let you know.