ClamWin Free Antivirus
Support and Discussion Forums
Bad database update?
evilrobert


Joined: 18 Nov 2010
Posts: 4
Location: Chesapeake, VA
So I have a system that downloaded an update this morning, and it scanned and moved almost every .exe file on the system into the .quarantine folder. INCLUDING the ClamWin scan executables. It renamed everything with the .infected extension, but when I'm looking at the scan logs, it doesn't show a log for the scheduled scan that should have run today.

No shady business going on with the database updates or anything is there? I'm going to have to reload this system because it's just not feasible to spend the time trying to figure out where everything belongs (even jacked .dll files).
brianecole


Joined: 18 Nov 2010
Posts: 2
I saw the same thing affect Windows Server 2008 servers. I am now rebuilding several servers, and shopping for another antivirus engine.
evilrobert


Joined: 18 Nov 2010
Posts: 4
Location: Chesapeake, VA
It did the same to my 2008 R2 server. Completely blew out my SQL and the DBs as well. Windows 7 didn't seem to agree with what it was doing.

For anyone else wondering, if your scan runs and your windows close, ClamWin's shutting down the programs because it's flagging them as infected. Including itself, which is awesome.
kjnc


Joined: 18 Nov 2010
Posts: 1
Same here, I had 76 dlls and exes quarantined this morning. The problem is, it also got clamwin.exe, so it killed itself before it could write out the log, so I don't know where to put all of these files back.

I am on win2003 Server Enterprise.
GuitarBob


Joined: 09 Jul 2006
Posts: 4390
Location: USA
What virus(es) are being falsely-detected? Did anyone submit the file(s) to Clam AV for signature correction? I do not see any false positive reports on the Clam AV submission interface, so perhaps it has been taken care of by now.

ClamWin has false positive protection for Windows digitally-signed system files on Vista and Win 7 machines now. It will not quarantine these files--just provide a message in the scan report to submit a false positive to Clam AV.

Regards,
evilrobert


Joined: 18 Nov 2010
Posts: 4
Location: Chesapeake, VA
There's no way to submit a false positive report, since it's killing its own .exe and process. I found it curious that there were no log reports after yesterday's scheduled run, and then watched ClamWin kill itself on my laptop and it dawned on me it's not getting to the point where it generates a program before it gets shut down by its own scan.

No log, no way to show what of the 80+ files it keeps wanting to kill off. And it called a positive on the Google Chrome executable in Win 7 and moved it, while leaving most everything else alone (Win7 didn't allow it to move the files).
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
There was a bug in the 0.96.2 release which is fixed in 0.96.4, released today. Please download and install the update:
https://sourceforge.net/projects/clamwin/files/clamwin/0.96.4/clamwin-0.96.4-setup-nodb.exe/download
evilrobert


Joined: 18 Nov 2010
Posts: 4
Location: Chesapeake, VA
My only concern with that would be that my software was functioning fine until the system downloaded today's update. The error's in the program, despite running normally until it installed a database update the program made today?

I also find it suspicious that on the XP machine PC that was wrecked, there was a system restore point created during the scan. Does ClamWin normally create a system restore point during the beginning of the scan process?
Same problem, on winXP
cjturner


Joined: 01 Aug 2007
Posts: 3
Location: Fairfax, VA
There is no way to report all of these false positives! Clamwin totally took out one system, moved 890 files to quarantine including clamscan.exe and clamtray.exe.

Broken system update log: updated Thursday 18 Nov at 13:00 EST (GMT-5), daily update ver. 12280 (builder ccordes) database updated from IP 155.98.64.87 (mirror-vip.cs.utah.edu)

So far, alternate scanner showing no viruses.

Went to another computer which had not scanned yet: disabled move/unload from memory and did a memory scan:
Scan Started Thu Nov 18 20:01:09 2010
-------------------------------------------------------------------------------

*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***

*** Scanned 10 processes - 190 modules ***
*** Computer Memory Scan Completed ***

C:\Program Files\Bonjour\mdnsNSP.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\OpenOffice.org 2.3\program\uwinapi.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\OpenOffice.org 2.3\program\MSVCR71.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\OpenOffice.org 2.3\program\stlport_vc7145.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\OpenOffice.org 2.3\program\MSVCP71.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\ExpShell.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\7-Zip\7-zip.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\WINDOWS\system32\CmdLineExt.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\ClamWin.exe: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\python23.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\win32api.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\pywintypes23.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\wxc.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\wxmsw24h.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\_sre.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\_socket.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\_ssl.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\_winreg.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\win32gui.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\win32event.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\pythoncom23.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\shell.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\win32security.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\_ctypes.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\win32file.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\win32pipe.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\win32process.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\gizmosc.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\mxDateTime.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\htmlc.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\pyc.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\libclamav.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\libclamav_llvm.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCP80.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\libclamunrar_iface.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\libclamunrar.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\datetime.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\_bsddb.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\clamscan.exe: Heuristic.Trojan.SusPacked.TMS FOUND

----------- SCAN SUMMARY -----------
Known viruses: 851477
Engine version: 0.96.2
Scanned directories: 0
Scanned files: 200
Infected files: 42
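Added example (not part of any post in this thread and not ClamWin code): a sanity check that could run over a scan report in the format posted above before any file is moved to quarantine. The `triage` function, its thresholds and the sample report (a constructed subset of the paths in the report above) are assumptions for illustration.

```python
import re
from collections import Counter
from ntpath import dirname, normcase  # Windows path rules, works on any OS

# Constructed sample in the report format above; paths are a subset of that report.
SAMPLE_REPORT = r"""
*** Scanned 10 processes - 190 modules ***
C:\Program Files\Bonjour\mdnsNSP.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\7-Zip\7-zip.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\WINDOWS\system32\CmdLineExt.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\ClamWin.exe: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\clamscan.exe: Heuristic.Trojan.SusPacked.TMS FOUND
----------- SCAN SUMMARY -----------
Scanned files: 200
Infected files: 42
"""

FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")
SUMMARY = re.compile(r"^(Scanned files|Infected files): (\d+)\s*$")

def triage(report, scanner_dir=r"C:\Program Files\ClamWin", max_ratio=0.05):
    """Return (hold, reasons); hold is True when quarantine should wait for a human.

    scanner_dir and max_ratio are assumed defaults, not ClamWin settings.
    """
    hits, totals = [], {}
    for line in report.splitlines():
        m = FOUND.match(line)
        if m:
            hits.append((m["path"], m["sig"]))
        elif (s := SUMMARY.match(line)):
            totals[s[1]] = int(s[2])
    reasons = []
    # 1. A scanner that detects its own binaries is about to disable itself.
    prefix = normcase(scanner_dir) + "\\"
    own = [p for p, _ in hits if normcase(p).startswith(prefix)]
    if own:
        reasons.append(f"scanner flagged {len(own)} of its own files")
    # 2. One signature hitting files from unrelated vendors points at the signature.
    sigs = Counter(sig for _, sig in hits)
    dirs = {normcase(dirname(p)) for p, _ in hits}
    if len(hits) >= 3 and len(sigs) == 1 and len(dirs) >= 3:
        reasons.append(f"one signature ({next(iter(sigs))}) across unrelated directories")
    # 3. An implausibly high detection ratio for a single scan.
    scanned = totals.get("Scanned files", 0)
    infected = totals.get("Infected files", len(hits))
    if scanned and infected / scanned > max_ratio:
        reasons.append(f"{infected}/{scanned} files flagged, above {max_ratio:.0%}")
    return bool(reasons), reasons
```

When `hold` is true, running the scan in report-only mode (as the poster did by disabling move/unload) keeps the log and the files in place while the detection is checked.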
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
evilrobert wrote:
My only concern with that would be that my software was functioning fine until the system downloaded today's update. The error's in the program, despite running normally until it installed a database update the program made today?

I also find it suspicious that on the XP machine PC that was wrecked, there was a system restore point created during the scan. Does ClamWin normally create a system restore point during the beginning of the scan process?


The restore point is a coincidence.

The problem with this false positive was in the virus database update, but 0.96.2 had a bug in handling certain parts of the signature and hence triggered a false positive. The signature will be dropped today and 0.96.2 will function ok, but it is still better to update to 0.96.4 to avoid possible similar issues in the future.
Re: Same problem, on winXP
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
There was a bug in the 0.96.2 release which is fixed in 0.96.4, released today. Please download and install the update:
https://sourceforge.net/projects/clamwin/files/clamwin/0.96.4/clamwin-0.96.4-setup-nodb.exe/download

cjturner wrote:
There is no way to report all of these false positives! Clamwin totally took out one system, moved 890 files to quarantine including clamscan.exe and clamtray.exe.

Broken system update log: updated Thursday 18 Nov at 13:00 EST (GMT-5), daily update ver. 12280 (builder ccordes) database updated from IP 155.98.64.87 (mirror-vip.cs.utah.edu)

So far, alternate scanner showing no viruses.

Went to another computer which had not scanned yet: disabled move/unload from memory and did a memory scan:
GuitarBob


Joined: 09 Jul 2006
Posts: 4390
Location: USA
That signature has been dropped from the Clam AV signatures.

Regards,
BeRu


Joined: 19 Nov 2010
Posts: 1
OK,

there has been an error.

BUT HOW TO RESTORE THE 20.000 Files? I have found no restore function in ClamWin. But there is a database with some 60 MB. Is there a possibility to do an automatic restore out of the quarantine folder?

That's what I need!

BeRu
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
BeRu wrote:
OK,

there has been an error.

BUT HOW TO RESTORE THE 20.000 Files? I have found no restore function in ClamWin. But there is a database with some 60 MB. Is there a possibility to do an automatic restore out of the quarantine folder?

That's what I need!

BeRu



1) Check the log file
Win7 and Vista: C:\Users\All Users\.clamwin\log\ClamScanLog.txt
XP: C:\Documents and Settings\All Users\.clamwin\log\ClamScanLog.txt


2) If the log does not have the quarantine info there is still a chance it would be in the temp folder. Can you check your temp folder and let me know? It should start with tmp and look like this:

C:\Documents and Settings\user\Local Settings\Temp\tmp0bx8st on XP
or
C:\Users\alex\AppData\Local\Temp\tmp0bx8st on Vista/7

Look for a larger file and check if it has quarantine info inside.
Administrator


Joined: 19 Nov 2010
Posts: 6
Thanks Clamwin, for messing up my server!!
More than 2000 'infected' files, which I have to move back manually.