ClamWin Free Antivirus :: View topic - UpGrade To ClamWin Free AntiVirus 97 Perplexing

Posted: Sat Mar 26, 2011 6:56 pm

I have been mostly satisfied with ClamWin, although user information can be a bit sparce for the Computer Illiterate, like myself. I am hoping that someone can help with a problem that I have encountered.
I upgraded to the latest version and have seen something that I have not experienced previously. In the ClamWin AntiVirus Folder in my Start Programs, there is a Browser Quarantine listed along with the Virus Scanner, Help File, and Uninstall File . When I click on the Browser Quarantine, a QRecover Table opens, with a Yellow Triangle Message Box with the following message -

Directory C:\Documents and Settings\All Users\.clamwin\quarantine does not contain any quarantine iformation
To open another directory use "To Open Another Diirectory" in the File menu

This Yellow Triangle Message Box also contains an OK Button just below the above message . This would seeming to suggest to me, that there is supposed to be some information or files in the quarantine file folder that apparently are not there .
Does this mean that there should be some information in the quarantine folder, such as already quarantined infected files or other information relating to presently quarantined infected files or newly discovered infected files that need to be put in the quarantine folder ? Is the message just telling me what I already know ( that there were no infected files in the folder, as I try to Delete those from my system, as soon as they are discovered ) ? I am definitely in the dark about this . I presumed that the quarantine file works like others . If a file is put in the quarantine file, then that keeps it from infecting and affecting the system . IF that file is discovered to in fact NOT be infected, then it can be ReStored to the place that it originally was . Of course, if that suspected file in actually infected, then it can be reported and the deleted from the system .
BUT, is Browser Quarantine just like the old or regular quarantine ? If so, why is it designated as a Browser Quarantine ? If the message in the Yellow Triange Message Box is followed, a drop down menu from the File Menu choice, lists a first choice as, Open Quarantine Folder . If this is clicked on, a small window appears with the Heading of, Browse For Folder . If I search or follow through the information tree options, until I reach the quarantine folder ( since I already know where it is ) and then select the quarantine folder from the previous ClamWin Version, and click on the OK Button; the same identical Yellow Triangle Message Box with the same message & OK Button reappears . HELP, please !
LOST,
KK

Posted: Sat Mar 26, 2011 10:08 pm

The quarantine browser that was implemented with ClamWin version .97 is a tool to restore files that ClamWin has falsely detected as infected when they are not really infected--a "false positive" detection, in other words. ClamWin quarantine works just like it always did. There were just too many false positive detections (for various reasons) on important files, and it became too much of a problem for network users to restore the files on all the computers under their care. The quarantine browser is also handy for individuals, of course. It can be accessed via Start, All Programs, ClamWin, Quarantine Browser. You can select individual files to restore within the browser restore all files in quarantine.

You can verify whether or not a file is a real infection or a false positive by uploading it to Jotti at http://forums.clamwin.com/posting.php?mode=reply&t=3201 or to Virus Total at http://www.virustotal.com/ on the web. Either service will scan a file for you with multiple AV programs, including the Clam AV engine used by ClamWin. If several other AVs besides Clam say a file is infected, it probably is. I like to see a couple of these AVs verify an infection before I believe it: Avast, Bit Defender, Kaspersky, NOD32 and Sophos.

You should upload false positives to Clam AV at http://www.clamav.net/lang/en/sendvirus/ on the web. Be sure to select the false positive radio button, and tell the full name of the falsely-detected virus in the applicable box. Clam will adjust their signature within a couple of days.

ClamWin will not quarantine a false positive detection on Windows files that have been digitally signed by Microsoft on computers running Vista and Windows. The developers have been unable so far to come up with a reliable fix for computers running XP and older operating systems.

Regards,

Posted: Sat Apr 02, 2011 4:18 am

Thanks GuitarBob for taking the time to address my Posting . Actually, that is how I came to upgrade . A previous ClamWin Version was giving me a 'false positive' on a Scan . I have Avira & Ad-Aware also on my system . They, both were showing clean scans . BUT, just to check to the nth degree, I submitted the file to VirusTotal . The VirusTotal Scan came back all clean, including ClamWin . So, I suspected that I could have a false positive and that it would not hurt to upgrade a few versions to the latest (at this time) Version .97 .

However, I am still a bit perplexed with that Exclamation Marked Yellow Triangle Box Message of, "Directory C:\Documents and Settings\All Users\.clamwin\quarantine does not contain any quarantine information
To open another directory use "To Open Another Diirectory" in the File menu" . This message raised two questions in my mind . First, what does this message mean ? Obviously there is no information there from any quarantined files, because no scans have been done to require any files to be quarantined . The person (not me) that installed the previous ClamWin Version, apparently thought it wise to put the ClamWin Quarantine in a Folder separate & apart from the regular ClamWin in the C:\Program Files\ClamWin Folder . I can see some logic to that, in keeping the Quarantine away from the rest of the ClamWin Program . But, does this mean that my ClamWin is installed improperly and that I need to move the Quarantine to the ClamWin Program Folder instead of the \.clamwin\quarantine folder ? It appears that the program isn't working quite properly to me . I am definitely not that knowledgeable about this and that is why I posted here in the hopes of getting some help with my problem . Thanks Again !

Posted: Sat Apr 02, 2011 5:23 am

I suspect that you need to change your ClamWin quarantine to the original location, which is C:\ProgramData\.clamwin\quarantine on Windows 7 and Vista. Not having Win XP anymore, I forgot where it was there. Regardless, it is not in the ClamWin folder with the executables, so I cannot understand why the quarantine folder was put somewhere else in the first place. The ClamWin code is evidently looking in the correct location for quarantine but cannot find it. This is probably important now for the quarantine restore function, at least.

Regards,

Posted: Sun Apr 17, 2011 10:59 pm

Thanks again GuitarBob . Well, I have moved the ClamWin Quarantine Folder to C:\Program Files\ClamWin\.clamwin . So, I hope it will work out . I will let you know if it doesn't . Thanks again !

Posted: Mon Sep 19, 2011 9:58 am

Hi,
question to KK - you didn´t submit the result, did it work after moving the folder to C:\Program Files\ClamWin\.clamwin ? An if soimeone knows, what is the reason for having the ClamWin Quarantine Folder in different locations for difrerent MS OSs ?
Tks
Wolfgang

Very Happy

... and a happy, prosperous & healthy 2012 for all of you Smile

---------------------------------------------
my latest sites http://privatekrankenversicherungpkv.org/ Private Krankenversicherung
http://privatekrankenversicherungvergleichpkv.de/ Private Krankenversicherung Vergleich

Posted: Wed Sep 21, 2011 2:21 am

Blame Microsoft for ClamWin's database being in different folders depending upon the OS.

Regards,

Posted: Sun Nov 27, 2011 1:48 pm

Clam AV may have some new detection features with each new update of the program version--primarily signature-based functionality. ClamWin uses the Clam AV detection engine. If ClamWin has not yet integrated the new Clam version, it may detect some new false positives with its old engine because it does not know how to process the new signatures.

Regards,

Posted: Mon Jan 23, 2012 8:30 pm

Ok on Sunday I ran the clamwin program twice to get rid of problems. It all went to quariteen, so yesterday I ran the program again but this time I asked it to get rid of all the problems, now I have no desk top, no start, but most of the programs are on the computer, I just have to use ctrl, alt, delete to get into the program files to get anywhere and I can't get anything restored. What do I need to do to fix it?
Help and thank you for your help

Posted: Mon Jan 23, 2012 8:32 pm

Well the thing is that I also ran the updates as well so the new virsion should have been there.

Posted: Mon Jan 23, 2012 10:12 pm

You need to use the ClamWin Quarantine Browser program to restore the files you need. In the program/ClamWin\bin directory, the file is named QRecover.exe. You can run it from there. You can also run it from Start, All Programs, ClamWin, Quarantine Browser. When you run it, you can tick each file you want to restore or you can select to restore all files.

Most likely you have a false positive on a Virut signature or some other generic signature . I suggest that you exclude the file directory(ies) from ClamWin scans (via Configure ClamWin, Filters, Exclude Matching Filenames--example C:\Directory\) until the false positive detetion signature is corrected. The false positive signature will not be corrected, however, unless you upload several files (if all files are detected by the same signature) to Clam AV at http://www.clamav.net/lang/en/sendvirus/ on the web. You can zip several files. If your file is too large to submit, send email to luca at clamav dot net for instructions. On the submission form, when you submit false positives, change the submission type from "virus" to "false positive."

False positive signature corrections can take several days. I would give it about three days and then scan the directories involved--with the directories temporarily removed from the Exclude Matching Filenames and ClamWin set to Report Only. If there are no detections, you can leave the directories off the Exclude Matching Filenames configuration. If they are still detected, restore them to Exclude Matching Filenames and send more email to luca at clamav dot net and tell him the false positives are still detected.

Regards,

Posted: Thu Feb 09, 2012 12:13 pm

Scan Started Thu Nov 03 12:21:27 2011
-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 1065274
Engine version: 0.97.3
Scanned directories: 2
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 59.430 sec (0 m 59 s)

Scan Started Mon Dec 19 03:22:30 2011
-------------------------------------------------------------------------------

WARNING: Can't open file c:\GOBACKIO.BIN: Permission denied
WARNING: Can't open file c:\WIN386.SWP: Permission denied

c:\WINDOWS\SYSBCKUP\rb003.cab: Worm.P2P.Curuc FOUND
c:\WINDOWS\SYSBCKUP\rb004.cab: Worm.P2P.Curuc FOUND
c:\WINDOWS\SYSBCKUP\rb001.cab: Worm.P2P.Curuc FOUND
c:\WINDOWS\SYSBCKUP\rb000.cab: Worm.P2P.Curuc FOUND
c:\WINDOWS\SYSBCKUP\rb005.cab: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\TSB BALANCES.XLS.infected: BC.Exploit.CVE_2011_3412 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1095393
Engine version: 0.97.3
Scanned directories: 2116
Scanned files: 20097
Infected files: 6
Data scanned: 6625.48 MB
Data read: 11425.25 MB (ratio 0.58:1)
Time: 6679.380 sec (111 m 19 s)

Scan Started Mon Dec 19 10:27:49 2011
-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 1095393
Engine version: 0.97.3
Scanned directories: 2
Scanned files: 20
Infected files: 0
Data scanned: 2.09 MB
Data read: 1.17 MB (ratio 1.78:1)
Time: 93.870 sec (1 m 33 s)

Scan Started Mon Dec 19 10:32:44 2011
-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 1095393
Engine version: 0.97.3
Scanned directories: 91
Scanned files: 1108
Infected files: 0
Data scanned: 290.27 MB
Data read: 330.68 MB (ratio 0.88:1)
Time: 514.270 sec (8 m 34 s)

Scan Started Mon Dec 19 10:46:07 2011
-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 1095393
Engine version: 0.97.3
Scanned directories: 40
Scanned files: 532
Infected files: 0
Data scanned: 218.37 MB
Data read: 152.89 MB (ratio 1.43:1)
Time: 676.950 sec (11 m 16 s)

Scan Started Mon Dec 19 11:00:06 2011
-------------------------------------------------------------------------------

WARNING: Can't open file C:\GOBACKIO.BIN: Permission denied
WARNING: Can't open file C:\WIN386.SWP: Permission denied

C:\WINDOWS\SYSBCKUP\rb003.cab: Worm.P2P.Curuc FOUND
C:\WINDOWS\SYSBCKUP\rb004.cab: Worm.P2P.Curuc FOUND
C:\WINDOWS\SYSBCKUP\rb001.cab: Worm.P2P.Curuc FOUND
C:\WINDOWS\SYSBCKUP\rb000.cab: Worm.P2P.Curuc FOUND
C:\WINDOWS\SYSBCKUP\rb005.cab: Worm.P2P.Curuc FOUND
C:\WINDOWS\All Users\.clamwin\quarantine\TSB BALANCES.XLS.infected: BC.Exploit.CVE_2011_3412 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1095393
Engine version: 0.97.3
Scanned directories: 2156
Scanned files: 20240
Infected files: 6
Data scanned: 6625.33 MB
Data read: 11425.94 MB (ratio 0.58:1)
Time: 6677.670 sec (111 m 17 s)

Scan Started Wed Dec 21 19:06:09 2011
-------------------------------------------------------------------------------

WARNING: Can't open file c:\GOBACKIO.BIN: Permission denied
c:\WINDOWS\SYSBCKUP\rb003.cab: moved to 'C:\WINDOWS\All Users\.clamwin\quarantine\rb003.cab.infected'
c:\WINDOWS\SYSBCKUP\rb002.cab: moved to 'C:\WINDOWS\All Users\.clamwin\quarantine\rb002.cab.infected'
c:\WINDOWS\SYSBCKUP\rb001.cab: moved to 'C:\WINDOWS\All Users\.clamwin\quarantine\rb001.cab.infected'
c:\WINDOWS\SYSBCKUP\rb000.cab: moved to 'C:\WINDOWS\All Users\.clamwin\quarantine\rb000.cab.infected'
c:\WINDOWS\SYSBCKUP\rb005.cab: moved to 'C:\WINDOWS\All Users\.clamwin\quarantine\rb005.cab.infected'
c:\WINDOWS\All Users\.clamwin\quarantine\rb003.cab.infected not moved/copied since already in quarantine
c:\WINDOWS\All Users\.clamwin\quarantine\rb002.cab.infected not moved/copied since already in quarantine
c:\WINDOWS\All Users\.clamwin\quarantine\rb001.cab.infected not moved/copied since already in quarantine
c:\WINDOWS\All Users\.clamwin\quarantine\rb000.cab.infected not moved/copied since already in quarantine
c:\WINDOWS\All Users\.clamwin\quarantine\rb005.cab.infected not moved/copied since already in quarantine
WARNING: Can't open file c:\WIN386.SWP: Permission denied

c:\WINDOWS\SYSBCKUP\rb003.cab: Worm.P2P.Curuc FOUND
c:\WINDOWS\SYSBCKUP\rb002.cab: Worm.P2P.Curuc FOUND
c:\WINDOWS\SYSBCKUP\rb001.cab: Worm.P2P.Curuc FOUND
c:\WINDOWS\SYSBCKUP\rb000.cab: Worm.P2P.Curuc FOUND
c:\WINDOWS\SYSBCKUP\rb005.cab: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\rb003.cab.infected: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\rb002.cab.infected: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\rb001.cab.infected: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\rb000.cab.infected: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\rb005.cab.infected: Worm.P2P.Curuc FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1095654
Engine version: 0.97.3
Scanned directories: 2167
Scanned files: 20318
Infected files: 10
Not copied: 5
Data scanned: 6636.07 MB
Data read: 11437.46 MB (ratio 0.58:1)
Time: 6822.130 sec (113 m 42 s)

Scan Started Thu Dec 29 12:02:10 2011
-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 1097524
Engine version: 0.97.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 1.02 MB
Data read: 0.58 MB (ratio 1.77:1)
Time: 68.980 sec (1 m 8 s)

Scan Started Thu Dec 29 12:18:23 2011
-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 1097524
Engine version: 0.97.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 1.02 MB
Data read: 0.58 MB (ratio 1.77:1)
Time: 64.420 sec (1 m 4 s)

Scan Started Fri Jan 06 11:22:06 2012
-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 1108188
Engine version: 0.97.3
Scanned directories: 2
Scanned files: 3
Infected files: 0
Data scanned: 1.11 MB
Data read: 0.63 MB (ratio 1.77:1)
Time: 54.430 sec (0 m 54 s)

Scan Started Wed Jan 11 00:09:00 2012
-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 1110518
Engine version: 0.97.3
Scanned directories: 91
Scanned files: 1108
Infected files: 0
Data scanned: 290.27 MB
Data read: 330.68 MB (ratio 0.88:1)
Time: 524.160 sec (8 m 44 s)

Scan Started Wed Jan 11 02:08:34 2012
-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 1110518
Engine version: 0.97.3
Scanned directories: 1
Scanned files: 19
Infected files: 0
Data scanned: 2.09 MB
Data read: 1.20 MB (ratio 1.75:1)
Time: 53.610 sec (0 m 53 s)

Scan Started Sat Jan 21 12:30:01 2012
-------------------------------------------------------------------------------

WARNING: Can't open file c:\GOBACKIO.BIN: Permission denied
c:\WINDOWS\All Users\.clamwin\quarantine\rb003.cab.infected not moved/copied since already in quarantine
c:\WINDOWS\All Users\.clamwin\quarantine\rb002.cab.infected not moved/copied since already in quarantine
c:\WINDOWS\All Users\.clamwin\quarantine\rb001.cab.infected not moved/copied since already in quarantine
c:\WINDOWS\All Users\.clamwin\quarantine\rb000.cab.infected not moved/copied since already in quarantine
c:\WINDOWS\All Users\.clamwin\quarantine\rb005.cab.infected not moved/copied since already in quarantine
WARNING: Can't open file c:\WIN386.SWP: Permission denied

c:\WINDOWS\All Users\.clamwin\quarantine\rb003.cab.infected: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\rb002.cab.infected: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\rb001.cab.infected: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\rb000.cab.infected: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\rb005.cab.infected: Worm.P2P.Curuc FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1119346
Engine version: 0.97.3
Scanned directories: 2241
Scanned files: 20343
Infected files: 5
Not copied: 5
Data scanned: 6703.78 MB
Data read: 11442.00 MB (ratio 0.59:1)
Time: 6574.360 sec (109 m 34 s)

Scan Started Sat Feb 04 13:34:47 2012
-------------------------------------------------------------------------------

c:\CABS\WIN98_45.CAB: moved to 'C:\WINDOWS\All Users\.clamwin\quarantine\WIN98_45.CAB.infected'
WARNING: Can't open file c:\GOBACKIO.BIN: Permission denied
c:\WINDOWS\All Users\.clamwin\quarantine\TSB BALANCES.XLS.infected not moved/copied since already in quarantine
c:\WINDOWS\All Users\.clamwin\quarantine\rb003.cab.infected not moved/copied since already in quarantine
c:\WINDOWS\All Users\.clamwin\quarantine\rb002.cab.infected not moved/copied since already in quarantine
c:\WINDOWS\All Users\.clamwin\quarantine\rb001.cab.infected not moved/copied since already in quarantine
c:\WINDOWS\All Users\.clamwin\quarantine\rb000.cab.infected not moved/copied since already in quarantine
c:\WINDOWS\All Users\.clamwin\quarantine\rb005.cab.infected not moved/copied since already in quarantine
c:\WINDOWS\All Users\.clamwin\quarantine\WIN98_45.CAB.infected not moved/copied since already in quarantine
WARNING: Can't open file c:\WIN386.SWP: Permission denied

c:\CABS\WIN98_45.CAB: Trojan.Banker-4495 FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\TSB BALANCES.XLS.infected: BC.Exploit.CVE_2011_3412 FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\rb003.cab.infected: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\rb002.cab.infected: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\rb001.cab.infected: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\rb000.cab.infected: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\rb005.cab.infected: Worm.P2P.Curuc FOUND
c:\WINDOWS\All Users\.clamwin\quarantine\WIN98_45.CAB.infected: Trojan.Banker-4495 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1126908
Engine version: 0.97.3
Scanned directories: 2294
Scanned files: 20450
Infected files: 8
Not copied: 7
Data scanned: 6702.61 MB
Data read: 11445.39 MB (ratio 0.59:1)
Time: 6900.950 sec (115 m 0 s)

Hi all is this real or a false positave if false how do I remove them from the quarantine.
Regards pulteny

Posted: Thu Feb 09, 2012 12:33 pm

The best way to tell a false positive is to upload a file to Jotti or Virus Total and scan them there. If several other AVs besides Clam AV see an infection, it is probably a real one. I like to see at least 2 of these AVs verify something: AntiVir, Bitdefender, Kaspersky, Nod32, and Sophos.

You can use the ClamWin Quarantine Browser program (QRecover) to restore something from quarantine. You can whitelist the file in ClamWin's configuration, filters, exclude matching filenames until Clam AV fixes the false positive. You can access the recover program from Start, All Programs, ClamWin, QuarntineBrowser. It is QRecover.exe in the ClamWin Bin directory.

Regards,

Posted: Thu Mar 01, 2012 3:06 pm

@ plushorse

Do you know how to recover from antivir quaratine corner with QRecover.exe ?

Tx
Wolfgang

http://pkv1.org/ .http://pkvvergleich1.de/ .http://privatekrankenversicherungpkv.org/ .http://pkvvergleich1.de/ .... and have a nice day of course Smile

Posted: Fri Mar 02, 2012 5:37 am

QRecover is a program that works only with ClamWin. Each antivirus program has its own method to recover its quarantine files.

Regards,