ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
Suggestion: Once nasties are Quarantined, stop the warnings
Suncoast


Joined: 11 Aug 2015
Posts: 1
Location: Florida, United States
Reply with quote
On my system, Malware, Viruses, etc. are automatically quarantined. I have 4 email spools that were backed up from my Sendmail server, and have been Quarantined.

I have a scheduled daily scan. Every morning, there is a warning that a Virus was detected, review the reports. But it is referring to those 4 quarantined spool files.

It would be nice if any warnings excluded previously handled detections.

Thanks
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 559
Location: **UNKNOWN**
Reply with quote
Hello and welcome to the forums.

Alch has not updated that email notifications in a long time (I am surprised it even still works). I have never used it before so I don't know much about. When beta testing comes around, I will notify Alch of this so he can fix it. Thank you for using ClamWin.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4173
Location: USA
Reply with quote
If the spool/files are in quarantine, and ClamWin is picking them up from there during a scan, what about just whitelisting the quarantine folder from ClamWin? An alternative might be to whitelist the spool/files.

Regards,
View user's profileSend private message
jimimaseye


Joined: 04 Jan 2014
Posts: 89
Reply with quote
GuitarBob wrote:
If the spool/files are in quarantine, and ClamWin is picking them up from there during a scan, what about just whitelisting the quarantine folder from ClamWin? An alternative might be to whitelist the spool/files.

Regards,

This is something I realised a LONG time ago. I whitelisted the quarantine folder to stop it being scanned. But it still does make me wonder why scanning a quarantine folder which, by its definition contains the very infections it finds, was overlooked at the beginning. I dont know of any other AV software that makes this simple error. (Surely its a simple line of code like 'if current_scan_directory = clam_environment_quarantine_directory then skip' type of thing.)
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4173
Location: USA
Reply with quote
Most of the ClamWin code comes from the Clam AV code, and the ClamWin developers try not to do anything to it other than port it over to Windows from the original Clam AV Linux code.

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 559
Location: **UNKNOWN**
Reply with quote
ClamAV was designed to scan everything on your system, with a large number of supported extensions, and more recently, extensionless files. It was also designed to scan any filesize at any location. This is how the original (and current) ClamAV team wanted it to be. They want the user to be able to decide what they wanted best for their own systems, hence the reason why ClamAV is so highly configurable. It is not something I do not think was ever overlooked, I think it was just meant to be that way.

You can try to send this to the ClamAV team and see what they say about it, but as I said, I don't think this is a bug, otherwise, I think they would have had it fixed by now.

As I recall, .98 added some self-defense in the scan code for ClamAV and more was added in .99. This could be the reason, too.
View user's profileSend private message
jimimaseye


Joined: 04 Jan 2014
Posts: 89
Reply with quote
ROCKNROLLKID wrote:

You can try to send this to the ClamAV team and see what they say about it

How does one do that? What is the method to raise 'concerns'/queries with the clamAV team? (I wonder if linux users also have the same problem of needing to manually exclude their own quarantine folder).
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4173
Location: USA
Reply with quote
Remember that by design, if you do a ClamWin scan of a single file, it will still be scanned even if the folder the file is in is whitelisted. Whitelisting only works when you do a multiple scan.

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 559
Location: **UNKNOWN**
Reply with quote
ClamAV support can be found here: http://www.clamav.net/contact
View user's profileSend private message
jimimaseye


Joined: 04 Jan 2014
Posts: 89
Reply with quote
I have a concern about sending this 'observation'/query to the ClamAV team because this is something that we (Clamwin users) are reporting. I do not know if the ClamAV linux product behaves in the same way and it could meet with resistance if I say "[This] happens on CLAMWIN...could you review" when they arent even responsible for that port and dont have the problem with their linux product. And of course ClamAV dont have a forum to search to see if others have encountered this. I say this because I did a quick search and found in a ClamXav forum that ClamXav, presumably based on ClamAV (and converted for Mac iOS), DOESNT scan its own quarantine folder and doesnt need it whitelisting. (But of course it could be irrelevant if ClamXav isnt a direct port). That said, it might be a direct port and behaves the same way as ClamAV, and it is only Clamwin that has this oversight of scanning the quarantine folder. (I hope you can see my thinking).

Interesting to see a quote from GuitarBob back in Fri Mar 23, 2007 7:29 pm http://forums.clamwin.com/viewtopic.php?p=4268#4268

GuitarBob wrote:
Perhaps in the future ClamWin could have an additional selection with Quarantine to Ignore Quarantine Files from scans or perhaps this could be a default. Most of the other antivirus software seems to exclude it--or perhaps they "cripple" the quarantined files in some manner so they are no longer recognized as malware.

Regards,

Perhaps....but alas no. But intestestingly, Alch then replies
alch wrote:
yes and that is how quarantine works in version 1, which is in it's final stages of development.

(9 years ago. Come on "Version 1"....hurry up. Rolling Eyes )


Last edited by jimimaseye on Thu Jan 14, 2016 7:42 am; edited 2 times in total
View user's profileSend private message
jimimaseye


Joined: 04 Jan 2014
Posts: 89
Reply with quote
ROCKNROLLKID wrote:
Hello and welcome to the forums.

Alch has not updated that email notifications in a long time (I am surprised it even still works). I have never used it before so I don't know much about. When beta testing comes around, I will notify Alch of this so he can fix it. Thank you for using ClamWin.

Will you still be doing this, Rocknrollkid? If so, I will defer to your more expert and considered involvement with Alch and leave you to do it (you'll probably get a better result).
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 559
Location: **UNKNOWN**
Reply with quote
ClamXAV was recently turned into a commercial product, so it's possible that they have re-modified some of the ClamAV engine to fit their commercial needs.

As Bob has said, Alch (led developer) doesn't do much more other then the Outlook plugin and porting ClamAV to ClamWin. I don't this is a porting issue, so you are better off checking in with ClamAV and see if they are getting this there. If not, I will notify Alch and see what he says then.
View user's profileSend private message
jimimaseye


Joined: 04 Jan 2014
Posts: 89
Reply with quote
ClamAV 'Report A Bug' page says:
Quote:
"If you find a bug in ClamAV, please check it against the latest git code. Read the instructions below, then visit our bug tracker to submit your bug report. Please do not submit bugs for third party software."

I cant read 'git code' and Clamwin is a thirdparty software. I conclude this as that page continues to give advice on how to submit various system variables and they use all Linux commands such as kernel core dumps and (therefore no provision for equivalent windows commands).
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4173
Location: USA
Reply with quote
Until something is done by the developers,try whitelisting C:\ProgramData\.clamwin\quarantine\*.infected in ClamWin. That is probably what would be done to correct the code.

Regards,
View user's profileSend private message
jimimaseye


Joined: 04 Jan 2014
Posts: 89
Reply with quote
Yes. From above:
jimimaseye wrote:
GuitarBob wrote:
If the spool/files are in quarantine, and ClamWin is picking them up from there during a scan, what about just whitelisting the quarantine folder from ClamWin? An alternative might be to whitelist the spool/files.

Regards,

This is something I realised a LONG time ago. I whitelisted the quarantine folder to stop it being scanned. But it still does make me wonder why scanning a quarantine folder which, by its definition contains the very infections it finds, was overlooked at the beginning. I dont know of any other AV software that makes this simple error. (Surely its a simple line of code like 'if current_scan_directory = clam_environment_quarantine_directory then skip' type of thing.)
View user's profileSend private message
Suggestion: Once nasties are Quarantined, stop the warnings
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 2  

  
  
 Reply to topic