ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
Suspicious Origin for xxxEAY.DLL should not Quarantine
misitu


Joined: 29 Sep 2016
Posts: 4
Location: Peru
Reply with quote
Hello!
I am wondering how I can stop ClamWin/ClamSentinel from intercepting these files; they are used in an internal sendmail service.
ClamSentinel is quarantining them which is a bit of a show stopper.
My only solution for the moment is to "STOP" Clam before running the process that invokes this sendmail, and restart it after. It would be nice to be able to exclude.

I tried, by wildcarding the filename as follows (the filename suffix is generated at run time)

Quote:
Paths or files not scanned

Code:
%APPDATA%\Local\Temp\pdk-Accounts-*\libeay32.dll
%APPDATA%\Local\Temp\pdk-Accounts-*\ssleay32.dll


However, the following appear in clam Quarantine and I then need to recover the libeay32.dll and ssleay.dll before attempting a rerun.

Code:
libeay32.dll.suspiciousorigin
libeay32.dll.suspiciousorigin0
libeay32.dll.suspiciousorigin0.txt

the contents of the last are:
Quote:
\\?\C:\Users\Accounts\AppData\Local\Temp\pdk-Accounts-4404\libeay32.dll \\?\C:\ProgramData\.clamwin\quarantine\libeay32.dll.suspiciousorigin0


Code:
ssleay32.dll.suspiciousorigin
ssleay32.dll.suspiciousorigin0
ssleay32.dll.suspiciousorigin0.txt


the contents of the last are:
Quote:
\\?\C:\Users\Accounts\AppData\Local\Temp\pdk-Accounts-4404\ssleay32.dll \\?\C:\ProgramData\.clamwin\quarantine\ssleay32.dll.suspiciousorigin0


Any help will be appreciated!

Thanks
David
Trujillo, Peru
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4255
Location: USA
Reply with quote
"Suspicious Origin" is a Clam Sentinel heuristic detection. Whitelisting the file in Clam Sentinel's Advanced Settings, Files or Paths Not To Be Scanned should have excluded it. I suppose the % and * are screwing things up.

Try whitelisting only libeay32.dll--maybe that will work. As a last resort, consider whitelisting *.dll--it might reduce security if you exclude all dll files, but a dll malware must be called by an executable. If you can detect the executable file, there is no problem.

Thanks for using ClamWin/Clam Sentinel!

Regards,
View user's profileSend private message
misitu


Joined: 29 Sep 2016
Posts: 4
Location: Peru
Reply with quote
Thanks, that seems to have fixed it. Process runs cleanly and libeay etc not quarantined.

My guess was that the wildcard in the folder name causes the problem but I will defer to your expertise.

Much appreciated
thanks.
David
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4255
Location: USA
Reply with quote
You are probably right. Clam Sentinel is supposed to handle wild card file names, but I don't know about its use in folders.

I hope you are also using another, real-time AV. Some malware is becoming too tough for small file-based AVs like ClamWin/Clam Sentinel to handle all by themselves. It takes an organization with resources and research to keep up with it.

Regards,
View user's profileSend private message
misitu


Joined: 29 Sep 2016
Posts: 4
Location: Peru
Reply with quote
I am using a bunch of different "detection engines". Funnily enough ClamWin is currently catching stuff that the others are missing, but "YMMV", sometimes I find stuff in another quarantine so overall I think am better protected from this multiple defence in comparison with a single program. When I moved off Avast the other engines found stuff that it had missed. So yes you are correct!

Thanks for the help.

For the record, am currently running

ClamWin + ClamSentinel
Malwarebytes
Microsoft Security Essentials
Emsisoft

on Windows 7.

Some of these don't work on Windows 10 (my other laptop) pffffft!!

Anyway, thanks very much for the prompt help, MUCH appreciated.

David
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
MSE and Emsisoft are both real-time AVs and I hope you are not running them back to back as this can cause conflicts.

I have always found running multiple engines is just a waste of resources. Safe browsing, not clicking on suspicious links, and keeping software up-to-date will keep you protected from 85-90% of infections on the web. I only use Windows Defender and most of the time I even think that is useless.

Soon I will be switching to ReactOS as a permanent operating system, which is a open-source Windows replica. Not sure if windows malware are capable of running on it, yet, but at least I don't have to worry about vulnerabilities/back doors in Windows (which is usually where the other 10 - 15% of infections come from). Of course, it will still have some in it as that is usually next to impossible to avoid, but since it's open-source and has tons of eyes looking at it, the amount and severity is a lot lower.
View user's profileSend private message
misitu


Joined: 29 Sep 2016
Posts: 4
Location: Peru
Reply with quote
Thanks! I will see how I get on. At the moment I have the occasional hang but tbh is probably mostly Windows. Am running an out of date Win 7 (because a "Windows Update" broke a year or so back), which one day I will have to deal with. But that is my particular bit of fun. Mostly performs OK. I take your point about conflicts but am seeing how it goes. Nothing obvious as yet and as I mentioned the various scanners pick up different suspected infections Surprised and not each other Cool

The ReactOS is interesting; the last time I looked was around 4 years ago when I left the UK and was running a bunch of OpenBSD service boxes. I will have another look. Getting off Windows would be nice but I have a bit of a commitment to OpenOffice for my Accounts so a move to Linux may be my only alternative.

I will have a look at ReactOS... thanks for the suggestion.
View user's profileSend private message
Suspicious Origin for xxxEAY.DLL should not Quarantine
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic