ClamWin Free Antivirus
Support and Discussion Forums
C:\i386\CB32.EX_: Trojan.Waledac-389 FOUND
seahawkja


Joined: 17 Jul 2009
Posts: 0
Location: Florida
Last night's scan log reported:

C:\i386\CB32.EX_: Trojan.Waledac-389 FOUND
C:\i386\CB32.EX_: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\CB32.EX_.infected'
.
.
C:\Program Files\NetMeeting\cb32.exe: Trojan.Waledac-389 FOUND
C:\Program Files\NetMeeting\cb32.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\cb32.exe.infected'
.
.
.
C:\WINDOWS\system32\dllcache\cb32.exe: Trojan.Waledac-389 FOUND
C:\WINDOWS\system32\dllcache\cb32.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\cb32.exe.infected.000'

Upon googling: Trojan.Waledac-389 FOUND

I came across the following post:

https://hphosts.blogspot.com/2009/07/clamwin-serious-fp-again.html

This occurred on two computers on my network - one was set to 'quarantine', the other to 'report only'.

Before finding the above post, bright-spark (report only m/c) did a safe mode reboot and deleted these files. Upon restart and login, the computer goes back to login after stating 'loading user settings'.

Bright-spark then booted from the XP Pro CD and did an install/repair. This initially said it was repairing the installation but then proceeded to install a Windows.0. At this point bright-spark halted the process. The original Windows folder appears to be intact, but restarting gets him back into completing setup.

This is a serious issue and needs to be resolved ASAP. Is this really a F/P? How do we get back to the original state, i.e. roll back the Windows.0 installation?

All comments/solutions appreciated.

seahawkja
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Clam processed a LOT of Waledac signatures yesterday, so it is very likely to be a false positive, although I don't know about that particular one. Please report all false positives to Clam, starting at https://www.clamav.net/sendvirus/ on the web. When you get to the upload page, be sure to classify the file as a false positive, give them the exact name of the false positive and tell them why you think it is false in the comments section.

I'm afraid I can't be of much help in restoring. You might look at https://antivirus.about.com/od/windowsbasics/ht/windowsrecovery.htm on the web. I recommend for everyone using ClamWin to set their infected files reporting option to Report Only and verify important files are really infected before removing them. False positives are getting to be a real problem for most AVs now.

Regards,
I'm removing Clamwin
beededea


Joined: 20 Mar 2007
Posts: 0
I've had Clamwin on all my clients' machines for ages. I had this false positive on XP this morning on mine and on all my clients' machines. Clamwin is set to Quarantine. After a reboot the machine becomes unusable; you cannot log in. I can't have this happen on my clients' machines and I can't have Clamwin set to report only.

I am now removing Clamwin for good from all my client's machines and mine after being a loyal user of clamwin for the last few years.

If FPs are going to cause this sort of problem then Clamwin needs to be tested every day by somebody to be sure it does not take out users' computers.

I am reverting to AVG as of this point and Clamwin is being removed from multiple PCs.

I am really disappointed. I know someone is going to kick up a fuss at me saying this but if Clamwin takes out your PC then what is it other than a virus...
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
All antivirus programs are subject to false positives. If you read the security blogs, you can occasionally see a high profile incident. Here is a blog about this problem from back in May: https://www.raymond.cc/blog/archives/2009/05/23/false-positives-is-a-common-problem-in-todays-antivirus-software/ on the web.

Viral code frequently uses similar code and expressions that you find in "good" programs. The viral code is usually packed to hinder analysis. Even if an AV can unpack a certain packer, the viral code is almost always further obfuscated, so the sigmakers don't often get clean, unpacked code they can use to prepare a signature--they use what they can get.

Clam AV furnishes the scanning engine and virus signature database for ClamWin. Clam is used primarily on Linux email gateways. It does not have to worry about Windows false positives there. Clam's signatures are always checked for false positives against "good" programs on a false positive "farm" collection before release, but they do not have all possible Windows (and Office) .exe and .dll programs on the farm. I've been told that it would be very expensive to include them all, and they are on a budget that is much less than the budget of the commercial AV companies. Because of the Clam false positives, ClamWin really needs to do something to help users out--maybe disable quarantine for Windows/Office detections (Report Them Only) or run a False Positive Assurance check against Windows/Office detections (check the dates to see if it was set up or changed recently at least--no change, no detection--report as a possible FP only).

I hope this adds some light to the situation. Good luck with AVG. I used it for many years until it became bloated like most of the other commercial stuff.

Regards,
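The date-based "False Positive Assurance" check suggested above, applied to ClamWin log lines of the shape quoted in the first post, as an added example that is not part of this thread and not ClamWin's own code. It reads the FOUND and 'moved to' lines, downgrades detections under OS/program locations whose files have not changed recently to "possible FP, report only", and builds a quarantine-to-original-path map for the files the first poster needs back. The protected-location prefixes, the seven-day "recently changed" window, the scan time, the modification times and the two extra log lines are constructed assumptions for illustration; on a real machine the modification times would come from os.stat on each path.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

# Line shapes as quoted from the ClamWin log in the first post.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
MOVED_RE = re.compile(r"^(?P<path>.+?): moved to '(?P<dest>.+)'$")

# Assumed policy: detections under these prefixes are treated as OS/program
# files and reported only, unless the file changed shortly before the scan.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\i386\\", "c:\\program files\\")


class Detection(NamedTuple):
    path: str
    signature: str
    quarantined_as: Optional[str]   # destination from a 'moved to' line, if any
    verdict: str                    # "quarantine-ok" or "possible-fp-report-only"
    reason: str


def parse_log(lines: List[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Collect FOUND lines (path -> signature) and 'moved to' lines (path -> dest)."""
    found: Dict[str, str] = {}
    moved: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        m = FOUND_RE.match(line)
        if m:
            found[m["path"]] = m["sig"]
            continue
        m = MOVED_RE.match(line)
        if m:
            moved[m["path"]] = m["dest"]
    return found, moved


def is_protected(path: str) -> bool:
    lowered = path.lower()
    return any(lowered.startswith(p) for p in PROTECTED_PREFIXES)


def triage(lines: List[str], mtimes: Dict[str, datetime], scan_time: datetime,
           recent: timedelta = timedelta(days=7)) -> List[Detection]:
    """Date check: a protected-location file not changed within `recent` of the
    scan is downgraded to 'possible FP, report only' instead of trusted."""
    found, moved = parse_log(lines)
    out: List[Detection] = []
    for path, sig in found.items():
        dest = moved.get(path)
        mtime = mtimes.get(path)
        if not is_protected(path):
            verdict, why = "quarantine-ok", "outside protected OS/program locations"
        elif mtime is None:
            verdict, why = "possible-fp-report-only", "protected location, modification time unknown"
        elif scan_time - mtime <= recent:
            age = (scan_time - mtime).days
            verdict, why = "quarantine-ok", f"protected location but changed {age} day(s) before scan"
        else:
            age = (scan_time - mtime).days
            verdict, why = "possible-fp-report-only", f"protected location, unchanged for {age} days"
        out.append(Detection(path, sig, dest, verdict, why))
    return out


def restore_plan(detections: List[Detection]) -> Dict[str, str]:
    """Quarantine file -> original path, for possible-FP detections that
    ClamWin already moved (the files the first post needs put back)."""
    return {d.quarantined_as: d.path
            for d in detections
            if d.verdict == "possible-fp-report-only" and d.quarantined_as}


# Constructed sample: the three detections quoted in the thread plus two
# made-up lines (a recently changed file under WINDOWS, a user temp file).
Q = r"C:\Documents and Settings\All Users\.clamwin\quarantine"
SAMPLE_LOG = [
    r"C:\i386\CB32.EX_: Trojan.Waledac-389 FOUND",
    r"C:\i386\CB32.EX_: moved to '" + Q + r"\CB32.EX_.infected'",
    ".",
    r"C:\Program Files\NetMeeting\cb32.exe: Trojan.Waledac-389 FOUND",
    r"C:\Program Files\NetMeeting\cb32.exe: moved to '" + Q + r"\cb32.exe.infected'",
    r"C:\WINDOWS\system32\dllcache\cb32.exe: Trojan.Waledac-389 FOUND",
    r"C:\WINDOWS\system32\dllcache\cb32.exe: moved to '" + Q + r"\cb32.exe.infected.000'",
    r"C:\WINDOWS\Temp\fresh.exe: Example.Constructed-1 FOUND",
    r"C:\Documents and Settings\Owner\Local Settings\Temp\drop.tmp: Example.Constructed-1 FOUND",
]
SCAN_TIME = datetime(2009, 7, 17, 2, 0)   # constructed scan timestamp
SAMPLE_MTIMES = {                          # constructed; stands in for os.stat().st_mtime
    r"C:\i386\CB32.EX_": datetime(2004, 8, 4),
    r"C:\Program Files\NetMeeting\cb32.exe": datetime(2004, 8, 4),
    r"C:\WINDOWS\system32\dllcache\cb32.exe": datetime(2004, 8, 4),
    r"C:\WINDOWS\Temp\fresh.exe": datetime(2009, 7, 16),
    r"C:\Documents and Settings\Owner\Local Settings\Temp\drop.tmp": datetime(2009, 7, 16),
}

if __name__ == "__main__":
    results = triage(SAMPLE_LOG, SAMPLE_MTIMES, SCAN_TIME)
    for d in results:
        print(f"{d.verdict:24} {d.path}  ({d.signature}; {d.reason})")
    for src, dst in restore_plan(results).items():
        print(f"restore {src} -> {dst}")
```

The restore map only lists where each quarantined copy came from; putting a file back means copying it to that path without the .infected suffix, and the three cb32.exe detections above all come out as "possible FP, report only" because their modification times are years older than the scan, while the constructed recently changed file under WINDOWS is still left to quarantine.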
False positives
beededea


Joined: 20 Mar 2007
Posts: 0
Thanks for that information. I knew it in any case but it is good for others to know. With regard to disabling quarantine for Windows/Office detections (Report Them Only) or running a False Positive Assurance check against Windows/Office detections, this is a superb idea and it HAS to be implemented.

Quite frankly, until this is done I regard running Clamwin on any sort of Windows PC as a complete no-no and I would now really recommend against it. I am at this moment rebuilding ten of my clients' PCs, all of which have been trashed because of Clamwin's FP. One thing I have learnt is that you should not run the same a/v tool on all your PCs.

You are quite right, AVG is bloated and my machines run more slowly, but it is worth the pain of not having to repair 10 Windows PCs just because a file or two has been placed in quarantine.

I am quite shocked at the experience and my faith in Clamwin is completely lost. Maybe I was being naive but I expected more testing on the Windows environment. My machine is XP SP3. I should imagine a large number, perhaps a majority of the PCs in the world are running in that configuration. At the moment it makes no sense to let Clamwin anywhere near that huge chunk of machines.
other av scanners
beededea


Joined: 20 Mar 2007
Posts: 0
FYI - I am trying Avast and Comodo as alternatives to Clamwin