False positives becoming routine around here
voidxor (Joined: 01 Jan 2009, Posts: 0, Location: Lawrence, Kansas)
Posted: Sat May 02, 2009 9:28 pm
I manage the computers for a few small businesses around town. They either don't want to pay for antivirus software, or have too many computers for that to be practical. ClamWin has long been my standard antivirus scanner. I always set ClamWin to move files to quarantine, as reporting only does not disable the virus and only serves to scare users who wouldn't know how to deal with a virus. For businesses where I serve as the entire IT department, I also have ClamWin set to email me on detection. This setup has worked nicely for me for several years now.
The last few months have become problematic. The false positive rate has gone through the roof. Every couple of months, including this morning, ClamWin up and decides that one or more Windows XP system files are infected. It quarantines them and I wake up to find a couple dozen email alerts in my inbox. Windows would normally replace the file with its backup copy in the DLL cache, but ClamWin quarantined it too. It's at that point that Windows XP generates a message box about inserting the Windows XP SP3 CD (which we don't have, because the computers have been updated to SP3 and the original XP CDs don't have the newer, SP3 versions of the files) to copy the file. This message box scares users and must be canceled. A reboot will often cause a BSoD because system files are missing. Over the last six months, I've had this happen to msxml2.dll, user32.dll, wextract.exe this morning, and dozens of others.
Why aren't new updates to the virus signature database first tested on a fully-patched Windows XP SP3 system? Could you do the same for Windows 2000 and Windows Vista? This seems like an obvious step to prevent the majority of the false positive problems that ClamWin users have been having.
GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Sat May 02, 2009 10:42 pm
ClamWin uses the antivirus scanning engine and signature database provided by the Clam Antivirus project. Clam is essentially an antivirus program for use on email servers running the Linux operating system. ClamWin is another project unrelated to Clam that ports the Clam scanning engine over to Windows use and it is heavily dependent upon Clam. Clam is a fairly small operation as antivirus companies go, but ClamWin is even smaller--with only two part-time developers and volunteers for other tasks.
Every antivirus program has false positives. Sometimes you hear of some real doozies. Clam does have its share of false positives. Clam tests their signatures for false positives against "good" software before they are released. Unfortunately, they don't have enough Windows software to test against. Windows false positives are not a problem with their Linux email server primary user base. It is also unfortunate that Microsoft has to update their software so often. Finally, Clam would need to make some procedural changes and install more equipment to set up extensive testing of Windows programs for false positives.
The ClamWin developers are looking into the recent spate of false positives to see what can be done about it for its Windows user base. Hopefully something can be done to alleviate the problem.
Regards,
truecolor (Joined: 05 Jun 2009, Posts: 0)
Posted: Fri Jun 05, 2009 7:46 am
Many thanks to GuitarBob for such a useful post.
Happened again
voidxor (Joined: 01 Jan 2009, Posts: 0, Location: Lawrence, Kansas)
Posted: Sun Jul 19, 2009 7:12 pm
It's happened again. This is such a waste of my time as a system administrator that I'm about ready to buy the virus database maintainers a Windows XP SP3 machine against which to check definitions for false positives. Anyway, I got up this morning to find a bunch of these scan logs in my inbox (from ClamWin installations on my machines):
Scan Started Sun Jul 19 08:25:00 2009
-------------------------------------------------------------------------------
*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***
*** Scanned 20 processes - 325 modules ***
*** Computer Memory Scan Completed ***
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb: Permission denied
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb: Permission denied
C:\pagefile.sys: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\master.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\mastlog.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\model.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\modellog.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\tempdb.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\templog.ldf: Permission denied
C:\WINDOWS\ServicePackFiles\i386\userinit.exe: Trojan.Agent-119428 FOUND
C:\WINDOWS\system32\config\default: Permission denied
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\config\SECURITY: Permission denied
C:\WINDOWS\system32\config\software: Permission denied
C:\WINDOWS\system32\config\system: Permission denied
C:\WINDOWS\system32\userinit.exe: Trojan.Agent-119428 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 596476
Engine version: 0.95.1
Scanned directories: 3404
Scanned files: 31647
Infected files: 2
Data scanned: 7677.05 MB
Data read: 5778.75 MB (ratio 1.33:1)
Time: 4687.099 sec (78 m 7 s)
I am in the same boat...
innovate2000 (Joined: 20 Jul 2009, Posts: 0)
Posted: Mon Jul 20, 2009 3:00 pm
except one of my machines fails to log on - it immediately logs off when a logon is attempted. ClamWin should have an option to eliminate folders from scanning - that would help with this specific issue anyway - can anyone offer suggestions on what I might try?
I've done a repair already - and none of the safe mode options work either.
All suggestions appreciated.
GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Mon Jul 20, 2009 3:26 pm
ClamWin does have the ability to eliminate folders/files from its scans. It's in the Configuration, Filters, Exclude Matching Filenames section. Here are a couple of items I have excluded:
File - C:\ProgramData\.clamwin\quarantine\*
Folder - C:\Malware\*
See Keith's post (Keith064) of today in the Virus Scanner forum. It tells what he did using Recovery Console.
Regards,
Thanks GuitarBob!
innovate2000 (Joined: 20 Jul 2009, Posts: 0)
Posted: Mon Jul 20, 2009 4:54 pm
I will look at those posts. I will also use your suggestion for eliminating those items. Are there other files/folders (understanding that there is no liability to you) that you might suggest I exclude?
Thanks.
innovate2000 (Joined: 20 Jul 2009, Posts: 0)
Posted: Mon Jul 20, 2009 5:19 pm
GuitarBob - I went to the Virus Scanner Forum and cannot seem to find the posts you suggest. Additionally I cannot find Keith064 to find his posts of today. Is there something I am doing wrong?
innovate2000 (Joined: 20 Jul 2009, Posts: 0)
Posted: Mon Jul 20, 2009 5:38 pm
Found it (the author was showing as ooounohu).
innovate2000 (Joined: 20 Jul 2009, Posts: 0)
Posted: Mon Jul 20, 2009 6:17 pm
GuitarBob - Thanks for the info about the filter functionality - I didn't know I could add full paths (perhaps a note there would be helpful). If my filespec has spaces in it, should I enclose the path in quotes?
GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Mon Jul 20, 2009 6:55 pm
I'm not sure, but I don't think you need to enclose a path with a space in quotes. Try it with a test copy of something like that on your desktop and see if it's okay.
Regards,
innovate2000 (Joined: 20 Jul 2009, Posts: 0)
Posted: Mon Jul 20, 2009 10:27 pm
Thanks for all of your help!
This one was biting me too.
lincsilk (Joined: 21 Jul 2009, Posts: 0, Location: Nanaimo, BC, Canada)
Posted: Tue Jul 21, 2009 3:52 pm
Thank you for the above thread. This addressed my question and provided the answer. I was losing my userinit.exe and excel.exe files as infected (which they weren't). I'll head over to clamav and see if I can contribute to their definitions.
Happened again
voidxor (Joined: 01 Jan 2009, Posts: 0, Location: Lawrence, Kansas)
Posted: Fri Jul 31, 2009 5:53 am
It happened again. I'm really getting tired of seeing hundreds of these false positive detection reports in my inbox per month.
Scan Started Sat Jul 25 08:25:00 2009
-------------------------------------------------------------------------------
*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***
*** Scanned 20 processes - 320 modules ***
*** Computer Memory Scan Completed ***
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb: Permission denied
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb: Permission denied
C:\pagefile.sys: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\master.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\mastlog.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\model.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\modellog.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\tempdb.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\templog.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\upswsdb.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\upswsdb.mdf: Permission denied
C:\WINDOWS\notepad.exe: Trojan.Zbot-5074 FOUND
C:\WINDOWS\ServicePackFiles\i386\notepad.exe: Trojan.Zbot-5074 FOUND
C:\WINDOWS\system32\config\default: Permission denied
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\config\SECURITY: Permission denied
C:\WINDOWS\system32\config\software: Permission denied
C:\WINDOWS\system32\config\system: Permission denied
C:\WINDOWS\system32\dllcache\notepad.exe: Trojan.Zbot-5074 FOUND
C:\WINDOWS\system32\notepad.exe: Trojan.Zbot-5074 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 603148
Engine version: 0.95.1
Scanned directories: 3405
Scanned files: 32307
Infected files: 4
Data scanned: 7765.57 MB
Data read: 5846.05 MB (ratio 1.33:1)
Time: 4822.734 sec (80 m 22 s)
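As an added example (not code from the thread or from the ClamWin project), a small Python triage script for the two scan logs voidxor posted: it groups the FOUND lines by signature and flags a signature as a likely false positive when the same file is detected both in its live location and in the Windows File Protection backup copies (system32\dllcache and ServicePackFiles\i386), which is the pattern both logs show. The sample log lines are constructed in the same format; the a1.tmp line and its "Trojan.Agent-Example" signature are made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample lines, in the format of the ClamWin scan logs quoted in the thread.
# The a1.tmp line and its "Trojan.Agent-Example" signature name are made up for contrast.
SAMPLE_LOG = """\
C:\\WINDOWS\\notepad.exe: Trojan.Zbot-5074 FOUND
C:\\WINDOWS\\ServicePackFiles\\i386\\notepad.exe: Trojan.Zbot-5074 FOUND
C:\\WINDOWS\\system32\\config\\SAM: Permission denied
C:\\WINDOWS\\system32\\dllcache\\notepad.exe: Trojan.Zbot-5074 FOUND
C:\\WINDOWS\\system32\\notepad.exe: Trojan.Zbot-5074 FOUND
C:\\Documents and Settings\\bob\\Local Settings\\Temp\\a1.tmp: Trojan.Agent-Example FOUND
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Windows File Protection keeps pristine copies of system files in these directories.
# Malware that replaces a live system file does not normally rewrite the protected
# backups too, so one signature hitting the live file AND its backup copies is far more
# likely a bad signature than an infection: report it upstream instead of quarantining.
BACKUP_DIRS = ("\\system32\\dllcache\\", "\\servicepackfiles\\i386\\")


def parse_detections(log_text):
    """Return {signature: {basename: [paths]}} built from the FOUND lines only."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            path = m.group("path")
            basename = path.rsplit("\\", 1)[-1].lower()
            hits[m.group("sig")][basename].append(path)
    return hits


def triage(log_text):
    """Map each signature to ('likely_false_positive' | 'review', reason)."""
    verdicts = {}
    for sig, files in parse_detections(log_text).items():
        verdicts[sig] = ("review", "no Windows File Protection backup copy involved")
        for basename, paths in files.items():
            lower = [p.lower() for p in paths]
            in_backup = any(d in p for p in lower for d in BACKUP_DIRS)
            in_live = any(all(d not in p for d in BACKUP_DIRS) for p in lower)
            if in_backup and in_live:
                verdicts[sig] = ("likely_false_positive",
                                 f"{basename} hit in live and backup copies ({len(paths)} paths)")
                break
    return verdicts
```

Running `triage()` over the text of an emailed scan log (rather than `SAMPLE_LOG`) gives one verdict per signature, so the system-file hits can be pulled aside for a sample submission to the signature maintainers instead of being quarantined blindly.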
alch, Site Admin (Joined: 27 Nov 2005, Posts: 0)
Posted: Fri Jul 31, 2009 1:37 pm
Could you please zip notepad.exe with password "clamwin" and email it to clamwin at clamwin dot com?
Thanks,
Alch