|
M.McCormack
| Joined: 06 Sep 2009 |
| Posts: 0 |
| Location: NY |
|
|
 Posted: Sun Sep 06, 2009 8:21 pm |
|
 |
 |
|
|
Clamwin found this virus: tmp.edb:worm.autorun-1899. It doesn't show up in any other scan. How can I remove it? Thank you.
|
|
|
|
GuitarBob
| Joined: 09 Jul 2006 |
| Posts: 9 |
| Location: USA |
|
|
| Posted: Sun Sep 06, 2009 9:27 pm |
|
|
|
|
|
I like to verify something is a real infection (not a "false positive" detection) before removing it. ClamWin comes with a default action for infected files of Report Only, but you can change it to Quarantine or Remove. If you are sure something is a virus, you can temporarily change the default for infected files to Quarantine or Remove, scan the infected file or its directory, and then change the default back to Report Only. You can also just manually delete the infected file.
To verify if something is a real infection, upload it to Jotti at https://virusscan.jotti.org/en on the web or to VirusTotal at https://www.virustotal.com/ on the web. Either service will scan files (one at a time) for free with multiple antiviruses, including Clam AV (which furnishes the scanning engine and signature database for ClamWin). If more than a few AVs (I like to see at least 5) find a file is infected, it probably is a real infection.
If a file turns out to be a false positive detection, go to the Clam AV submission page at https://www.clamav.net/sendvirus/ on the web. When you get to the uploat page, upload the file that is falsely detected, indicate that it is a false positive, tell them the exact name of the false positive, and tell in the comments section why you think it is a false positive. Clam will correct their signature in a day or so. You will also be helping ClamWin to be a better product!
Regards,
|
|
|
|
M.McCormack
| Joined: 06 Sep 2009 |
| Posts: 0 |
| Location: NY |
|
|
| Posted: Sun Sep 06, 2009 10:27 pm |
|
|
|
|
|
Thank you for that link. It only showed as being a virus on Clamwin.
|
|
|
|
GuitarBob
| Joined: 09 Jul 2006 |
| Posts: 9 |
| Location: USA |
|
|
| Posted: Mon Sep 07, 2009 2:25 am |
|
|
|
|
|
It is probably a false positive then. Please upload it to Clam AV so they can fix it for Clam and ClamWin. This happens sometimes, and that's why you should use Report Only as your infected files option. If it was an important Windows system file with a false positive and you had the option set to Quarantine or Remove, either way you would lose access to your system. It happened to me once and I use Report Only now and verify with Jotti/VirusTotal before I do anything.
Regards,
|
|
|
|
M.McCormack
| Joined: 06 Sep 2009 |
| Posts: 0 |
| Location: NY |
|
|
| Posted: Mon Sep 07, 2009 1:28 pm |
|
|
|
|
|
Again, thank you - that's a great link and I appreciate the advice.
|
|
|
