Hello,

I recently installed ClamWin on a co-worker's computer. On running the first scan, Clamwin quarantined 3 files: agentsvr.exe, MYCD.BAT, and PopTray.exe (we've been using this clean program for a long time). None of these files have been modified in years, and MYCD.BAT came with the computer when it was new.

I suspect the false positives may be related to a definition update, because I've been running ClamWin on my computer for several months and this hasn't happened to me. (My computer is almost identical to the one I'm asking about.)

How can I get ClamWin to restore these files to their original locations?

ClamWin is not able to restore any quarantined files. You will have to look at the scan log to see if you can identify the folder on your computer where the file came from and manually copy it to the folder. If that fails, you may be able to do a search on the web for the filename and see if you can find out where it is located. You will have to rename the file to delete the "infected" tag from the name. You should also exclude the filename.extension from ClamWin's scans for a while (give them some time to correct the false positive you are going to submit--below) via the Configuration, Filters, Exclude option. Finally, submit each file (one at a time) to Clam AV at https://www.clamav.net/lang/en/sendvirus/ on the web. When you get to the submission page, be sure to check that it is a False Positive. In the comments section, give the exact name of the false positive virus and tell why you think it is a false positive. You will be doing other ClamWin users a favor!

Regards,

Thanks, GuitarBob. The files have been restored, and 2 of the 3 have been submitted. I'll send along the 3rd file on Monday (per site instructions to submit no more than 2 files per day).

Yes, I forgot about the Clam submission limit. They process all samples manually--not automated like the large AV companies, and they don't want just a few users submitting the bulk of samples. Clam is still used primarily by Linux email servers, so I like to see more submissions from ClamWin users. The viruses are mostly Windows viruses, but I think the "mix" is different depending upon the type of submitter. It's the difference between email stuff and "real world" stuff.

If you use the ClamSentinel real-time front end to ClamWin, it is much easier to get to the Quarantine files--just right click on the Sentinel badge in the system tray and select Quarantine and you are there. Additionally, Sentinel has a message log and a realtime log to identify what's been going on and where on your computer.

Regards,