ClamWin Free Antivirus - Support and Discussion Forums
Major Problem with False Positives
rschum


Joined: 12 Feb 2010
Posts: 0
After updating virus definitions this evening, ClamWin reported 4 resident memory viruses found, and on a regular scan, found 202 infected files. After testing about 10 files (on https://virusscan.jotti.org/) it looks like they may all be false positives since ClamWin is the only engine that finds anything. I am surprised that I don't see any other posts regarding this problem. The virus that is being reported is Worm.Palevo-9668 - is this a known issue? How soon do you expect it to be fixed?
puppetj


Joined: 26 Aug 2010
Posts: 0
Yup, same thing is happening to me. I'm running Windows Storage Server 2008 SP2; I hardly did anything on this machine, then updated and got ClamWin's detections. Please let me know.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
This signature for a version of the Palevo worm has been reported to Clam. I found 8 of my files were affected. This was due to a signature prepared late on Wednesday (Europe), and it will probably be corrected on Thursday. It's still a good policy to set ClamWin's infected files option to Report Only--not to Quarantine.

Regards,
br0ken85


Joined: 26 Aug 2010
Posts: 0
I use ClamAV for Linux (because I have an SMB share that acts as a file server for Windows files) and I looked at the output of last night's scan and there are at least 50 files marked as positive for Worm.Palevo-9668. Good thing it only reports and doesn't delete/quarantine/etc. Glad to see this is a false alarm. Does anyone know when Clam will be releasing updated definitions?
I'm a dead man if I can't undo this...
jmatters


Joined: 26 Aug 2010
Posts: 0
Location: NC
I installed ClamWin YESTERDAY for the first time ever to deal with a ruined Symantec Corp edition. This is the FIRST SCAN I have ever run with this product and it has just about put me out of business. I have about 600 instances of Worm.Palevo-9668 FOUND and since I accepted all the default settings for the install, all these files are moved.

Can anyone tell me how to restore these files, or do I need to restore the prior day's back-up, and deal with the bad Symantec issue all over again?

Thanks,
Jim

No answers after a few hours, so I'm restoring a back-up.
Massive false positives reporting Palevo worm infections
jodifu


Joined: 12 Feb 2010
Posts: 0
Location: Europe
You're not the only ones. I also got around 80 infections reported last night, all of them sent (as per default) to quarantine. This is gonna be a nasty restore session for the next hour or so... Ok, lesson learned.

Given the latest increase in false positives, I'm also turning off the quarantine and going for report only... An "Undo" option would be fine, but hey, this tool's generally working fine for free :)

J

p.s. As I already stated here in this forum about false positive incidents earlier, once again there is a significantly high portion (say 75%) of false positives in installer files (msi, cab, ??_, zip etc.)...
carracer


Joined: 26 Aug 2010
Posts: 0
So am I to understand this is a false positive and the palevo virus doesn't really exist?

If that is the case how do I restore all the files quarantined?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
There is a Worm.Palevo virus--lots of them. This was a signature for one of them that contained some code that is also used by some "good" software.

ClamWin has about the same rate of false positives as any antivirus (they happen sometimes), so a false detection of a few files is not really something major--although it is to the user.

To restore the files, see if you can find anything in the ClamWin scan logs that will tell you where the files were quarantined from. You will probably only have a scan summary unless you chose to get a detailed report at the time of the original detection--might be a good idea from now on.

If that fails, I suggest you search on the web for the filenames involved and see if you can find in what directory they belong. Also, if you have a friend with a similar computer/similar program(s), you might see if you can identify the file location(s) there.

Just set ClamWin's infected files option to Report only from now on.

Regards,
tin


Joined: 17 Dec 2009
Posts: 0
Location: NSW, Australia
This one hit me hard too. It triggered a series of events that ended with me having to leave my main job, drive 50km, and resurrect some important files at my second job.

I'm just sitting down now to run through the full list of files it moved so I can return any others that have gone missing. I believe I had about 200 moved, so it's going to take a while.
I'm thinking it may actually be quicker to knock up a script to convert my log of what was moved into a script that moves everything back... if you follow what that means.
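A sketch of the log-to-restore-script idea described above, added here as an example; it is not code from the thread or from ClamWin itself. It parses clamscan-format "FOUND" lines, keeps only hits from the one signature known to be a false positive (so real detections are not put back), maps each quarantined ".infected" file to its original path, and flags base names that appear more than once for manual review. The quarantine folder, the ".infected" naming convention and every sample path are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in clamscan's "<path>: <signature> FOUND" log format, which
# ClamWin's scan log uses; every path here is made up for this example.
SAMPLE_LOG = """\
C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE: Worm.Palevo-9668 FOUND
C:\\Program Files\\Microsoft Office\\Office12\\excelcnv.exe: Worm.Palevo-9668 FOUND
C:\\Windows\\Installer\\3415a62.msp: Worm.Palevo-9668 FOUND
C:\\Users\\jim\\Downloads\\setup.exe: Worm.Palevo-9668 FOUND
C:\\Users\\jim\\Downloads\\old\\setup.exe: Worm.Palevo-9668 FOUND
C:\\Users\\jim\\Downloads\\eicar.com: Eicar-Test-Signature FOUND
C:\\Program Files\\LogMeIn\\LogMeIn.exe: OK
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def parse_detections(log_text):
    """Return (path, signature) for each FOUND line; OK lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def restore_plan(log_text, quarantine_dir, signature, suffix=".infected"):
    """Map quarantined files hit by one false-positive signature back to their
    original paths. Assumption (not checked against ClamWin's source): the
    quarantined copy is quarantine_dir\\<basename><suffix>, as the '.infected'
    names in the thread suggest. Other signatures are left alone; base names
    seen more than once are returned as ambiguous for manual review."""
    by_name = {}
    for path, sig in parse_detections(log_text):
        if sig != signature:
            continue  # a real detection, or a different FP: do not touch it
        by_name.setdefault(PureWindowsPath(path).name, []).append(path)
    restore, ambiguous = [], []
    for name, paths in by_name.items():
        src = str(PureWindowsPath(quarantine_dir) / (name + suffix))
        if len(paths) == 1:
            restore.append((src, paths[0]))
        else:
            ambiguous.append((src, paths))
    return restore, ambiguous

def restore_commands(restore):
    """Render cmd.exe 'move' lines for review; nothing is executed here."""
    return ['move "%s" "%s"' % (src, dst) for src, dst in restore]
```

Review the generated move lines and resolve the ambiguous entries by hand before running anything; a quarantined name that came from two directories cannot be restored automatically.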
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You have your work cut out for you! There's really no way to completely eliminate false positives. One thing...the Clam Sentinel Project (unrelated to ClamWin) adds a basic real-time monitor to ClamWin. It includes real-time and message logs that really identify any real-time detections as to locality. It doesn't do anything, however, on detection via ClamWin scheduled scans.

Regards,
How's this for false positives...
KCKev


Joined: 03 Sep 2010
Posts: 0
Location: Kansas City
It shut down LogMeIn, the QuickBooks DB server, and the backup software.

----------- SCAN SUMMARY -----------
Known viruses: 819246
Engine version: 0.96.1
Scanned directories: 11091
Scanned files: 128775
Infected files: 450
Not copied: 90
Data scanned: 43090.62 MB
Data read: 73475.20 MB (ratio 0.59:1)
Time: 12547.566 sec (209 m 7 s)
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You can configure ClamWin to send you an email warning when something is detected. Perhaps this would be better in your situation than removing or quarantining it. You should not normally be getting 450 real viruses in the same scan. Protection for Windows folder files was added a couple of ClamWin updates ago (for Vista/Windows 7).

Regards,
W32.Virut.Gen.D-163 FOUND
gzimmerer


Joined: 17 Oct 2010
Posts: 0
Location: Houston
This is simply devastating, it completely destroys MS Office Excel.
I have always valued my decision to use ClamWin and trusted the developers of this product.
Why is there not a restore function which would be so simple to program.... what a shame.


Here are the symptoms:
Open MS excel and receive error messages as follows:

Windows installer
Preparing to install

Problem with Shortcut
This patch package could not be opened. Verify that the patch package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer patch package.

Turns out that ClamWin had falsely identified the following as infected...
EXCEL.EXE.infected
excelcnv.exe.infected
3415a62.msp.infected
excel.cab.infected
3415a37.msp.infected
xlconv.cab.infected
Regards,

gzimmerer
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
ClamWin comes with an infected files default of Report Only. The user is the one who chooses the alternate options to Remove or Quarantine. If you have been looking at ClamWin forum posts for the last three years, I am sure you have seen some recommendations to use the default and even seen the sad stories of those who changed the default.

The ClamWin developers have added false positive protection for Windows system files for Vista and Windows 7 users. It is my hope they will soon be able to do that for XP and older computers. They have been furnished with some information/sample code that might help. If possible, they should also extend false positive protection to Microsoft Office files, which are probably digitally-signed by Microsoft just like the system files.

The only way a false positive can be "fixed" is to report it to Clam AV (Clam furnishes the virus signatures and scanning engine for ClamWin), starting at https://www.clamav.net/lang/en/sendvirus/ on the web. Be sure to indicate that it is a false positive and give the exact name of the falsely-detected virus in the Comments section. Scan your quarantined files to get the name(s). If you have the same false positive for more than one file, you only need to submit one of the files to Clam. It may take a couple of days for Clam to act, so until the false positive is corrected by Clam AV, you should exclude the affected file(s) from ClamWin's scans.

Regards,
Re: W32.Virut.Gen.D-163 FOUND
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
gzimmerer wrote:
This is simply devastating, it completely destroys MS Office Excel.
[...]

Could you please upload the false positives to rapidshare.com and send me the link?