NoBox
Joined: 29 Dec 2008
Posts: 0
Posted: Thu Nov 11, 2010 9:45 pm
First off: I've tried and failed to send you the affected files. Even though I only try to send one file, the screen keeps claiming I've already sent my two for the day. Probably something lost in communication.
I'm not sure how to get into ESET's Quarantine file on my Windows XP machine and they won't let me copy the log. But, routinely ESET quarantines files as malware. The specific files vary but the current batch are:
>a variant of Win32/Conficker.Y-worm
>a second instance of the variant of Win43/Conficker.Y.worm
>two instances of "an unknown Script Virus"
? Are these for real? Is ClamWin being used as a conduit for these?
? If you want the actual files as quarantined by ESET please someone send instructions.
? Or, is this a case of ESET's programmers not being able to differentiate between malware and clamwin?
If I unquarantine the files neither ClamWin nor Malware Bytes detects them as malware.
If they are part of ClamWin it doesn't seem to know they are missing because there are no error messages when I run ClamWin.
What is happening?
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Nov 12, 2010 1:48 am
Files sent to Virus Total for scanning will be passed on to ClamWin and the other AVs that are used by Virus Total--both false positives and undetected viruses. So that is another way to get something to Clam if you cannot submit it directly.
I have not used Eset NOD32 in quite a while, but I believe it enables the user to visit/inspect its quarantine folder. Most AVs will allow this. What files is Eset quarantining regularly? Are they ClamWin program files? If ClamWin runs with the files in quarantine, they are not ClamWin program files. Eset is usually very low on false positives, so its detections will usually stand up as real infections. Here's what may be happening--when Eset scans in real-time during a ClamWin scan, it could be that it is picking up some of the ClamWin signatures that are processed in temp files created during ClamWin scans. See if you can exclude ClamWin's quarantine folder and its signature database folder from Eset's scans and see if that solves the problem. You should probably also exclude Eset's quarantine folder and signature folder from ClamWin's scans as well. AV programs can have common signatures, and the signatures may be detected as a virus in a temp scanning file, as I mentioned above.
Regards,
NoBox
Joined: 29 Dec 2008
Posts: 0
Posted: Fri Nov 12, 2010 3:49 am
Thanks for the explanation. From what little I know it makes sense.
Now I need to find the ClamAV temp directory to put in the ESET exclusions.
Since ClamWin doesn't do real-time scanning, the reverse, but with ClamWin, hasn't happened.
Any comments on why I get locked out when trying to submit something for analysis? I use the form on the web page. As I said originally, I put the single file in the form. The response from the web is that I can't submit because I'm limited to two per day, even though I've submitted none.
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Nov 12, 2010 1:08 pm
I think the ClamWin temp files may be created in several directories, or they are in a directory that has other files as well. So it may be best to just exclude the temp files themselves--files that have an extension of .clamtmp. Perhaps you can exclude them by calling them *.clamtmp.
I don't know why the Clam submission form locks you out. Try a Disk Clean up (one of the Windows accessory utilities under system tools) and see if that helps. If it does not help, report the problem to Clam--Luca Gibelli would be the person to notify.
Regards,
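The two posts above come down to a triage question for the defender: when a second AV flags something in ClamWin's working files, is the quarantined object a ClamWin temp file (the `*.clamtmp` pattern GuitarBob suggests excluding), a fragment of plain-text ClamAV signature data that another scanner matched on, or something that genuinely needs a look? The script below is an added example written for this thread, not code from ClamWin, ClamAV or ESET. It assumes the two documented plain-text ClamAV signature formats (`.hdb` lines of `md5:size:name` and `.ndb` lines of `name:target:offset:hexsig`, with only the common offset forms handled), that quarantined files have already been exported to disk for inspection, and the sample inputs are constructed.

```python
"""Triage helper: classify a file that a second AV pulled out of ClamWin's working set.

Added example for this thread; not part of ClamWin, ClamAV or ESET.
Signature-format knowledge is limited to the plain-text .hdb and .ndb
line layouts; compressed .cvd/.cld databases are not parsed here.
"""
import fnmatch
import re
from pathlib import PureWindowsPath

# ClamAV .hdb line: <md5 hex>:<file size>:<signature name>
HDB_LINE = re.compile(r"^[0-9a-fA-F]{32}:\d+:[^:\s]+$")

# ClamAV .ndb line: <name>:<target type>:<offset>:<hex signature with wildcards>
# Offsets handled here (assumption: a subset): '*', an integer, or 'EOF-n'.
NDB_LINE = re.compile(
    r"^[^:\s]+:\d+:(\*|\d+|EOF-\d+):[0-9a-fA-F?*{}\[\]\-()|]+$"
)

CLAMWIN_TEMP_PATTERN = "*.clamtmp"


def is_clamwin_temp(path: str) -> bool:
    """True if the file name matches ClamWin's temp-file extension (Windows path)."""
    return fnmatch.fnmatch(PureWindowsPath(path).name.lower(), CLAMWIN_TEMP_PATTERN)


def looks_like_signature_db(data: bytes, min_ratio: float = 0.8) -> bool:
    """True if at least min_ratio of the non-comment lines are .hdb/.ndb records.

    A binary (non-ASCII) file can never be a plain-text signature fragment.
    """
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines:
        return False
    hits = sum(1 for ln in lines if HDB_LINE.match(ln) or NDB_LINE.match(ln))
    return hits / len(lines) >= min_ratio


def triage(path: str, data: bytes) -> str:
    """Return one of: 'clamwin-temp', 'signature-fragment', 'needs-review'."""
    if is_clamwin_temp(path):
        return "clamwin-temp"
    if looks_like_signature_db(data):
        return "signature-fragment"
    return "needs-review"


# Constructed sample inputs (not real quarantine contents).
SAMPLE_SIG_FRAGMENT = (
    b"# constructed ClamAV-style records\n"
    b"Example.Test.Sig-1:1:*:4d5a90000300000004000000ffff0000\n"
    b"0123456789abcdef0123456789abcdef:1024:Example.Test.Hash-1\n"
    b"Example.Test.Sig-2:0:EOF-16:deadbeef{2-8}cafe??\n"
)
SAMPLE_BINARY = b"MZ\x90\x00\x03\x00\x00\x00"  # not ASCII text: never a signature fragment


def demo() -> dict:
    """Run triage over the constructed samples; returns path -> verdict."""
    cases = {
        r"C:\Documents and Settings\user\Local Settings\Temp\scan01.clamtmp": b"",
        r"C:\quarantine\export\daily.ndb.part": SAMPLE_SIG_FRAGMENT,
        r"C:\quarantine\export\unknown.bin": SAMPLE_BINARY,
    }
    return {p: triage(p, d) for p, d in cases.items()}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:18s} {path}")
```

The point of the 80% threshold is that a fragment of a signature database will be almost entirely well-formed records, while an arbitrary text file almost never is; anything that falls into `needs-review` is exactly the case where submitting the sample for analysis, as the first post tried to do, is the right next step.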
NoBox
Joined: 29 Dec 2008
Posts: 0
Posted: Fri Nov 12, 2010 7:36 pm
Thanks for the suggestions. It helps me better understand what is happening.
Or, the easy way, I think, is just to let ESET quarantine the tmp files and then remove them from ESET's quarantine folder. In ESET there is an option to either Restore or Remove quarantined files.
I routinely use CCleaner and Disk Cleanup so I don't know what is happening regarding file submission. This isn't a new problem as it has happened before. But, I so seldom want to submit a file it really isn't a significant issue to me. If it is to him I'm sure he has heard it from others and will respond.