| I got screwed by clamwin |
|
GuitarBob
|
All antivirus programs have a false positive now and then--sooner or later, you will encounter this no matter which one you use.

On the sigmaker side, it is sometimes not easy to get a good signature for a virus. Viruses can use the same coding, packers and techniques used by "good" programs. On the networking/server side, it seems to me that a professional server-guy should have a backup/restore program in place to keep the system operating when the inevitable happens. In addition, ClamWin is still beta software (see--the current version is less than 1.0--it is .96.4, which is a pretty good indication of beta), and a professional should not use beta software in a production environment. On the ClamWin side, the developers will learn from this incident, and it will ultimately help to improve ClamWin.

Regards,
| Re: Hows this for false positives... |
|
hubbabubba
|
ClamWin is at 0.96.4 KCKev...
| Please, provide an AUTOMATIC FIX to this issue!!! |
|
tcucinotta
|
Hi there,
I'm just seeing 11818 files in the ClamWin quarantine folder of a laptop that is now simply useless for the upcoming Monday working day!! I'm completely surprised that the developers thought to suggest (looking at various posts in this forum) to:

-) recover manually the files, checking the logs for the original locations
-) use the QRestore utility, which is not advertised anywhere on the website (I'm not even sure about which one is the latest version -- is it 1.1 ?)
-) set ClamWin into "report-only" mode, instead of quarantining -- I would have suggested to uninstall the tool, instead!

Now some constructive ideas and suggestions:

1) advertise this on the front-page of the ClamWin website as a major issue that has potentially affected ALL THE USERS!!
2) SUGGEST TO ALL USERS TO REINSTALL CLAMWIN from a clean new download from your website. On this PC, ClamWin quarantined its own executable as well, letting it become unusable!!!
3) provide clear pointers to a receipt for fixing the problem
4) consider that NOT ALL USERS are ICT-experts, so you must consider also how to deal with them
5) PROVIDE AN AUTOMATIC PROCEDURE AS PART OF THE NEXT CLAMWIN UPDATE, to be released ASAP (now!!!!); The recovery procedure is relatively simple to build:
   a) scan all the log files present on the system, and build a map of the quarantined file paths, along with the original location
   b) scan all the quarantine folder files, rescan them with the new version/virus-db which does not have the problem, and, if the file is not infected, then restore it into its original location, possibly asking the user to confirm the action

I hope the developers do something to address this in a professional way. And, IMHO, trying to blame users of ClamWin because they didn't properly backup their systems, is NOT a professional way of dealing with the issue. My 2 cents.

Tommaso
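The two-step recovery outlined in the post above (build a map from the logs, then rescan and restore only files that come back clean), as an added example that is not ClamWin's or QRestore's code. The `moved to` log line shape, the function names and the pluggable `is_clean` scanner are assumptions; quarantined files with no log entry are reported rather than restored.

```python
import re
import shutil
import subprocess
from pathlib import Path

# Assumed log line shape (clamscan-style "moved to" entries); adjust to the real log.
MOVED_RE = re.compile(r"^(?P<orig>.+?): moved to '(?P<dest>.+)'\s*$")

def build_restore_map(log_texts):
    """Step (a): map quarantined file name -> original full path."""
    mapping = {}
    for text in log_texts:
        for line in text.splitlines():
            m = MOVED_RE.match(line)
            if m:
                # Key on the quarantined name (last component, either separator).
                name = re.split(r"[\\/]", m.group("dest"))[-1]
                mapping[name] = m.group("orig")
    return mapping

def clamscan_is_clean(path):
    """Rescan with the updated database; clamscan exits 0 when nothing is found."""
    result = subprocess.run(["clamscan", "--no-summary", str(path)],
                            capture_output=True)
    return result.returncode == 0

def plan_restore(quarantine_dir, mapping, is_clean=clamscan_is_clean):
    """Step (b): classify every quarantined file without moving anything."""
    plan = {"restore": [], "still_detected": [], "no_log_entry": []}
    for f in sorted(Path(quarantine_dir).iterdir()):
        if not f.is_file():
            continue
        if f.name not in mapping:
            plan["no_log_entry"].append(f.name)   # origin unknown: never guess
        elif is_clean(f):
            plan["restore"].append((f, mapping[f.name]))
        else:
            plan["still_detected"].append(f.name)
    return plan

def apply_restore(plan, confirm=lambda src, dst: True):
    """Move clean files back; skip if the target exists or the user declines."""
    restored = []
    for src, dst in plan["restore"]:
        dst = Path(dst)
        if dst.exists() or not confirm(src, dst):
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        restored.append(str(dst))
    return restored
```

Reviewing the `no_log_entry` and `still_detected` lists before calling `apply_restore` shows how much of the quarantine cannot be recovered automatically.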
| Re: Please, provide an AUTOMATIC FIX to this issue!!! |
|
alch
Site Admin
|
We are sorry to hear that.
The problem was promptly fixed and after the virus database update from 19th it is no longer affected.
The problem was rectified a few hours after it was discovered via a database update. Furthermore we issued a software update notification that pops up when clamwin is running alerting users to the issue and prompting them to upgrade.
That is what QRestore does - you locate the log file using the instructions and the tool does the rest.
No one is blaming the users, you have got the wrong impression. Although there is no doubt a backup is an essential component for running a dependable server, no software should delete files, but it happened. We tried to help as many users as we can by personally processing the logs and remote assistance with VNC etc. We managed to save quite a few, but in some cases the logs just weren't there. We will improve the quarantine in the next release (soon) so that log files are no longer required.
|
|
MichaelCaditz
|
Clamwin version prior to 0.96.4 destroyed my Windows Server 2003. I had a web server running and ClamWin quarantined hundreds of system files, especially ASP.net files. I've been running ClamWin for many months with auto-quarantine and never had a problem until now. It was actually quicker to completely re-install the OS and rebuild the server than to figure out where each one of those files went and manually move each one back.
Then today, I spent 2 hours at a client's office because the ClamWin I trustingly put on his computer wiped out Mozilla Thunderbird, Microsoft Excel, and Adobe Photoshop Elements. It even quarantined SpyBot. Something went haywire with ClamWin and I don't believe claims that it was within the normal range of false positives.
|
alch
Site Admin
|
I am sorry to hear about the problems. It was certainly not a "normal" false positive. There was a bug in 0.96.2 in the signature processing which applied the signature incorrectly to all executables instead of just icon files. The bug affected both Windows and unix versions, although it was much less of a problem for Unix as there are no Windows executables there.

The database is maintained by the ClamAV team (unix based scanning engine) and they test it for false positives with the current version which was 0.96.4, but we had our 0.96.4 release in beta-testing and it had not yet been released. Therefore this bug affected ClamWin userbase which were still on 0.96.2 at the time.

When we were alerted to the problem we notified ClamAV team and they removed the signature from the database promptly so the virus database update fixed the problem but it still affected some of our users. We also immediately pushed the 0.96.4 update and developed QRestore utility to copy the quarantined files back from the log files (see https://forums.clamwin.com/viewtopic.php?t=3096 ) and spent considerable amount of time trying to help affected users.

I think we did all we possibly could after the event to minimise and remedy the damage and we are deeply sorry for those "killed" machines we could not help to restore. We will include measures to facilitate easier quarantine recovery in the next release which is not far away.
|
MichaelCaditz
|
I read the other threads and I understand that the team released a bad version for a short time, but it was long enough to cause lots of broken machines around the world. I've recovered with less downtime, hair-pulling, and lost time and money than some of the other users. I accept the apologies and I understand these things can happen. I trust the dev team will be more careful in the future and I will continue to use ClamWin in "Report Only" mode until my trust is regained . . . a restore function would go a long way . . .
| Re: Please, provide an AUTOMATIC FIX to this issue!!! |
|
tcucinotta
|
Unfortunately, I just realized it was not so simple to recover the system. For what it matters, here are a couple of issues I noticed:

A) ClamWin repeatedly finds again the files it had put in the quarantine folder at every scan (or, at least, it used to behave so one year ago or so). This used to push users towards deleting periodically the quarantined files, in order to avoid the continuous false alerts

B) The log file didn't include at all the 11818 files I had in the quarantine folder, but ONLY A FEW TENS OF THEM, so I'm actually left with a system in which I don't know how many applications or system components have been compromised, and I see no better option than reinstalling the OS from scratch, if I want to be sure (I cannot lookup all the 11818 file names over the Internet in order to understand what used to be their prior location).

Anyway, thanks for the prompt answer.
| Re: Please, provide an AUTOMATIC FIX to this issue!!! |
|
alch
Site Admin
|
That could be a good sign - it is likely that the temporary log file is still in the TEMP folder. Did you check for files looking like these:

XP: C:\Documents and Settings\user\Local Settings\Temp\tmp0bx8st
Win7 and Vista: C:\Users\user\AppData\Local\Temp\tmp0bx8st

?
|
blandyuk
|
After fixing 2 of our bricked servers, (one of which SQL 2008 still doesn't work properly), I have set Clamwin to "Report Only" now. I managed to get the log file for the one with 676 files but not the other which fortunately only had 27 files, (2 of which were clamwin itself lol, how STUPID!!).
I like Clamwin, but this was a MAJOR screwup guys!
| Major Problem with False Positives |
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.


