ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Logfile
grahamcropley


Joined: 19 Nov 2010
Posts: 0
I've emailed you the zipped up log file.

I'm waiting for the datacentre people to get a KVM on my server, as I can no longer RDP (missing DLL files).. But as soon as it's on.. I'll know more of the damage.

I was going to do some regex on the log myself, to make a crude batch file.. but if you've got something better up your sleeve, I'm sure a lot of people will be very grateful.

Thanks.
MrCeri


Joined: 19 Nov 2010
Posts: 0
Location: UK
I had a similar problem when I checked my anti-virus logs this morning - 657 files incorrectly quarantined.

I've written some sample code which can be used to parse the ClamWin log file to restore quarantined files to their original location:

https://www.mrceri.co.uk/blog/?p=1033

Hope it helps,

Cheers,
Ceri
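A restore-plan parser in the spirit of what Ceri describes, and covering the case pablovr raises further down the thread (files sitting in quarantine with no matching log entry). This is an added example, not the code from the linked blog post and not ClamWin's own tool. The two log line shapes it expects, `<original path>: <signature> FOUND` and `<original path>: moved to '<quarantine path>'`, are modelled on clamscan's output but are an assumption here; check them against your own ClamWin log before relying on this. The sample log, the signature name and all paths are constructed for the example.

```python
"""Restore plan from ClamWin (clamscan) log lines after a false-positive run.

Added example, not ClamWin's code or the blog post's. Assumed log line shapes,
modelled on clamscan's output (verify against your own log before relying on it):
    <original path>: <signature> FOUND
    <original path>: moved to '<quarantine path>'
"""
import os
import re
import shutil
from typing import Dict, Iterable, List, Tuple

FOUND_RE = re.compile(r"^(?P<orig>.+?): (?P<sig>\S+) FOUND\s*$")
MOVED_RE = re.compile(r"^(?P<orig>.+?): moved to '(?P<quar>.+)'\s*$")

# Constructed sample log: two false positives, one clean file and one real
# detection (the EICAR test file) that must stay in quarantine.
SAMPLE_LOG = r"""
C:\Windows\System32\msvcrt.dll: Heuristic.Trojan.SusPacket FOUND
C:\Windows\System32\msvcrt.dll: moved to 'C:\quarantine\msvcrt.dll.infected'
C:\Program Files\App\app.exe: Heuristic.Trojan.SusPacket FOUND
C:\Program Files\App\app.exe: moved to 'C:\quarantine\app.exe.infected'
C:\Program Files\App\readme.txt: OK
C:\Users\me\Downloads\eicar.com: Eicar-Test-Signature FOUND
C:\Users\me\Downloads\eicar.com: moved to 'C:\quarantine\eicar.com.infected'
"""


def parse_restore_plan(log_text: str, false_positive_sigs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (quarantine_path, original_path) pairs for files quarantined under
    one of the named false-positive signatures; anything else stays quarantined."""
    fp = set(false_positive_sigs)
    sig_by_orig: Dict[str, str] = {}
    plan: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        found = FOUND_RE.match(line)
        if found:
            # Remember which signature fired for this path; the 'moved to'
            # line that follows does not repeat it.
            sig_by_orig[found.group("orig")] = found.group("sig")
            continue
        moved = MOVED_RE.match(line)
        if moved and sig_by_orig.get(moved.group("orig")) in fp:
            plan.append((moved.group("quar"), moved.group("orig")))
    return plan


def unresolved_quarantine(plan: List[Tuple[str, str]], quarantine_listing: Iterable[str]) -> List[str]:
    """Quarantined files with no 'moved to' record in the log; these cannot be
    restored from the log alone and need manual review. Windows paths are
    compared case-insensitively."""
    covered = {quar.lower() for quar, _ in plan}
    return [q for q in quarantine_listing if q.lower() not in covered]


def restore(plan: List[Tuple[str, str]], dry_run: bool = True) -> List[str]:
    """Move quarantined files back to their original paths. Never overwrites a
    file that has since been reinstalled; only reports unless dry_run=False."""
    actions: List[str] = []
    for quar, orig in plan:
        if not os.path.isfile(quar):
            actions.append(f"SKIP missing quarantine file: {quar}")
        elif os.path.exists(orig):
            actions.append(f"SKIP original already present: {orig}")
        else:
            actions.append(f"MOVE {quar} -> {orig}")
            if not dry_run:
                os.makedirs(os.path.dirname(orig), exist_ok=True)
                shutil.move(quar, orig)
    return actions


if __name__ == "__main__":
    plan = parse_restore_plan(SAMPLE_LOG, {"Heuristic.Trojan.SusPacket"})
    for action in restore(plan, dry_run=True):
        print(action)
```

Run it in dry-run mode first and read the plan: only files quarantined under the signature you have confirmed as a false positive are restored, a genuine detection in the same log stays where it is, and a file whose original path has since been recreated (for example by a reinstall) is skipped rather than overwritten. Whatever `unresolved_quarantine` reports has to be placed by hand.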
dpl68


Joined: 19 Nov 2010
Posts: 0
Hi

If anyone can let me have a copy of their log file I'd be very grateful.

Thanks

P.S. Is this / is this going to be "stickied" somewhere?
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
I just made the sticky how-to post with the quarantine restore app attached; please follow the steps and let me know by posting in the thread below.

https://forums.clamwin.com/viewtopic.php?p=13147
Server problems...
pablovr


Joined: 19 Nov 2010
Posts: 0
Location: Mexico
Also, I have had several critical problems today derived from this issue. I am downloading the recent fix; I hope to have my server back ASAP.
blgd


Joined: 08 May 2007
Posts: 0
alch wrote:
Virus database updates are done by ClamAV team (AV engine for Unix) and their stable version was one above ours.

This is the first time it happened that we were behind in updating the ClamAV engine in ClamWin due to some bug fixing in clamwin code and it had to be subjected to Murphy's law...


Right, damn.

Maybe ClamAV shouldn't release a db before ClamWin is released or, maybe, a db update may not be applied if there is a flag on the update to have a required version; that will force the engine to be updated before the DB, but this is something to pass to the ClamAV team as it does not depend on ClamWin.
DLLs, executables, paths for MSSQL Server 2005?
pablovr


Joined: 19 Nov 2010
Posts: 0
Location: Mexico
Hi,

Did anyone else have this problem affect their MS SQL Server?
I have the Clamwin log, but it has no information on these files (files are in quarantine, along with many others which are not mentioned in the log file for some reason).
I want to restore that functionality, but I don't know which files are involved and their original paths.
tthayer


Joined: 19 Nov 2010
Posts: 0
Yes, I had the same thing. Unfortunately I am one of the lucky ones that did not have a log file or a tmp file. I basically have to rebuild my server. In addition to that, I also had all my websites, about 100 of them, on the same box and it wiped out all the assemblies for every website. I will be spending the whole weekend recovering from this. I just spent the money to register for one of the paid virus scanners for my servers because I cannot afford this kind of downtime due to a faulty virus scanner. Someone said it best: I would rather have gotten a virus. At least that could be cleaned up; this is just a huge mess.
ClamAV 0.96.4
knockmonster


Joined: 18 Nov 2010
Posts: 0
Location: Minneapolis
Thank you, alch. I believe this addressed the source of our problems. I have updated my clients in kind and run a couple of test scans of the same directories wherein clamscan erroneously found the aforementioned Trojan malware on the morning of the 18th. There were no positive identifications.

I suppose checking to see what the latest version is and reviewing release notes may have been a wise troubleshooting step on our parts. But I think I speak for everyone when I say that we assumed it must have been a recent definition update. Oh, well!

Thanks,
Matthew
easy peasy fix
MarkyMayhem


Joined: 22 Nov 2010
Posts: 0
Yea, I've had this hit servers and workstations of my clients for the last week.

Super easy fix - Windows System Restore to any date prior to about 11-16-10
It puts all the files back. Then I uninstalled clamwin.
I use it on about 300 or so machines for my various clients, but the false positives are just getting NUTS!
At least Windows boots up THIS time...
Now that it's all over...
grahamcropley


Joined: 19 Nov 2010
Posts: 0
Now that it's all over I can look back on a sleepless weekend..

And laugh... albeit, with a tear in my eye.

Had to get a new server online with the same OS installed, and then put the old hard disk in the new server to recover the files.. Windows was far too screwed.

But I would like to now take this opportunity to say THANKS... the outcome (apart from a lot of angry customers)... was a new server from my very understanding and helpful hosting company.
Final Word
grahamcropley


Joined: 19 Nov 2010
Posts: 0
Hi Everybody,

I just wanted to say..

Alch and the ClamWin guys have gone above and beyond what any other open source development team would have, to assist myself and other people via this forum and other methods.

They COULD NOT have foreseen this happening, as the guys releasing the DB Updates aren't the same guys working on ClamWin.

But even if this never happens again, I agree with another poster.. Having a flag in the DB updates that only lets them download with a minimum version number would be a fantastic idea. Therefore, if ClamWin is still at 0.96.2 whilst the good guys are working on porting the latest code to Windows.. only the DB updates that are tagged with at least that number can be imported.

I can see that it would be immensely impractical for the ClamWin guys to test and release the DB Updates from ClamAV before they are pushed out to ClamWin clients.. It would prolong the time in getting up to date definitions, and increase the chance of viruses hitting.

Anybody who's got heuristic scanning enabled is obviously in the mind of 'Better to be safe than sorry'.. And in this case... I can't see how it could have possibly gone any other way.


I would like to see some statistics, out of all the existing ClamWin users... how many were unfortunate enough to get the DB Updates AND do a scheduled scan during the few minutes / hours that the problematic DB Update was available.

Even though the people affected have only made perhaps less than 150 posts to this forum... (and a few of those are mine),
that surely has to mean a good percentage of users out there have not got a clue that any of this even happened?


I'm still going to use ClamWin..
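The gating idea that blgd raises above and Graham repeats in his Final Word (a flag on the definition update naming the minimum engine version, so an older engine refuses definitions it was never tested with) is small enough to sketch as a check. This is an added example, not ClamWin or ClamAV code; the `MinEngine:` header field and the sample header are assumptions made for the illustration. As background, ClamAV's CVD header does carry a functionality-level number, which clamscan and freshclam use to warn that the engine is outdated; the example uses a dotted version string instead because that is how the posters phrase it.

```python
"""Engine-version gating for definition updates, as suggested in the thread.

Added example. Assumes a constructed update header with a 'MinEngine:' line
giving the lowest engine version the definitions were tested against; the
installed engine refuses the update when it is older than that.
"""
import re
from typing import Optional, Tuple

VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")

# Constructed header for the sample; real ClamAV CVD headers use a numeric
# functionality level rather than a dotted version string.
SAMPLE_HEADER = """Name: daily
Build: 12345
MinEngine: 0.96.4
Signatures: 800000
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'0.96.2' -> (0, 96, 2); rejects anything that is not dotted integers so a
    malformed header cannot silently compare as 'new enough'."""
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def version_at_least(installed: str, required: str) -> bool:
    """True when installed >= required; pads with zeros so 0.96 equals 0.96.0."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def min_engine(header: str) -> Optional[str]:
    """Extract the MinEngine value from the (assumed) header, or None if absent."""
    for line in header.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "minengine":
            return value.strip()
    return None


def should_apply(installed_engine: str, header: str) -> Tuple[bool, str]:
    """Decide whether this engine may import the definitions described by header.

    A header without the field is accepted but flagged, so updates published
    before the flag existed keep working; a malformed field is refused, because
    a gate that fails open on bad input is no gate at all."""
    required = min_engine(header)
    if required is None:
        return True, "no MinEngine flag in header; applying unchecked"
    try:
        ok = version_at_least(installed_engine, required)
    except ValueError as exc:
        return False, f"refusing update: {exc}"
    if ok:
        return True, f"engine {installed_engine} satisfies MinEngine {required}"
    return False, f"engine {installed_engine} older than MinEngine {required}; update the engine first"


if __name__ == "__main__":
    for engine in ("0.96.2", "0.96.4", "0.97"):
        print(engine, should_apply(engine, SAMPLE_HEADER))
```

With the sample header, an engine at 0.96.2 (the version the thread mentions ClamWin being stuck on) is refused, while 0.96.4 and 0.97 pass. Whether a header without the flag should be accepted is a policy choice: accepting it keeps compatibility with older update streams, while refusing it would protect against a publisher forgetting the field at the cost of breaking every client the day the rule is introduced.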
MarkyMayhem, nice try!...
pablovr


Joined: 19 Nov 2010
Posts: 0
Location: Mexico
Nice try, using System Restore, except that in my case it is a Windows Server 2003, which doesn't have System Restore installed by default, and it wasn't there, so it won't work for me...

Thank you for the idea though...
Heuristic.Trojan.SusPacket. TMS FOUND - False Positive?
Page 3 of 3