ClamWin Free Antivirus
Support and Discussion Forums
/DrWatson/user.dmp: W97M.1Table FOUND or bug?
saw


Joined: 31 May 2006
Posts: 0
During a scheduled scan with ClamWin 0.88.2.3 on a Windows 2000 server

Full message:
C:/Documents and Settings/All Users/Documents/DrWatson/user.dmp: W97M.1Table FOUND

Looking at drwtsn32.log which has same creation date/time as user.dmp:

Code:
Application exception occurred:
       App:  (pid=2664)
       When: 30/05/2006 @ 04:34:11.194
       Exception number: c0000005 (access violation)

System Information
       Computer Name: SERVER
       User Name: Administrator
       Number of Processors: 2
       Processor Type: x86 Family 15 Model 2 Stepping 7
       Windows 2000 Version: 5.0
       Current Build: 2195
       Service Pack: 4
       Current Type: Multiprocessor Free
       Registered Organization: GATE THEATRE
       Registered Owner: GATE THEATRE

Task List   [edited]
       2664 clamscan.exe


Don't know much about these things, but to me it looks like clamscan caused an exception which caused DrWatson to create the user.dmp file.
Then the next time clamav scans it finds a virus in the user.dmp file.
This is the second time this has happened. The first time was a couple of weeks ago when I just deleted the user.dmp file with no further problems.

Hope the information is useful.
orge


Joined: 04 Jul 2006
Posts: 0
I've also seen false positives generated by clamscan from the user.dmp file. Here's what's probably going on:

The user.dmp is basically a memory dump which contains the variables for programs running at the time of a crash. This would include data from clamscan, as it was performing a scan at the time. Since virus scanners identify a virus by matching a pattern in a file, it's likely that clam would have had one (or more) virus patterns held in memory at that time. These were written out to the user.dmp file and were subsequently "identified" as a virus when you ran the scanner again.

The upshot is that, assuming the drwatson log shows clamscan running, then these are most likely false positives, so you should not be concerned and can just delete the dmp files to resolve the problem. However, I would not advise taking any action to ignore these files as it is quite possible that genuine viruses might exploit this by storing themselves in filenames matching user.dmp. Also, I guess that you could get a result like this if you had had a virus in memory at the time of the crash? However, I would expect that you would find other traces of the infection on your hard disk as well.

Hope this helps,

J
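
A triage check for the situation discussed in this thread, added here as an example (not part of either post and not ClamWin code): it reads the last crash record in drwtsn32.log and reports whether the dump behind the detection came from a crash of the scanner itself. The sample log is constructed from the excerpt in the first post; the function names, the date layout, the two-minute tolerance and the idea that user.dmp belongs to the last record are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the drwtsn32.log excerpt quoted in the thread.
SAMPLE_LOG = """\
Application exception occurred:
       App:  (pid=2664)
       When: 30/05/2006 @ 04:34:11.194
       Exception number: c0000005 (access violation)

Task List
       1200 services.exe
       2664 clamscan.exe
"""

SCANNER_IMAGES = {"clamscan.exe"}        # assumption: scanner process names
WHEN_FORMAT = "%d/%m/%Y @ %H:%M:%S.%f"   # assumption: date layout as in the excerpt


def last_crash(log_text):
    """Parse the final crash record; user.dmp is assumed to belong to it."""
    records = re.split(r"(?m)^Application exception occurred:", log_text)[1:]
    if not records:
        return None
    rec = records[-1]
    pid = re.search(r"App:.*\(pid=(\d+)\)", rec)
    when = re.search(r"When:\s*(\S.*\S)", rec)
    # Task list rows look like "<pid> <image name>".
    tasks = dict(re.findall(r"(?m)^\s*(\d+)\s+(\S+)\s*$", rec))
    if not pid or not when:
        return None
    return {
        "pid": pid.group(1),
        "when": datetime.strptime(when.group(1), WHEN_FORMAT),
        "image": tasks.get(pid.group(1)),
    }


def triage_dump_detection(log_text, dump_mtime, tolerance=timedelta(minutes=2)):
    """Classify an AV hit on user.dmp using the matching Dr. Watson record."""
    crash = last_crash(log_text)
    if crash is None or abs(crash["when"] - dump_mtime) > tolerance:
        return "investigate: no crash record matches this dump"
    if (crash["image"] or "").lower() in SCANNER_IMAGES:
        return "likely false positive: dump holds scanner memory; delete it, keep scanning the path"
    return "investigate: crashed process was not the scanner"
```

Pass the dump file's modification time as `dump_mtime`; any result starting with "investigate" means the detection should not be written off as the scanner matching its own signatures.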