false positive - system broken

GuitarBob
Probably because of one or more bad/erroneous Clam AV virus signatures. The signatures and scan engine used by ClamWin are provided by the Clam AV project. All false positives like this should be reported to Clam AV via the False positive link on its contact page.
Set ClamWin to Report Only so it will not falsely quarantine, and use it as a backup scanner to a real-time, on-access scanner. You can restore files that have been falsely quarantined via the Qrestore utility in the ClamWin\bin folder. Regards,
Re: false positive - system broken

jimimaseye
@bierdosenhalter They were having a shocker last week. Someone published a signature that has wreaked havoc on Windows systems ( https://forums.clamwin.com/viewtopic.php?p=18970#18970 ). REPORT MODE is now the ONLY real way of using ClamWin if you really must rely on it as your AV scanner. (Releasing untested signatures that can do so much damage is truly unacceptable and indicative of a software 'company' that doesn't care - and where they don't care, you are at danger).
Last edited by jimimaseye on Mon Feb 15, 2016 9:47 pm; edited 1 time in total

GuitarBob
They (Clam AV) don't care about Windows systems--only about Linux email scanners--which will not be directly hurt by false positive detections on Windows system/application files. They still do not have enough Windows system files on their false positive "farm" where signatures are tested before release. Some of their signatures are based on code that can be used by both malware and by goodware. One thing that is notable: false detections of .dll files is rampant. Installers and setup files are there also, but they are far behind .dll in false detections. These files are rather sloppily written--the authors are only concerned with the actual executable file(s) they install, not with the install or routines it calls.
Regards,
jimimaseye
I've been talking to Steve (who provides the Sanesecurity definitions) today about this ClamWin false positive issue. And during the conversation today I did a test and discovered ClamWin was scanning Windows files and detecting them as FALSE POSITIVES and reporting as such.
eg
However, when they get reported to Clam, Clam flatly refuses it and says it was never detected by them:
And to verify it, Steve ran the same program through other ClamAV breeds and none of them reported on these files (only CLAMWIN had the error report). It turns out that CLAMWIN is wrong (not ClamAV) and has a fundamental error in it. Steve's report (to save me typing or paraphrasing):
Seems that behaviour of ClamWin is NOT all down to ClamAV source and their slackness after all. (Not only that, but the link to report FP's to Clam in the original ClamWin summary report, https://www.clamav.net/sendvirus, is invalid.)
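The check Steve did by hand (scan the same files with another ClamAV build and see which detections survive) can be scripted. This is an added example, not code from the thread or the ClamWin project: it parses two clamscan-style per-file reports and lists the files only one engine flagged, which are the candidates to triage as engine-specific false positives. The paths and signature names below are constructed placeholders.

```python
import re

# Constructed sample reports in clamscan's per-file format
# ("<path>: <signature> FOUND" or "<path>: OK"). Placeholder
# paths/signatures only; not the thread's real files.
CLAMWIN_REPORT = """\
C:\\Windows\\System32\\example_a.dll: Win.Placeholder.Sig-1 FOUND
C:\\Windows\\System32\\example_b.dll: OK
C:\\Program Files\\App\\setup_example.exe: Win.Placeholder.Sig-2 FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
"""

CLAMAV_REPORT = """\
C:\\Windows\\System32\\example_a.dll: OK
C:\\Windows\\System32\\example_b.dll: OK
C:\\Program Files\\App\\setup_example.exe: Win.Placeholder.Sig-2 FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
"""

# Per-file result line; summary lines do not match this shape.
LINE_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")


def parse_report(text):
    """Map each scanned path to its signature name, or None if clean."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            results[m.group("path")] = m.group("sig")
    return results


def engine_only_detections(report_a, report_b):
    """Paths flagged by engine A that engine B reported clean or did not flag.

    A non-empty result is the divergence seen in the thread: something to
    re-scan with a current engine and, if it holds up, report as an FP.
    """
    a = parse_report(report_a)
    b = parse_report(report_b)
    return {path: sig for path, sig in a.items() if sig and b.get(path) is None}


if __name__ == "__main__":
    for path, sig in engine_only_detections(CLAMWIN_REPORT, CLAMAV_REPORT).items():
        print(f"ClamWin only: {path} -> {sig}")
```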
ROCKNROLLKID
I think Alch has pretty much given up on improving ClamWin, other than just porting newer versions, which is actually by Sherpya. ClamWin needs some developers that are willing to do more with it than just port it.
jimimaseye
The correct FP reporting link is now: https://www.clamav.net/reports/fp Cheers, Steve
jimimaseye
Ooh, a phantom post by ME apparently! Now it seems even the ClamWin forum is misbehaving. (Note to Admin/moderators: I did NOT make that last post despite it saying I did. Steve posted it). Anyway.... .....just for completeness, Steve also made a bulk report of FP's of Windows files to Clam in the hope it may do something:
200mb of FP's. That's a LOT of 'don't care about Windows' lack of testing.
GuitarBob
In the past, ClamWin has occasionally reported false detections when Clam AV has updated to a new version but ClamWin has not. This was due to new Clam AV scan code that ClamWin could not process properly. There are some new Clam AV heuristics and scanning that might not have gotten into the code used for the ClamWin version .99 port. This could be the reason for some of the erroneous detections by ClamWin--either false positives or false detections.
Perhaps it's time to toss the current ClamWin source code, use the Clam AV Windows port, and slap a Windows GUI onto it. I'd be willing to wait a while for other niceties--like scheduling and custom extensions, as long as it updated definitions. Regards,
ROCKNROLLKID
We could always just fork ClamWin and re-write the port ourselves. I don't think it should be too hard to do. Then we can work on some things, like making ClamWin run as a service and expanding the mail scanner to Thunderbird and other email clients (currently it is only set for Outlook).
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.