Clamwin fails to find Sober.X
ukemike


Joined: 29 Nov 2005
Posts: 0
Well, we just spent most of the morning battling the Sober.X worm. It had infected one of our PCs. We have ClamWin on most of them. The others still have Norton AV and will be changed to ClamWin when their Norton expires. The infected PC has ClamWin 0.86.2. It was left on last night with a scan of the C: drive running. No virus was detected. I personally updated the virus definitions this morning and ran it again on the infected PC (and all of the others) 2 times. No infection was detected. The spoofed email addresses in the avalanche of infected spam we were getting convinced us that this particular computer was infected. I downloaded Symantec's utility for removing the Sober worms. I ran it. It found the worm and removed it. My confidence in ClamWin has been severely shaken. It detected the virus in incoming emails but NOT during a scan of an infected PC.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Firstly, you should UPGRADE your outdated 0.86.2 installation to the latest version, 0.87.1 (when you updated the definitions this morning, it should have told you that your installation is out of date).

Secondly, you need to be aware that ClamWin does not scan files automatically, only when you do that manually. Therefore it is not ready yet to be a full antivirus product for an average user. It provides an on-demand solution for a security-aware and competent user; however, most users will require an on-access scanner. The team is working on it.

And finally, just saying that ClamWin did not detect a virus is not helpful; we can't see if it is the software's or the user's fault. At least you should analyse the scan reports and see what is wrong there. Perhaps attach part of the report here.
Sorry I was vague
ukemike


Joined: 29 Nov 2005
Posts: 0
This is what is included in the "scan log". It includes all three scans that I described.

--------------------------------------
Scan started: Thu Sep 29 17:07:49 2005

ERROR: Can't open file C:\WINDOWS\system32\config\default
ERROR: Can't open file C:\WINDOWS\system32\config\SAM
ERROR: Can't open file C:\WINDOWS\system32\config\SECURITY
ERROR: Can't open file C:\WINDOWS\system32\config\software
ERROR: Can't open file C:\WINDOWS\system32\config\system

-- summary --
Known viruses: 40394
Engine version: 0.86.2
Scanned directories: 1896
Scanned files: 23187
Infected files: 0
Data scanned: 4315.25 MB
Time: 4370.388 sec (72 m 50 s)
--------------------------------------
Scan started: Mon Nov 28 16:22:39 2005

ERROR: Can't open file C:\WINDOWS\system32\CatRoot2\tmp.edb
ERROR: Can't open file C:\WINDOWS\system32\config\default
ERROR: Can't open file C:\WINDOWS\system32\config\SAM
ERROR: Can't open file C:\WINDOWS\system32\config\SECURITY
ERROR: Can't open file C:\WINDOWS\system32\config\software
ERROR: Can't open file C:\WINDOWS\system32\config\system
ERROR: Can't open file C:\WINDOWS\WinSecurity\csrss.exe
ERROR: Can't open file C:\WINDOWS\WinSecurity\mssock1.dli
ERROR: Can't open file C:\WINDOWS\WinSecurity\mssock2.dli
ERROR: Can't open file C:\WINDOWS\WinSecurity\mssock3.dli
ERROR: Can't open file C:\WINDOWS\WinSecurity\services.exe
ERROR: Can't open file C:\WINDOWS\WinSecurity\smss.exe
ERROR: Can't open file C:\WINDOWS\WinSecurity\socket1.ifo
ERROR: Can't open file C:\WINDOWS\WinSecurity\socket2.ifo
ERROR: Can't open file C:\WINDOWS\WinSecurity\socket3.ifo
ERROR: Can't open file C:\WINDOWS\WinSecurity\winmem1.ory
ERROR: Can't open file C:\WINDOWS\WinSecurity\winmem2.ory
ERROR: Can't open file C:\WINDOWS\WinSecurity\winmem3.ory

-- summary --
Known viruses: 41289
Engine version: 0.86.2
Scanned directories: 1994
Scanned files: 25102
Infected files: 0
Data scanned: 4452.99 MB
Time: 4693.828 sec (78 m 13 s)
--------------------------------------
Scan started: Tue Nov 29 09:23:38 2005

--------------------------------------
Scan started: Tue Nov 29 09:24:01 2005

ERROR: Can't open file C:\WINDOWS\system32\CatRoot2\tmp.edb
ERROR: Can't open file C:\WINDOWS\system32\config\default
ERROR: Can't open file C:\WINDOWS\system32\config\SAM
ERROR: Can't open file C:\WINDOWS\system32\config\SECURITY
ERROR: Can't open file C:\WINDOWS\system32\config\software
ERROR: Can't open file C:\WINDOWS\system32\config\system
ERROR: Can't open file C:\WINDOWS\WinSecurity\csrss.exe
ERROR: Can't open file C:\WINDOWS\WinSecurity\mssock1.dli
ERROR: Can't open file C:\WINDOWS\WinSecurity\mssock2.dli
ERROR: Can't open file C:\WINDOWS\WinSecurity\mssock3.dli
ERROR: Can't open file C:\WINDOWS\WinSecurity\services.exe
ERROR: Can't open file C:\WINDOWS\WinSecurity\smss.exe
ERROR: Can't open file C:\WINDOWS\WinSecurity\socket1.ifo
ERROR: Can't open file C:\WINDOWS\WinSecurity\socket2.ifo
ERROR: Can't open file C:\WINDOWS\WinSecurity\socket3.ifo
ERROR: Can't open file C:\WINDOWS\WinSecurity\winmem1.ory
ERROR: Can't open file C:\WINDOWS\WinSecurity\winmem2.ory
ERROR: Can't open file C:\WINDOWS\WinSecurity\winmem3.ory

-- summary --
Known viruses: 41292
Engine version: 0.86.2
Scanned directories: 1995
Scanned files: 25111
Infected files: 0
Data scanned: 4453.16 MB
Time: 4888.434 sec (81 m 28 s)
And here is the update log
ukemike


Joined: 29 Nov 2005
Posts: 0
The computer was off from the 18th until Monday the 28th. It was set to update definitions at 3:40pm. She probably opened an infected attachment before the definitions updated, because we started getting a blizzard of infected emails characteristic of Sober.X (as described by Symantec) at about 3pm. My concern is that we ran three scans last night and today with updated definitions and it was not found.

BTW, that computer (and all of the others, I hope) has been updated to 0.87 today.

I am aware that ClamWin isn't intended for typical end-users. I am modestly savvy, and way beyond most of the other people here. I am not concerned that the infection happened. I understand how it happened, and all the PCs are now set to update at login. I am a bit concerned that the scans didn't detect the infection.

Would the upgrade from 0.86 to 0.87 really be the key factor here?
Anyway, here is the update log showing the update times.

--------------------------------------
ClamAV update process started at Fri Nov 18 15:13:01 2005
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.86.2 Recommended version: 0.87.1
DON'T PANIC! Read http:\\www.clamav.net\faq.html
main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, builder: tkojm)
daily.cvd updated (version: 1179, sigs: 1630, f-level: 6, builder: tomek)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 5, recommended = 6
DON'T PANIC! Read http:\\www.clamav.net\faq.html
Database updated (41255 signatures) from database.clamav.net (IP: 66.111.55.10)
--------------------------------------
ClamAV update process started at Mon Nov 28 15:13:02 2005
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.86.2 Recommended version: 0.87.1
DON'T PANIC! Read http:\\www.clamav.net\faq.html
main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, builder: tkojm)
daily.cvd updated (version: 1197, sigs: 1664, f-level: 6, builder: tomek)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 5, recommended = 6
DON'T PANIC! Read http:\\www.clamav.net\faq.html
Database updated (41289 signatures) from database.clamav.net (IP: 205.139.192.13)
--------------------------------------
ClamAV update process started at Tue Nov 29 09:13:00 2005
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.86.2 Recommended version: 0.87.1
DON'T PANIC! Read http:\\www.clamav.net\faq.html
main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, builder: tkojm)
daily.cvd updated (version: 1198, sigs: 1667, f-level: 6, builder: diego)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 5, recommended = 6
DON'T PANIC! Read http:\\www.clamav.net\faq.html
Database updated (41292 signatures) from database.clamav.net (IP: 64.186.250.53)
--------------------------------------
ClamAV update process started at Tue Nov 29 09:23:46 2005
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.86.2 Recommended version: 0.87.1
DON'T PANIC! Read http:\\www.clamav.net\faq.html
main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, builder: tkojm)
daily.cvd is up to date (version: 1198, sigs: 1667, f-level: 6, builder: diego)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 5, recommended = 6
DON'T PANIC! Read http:\\www.clamav.net\faq.html
--------------------------------------
ClamAV update process started at Tue Nov 29 15:22:42 2005
main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, builder: tkojm)
daily.cvd is up to date (version: 1198, sigs: 1667, f-level: 6, builder: diego)
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Thanks for the log files.

I see now where the problem is. ClamWin was called to scan when it was too late: the virus had already executed, loaded itself in memory and protected itself from being scanned by ClamWin (https://www.f-prot.com/virusinfo/print/descriptions/sober_z.html).

All files in C:\WINDOWS\WinSecurity\ belong to the Sober virus.

That is why an on-access scanner is important: it would find a virus before it gets a chance to run. Before we release this feature, ClamWin should be used as an on-demand scanner only, complementing other AV software.
Thank you
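The point made above (locked files under C:\WINDOWS\WinSecurity\ in a scan that still reports "Infected files: 0") can be turned into a routine triage check. The following is an added example, not ClamWin's or the poster's code: it treats the earliest scan in the log as the pre-incident baseline and reports paths that became unreadable only in later scans. The embedded log is a constructed abridgement of the one posted in this thread.

```python
import re

# Constructed, abridged copy of the ClamWin scan log posted in this thread.
SAMPLE_LOG = r"""
Scan started: Thu Sep 29 17:07:49 2005
ERROR: Can't open file C:\WINDOWS\system32\config\SAM
ERROR: Can't open file C:\WINDOWS\system32\config\system
-- summary --
Infected files: 0
--------------------------------------
Scan started: Mon Nov 28 16:22:39 2005
ERROR: Can't open file C:\WINDOWS\system32\config\SAM
ERROR: Can't open file C:\WINDOWS\system32\config\system
ERROR: Can't open file C:\WINDOWS\WinSecurity\csrss.exe
ERROR: Can't open file C:\WINDOWS\WinSecurity\services.exe
-- summary --
Infected files: 0
--------------------------------------
Scan started: Tue Nov 29 09:23:38 2005"""

SCAN_START = re.compile(r"^Scan started: (.+)$")
CANT_OPEN = re.compile(r"^ERROR: Can't open file (.+)$")
INFECTED = re.compile(r"^Infected files: (\d+)$")


def parse_scan_log(text):
    """Return one dict per 'Scan started' block: start time, unreadable paths, infected count."""
    scans = []
    for line in text.splitlines():
        line = line.strip()
        if m := SCAN_START.match(line):
            scans.append({"started": m.group(1), "unreadable": [], "infected": None})
        elif scans and (m := CANT_OPEN.match(line)):
            scans[-1]["unreadable"].append(m.group(1))
        elif scans and (m := INFECTED.match(line)):
            scans[-1]["infected"] = int(m.group(1))
    return scans


def triage(scans):
    """Flag paths unreadable in a later scan but not in the first (pre-incident) scan.
    Registry hives are locked on any healthy box and so sit in the baseline; a directory that
    only becomes unreadable later deserves a look even when the summary says 'Infected files: 0'."""
    baseline = {p.lower() for p in scans[0]["unreadable"]}
    report = []
    for scan in scans[1:]:
        new = [p for p in scan["unreadable"] if p.lower() not in baseline]
        report.append({"started": scan["started"], "infected": scan["infected"],
                       "new_unreadable": new,
                       "new_dirs": sorted({p.rsplit("\\", 1)[0] for p in new}),
                       "needs_review": bool(new)})
    return report
```

The Nov 28 scan comes back with `needs_review` set and `C:\WINDOWS\WinSecurity` as the only new directory, while the empty Nov 29 scan is reported as consistent with the baseline.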
ukemike


Joined: 29 Nov 2005
Posts: 0
Thanks,

I think I understand now. I will send a link to this thread to our IT person. It could be that a re-evaluation of our use of this software may be in order.

Mike
W32.Sober.X@mm!zip
mp


Joined: 27 Dec 2005
Posts: 0
Hello,
I have an infected file W32.Sober.X@mm!zip in my mail box.
ClamWin doesn't detect it (it is not referenced in the "Virus Statistics").
I have an example if you need it.

ClamWin 0.87.1 was updated in the last 5 minutes.

Best Regards, MP.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
What email client are you using? ClamWin only integrates with MS Outlook (not Outlook Express) and scans emails automatically. If you are not using MS Outlook, then you need to save the attachment and scan it manually.