Chris
Joined: 11 Sep 2007
Posts: 0
Location: Athens
Posted: Tue Sep 11, 2007 9:24 pm
Hi,
I have downloaded and tested ClamWin the other day, was about time: it found 45+ pieces of malware on two of my disks, but none in memory or on any system disk. It seems to work fine.
My questions:
1. What to do with the infected files? (after verification with VirusTotal). Deleting them is an option, but is it possible to repair them? Since the viruses reside inside the file's cavities AND their signature is known AND provided they are not polymorphic, I could try to repair them with a disk hex editor, e.g. by replacing the virus data with zeros. Will this render the original files (exe and zip) unusable?
Assuming this as an option, I would need a way to extract random signatures from the CVDs - can this be done with the sigtool?
(BTW, what exactly is the difference between a virus signature and its code?)
2. In the old days (10 years ago) I used to scan for viruses by booting from an emergency diskette to prevent MBR viruses from loading into memory. Now some vendors still provide this option, but my impression is that most people scan after a normal boot. Are MBR viruses no longer of importance?
What method do you suggest?
* scan from a bootable emergency removable medium? (btw, does ClamWin support this?)
* scan after booting in safe mode?
* scan after booting normally?
Many thanks
Chris
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Tue Sep 11, 2007 10:37 pm
I don't have an official answer for you, but here's my opinion, based on being around antivirus software since 1988.
Clam/ClamWin doesn't disinfect files that contain malware. To enable an antivirus to do so would bloat the program code and would require a lot of effort with malware which is accompanied by multiple payloads. In my opinion, it's easier to just delete the file if it hasn't yet been accessed. I have found it hard to work with Sigtool.
Virus code contains the entire program instructions accompanying the malware. The virus signature is the specific feature that a virus analyst has decided is indicative of the virus. It can vary from one virus analyst to another. It usually consists of a hexadecimal representation of a piece of code. Clam/ClamWin allows signatures containing an MD5 hash of an entire file if it isn't subject to changing. Sometimes for lack of anything better, the signature could be file header information, the name of a file dropped by the malware, or the type of packer/compressor used.
Master boot record viruses are not very prevalent nowadays. For one thing, with the Web, swapping disks isn't as necessary as it once was. I've seen one MBR virus indicated so far this year, but it was a false positive from a hard drive "rollback" program.
It's a good idea to have an emergency bootable CD in case of a system failure, or if you suspect that malware has compromised a system. If you scan after startup, I recommend it after a normal boot. I just schedule regular daily scans. Once a month or so, I will scan in Safe Mode.
You might be interested in the portable version of ClamWin which can be used on removable media. It's at https://portableapps.com/apps/utilities/clamwin_portable.
Regards,
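Added worked example (editorial addition, not part of this thread and not ClamWin's or ClamAV's own code) of the distinction GuitarBob draws between a body signature (a hex rendering of a fragment of the virus code, possibly with wildcards) and a whole-file MD5 signature. The two signature lines are written in the style of ClamAV's plain-text `.ndb` (`Name:TargetType:Offset:HexPattern`) and `.hdb` (`MD5:FileSize:Name`) databases, which is what a CVD unpacks into; the signature names, the marker bytes and the three sample "files" are constructed for this example and are not real malware or real signatures. The scanner is a toy: real ClamAV matching is far more involved, but the behaviour shown, that changing one byte outside the matched fragment defeats the hash signature and not the body signature, is exactly why a hash is only usable for a file that "isn't subject to changing".

```python
"""Toy signature scanner: body (code-fragment) signature vs whole-file hash signature.
Constructed example in the style of ClamAV's .ndb/.hdb text formats; not ClamWin code."""
import hashlib
import re

# Constructed sample files (not real malware): a marker byte sequence inside filler.
SAMPLE_INFECTED = b"CONSTRUCTED-HEADER" + bytes.fromhex("deadbeef0102cafe") + b"-constructed-body-"
# Same file with one filler byte changed: the MD5 changes, the marker sequence does not.
SAMPLE_MODIFIED = SAMPLE_INFECTED.replace(b"-constructed-body-", b"-constructed-BODY-")
SAMPLE_CLEAN = b"CONSTRUCTED-HEADER-nothing-to-see-here-"

# Body signature, .ndb style:  Name:TargetType:Offset:HexPattern
# "??" stands for any single byte; offset "*" means "anywhere in the file".
# The name and the bytes are hypothetical, chosen for this example.
NDB_SIGS = ["Example.Pattern-1:0:*:deadbeef????cafe"]

# Hash signature, .hdb style:  MD5:FileSize:Name  (computed here from the constructed sample)
HDB_SIGS = [f"{hashlib.md5(SAMPLE_INFECTED).hexdigest()}:{len(SAMPLE_INFECTED)}:Example.WholeFile-1"]


def hex_pattern_to_regex(hex_sig):
    """Turn a hex pattern into a bytes regex; each '??' becomes a one-byte wildcard."""
    parts = []
    for i in range(0, len(hex_sig), 2):
        token = hex_sig[i:i + 2]
        parts.append(b"." if token == "??" else re.escape(bytes.fromhex(token)))
    return re.compile(b"".join(parts), re.DOTALL)


def match_ndb(data, line):
    """Return the signature name if the body pattern occurs in data, else None."""
    name, _target_type, offset, hex_sig = line.split(":")
    regex = hex_pattern_to_regex(hex_sig)
    if offset == "*":
        hit = regex.search(data)               # anywhere in the file
    else:
        hit = regex.match(data, int(offset))   # must start exactly at that byte offset
    return name if hit else None


def match_hdb(data, line):
    """Return the signature name if size and MD5 of the whole file match, else None."""
    digest, size, name = line.split(":")
    if len(data) == int(size) and hashlib.md5(data).hexdigest() == digest:
        return name
    return None


def scan(data):
    """Names of all matching signatures, body signatures first, then hash signatures."""
    hits = [match_ndb(data, s) for s in NDB_SIGS] + [match_hdb(data, s) for s in HDB_SIGS]
    return [h for h in hits if h]


if __name__ == "__main__":
    for label, blob in (("infected", SAMPLE_INFECTED),
                        ("modified", SAMPLE_MODIFIED),
                        ("clean", SAMPLE_CLEAN)):
        print(f"{label:9}: {scan(blob) or 'no match'}")
```

Running it shows the infected sample hitting both signatures, the one-byte-modified copy hitting only the body signature, and the clean sample hitting neither. Real signature databases live packed inside the CVD files; ClamAV's `sigtool` can unpack a CVD into these text files if you want to look at actual entries.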
sherpya
Joined: 22 Mar 2006
Posts: 0
Location: Italy
Posted: Wed Sep 12, 2007 12:27 am
You can try with PE Builder and my ClamWin plugin:
https://oss.netfarm.it/winpe/