ClamWin Free Antivirus
Support and Discussion Forums
Not false positives - something else - Clamwin exploit?
Merkwurdigliebe


Joined: 07 Mar 2008
Posts: 0
Yesterday I got what I thought were false positives on mfcmifc80.dll. Last night I got two apparent false positives on Explorer.exe, but I had not updated signatures since the file had last been scanned. I also got over 6000 clamtmp folders in my Temp directory containing lots of data - it created a 229 MB tar.gzip file.

The virus update logs look strange. They are very inconsistent and have oddly shaped chunks of whitespace in them. I am seeing scheduled updates run off the schedule and without any possibility of interactive user action to cause them. I will insert the log text below and hope it preserves the spaces. I ran the GPG check against the installer and it was OK. I don't see any way to verify that I am getting valid, signed updates from a trusted source.

The last scan triggered this alert:

File replacement was attempted on the protected system file c:\windows\explorer.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.3156.

I am concerned that there was an attempt to patch or replace the file that triggered this alert. If you just tried to delete the file, you wouldn't get this warning. Only if you try to replace it would this happen. Altering it would be considered a replacement because you would have to overwrite the existing file. There are other posts in here talking about Clamwin trying to write to system files, and again, reading and deleting are not writing.

Scanning the same file today does not cause the problem and there are no infections found. The MD5 sums for the two quarantined files are the same as for the running file. The scan that caused the error did not create a log entry in the scan log.

I am very concerned that this program is being exploited to insert malware onto systems.





--------------------------------------
freshclam 0.92 (OS: win32, ARCH: x86, CPU: i686)
ClamAV update process started at Tue Feb 26 10:26:42 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92 Recommended version: 0.92.1
DON'T PANIC! Read https://www.clamav.net/support/faq
main.cvd is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
WARNING: getfile: daily-5500.cdiff not found on remote server (IP: 64.142.100.50)
ERROR: getpatch: Can't download daily-5500.cdiff from database.clamav.net
WARNING: getfile: daily-5500.cdiff not found on remote server (IP: 64.142.100.50)
ERROR: getpatch: Can't download daily-5500.cdiff from database.clamav.net
WARNING: getfile: daily-5500.cdiff not found on remote server (IP: 64.142.100.50)
ERROR: getpatch: Can't download daily-5500.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd

daily.cvd updated (version: 6003, sigs: 50469, f-level: 26, builder: ccordes)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 25, recommended = 26
DON'T PANIC! Read https://www.clamav.net/support/faq
Database updated (220145 signatures) from database.clamav.net (IP: 64.142.100.50)
--------------------------------------
freshclam 0.92 (OS: win32, ARCH: x86, CPU: i686)
ClamAV update process started at Wed Feb 27 10:23:01 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92 Recommended version: 0.92.1
DON'T PANIC! Read https://www.clamav.net/support/faq
main.cvd is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)







daily.cvd updated (version: 6010, sigs: 50476, f-level: 26, builder: arnaud)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 25, recommended = 26
DON'T PANIC! Read https://www.clamav.net/support/faq
Database updated (220152 signatures) from database.clamav.net (IP: 205.139.192.213)
--------------------------------------
freshclam 0.92 (OS: win32, ARCH: x86, CPU: i686)
ClamAV update process started at Fri Feb 29 10:23:00 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92 Recommended version: 0.92.1
DON'T PANIC! Read https://www.clamav.net/support/faq
main.cvd is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)


































daily.inc updated (version: 6044, sigs: 51676, f-level: 26, builder: ccordes)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 25, recommended = 26
DON'T PANIC! Read https://www.clamav.net/support/faq
Database updated (221352 signatures) from database.clamav.net (IP: 128.121.60.235)
--------------------------------------
freshclam 0.92 (OS: win32, ARCH: x86, CPU: i686)
ClamAV update process started at Mon Mar 03 10:23:01 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92 Recommended version: 0.92.1
DON'T PANIC! Read https://www.clamav.net/support/faq
main.cvd is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)

















































daily.inc updated (version: 6093, sigs: 54664, f-level: 26, builder: ccordes)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 25, recommended = 26
DON'T PANIC! Read https://www.clamav.net/support/faq
Database updated (224340 signatures) from database.clamav.net (IP: 64.246.134.133)
--------------------------------------
freshclam 0.92 (OS: win32, ARCH: x86, CPU: i686)
ClamAV update process started at Tue Mar 04 10:23:00 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92 Recommended version: 0.92.1
DON'T PANIC! Read https://www.clamav.net/support/faq
main.cvd is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)































daily.inc updated (version: 6124, sigs: 54953, f-level: 26, builder: arnaud)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 25, recommended = 26
DON'T PANIC! Read https://www.clamav.net/support/faq
Database updated (224629 signatures) from database.clamav.net (IP: 194.47.250.218)
--------------------------------------
freshclam 0.92 (OS: win32, ARCH: x86, CPU: i686)
ClamAV update process started at Wed Mar 05 10:23:00 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92 Recommended version: 0.92.1
DON'T PANIC! Read https://www.clamav.net/support/faq
main.cvd is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
















daily.inc updated (version: 6140, sigs: 55519, f-level: 26, builder: sven)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 25, recommended = 26
DON'T PANIC! Read https://www.clamav.net/support/faq
Database updated (225195 signatures) from database.clamav.net (IP: 216.24.174.245)
--------------------------------------
freshclam 0.92 (OS: win32, ARCH: x86, CPU: i686)
ClamAV update process started at Thu Mar 06 09:38:26 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92 Recommended version: 0.92.1
DON'T PANIC! Read https://www.clamav.net/support/faq
main.cvd is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)













daily.inc updated (version: 6153, sigs: 56135, f-level: 26, builder: arnaud)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 25, recommended = 26
DON'T PANIC! Read https://www.clamav.net/support/faq
Database updated (225811 signatures) from database.clamav.net (IP: 206.154.202.13)
--------------------------------------
freshclam 0.92 (OS: win32, ARCH: x86, CPU: i686)
ClamAV update process started at Thu Mar 06 09:41:57 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92 Recommended version: 0.92.1
DON'T PANIC! Read https://www.clamav.net/support/faq
main.cvd is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
daily.inc is up to date (version: 6153, sigs: 56135, f-level: 26, builder: arnaud)
--------------------------------------
freshclam 0.92 (OS: win32, ARCH: x86, CPU: i686)
ClamAV update process started at Thu Mar 06 10:23:00 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92 Recommended version: 0.92.1
DON'T PANIC! Read https://www.clamav.net/support/faq
main.cvd is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
daily.inc is up to date (version: 6153, sigs: 56135, f-level: 26, builder: arnaud)
--------------------------------------
freshclam 0.92 (OS: win32, ARCH: x86, CPU: i686)
ClamAV update process started at Fri Mar 07 10:23:00 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92 Recommended version: 0.92.1
DON'T PANIC! Read https://www.clamav.net/support/faq
main.cvd is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)











daily.inc updated (version: 6164, sigs: 56184, f-level: 26, builder: ccordes)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 25, recommended = 26
DON'T PANIC! Read https://www.clamav.net/support/faq
Database updated (225860 signatures) from database.clamav.net (IP: 65.120.238.5)
--------------------------------------
freshclam 0.92 (OS: win32, ARCH: x86, CPU: i686)
ClamAV update process started at Fri Mar 07 13:21:22 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92 Recommended version: 0.92.1
DON'T PANIC! Read https://www.clamav.net/support/faq
main.cvd is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
Control+C pressed, aborting...
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Clam's signature updates are supposedly signed/verified before they are placed for updating, so I don't think it's very likely that their signature updates are infected. It is possible, of course, to get an exploit targeting Clam (or anything else). About a month ago I saw a virus that attempted to disable lots of security software, including freshclam.exe, but Clam is still pretty low on visibility to most malware writers.

I wonder if Microsoft shoved down any changes to system files yesterday. I have seen them do that on occasion, and, in fact, in addition to the usual message about hiberfil and pagefile not having permission to open, I have also lately seen "WARNING: Can't open file \\?\C:\WINDOWS\SoftwareDistribution\EventCache\{2346645A-D5A9-444D-BE2F-0EDC1A727B4B}.bin, Permission denied." This looks to me like a Microsoft event. The process of patching is similar--whether it's done by Microsoft or a patch is slipped in by malware. Check your scan summaries for the last day or so, and if you see a similar SoftwareDistribution/Event thingee, I think this is the answer.

It's looking more and more like we're going to have to add intrusion detection to antivirus, antispyware, and firewall software though, isn't it?

Regards,
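On the question raised in this thread of how to tell whether a database update is genuine, here is an added example (editor's code, not from either poster or from ClamAV): a CVD file is a 512-byte colon-separated header (build time, version, signature count, functionality level, MD5 of the payload, RSA digital signature, builder) followed by a gzipped tar, and the version/sigs/f-level/builder values in the freshclam log above are read from that header. The script builds a constructed sample CVD, checks the payload against the header MD5, and applies the version and functionality-level comparisons freshclam logs; it does not verify the RSA signature field, which freshclam checks against its built-in public key, so the DSIG value below is a placeholder.

```python
import hashlib
import io
import tarfile

HEADER_LEN = 512  # CVD layout: 512-byte ASCII header, then a gzipped tar of signature files


def parse_cvd_header(data: bytes) -> dict:
    """Split the colon-separated CVD header into named fields."""
    header = data[:HEADER_LEN].decode("ascii").rstrip(" \x00")
    fields = header.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        raise ValueError("not a CVD header")
    return {
        "build_time": fields[1],
        "version": int(fields[2]),
        "sigs": int(fields[3]),
        "flevel": int(fields[4]),
        "md5": fields[5],
        "dsig": fields[6],  # RSA signature over the MD5; verified by freshclam, not here
        "builder": fields[7],
    }


def check_cvd(data: bytes, local_version: int, local_flevel: int) -> dict:
    """Check payload integrity against the header MD5 and derive what freshclam would log."""
    hdr = parse_cvd_header(data)
    payload = data[HEADER_LEN:]
    return {
        "version": hdr["version"],
        "sigs": hdr["sigs"],
        "md5_ok": hashlib.md5(payload).hexdigest() == hdr["md5"],
        "is_newer": hdr["version"] > local_version,          # "daily.cvd updated" vs "is up to date"
        "flevel_warning": hdr["flevel"] > local_flevel,      # "Current functionality level = 25, recommended = 26"
    }


def build_sample_cvd(version, sigs, flevel, builder, tamper=False) -> bytes:
    """Constructed sample CVD: a tiny tar.gz payload with a matching header MD5 (or one byte corrupted)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = b"# constructed sample signature file, not a real ClamAV signature\n"
        info = tarfile.TarInfo("daily.ndb")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    payload = buf.getvalue()
    md5 = hashlib.md5(payload).hexdigest()
    header = f"ClamAV-VDB:27 Feb 2008 10-00 -0000:{version}:{sigs}:{flevel}:{md5}:DSIG-PLACEHOLDER:{builder}:1204106400"
    data = header.encode("ascii").ljust(HEADER_LEN, b" ") + payload
    if tamper:  # corrupt the first payload byte so the MD5 check fails
        data = data[:HEADER_LEN] + b"X" + data[HEADER_LEN + 1:]
    return data
```

A real CVD that fails the MD5 check should be treated as corrupt or tampered and not loaded, which is also what freshclam does before it even reaches the signature check.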