ClamWin Free Antivirus
Support and Discussion Forums
[platform] FindFirstFileW() failed (3)
dHardwhare


Joined: 22 Jan 2009
Posts: 0
Location: here
I am using ClamWin that reports 0.94.1 when asked via clamscan.exe -h via command line
(even though it still warns me "This version of the ClamAV engine is outdated." Why?)

I recently had need to scan the C:\ drive of my computer and after running awhile it generates lots (40+ occurrences in my case) of the following:
LibClamAV Error: [platform] FindFirstFileW() failed (3)
I don't see this error reported anywhere in my research.

The scan seems to eventually finish normally.

I invoke it with this line:
"C:\Program Files\ClamWin\bin\clamscan.exe" -d "C:\Documents and Settings\All Users\.clamwin\db" -i --detect-pua -r "C:\" > C:\Clamwin_prob090122.log

The log file includes a number of '... Permission denied' messages for files like '...\Application Data\Microsoft\Windows\UsrClass.dat', '...\NTUSER.DAT' and such.

When I scan anything else that's not a windows boot disk, I don't get those errors.

Any clues?
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
Permission denied on NT registry files (ntuser.dat) is normal.
I would like to know more about the FindFirstFileW error; what are the filenames causing the problem?

error 3 is ERROR_PATH_NOT_FOUND
looks like a bug related to filepath conversion,
your os?
dHardwhare


Joined: 22 Jan 2009
Posts: 0
Location: here
sherpya wrote:
Permission denied on NT registry files (ntuser.dat) is normal.
I would like to know more about the FindFirstFileW error; what are the filenames causing the problem?

error 3 is ERROR_PATH_NOT_FOUND
looks like a bug related to filepath conversion,
your os?


My OS is Win XP SP2. I'm using Clam AntiVirus Scanner 0.94, via c:\Program Files\ClamWin\bin\clamscan.exe
dHardwhare


Joined: 22 Jan 2009
Posts: 0
Location: here
sherpya wrote:
Permission denied on NT registry files (ntuser.dat) is normal.
I would like to know more about the FindFirstFileW error; what are the filenames causing the problem?

error 3 is ERROR_PATH_NOT_FOUND
looks like a bug related to filepath conversion,
your os?


I've rerun the same command but on a separate drive other than the boot disk. It's a copy of the Windows boot disk, so it has all the same files and directories, but it is not what the computer is running from... so none of its files should be tied up by system processes.

I'm still getting the
LibClamAV Error: [platform] FindFirstFileW() failed (3)
messages MANY times.

Can no one reproduce this?
dHardwhare


Joined: 22 Jan 2009
Posts: 0
Location: here
sherpya wrote:
Permission denied on NT registry files (ntuser.dat) is normal.
I would like to know more about the FindFirstFileW error; what are the filenames causing the problem?

error 3 is ERROR_PATH_NOT_FOUND
looks like a bug related to filepath conversion,
your os?


Oh, about the filenames causing the problem... They are not reported at the time the messages appear, so I have no way to know, or so it seems.
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
please try to add --debug
in advanced options as additional clamscan command line parameters and post the output
dHardwhare


Joined: 22 Jan 2009
Posts: 0
Location: here
sherpya wrote:
please try to add --debug
in advanced options as additional clamscan command line parameters and post the output


Thank you for your reply and suggestion.

Using the --debug command, I certainly see lots of extra information being displayed during the scan process. Unfortunately, this extra output isn't being captured with the redirection techniques that I'm familiar with.

For example, the following doesn't capture the extra information that I see coming out on the screen:
"C:\Program Files\ClamWin\bin\clamscan.exe" -d "C:\Documents and Settings\All Users\.clamwin\db" --debug -l c:\Clamwin_debug_log.txt -r "d:\WINDOWS" > c:\Clamwin_debug_redir.txt

Both Clamwin_debug_redir.txt and Clamwin_debug_log.txt end up containing only the same information as they do when I don't use the --debug option.

I especially need to trap the information for later review due to the fact I don't know the directories containing the files that are generating the original issue. So, I need to ultimately scan the whole drive ("D:\") in this case and that generates a lot more output than I can scroll back to within the command window.

Can you (or other readers) help with that aspect?

Thanks.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Below is the command to use to put debug output in any directory/subdirectory you want:

--debug --leave-temps --tempdir C:\DirectoryName\SubDirectoryName
dHardwhare


Joined: 22 Jan 2009
Posts: 0
Location: here
GuitarBob wrote:
Below is the command to use to put debug output in any directory/subdirectory you want:

--debug --leave-temps --tempdir C:\DirectoryName\SubDirectoryName


Thanks GuitarBob.

There's a lot being generated there. I'm scanning an 80 GB drive which has only about 10 GB free space on it. My working drive is an 80 GB drive with about 17 GB free on it. I *hope* the debug option isn't going to generate more than I have room for.

And assuming that it completes without running out of space, sherpya, what portion of that stuff do you want me to post on here? Do I do a strings search on what's generated, looking for some part of "[platform] FindFirstFileW() failed (3) "?
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
No, leave temps is not needed, and with a lot of data it can lead to running out of space, as you said.
dHardwhare


Joined: 22 Jan 2009
Posts: 0
Location: here
sherpya wrote:
No, leave temps is not needed, and with a lot of data it can lead to running out of space, as you said.


Yikes. I read your message after I'd started it and gone to sleep. Yes, I ran out of space.

OK, redoing it (and after clearing out the HUGE temporary folder), how do you recommend that I trap the debug output needed to troubleshoot this mystery? (See an earlier message about my unsuccessful attempts to get the extra debug info into the log file)

Additional factor: I've been running this Clamwin experiment in a VMware Virtual machine (Using VMware Workstation 6.0), since I don't have permission to install Clamwin on all the machines that I have access to for testing. Would running in a VM have bearing on my difficulty to trap the debug info from the control/command window?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I've had no problem trapping ClamWin's debug information in VMware for signatures--one file at a time though.

Regards,
dHardwhare


Joined: 22 Jan 2009
Posts: 0
Location: here
GuitarBob wrote:
I've had no problem trapping ClamWin's debug information in VMware for signatures--one file at a time though.

Regards,


Thanks GuitarBob.

When you were 'trapping' the debug information, did you do something other than copy/paste from the command window? Did you get either of the methods I mentioned earlier to get that debug info automatically into an output file?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I just copied and pasted the command into ClamWin's additional clamscan command line parameters in the Advanced preferences. I just scan one file containing malware at a time, and the debug information is saved in the directory\subdirectory named in the command as a file named with the MD5 hash.

This doesn't help you though, because you are looking at multiple stuff. Perhaps you could limit it to a directory at a time, but you would still have to edit the output with something, I guess. It would be tedious.

Regards,
dHardwhare


Joined: 22 Jan 2009
Posts: 0
Location: here
GuitarBob wrote:
I just copied and pasted the command into ClamWin's additional clamscan command line parameters in the Advanced preferences. I just scan one file containing malware at a time, and the debug information is saved in the directory\subdirectory named in the command as a file named with the MD5 hash.

This doesn't help you though, because you are looking at multiple stuff. Perhaps you could limit it to a directory at a time, but you would still have to edit the output with something, I guess. It would be tedious.

Regards,


Yes, I'm going to retry the original format of the scan with trial and error choices of specific directories to try and narrow down where the problems are, before regenerating any debug information.

I'm unfamiliar with the 'Advanced preferences', and haven't been able to find anything useful with a quick try in Google. Could you point me there?

Thanks.
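
Added example (not part of the original thread, and not ClamWin project code): libclamav prints its error and debug messages on stderr, which a plain `>` redirection does not capture. The script below runs the scan from the first post once per top-level directory, keeps stdout and stderr in separate files, and reports which directories produced the FindFirstFileW message. The drive letter `D:\`, the log directory `C:\clamwin_logs` and the function names are assumptions.

```python
import subprocess
from pathlib import Path

ERROR_MARKER = "FindFirstFileW() failed"  # error text quoted in the thread
CLAMSCAN = r"C:\Program Files\ClamWin\bin\clamscan.exe"        # path from the thread
DATABASE = r"C:\Documents and Settings\All Users\.clamwin\db"  # path from the thread


def count_marker(stderr_text, marker=ERROR_MARKER):
    """Count the stderr lines that contain the error marker."""
    return sum(1 for line in stderr_text.splitlines() if marker in line)


def scan_subdirs(root, log_dir, run=subprocess.run):
    """Scan each top-level subdirectory of root in its own clamscan run.

    stdout (scan results) and stderr (libclamav messages) are written to
    separate files per directory, so every error can be tied to the subtree
    that produced it. Files directly under root are not scanned.
    Returns {directory: error_count} for the directories that hit the error.
    """
    log_dir = Path(log_dir)
    log_dir.mkdir(parents=True, exist_ok=True)
    hits = {}
    for sub in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        cmd = [CLAMSCAN, "-d", DATABASE, "-i", "--detect-pua", "-r", str(sub)]
        # Same effect as `> out.txt 2> err.txt` at the command prompt.
        proc = run(cmd, capture_output=True, text=True, errors="replace")
        (log_dir / f"{sub.name}.out.txt").write_text(proc.stdout, encoding="utf-8")
        (log_dir / f"{sub.name}.err.txt").write_text(proc.stderr, encoding="utf-8")
        found = count_marker(proc.stderr)
        if found:
            hits[str(sub)] = found
    return hits


if __name__ == "__main__":
    # Placeholder drive and log directory (assumptions, not from the thread).
    for directory, found in scan_subdirs("D:\\", r"C:\clamwin_logs").items():
        print(f"{found:4d}  {directory}")
```

Once an affected directory is known, the scan can be repeated on that directory alone with `--debug` added, which keeps the captured stderr to a manageable size.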