ClamWin messes up MS Office 2007
cdysthe


Joined: 24 Apr 2009
Posts: 0
Hi,

I keep getting positives related to files belonging to Microsoft Office 2007. I have had to set ClamWin to only report since my Office install gets corrupted if ClamWin gets its way quarantining what it finds. These are the entries from today's log:

C:\Windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\XL12CNV.EXE: W32.Virut.Gen.D-163 FOUND
C:\Windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.6215\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Windows\Installer\1df6d35c.msp: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\9c50f58c375d536720c74a564e5e3daa\xlconv.cab: W32.Virut.Gen.D-163 FOUND

Are these false positives? If not, what are they?

//C
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
There is a known issue with ClamWin 0.95.1 and some versions of Excel in Office 12.

It would be great if you could upload those files that yield false positives somewhere (rapidshare or similar) and then let us know the link. Alternatively please email me at alch [at] clamwin [dot] com and I will send you the ftp server details.

Thanks
Alch
cdysthe


Joined: 24 Apr 2009
Posts: 0
alch wrote:
There is a known issue with ClamWin 0.95.1 and some versions of Excel in Office 12.

It would be great if you could upload those files that yield false positives somewhere (rapidshare or similar) and then let us know the link. Alternatively please email me at alch [at] clamwin [dot] com and I will send you the ftp server details.

Thanks
Alch


The files (archived) can be downloaded here:

https://www.dysthe.net/files/ClamWinFP.rar

I checked the files again and got the same result: Infected. If I quarantine them Office stops working. I get an install dialog when I try to open an application, and then an error message.

//C
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You can exclude the two files from ClamWin scans temporarily by using ClamWin's filters. Go to the Filters tab in Configuration and add them to the default list on the left-hand side. Format is: filename.exe (like excelcnv.exe). You can delete them when Clam fixes the false positive.

Regards,
cdysthe


Joined: 24 Apr 2009
Posts: 0
GuitarBob wrote:
You can exclude the two files from ClamWin scans temporarily by using ClamWin's filters. Go to the Filters tab in Configuration and add them to the default list on the left-hand side. Format is: filename.exe (like excelcnv.exe). You can delete them when Clam fixes the false positive.

Regards,


Thanks, but one of the files in question is "EXCEL.EXE" (in two different directories) which exists as part of MS Office. I am not sure I would like to exclude such a "tempting" file name for virus authors. Could I exclude the files with their full path from the log?

//C
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Yes. I believe you can exclude the files with the full path name from the scan log. That way, they will only be excluded when the path is scanned. Verify this, however, after you make the exclusion. Scan the path directory to make sure they are excluded. They should still be scanned if you scan the individual file.

Regards,
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
The FP should be fixed now, please re-scan and let us know.

Alch
cdysthe


Joined: 24 Apr 2009
Posts: 0
alch wrote:
The FP should be fixed now, please re-scan and let us know.

Alch


There was a major Office update (SP2) yesterday. Now I am getting these positives, which I think are FPs as well, linked to MS Office 2007:

C:\Program Files\Common Files\microsoft shared\VBA\VBA6\VBE6.DLL: W32.Virut.Gen.D-159 FOUND
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND

The files can be downloaded here:

https://www.dysthe.net/files/ClamWinFP2.rar

//C


Last edited by cdysthe on Thu Apr 30, 2009 1:30 pm; edited 1 time in total
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Please make them available ASAP. Those Virut.Gen sigs are designed to catch an entire family of viruses. They are therefore very valuable, so Clam doesn't want to delete the signature--they "whitelist" each "good" file individually. Unfortunately, it looks like Microsoft has a lot of Office-related files that use similar coding.

Regards,
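Added example, not part of any post in this thread and not ClamWin's own code: it contrasts the name-only filter discussed above (cdysthe's concern about excluding "EXCEL.EXE") with the per-file whitelisting GuitarBob describes. The log lines are copied from the thread; the `MD5:size:name` layout is the hash-based entry format ClamAV reads from `.fp` databases, which the thread itself does not show, and the function names are illustrative.

```python
import hashlib
import ntpath
import re
from collections import defaultdict

# Log lines copied from the thread (clamscan "path: signature FOUND" format).
SAMPLE_LOG = r"""
C:\Windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.6215\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Common Files\microsoft shared\VBA\VBA6\VBE6.DLL: W32.Virut.Gen.D-159 FOUND
"""

# The path itself contains "C:", so match greedily up to the last ": ".
FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_found(log_text):
    """Return a list of (path, signature) for every 'FOUND' line."""
    hits = []
    for line in log_text.splitlines():
        m = FOUND.match(line.strip())
        if m:
            hits.append((m["path"], m["sig"]))
    return hits

def name_filter_scope(hits):
    """Map lower-cased file name -> flagged paths a name-only exclusion would cover."""
    scope = defaultdict(list)
    for path, _sig in hits:
        # ntpath parses Windows paths correctly on any OS.
        scope[ntpath.basename(path).lower()].append(path)
    return dict(scope)

def fp_entry(data, label):
    """Build an 'MD5:size:label' line; it matches only this exact file content."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{label}"

if __name__ == "__main__":
    hits = parse_found(SAMPLE_LOG)
    for name, paths in name_filter_scope(hits).items():
        print(f"{name}: a name-only filter would skip {len(paths)} flagged path(s)")
    # Constructed stand-in bytes; a real entry is computed over the actual file.
    print(fp_entry(b"constructed sample bytes", "EXCEL.EXE"))
```

A name-only filter skips every file called EXCEL.EXE wherever it sits, while a hash entry stops matching as soon as a single byte of the file changes, so a new entry is needed after each Office update.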
cdysthe


Joined: 24 Apr 2009
Posts: 0
GuitarBob wrote:
Please make them available ASAP. Those Virut.Gen sigs are designed to catch an entire family of viruses. They are therefore very valuable, so Clam doesn't want to delete the signature--they "whitelist" each "good" file individually. Unfortunately, it looks like Microsoft has a lot of Office-related files that use similar coding.

Regards,


They are available now. See my edited post above which contains a download link.

//C
xrmtor


Joined: 01 May 2009
Posts: 0
Hi, this is the result after ClamWin scanned my computer... ClamWin is set to report only. What should I do???

C:\Program Files\Common Files\microsoft shared\VBA\VBA6\VBE6.DLL: W32.Virut.Gen.D-159 FOUND
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 546247
Engine version: 0.95.1
Scanned directories: 15491
Scanned files: 87713
Infected files: 3

Data scanned: 24427.44 MB
Data read: 21857.73 MB (ratio 1.12:1)
Time: 14793.418 sec (246 m 33 s)
--------------------------------------
Completed
--------------------------------------
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Clam is working on the Office false positives. Leave ClamWin on Report Only until they are fixed--hopefully today.

Regards,
cdysthe


Joined: 24 Apr 2009
Posts: 0
GuitarBob wrote:
Clam is working on the Office false positives. Leave ClamWin on Report Only until they are fixed--hopefully today.

Regards,



This is good advice! I had mine set to auto-quarantine and it broke my Office installation and its Windows Installer entry. If you accidentally are having the files quarantined you would need the Windows Installer Clean up utility to remove the broken installer entry or you won't even be able to reinstall MS Office.

//C