Addressing False Positives In Windows Systems Files
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I see that AVG recently "killed" an important Windows XP file. You can read about it at https://securityandthe.net/2008/11/10/avg-virus-scanner-removes-critical-windows-file/ on the Web. The article mentioned ClamWin as one of the alternative scanners to AVG.

How about the efficacy of overriding Quarantine and using Report Only during ClamWin scans when a Windows file is "infected"? The user could then check the file via Jotti/VirusTotal to verify the infection. If this could be done without too much trouble, we could safely use Quarantine, and we would never have a ClamWin user losing access to Windows again because of a false positive in a system file.

Regards,
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
Theoretically, Windows files can be verified using the Windows API and the MS signature; unfortunately, this process is slow. An idea may be to do the signature check only if the file is detected as a virus.
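The two ideas above (Report Only for Windows files, and running the slow signature check only once a file has been detected), sketched as an added example that is not code from the thread or from ClamWin. It reads `clamscan`-style `<path>: <name> FOUND` lines; `SYSTEM_DIRS`, the PowerShell-based `ms_signature_valid` check, its Microsoft signer test and the sample detections are assumptions made for illustration.

```python
import os
import re
import subprocess
from pathlib import PureWindowsPath

# clamscan prints "<path>: <signature name> FOUND" for each detection.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
# Assumption: what counts as a "Windows system file" for this policy.
SYSTEM_DIRS = (PureWindowsPath(r"C:\Windows"),)
# PowerShell snippet: signature status and signer of the file named in $env:TRIAGE_FILE.
PS_CHECK = ("$s = Get-AuthenticodeSignature -LiteralPath $env:TRIAGE_FILE; "
            "'{0}|{1}' -f $s.Status, $s.SignerCertificate.Subject")


def is_system_file(path):
    p = PureWindowsPath(path)  # Windows path comparison is case-insensitive
    return any(d in p.parents for d in SYSTEM_DIRS)


def ms_signature_valid(path):
    """Slow check (Windows only): valid Authenticode signature from Microsoft."""
    env = dict(os.environ, TRIAGE_FILE=path)  # path passed via env, not command text
    try:
        out = subprocess.run(["powershell", "-NoProfile", "-Command", PS_CHECK],
                             capture_output=True, text=True, timeout=60, env=env)
    except (OSError, subprocess.TimeoutExpired):
        return False  # check could not run: treat the file as unverified
    status, _, subject = out.stdout.strip().partition("|")
    # Assumption: Microsoft's signing certificates carry this organisation field.
    return status == "Valid" and "O=Microsoft Corporation" in subject


def triage(scan_output, verify=ms_signature_valid):
    """Return {path: (signature_name, action)} for every FOUND line."""
    actions = {}
    for line in scan_output.splitlines():
        m = FOUND_RE.match(line.strip())
        if not m:
            continue  # "OK" lines, summary, errors
        path = m["path"]
        # The signature check runs only for detections inside system directories.
        if is_system_file(path) and verify(path):
            action = "report-only"  # probable false positive: keep the file, submit it
        else:
            action = "quarantine"
        actions[path] = (m["sig"], action)
    return actions


# Constructed sample output; the signature names are made up.
SAMPLE = r"""C:\Users\bob\Downloads\setup.exe: Win.Trojan.Example-1 FOUND
C:\Windows\System32\user32.dll: Win.Trojan.Example-2 FOUND
C:\WINDOWS\Temp\dropper.exe: Win.Trojan.Example-3 FOUND
C:\Windows\notepad.exe: OK
"""
```

A detected system file that fails the signature check is still quarantined here; a site that prefers never to move anything under `C:\Windows` automatically can return a third action for that case instead.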
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
And I'm glad to see that we are not the only ones that killed system files :D
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
All AVs have similar problems. Malware is just another program, and many programs have similar code, so false positives happen. Clam did not have enough Windows programs on their false positive "farm" where signatures are checked before they are published. I think they are better now.

Most current malware isn't going to kill a major system file. Malware users can't make any money from a dead computer!

Regards,
false positives
solos


Joined: 07 May 2009
Posts: 0
Location: belgium
Where can I send ClamWin reports (and screenshots) containing possible false positives?

Regards, Bart
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Clam AV furnishes the scanning engine/signature database that ClamWin uses. You can upload both false positive files and undetected virus files to Clam starting at https://www.clamav.net/sendvirus/ on the web. After reading this, there is a link to the Clam submission/upload page to upload a copy of the file concerned. Be sure to give them the exact name of the virus or false positive virus. If it is a false positive, tell them why you think it is false in the comment block.

Regards,