lyscan
Joined: 01 Oct 2009
Posts: 0
Posted: Thu Oct 01, 2009 12:57 pm
Apologies if this has been addressed before. I searched, but didn't find any previous comments on this.
I have a scheduled scan that includes scanning active processes. It detected a virus, but the path and filename given were those of a temporary file, which was deleted once scanning was done.
Problem 1: Since the file is deleted, I can't upload it to Jotti or VirusTotal for a second opinion.
Work-around: I enabled quarantining, rescanned and got a file that I could submit. Turned out to be a likely false positive.
Problem 2: There is no indication of which process was infected or where the file originally resided, so I didn't know where to restore it. Luckily, a web search pointed out one of my applications, so I managed to set things right.
How can I make ClamWin report the name of an infected process and/or the original path of a quarantined file?
Any help greatly appreciated!

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Oct 01, 2009 3:09 pm
The particulars to a detection will be in the ClamWin scan log. The location of the log (scan report file) is noted in the ClamWin Reports tab. Generally keep the infected files option set to Report only unless you have verified an infection--which you are doing. Good job!
Regards,

lyscan
Joined: 01 Oct 2009
Posts: 0
Posted: Thu Oct 01, 2009 3:38 pm
This file just points me to the temporary directory, with no indication of original location or the process being scanned:
c:\docume~1\usr\lokala~1\temp/clamav-d7a2b350d566d1f371fd338c532ef1d1.000004f8.clamtmp: W32.Virut.Gen.D-144 FOUND
This is independent of the Report/Quarantine/Remove setting.
Would it be fair to conclude that
- there is no way of knowing who the culprit is when scanning memory using the Report option
- using the quarantine option saves the infected file, but makes it impossible to restore it in case it's a false positive?
Cheers,

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Oct 02, 2009 2:59 am
Yes, using Quarantine will not let you easily restore a false positive detection back to its original location, although you may be able to using the scan report and deleting the "infected" in the name and manually transferring/copying it back. That's why you should probably verify all detections with Jotti or VirusTotal or another installed AV on your computer. Since ClamWin does not yet have a resident scanner, most users should employ a real-time scanner and use ClamWin as a backup. If you must use ClamWin only, look into the ClamSentinel front-end at https://sourceforge.net/projects/clamsentinel/ on the web, but it only provides partial real-time detection.
The Virut detection you showed appears to be in a Clam temp file. These are temporary files ClamWin uses as it is scanning. Their name will look something like a file hash mark with a clamtmp extension. You can safely delete them if you want. It usually deletes them as soon as it's finished with one, or upon the next reboot.
I also don't set ClamWin to remove infected files from memory. You will see the filename in the scan report (either on screen or in the scan log). You can save a scan report for a memory only scan, and a log is available for a regular scan.
Regards,
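The practical problem in this thread is telling, from the scan log alone, which detections refer to a ClamWin temporary copy (a memory/process scan, where the report records no originating process or path) and which refer to a real file on disk that can be submitted to Jotti or VirusTotal as-is. The script below is an added example, not ClamWin's own code: it parses report lines in the only format the thread shows (`<path>: <signature> FOUND`) and splits the hits into those two groups, so the clamtmp ones can be re-scanned with quarantine enabled. The sample report lines are constructed for the example (the first one is the line quoted above); the `.clamtmp` suffix is the only thing it relies on to recognise a temp file.

```python
"""Split a ClamWin/clamscan scan report into on-disk detections and
memory-scan temp-file detections.

Added example; assumes only the report line format seen in the thread:
    <path>: <signature> FOUND
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Everything before the final ": " is the path (drive letters contain ":"
# but never ": ", so a greedy match is safe); the signature has no spaces.
DETECTION_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# Suffix ClamWin gives the temporary copies it scans (seen in the thread).
TEMP_SUFFIX = ".clamtmp"


@dataclass
class Detection:
    path: str
    signature: str

    @property
    def is_memory_temp(self) -> bool:
        """True when the hit is on a ClamWin temp copy. The report then
        names only the temp file, not the process or original location."""
        return self.path.lower().endswith(TEMP_SUFFIX)


def parse_report(text: str) -> List[Detection]:
    """Return one Detection per 'FOUND' line; 'OK' and other lines are skipped."""
    hits: List[Detection] = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append(Detection(m.group("path"), m.group("sig")))
    return hits


def summarize(text: str) -> Dict[str, List[str]]:
    """Group hits: 'on_disk' entries can be uploaded for a second opinion
    directly; 'memory_temp' entries need a re-scan with quarantine enabled
    to obtain a file at all."""
    out: Dict[str, List[str]] = {"on_disk": [], "memory_temp": []}
    for d in parse_report(text):
        key = "memory_temp" if d.is_memory_temp else "on_disk"
        out[key].append(f"{d.signature} in {d.path}")
    return out


# Constructed sample report; the first line is the one quoted in the thread.
SAMPLE_REPORT = """\
c:\\docume~1\\usr\\lokala~1\\temp/clamav-d7a2b350d566d1f371fd338c532ef1d1.000004f8.clamtmp: W32.Virut.Gen.D-144 FOUND
C:\\Program Files\\Example\\app.exe: OK
C:\\Documents and Settings\\usr\\Desktop\\sample.com: Eicar-Test-Signature FOUND
"""

if __name__ == "__main__":
    for group, items in summarize(SAMPLE_REPORT).items():
        print(group)
        for item in items:
            print("   ", item)
```

Run it against the scan report file named on the ClamWin Reports tab (read the file and pass its contents to `summarize`); anything listed under `memory_temp` is a detection for which the log cannot tell you the culprit, which is exactly the situation described in the thread.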