Bad database update?
brianecole
I saw the same thing affect Windows Server 2008 servers. I am now rebuilding several servers, and shopping for another antivirus engine.
evilrobert
It did the same to my 2008 R2 server. Completely blew out my SQL and the DBs as well. Windows 7 didn't seem to agree with what it was doing.
For anyone else wondering, if your scan runs and your windows close, ClamWin's shutting down the programs because it's flagging them as infected. Including itself, which is awesome.
kjnc
Same here, I had 76 dlls and exes quarantined this morning. The problem is, it also got clamwin.exe, so it killed itself before it could write out the log, so I don't know where to put all of these files back.
I am on win2003 Server Enterprise.
GuitarBob
What virus(es) are being falsely-detected? Did anyone submit the file(s) to Clam AV for signature correction? I do not see any false positive reports on the Clam AV submission interface, so perhaps it has been taken care of by now.
ClamWin has false positive protection for Windows digitally-signed system files on Vista and Win 7 machines now. It will not quarantine these files--just provide a message in the scan report to submit a false positive to Clam AV.
Regards,
evilrobert
There's no way to submit a false positive report, since it's killing its own .exe and process. I found it curious that there were no log reports after yesterday's scheduled run, and then watched ClamWin kill itself on my laptop and it dawned on me it's not getting to the point where it generates a program before it gets shut down by its own scan.
No log, no way to show what of the 80+ files it keeps wanting to kill off. And it called a positive on the Google Chrome executable in Win 7 and moved it, while leaving most everything else alone (Win7 didn't allow it to move the files).
alch
Site Admin
There was a bug in 0.96.2 release which is fixed in 0.96.4 released today. Please download and install the update:
https://sourceforge.net/projects/clamwin/files/clamwin/0.96.4/clamwin-0.96.4-setup-nodb.exe/download
evilrobert
My only concern with that would be that my software was functioning fine until the system downloaded today's update. The error's in the program, despite running normally until it installed a database update the program made today?
I also find it suspicious that on the XP machine PC that was wrecked, there was a system restore point created during the scan. Does ClamWin normally create a system restore point during the beginning of the scan process?
Same problem, on winXP
cjturner
There is no way to report all of these false positives! Clamwin totally took out one system, moved 890 files to quarantine including clamscan.exe and clamtray.exe.
Broken system update log: updated Thursday 18 Nov at 13:00 EST (GMT-5), daily update ver. 12280 (builder ccordes) database updated from IP 155.98.64.87 (mirror-vip.cs.utah.edu)
So far, alternate scanner showing no viruses.
Went to another computer which had not scanned yet: disabled move/unload from memory and did a memory scan:

```
Scan Started Thu Nov 18 20:01:09 2010
-------------------------------------------------------------------------------
*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***
*** Scanned 10 processes - 190 modules ***
*** Computer Memory Scan Completed ***
C:\Program Files\Bonjour\mdnsNSP.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\OpenOffice.org 2.3\program\uwinapi.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\OpenOffice.org 2.3\program\MSVCR71.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\OpenOffice.org 2.3\program\stlport_vc7145.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\OpenOffice.org 2.3\program\MSVCP71.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\ExpShell.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\7-Zip\7-zip.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\WINDOWS\system32\CmdLineExt.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\ClamWin.exe: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\python23.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\win32api.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\pywintypes23.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\wxc.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\wxmsw24h.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\_sre.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\_socket.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\_ssl.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\_winreg.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\win32gui.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\win32event.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\pythoncom23.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\shell.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\win32security.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\_ctypes.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\win32file.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\win32pipe.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\win32process.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\gizmosc.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\mxDateTime.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\htmlc.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\pyc.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\libclamav.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\libclamav_llvm.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCP80.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\libclamunrar_iface.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\libclamunrar.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\datetime.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\lib\_bsddb.pyd: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\clamscan.exe: Heuristic.Trojan.SusPacked.TMS FOUND
----------- SCAN SUMMARY -----------
Known viruses: 851477
Engine version: 0.96.2
Scanned directories: 0
Scanned files: 200
Infected files: 42
```
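A triage check for a scan report like the one posted above, as an added example that is not part of any post in this thread and not ClamWin's own code: it parses the `path: signature FOUND` lines and flags the pattern seen here, where the scanner detects its own files or one signature hits several unrelated install directories. The sample log is constructed from a few lines of that report; the function names, the `scanner_dir` default and the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample: a few lines in the format of the scan report posted above.
SAMPLE_LOG = r"""
Scan Started Thu Nov 18 20:01:09 2010
C:\Program Files\Bonjour\mdnsNSP.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\7-Zip\7-zip.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\WINDOWS\system32\CmdLineExt.dll: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\ClamWin.exe: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\clamscan.exe: Heuristic.Trojan.SusPacked.TMS FOUND
----------- SCAN SUMMARY -----------
Infected files: 5
"""

# "<path>: <signature> FOUND"; the drive-letter colon is followed by "\", not a
# space, so the greedy path group stops at the last ": " separator.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_detections(log_text):
    """Return (path, signature) for every detection line, skipping banners."""
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def triage(log_text, scanner_dir=r"C:\Program Files\ClamWin", storm_share=0.9):
    """Flag reports that look like a bad signature rather than an infection.
    Signals (thresholds are assumptions): the scanner detects its own files,
    or one signature makes up nearly all hits across 3+ install directories."""
    hits = parse_detections(log_text)
    by_sig = Counter(sig for _, sig in hits)
    top_sig, top_n = by_sig.most_common(1)[0] if by_sig else (None, 0)
    prefix = scanner_dir.lower() + "\\"
    self_flagged = [p for p, _ in hits if p.lower().startswith(prefix)]
    # Install directory = first three path components, e.g. C:\Program Files\7-Zip
    products = {"\\".join(p.split("\\")[:3]).lower() for p, _ in hits}
    one_sig_storm = bool(hits) and top_n / len(hits) >= storm_share and len(products) >= 3
    return {"detections": len(hits), "top_signature": top_sig,
            "self_flagged": self_flagged, "distinct_dirs": len(products),
            "suspect_false_positive": bool(self_flagged) or one_sig_storm}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Running a check like this on a report-only scan, before any move-to-quarantine action is enabled, gives a point at which to hold the update and submit the files as false positives.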
alch
Site Admin
The restore point is a coincidence. The problem with this false positive was in the virus database update but 0.96.2 had a bug in handling certain parts of the signature and hence triggered a false positive. The signature will be dropped today and 0.96.2 will function ok, but it is still better to update to 0.96.4 to avoid possible similar issues in the future.
Re: Same problem, on winXP
alch
Site Admin
There was a bug in 0.96.2 release which is fixed in 0.96.4 released today. Please download and install the update:
https://sourceforge.net/projects/clamwin/files/clamwin/0.96.4/clamwin-0.96.4-setup-nodb.exe/download
GuitarBob
That signature has been dropped from the Clam AV signatures.
Regards,
BeRu
OK,
there has been an error. BUT HOW TO RESTORE THE 20.000 Files? I have found no restore function in ClamWin. But there is a database with some 60 MB. Is there a possibility to do an automatic restore out of the quarantine folder????? That's what I need!!!
BeRu
alch
Site Admin
1) Check the log file
Win7 and Vista: C:\Users\All Users\.clamwin\log\ClamScanLog.txt
XP: C:\Documents and Settings\All Users\.clamwin\log\ClamScanLog.txt
2) If the log does not have the quarantine info there is still a chance it would be in the temp folder. Can you check your temp folder and let me know? It should start with tmp and look like this:
C:\Documents and Settings\user\Local Settings\Temp\tmp0bx8st on XP or
C:\Users\alex\AppData\Local\Temp\tmp0bx8st on Vista/7
Look for a larger file and check if it has quarantine info inside.
Administrator
Thanks Clamwin, for messing up my server!!
More than 2000 'infected' files, which I have to move back manually.
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.