I've found that if a file has already been quarantined and is scanned for a second time it's not move.

The output below shows that when the file exists in the quarantine area it gets "excluded" (what does this mean?)

The second output shows that the file gets moved when I delete from the quarantine before I ran a scan.

This behaviour concerns me because I expect files left in my download area to be clean i.e if it's not there then clam has moved it because of an infection. Otherwise I assume it OK.

C:\Downloads>"C:\Program Files\ClamWin\bin\clamscan.exe" --database="C:\Document
s and Settings\All Users.WINDOWS\.clamwin\db" -l "C:\Documents and Settings\All
Users.WINDOWS\.clamwin\log\ClamScanLog.txt" --bell --move="C:\Documents and Sett
ings\All Users.WINDOWS\.clamwin\quarantine" --debug eicar_com.zip
LibClamAV debug: Loading databases from C:\Documents and Settings\All Users.WIND
OWS\.clamwin\db
LibClamAV debug: Loading C:\Documents and Settings\All Users.WINDOWS\.clamwin\db
/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 59b355ea6cd32f70124fc421e29023b6
LibClamAV debug: Decoded signature: 59b355ea6cd32f70124fc421e29023b6
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking C:\Temp/clamav-c1d1b4ff87efd0e9/COPYING
LibClamAV debug: Unpacking C:\Temp/clamav-c1d1b4ff87efd0e9/daily.db
LibClamAV debug: Unpacking C:\Temp/clamav-c1d1b4ff87efd0e9/daily.hdb
LibClamAV debug: Unpacking C:\Temp/clamav-c1d1b4ff87efd0e9/daily.ndb
LibClamAV debug: Loading databases from C:\Temp/clamav-c1d1b4ff87efd0e9
LibClamAV debug: Loading C:\Temp/clamav-c1d1b4ff87efd0e9/daily.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading C:\Temp/clamav-c1d1b4ff87efd0e9/daily.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading C:\Temp/clamav-c1d1b4ff87efd0e9/daily.ndb
LibClamAV debug: Loading C:\Documents and Settings\All Users.WINDOWS\.clamwin\db
/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = a9a400e70dcbfe2c9e11d78416e1c0cc
LibClamAV debug: Decoded signature: a9a400e70dcbfe2c9e11d78416e1c0cc
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking C:\Temp/clamav-ef45681c8aacd9a7/COPYING
LibClamAV debug: Unpacking C:\Temp/clamav-ef45681c8aacd9a7/main.db
LibClamAV debug: Unpacking C:\Temp/clamav-ef45681c8aacd9a7/main.hdb
LibClamAV debug: Unpacking C:\Temp/clamav-ef45681c8aacd9a7/main.ndb
LibClamAV debug: Unpacking C:\Temp/clamav-ef45681c8aacd9a7/main.zmd
LibClamAV debug: Unpacking C:\Temp/clamav-ef45681c8aacd9a7/main.fp
LibClamAV debug: Loading databases from C:\Temp/clamav-ef45681c8aacd9a7
LibClamAV debug: Loading C:\Temp/clamav-ef45681c8aacd9a7/main.db
LibClamAV debug: Loading C:\Temp/clamav-ef45681c8aacd9a7/main.fp
LibClamAV debug: Loading C:\Temp/clamav-ef45681c8aacd9a7/main.hdb
LibClamAV debug: Loading C:\Temp/clamav-ef45681c8aacd9a7/main.ndb
LibClamAV debug: Loading C:\Temp/clamav-ef45681c8aacd9a7/main.zmd
LibClamAV debug: Recognized ZIP file
LibClamAV debug: in scanzip()
LibClamAV debug: Zip: eicar.com, crc32: 0x6851cf3c, offset: 0, encrypted: 0, com
pressed: 68, normal: 68, method: 0, ratio: 1 (max: 250)
LibClamAV debug: Eicar-Test-Signature found in descriptor 6.
LibClamAV debug: Zip: Infected with Eicar-Test-Signature
eicar_com.zip: Eicar-Test-Signature FOUND
File excluded 'eicar_com.zip'

----------- SCAN SUMMARY -----------
Known viruses: 60037
Engine version: 0.88.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Not moved: 1
Data scanned: 0.00 MB
Time: 5.568 sec (0 m 5 s)

C:\Downloads>clamscan.bat eicar_com.zip

C:\Downloads>"C:\Program Files\ClamWin\bin\clamscan.exe" --database="C:\Document
s and Settings\All Users.WINDOWS\.clamwin\db" -l "C:\Documents and Settings\All
Users.WINDOWS\.clamwin\log\ClamScanLog.txt" --bell --move="C:\Documents and Sett
ings\All Users.WINDOWS\.clamwin\quarantine" --debug eicar_com.zip
LibClamAV debug: Loading databases from C:\Documents and Settings\All Users.WIND
OWS\.clamwin\db
LibClamAV debug: Loading C:\Documents and Settings\All Users.WINDOWS\.clamwin\db
/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 59b355ea6cd32f70124fc421e29023b6
LibClamAV debug: Decoded signature: 59b355ea6cd32f70124fc421e29023b6
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking C:\Temp/clamav-04d4cbdeedc6e3bb/COPYING
LibClamAV debug: Unpacking C:\Temp/clamav-04d4cbdeedc6e3bb/daily.db
LibClamAV debug: Unpacking C:\Temp/clamav-04d4cbdeedc6e3bb/daily.hdb
LibClamAV debug: Unpacking C:\Temp/clamav-04d4cbdeedc6e3bb/daily.ndb
LibClamAV debug: Loading databases from C:\Temp/clamav-04d4cbdeedc6e3bb
LibClamAV debug: Loading C:\Temp/clamav-04d4cbdeedc6e3bb/daily.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading C:\Temp/clamav-04d4cbdeedc6e3bb/daily.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading C:\Temp/clamav-04d4cbdeedc6e3bb/daily.ndb
LibClamAV debug: Loading C:\Documents and Settings\All Users.WINDOWS\.clamwin\db
/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = a9a400e70dcbfe2c9e11d78416e1c0cc
LibClamAV debug: Decoded signature: a9a400e70dcbfe2c9e11d78416e1c0cc
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking C:\Temp/clamav-f4f591c74837f98b/COPYING
LibClamAV debug: Unpacking C:\Temp/clamav-f4f591c74837f98b/main.db
LibClamAV debug: Unpacking C:\Temp/clamav-f4f591c74837f98b/main.hdb
LibClamAV debug: Unpacking C:\Temp/clamav-f4f591c74837f98b/main.ndb
LibClamAV debug: Unpacking C:\Temp/clamav-f4f591c74837f98b/main.zmd
LibClamAV debug: Unpacking C:\Temp/clamav-f4f591c74837f98b/main.fp
LibClamAV debug: Loading databases from C:\Temp/clamav-f4f591c74837f98b
LibClamAV debug: Loading C:\Temp/clamav-f4f591c74837f98b/main.db
LibClamAV debug: Loading C:\Temp/clamav-f4f591c74837f98b/main.fp
LibClamAV debug: Loading C:\Temp/clamav-f4f591c74837f98b/main.hdb
LibClamAV debug: Loading C:\Temp/clamav-f4f591c74837f98b/main.ndb
LibClamAV debug: Loading C:\Temp/clamav-f4f591c74837f98b/main.zmd
LibClamAV debug: Recognized ZIP file
LibClamAV debug: in scanzip()
LibClamAV debug: Zip: eicar.com, crc32: 0x6851cf3c, offset: 0, encrypted: 0, com
pressed: 68, normal: 68, method: 0, ratio: 1 (max: 250)
LibClamAV debug: Eicar-Test-Signature found in descriptor 6.
LibClamAV debug: Zip: Infected with Eicar-Test-Signature
eicar_com.zip: Eicar-Test-Signature FOUND
eicar_com.zip: moved to 'C:\Documents and Settings\All Users.WINDOWS\.clamwin\qu
arantine/eicar_com.zip'

Are you shure the file is still on it's original location ?

What should happen is this :

- Try to move the file
- if you can't move it, check if the same file is in quarantine
- if the same file is in quarantine, just say "file excluded" and delete the file
- if it is an other file, append 001 to the filename and copy to that filename

So normally the file should be removed anyway.

budtse

Yeah it's not removed.

I removed the file from my download folder and from quarantine.
Then download the file with FlashGet which kicks off clamscan with
C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users.WINDOWS\.clamwin\db" -l "C:\Documents and Settings\All Users.WINDOWS\.clamwin\log\ClamScanLog.txt" --bell --move="C:\Documents and Settings\All Users.WINDOWS\.clamwin\quarantine"

This correctly identifies the file as a virus and moves it to quarantine.

Scan started: Fri Jun 16 12:15:21 2006

C:\Downloads\eicar_com.zip: Eicar-Test-Signature FOUND
C:\Downloads\eicar_com.zip: moved to 'C:\Documents and Settings\All Users.WINDOWS\.clamwin\quarantine/eicar_com.zip'

-- summary --
Known viruses: 60037
Engine version: 0.88.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 8.803 sec (0 m 8 s)

When I then download it again it gets excluded but not deleted.
Scan started: Fri Jun 16 12:44:01 2006

C:\Downloads\eicar_com.zip: Eicar-Test-Signature FOUND
File excluded 'C:\Downloads\eicar_com.zip'

-- summary --
Known viruses: 60037
Engine version: 0.88.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Not moved: 1
Data scanned: 0.00 MB
Time: 5.328 sec (0 m 5 s)

BTW: Is this the right forum? or should I be posting somewhere else??

Cheers,
Carl

Well, it's really a ClamAV issue, but we'll do our best to support you anyway. ClamAV does not seem to have a forum. There are mailing lists though (https://www.clamav.net/ml.html#pagestart https://www.clamav.net/ml.html#pagestart), maybe they can help you out, because i'm not shure what the problem would be.

Looking at the code


There is no call to unlink when a file gets excluded.

I had a quick look in clamav posts and couldn't see anything about this.

You seem to be right about this. I will inform the ClamAV team of this bug, so it gets fixed.