I run a home server (Windows 2008), which includes a number of media-services, mail server, etc. When I entered my office Saturday morning, virtually everything was dead. The OS was running, but many error messages (missing files, etc) on the screen and most services were dead. I figured that I had a corrupted disk/RAID, ran all the diagnostics and they were good. I *finally* figured out that CLAM had decided that literally hundreds of my files (which have been stable and not reported in the past) were suddenly virus-infected.

After research, I found the QRecover utility. It doesn't list the dates the files had been quarantined, so I don't know if it listed more than the mess it had just made. I certainly had no time to go through what I believe was thousands of lines to cherry-pick them, so I selected to recover all the files, It reported success on most of them, but I have about 140 that failed for one reason or another.

Now, 18 hours later, I have my MDaemon email server *mostly* back -- it isn't properly processing the queues, but at least I am getting *some* of the email now. I still have at least another 5 programs that aren't working yet. I'll probably spend most of tomorrow on those.

I have changed the option in CLAM to only inform me of viruses now ... this error, ironically, has made me go thru a process similar to having been infected with a virus.

I know that CLAM is free and I appreciate the support that is given without being paid, so I don't mean to sound ungrateful, but are there alternatives (I just don't have time to spend a day or two recovering from this kind of issue)? Points:
01. I would be happy to buy a reliable commercial program in the $50 range, but as I am running Windows *Server* (but no Domain Controller), they all seem to want me to pay as if I'm running a business (it's just a simple home system)
02. Could CLAM have some sanity check within itself, e.g. if finding more than two folders (or x files) having virus, then don't take action other than alerting the admin?
03. Could CLAM have a simple "RECOVER TO LAST SCAN" option that would simply un-do what it did last? Short of that, perhaps add the timestamp to the log entries?
04. Could QRECOVER have a SORT option so that all damage to a given folder is grouped together?

Thanks

My storey:

It KILLED my system last night:


The Memory Scan portion completely disabling my MAIL SERVER and Antispam filter (the sole active purpose of its existence, as well as a network drive repository), as well as email client and firefox browser. I had forgotten about this MEMORY SCAN part of nightly scans (I had only disabled my C: scan). And then of course there is the 98 FPs of various softwares on my D: (as you can see).

Really was unacceptable and it highlights just how much damage a lack of care by these sig writers could actually do. (Can you imagine if people hadnt used 'Moved to quarantine' and instead had used the REMOVE IMMEDIATELY option?!). CISCO need to be more responsible for this (as owners). Made me rethink about the choice to 'Scan Programs In Memory': its too damaging to kill my server components "on a whim" of a sigmaker that cant do proper testing, so Ive now disabled this option. Its also making me doubt the use of it at all, TBH, beyond that of an incoming email scanner.


I just performed a definition update:


and then retested on one of the files, and the file is no longer detected.

So HOPEFULLY this dodgy signature has been reversed (although it is 21362 and 21363 that has the reversal for these FP's not 21360 as suggested by RNRK). I shall fing out tonight. It took them 24 hours to rectify.

I can imagine the uproar out there that may be happening on forums from users in the meantime.

Ditto, but I was able to recover all files with Qrestore. Access to the quarantine folder is a bit easier if you use Clam Sentinel, and the restore GUI is better than ClamWin's. Many valid system files will not be quarantined--all you will see in quarantine is the text "locator" message--just delete them.

False positives have always been a problem with the Clam AV people. It's designed/used primarily for Linux email servers, and there's not too many false positives on Windows system and application files there. The Qrestore program from the ClamWin developers after many requests and one major false positive incident helped and continues to help a lot. Any additional help will probably have to be done on the Clam AV side unless some C++ programmer wants to design a false positive check for the ClamWin developers:

File is 1 MB or larger
File has a valid digital signature
File has an installation date that is more than a month or so old
File is not in the %appdata% or system folders
Files does not have an extension commonly used by malware--such as exe, dll, etc.
File is properly registered with the Windows OS (look at the Windows properties)
File has a Shannon entropy below 7.50
File has a GUI

Regards,

@jimimaseye: I am subscribed to ClamAV's database mailing list, so with each update, I see what has been done to the database. According to their mailing list, there were FPs fixed in 21360. There was hardly anything added in 21363 and in 21362 was mostly worms and Trojans being added. I wouldn't be lieing about something like this.

Still I find it weird why I am not receiving these FPs on my system.

Well, after all day Friday, most of Saturday, and all day today, I think I have recovered all except one thing (for some reason my MDaemon mail server's anti-spam support is complaining of a missing perl514.dll file that I don't think Clam did anything to, but it was working until Clam took out hundreds of files).

Anyway, I've learned my lesson. Recovering from this was as much effort as recovering from an actual virus, so I will never again let Clam delete or move files, nor unload anything from memory. It is unfortunate, but the impact of this was much too large an effort.

I will still use Clam, but only to tell me what it thinks, not automatically try to address the situation. And, of course, I still appreciate the volunteers that provide this to us ...

I remember this happening at Malwarebytes a few years ago. Exact same situation, too, hundreds of files being quarantined/deleted. I guess it eventually happens to every AV in time. Guess it was just ClamAV's time now.

An argument can be made for excluding .dll files from scanning. They require an executable application to call them before they do anything. If you can detect the malware that runs/calls them before they are called, that's all you need to do.

If you don't want to go this far, an argument might be made for excluding .dll files in program folders from scanning. I'm not sure about .dll in system folders--perhaps there are not too many of them.

Dll files are a bit special--we had to give them special treatment in Clam Sentinel because most false positives we used to get in Clam Sentinel were on .dll files. I have also noticed that detection of .dll malware is a bit short in AVs as a whole--perhaps because of this.

Regards,

UPDATE: the test of the 5 FP's has concluded.


Here we go, 2 weeks after the first FP detection: The above (remaining) FP has now been rectified and scans cleanly (despite being declared malware as the above virus and then by the more recent 'system killing' "Win.Trojan.Bancos-2115"). And this has happened without me using Virustotal. (Of course its possible that someone else night have uploaded and reported Virustotal answers but I wold imagine its a slim chance).

SO what did I conclude:
1, Clam issues untested definitions and are potentially system killing.
2, If your system survives, they can still be somewhat damaging (at best inconvenient and annoying)
3, Referring to Virustotal when reporting FP's doesnt SEEM to make a difference in the speed that FP's are rectified
4, Dont expect any urgency in clam rectifying FP's based on end-user reports (days at best, can take weeks)
5, Expect your same genuine files to be falsely labelled as another virus any time soon
6, ClamAV definitions is only worthy for inline mail scanning and shouldnt be used for any other type of system scan except in REPORT MODE ONLY (and even then dont expect them to be any use as they are usually DAYS behind actual release of viruses). The use of more reliable 3rd party definitions are a must.
7, ClamAV (clamwin) must be supplemented by a more reliable, commercially available, dedicated software solution for realtime and on-demand system protection (if you require such protection)

For me:
A full scan of the same (data) disk now comes out clean. I am now reverting back to using it purely for inline mail scanning only (supplemented with sanesecurity definitions) but will do daily disk scans (report only) for curiosity .

How many days before it, or the other usual files, get detected by another (seemingly random untested) introduced definition. The date of last definition is 14th Feb. Start the clock.....

(Am now going to do a REPORT ONLY scan of the C: for curiosity....)

Given that Clam can't be used for true protection, what is the best solution for my case? I have a Win 2008 server in my home that I have partly because I like tech toys. It is not a Domain Controller, but is my file server, IIS web/ftp server, and mail server (MDaemon). It also is a media server (PlayOn, Plex). I don't use it interactively (ie, I don't develop on it, I don't regularly use its web browser, I rarely use MS Office on it). Most importantly, being out of work means I have little money to pay for a solution. I wouldn't mind a cost in line with Norton/McAfee prices for Windows 10, but because it is a Windows *Server*, they all seem to expect to charge ten or twenty times for licensing on it.

Should I just not worry about it?

Any suggestions would be very welcome!

You can continue to use ClamWin, as I said false positives like this happen to all AVs eventually. As a suggestion, I would set ClamWin to "report only" and use it as a back up. You can use Clam Sentinel, which was designed to work along side ClamWin with a real-time scanning, network scan support and added heuristics. You can download Sentinel from here: https://clamsentinel.sourceforge.net/

(Seems a little perverse for me to be saying this on a Clamwin forum but.....)

I have discussed this on another forum here: https://www.hmailserver.com/forum/viewtopic.php?f=7&t=28500)

As you know most risks come in through browsing or emails and as you dont do that directly on the serve then the risk is extremely minimal. In my opinion, being a home server and considering this, you could use one of the free offerings (such as Avira, AVG or Avast). Some softwares' however' do not allow for use on "business machines" AND they are not able to distinguish the term 'business' from that of being used in a commercial environment from "running on a Server OS' (Ahem...Microsoft.. *cough*) - they dont realise that people like you mihght have a 'server' level OS for pure home use. (Anyway, this rules out Microsoft Defender and some other solutions).

However, I do know that AVAST do a BUSINESS edition for free (yes, FREE! https://www.avast.com/avast-for-business ) if you feel you need to go down that route.

In any case, if you want to be proper protected with a very good highly reliable and well respected, then I would always recommend Bitdefender (the basic AV protection should suffice), and as you are a 'home user' you should be ok with their free edition (consistently rated in the top 2 or 3).

Thanks for the advice!! I'll check these out ...

Bitdefender will always be my first choice for overall system protection - it really is exceptional in speed, unobtrusiveness, integration and detection rate. I use Clamwin+sanesecurity definitions for inline email scanning (for our mail server) because of the Zero-hour response to new threats that sane gives (I havent found anything quicker).

I might have missed something, but what are "sanesecurity definitions" -- is this something that you get separately from ClamWin, but integrate into it?

Yes, exactly. Download and install the windows setup folder (from its website), subscribe and donate to the site if you feel morally correct and willing to do so, and feel safer than without them. (I recommend because Clam definitions are one broken ladder rung up from useless).

A virus product essentially has 2 parts to it: an engine that does the work and definitions that gives the engine what to look for. When you install ClamAV, as all other AV software providers, it by default is also set up to retrieve and use its own definitions. There are other 3rd party definitions for Clam (from other suppliers) that you can also get that are not affiliated with Clam in any way but are written for the Clam engine. sanesecurity.com is one of these providers.

Whichever you use (google "Clam 3rd party signatures") remember that you will rely on them to give you details of how to implement and use...and dont ever go to CLAM for help with those signatures.