ebohatch
Joined: 08 Mar 2016
Posts: 0
Location: Tennessee
Posted: Tue Mar 08, 2016 9:01 pm
I have a website and my host used ClamAV and detected 11 files with infected code. I downloaded the website to my Win 10 desktop (I run XAMPP on it) and scanned the directory of this site. ClamWin did not flag ANY infections.
Am I missing something?

ROCKNROLLKID
Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Posted: Tue Mar 08, 2016 10:51 pm
Hello ebohatch.
Did you make sure that both ClamWin and ClamAV are using the most up-to-date signatures? If not, please update both of them and run a scan again, and then report back here.
Thank you for using ClamAV and ClamWin.

ebohatch
Joined: 08 Mar 2016
Posts: 0
Location: Tennessee
Posted: Wed Mar 09, 2016 3:56 pm
My web hosting runs ClamAV, I assume they are running the latest (they ran it yesterday morning and found numerous infections).
On my desktop system ClamWin just updated its DB.
I am running ClamWin 0.99 (uploaded and installed yesterday); the About ClamWin dialog lists the following:
ClamAV 0.99
Protecting from 4298780 Viruses
Virus DB Version: (main: 55; daily: 21455)
Updated 16:37 08 Mar 2016
I just ran this against the website folders with KNOWN infections and it stated 0 infections found.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Mar 09, 2016 5:14 pm
Perhaps the Clam AV detections were false positives that were later corrected by signature. Sometimes Clam AV gets a false positive on a file in the Windows folder, but ClamWin has some protection against this. See if you can upload a couple of those known infections to Virus Total and see what the AVs there say--especially Clam AV.
I secretly suspect there is some Clam AV signature detection capability that is not in ClamWin, but so far we haven't proven anything.
Regards,

ROCKNROLLKID
Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Posted: Wed Mar 09, 2016 5:41 pm
Even if that was the case, Bob, ClamWin would have still detected them and marked them as false positives. Even if they are just false positives, this still proves that there is missing functionality in ClamWin.

ebohatch
Joined: 08 Mar 2016
Posts: 0
Location: Tennessee
Posted: Wed Mar 09, 2016 6:38 pm
I just went to Virus Total and had them scan an infected file. They did not detect anything. BUT IT IS DEFINITELY INFECTED. I can send you the infected script and you can evaluate it.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Mar 09, 2016 8:06 pm
RRK: Perhaps ClamWin processed a corrected update after the Clam AV detections were first made. Nothing would be detected then.
EBO: send a zipped file containing the malware (use password: infected) to rscrogg@gmail.com, and I will look at it. Usually, if something is infected, at least one of the AVs on Virus Total should detect it--unless it is very new. The older it is, the more AVs should detect it. Of course, most AVs do a better job at detecting Windows PE file malware than they do the other stuff--JS, Office, HTML, etc.
Regards,

ebohatch
Joined: 08 Mar 2016
Posts: 0
Location: Tennessee
Posted: Wed Mar 09, 2016 8:50 pm
Sent you the zipped file. I just re-ran the script at Virus Total, mis-read how it works. There are now 3 sites that have flagged it.
But ClamWin still doesn't flag it.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Mar 10, 2016 1:24 am
Yes, I sent you an email with my results. Clam AV doesn't detect it. Dr. Web, Ikarus, and Microsoft detect it. ClamWin doesn't detect it because Clam AV doesn't detect it--appears there is no Clam AV signature for it yet. It appears to be a new file. Most AVs don't do well at detecting PHP malware. I'm sure more AVs will start detecting it in a little while. You can send it to Clam AV maybe to speed things up.
Regards,
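While waiting for an upstream ClamAV signature, the practical fix for the situation above is a local signature so that clamscan, and ClamWin with it, flags the file now. The script below is an added example, not code from this thread or from the ClamAV/ClamWin projects. It relies on two ClamAV signature formats: `.hsb` lines of the form `sha256:filesize:MalwareName` (exact-file match) and `.ndb` lines of the form `MalwareName:TargetType:Offset:HexPattern` (byte pattern; target type 0 means any file, offset `*` means anywhere). clamscan loads such files with `-d local.hsb -d local.ndb`; ClamWin is assumed to load them when they are placed in its database directory. The PHP sample, the pattern and the name `Php.Webshell.Local-1` are constructed for the demonstration; the `ndb_matches` function is a stand-in for clamscan so the example runs without ClamAV installed.

```python
"""Write local ClamAV signatures for a PHP file that has no upstream signature yet.

Added example; not code from this thread or from the ClamAV/ClamWin projects.
Assumes the .hsb and .ndb signature formats described in the lead-in.
The sample file and signature name are constructed.
"""
import hashlib
import os
import re
import tempfile

SAMPLE_PHP = b'<?php\n$k = $_POST["k"];\neval(base64_decode($k));\n'   # constructed webshell-style stub
SIG_NAME = "Php.Webshell.Local-1"                                      # made-up local name
PATTERN = b"eval(base64_decode("                                        # constructed pattern


def hsb_signature(data, name):
    """Hash signature: fires only on a byte-identical file (any edit evades it)."""
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{name}"


def ndb_signature(pattern, name):
    """Pattern signature: fires on any file containing `pattern`, so it survives renames
    and small edits, but it can also hit legitimate code using the same construct."""
    return f"{name}:0:*:{pattern.hex()}"   # same hex that sigtool --hex-dump prints


def ndb_matches(sig_line, data):
    """Pure-Python stand-in for clamscan on a plain (wildcard-free) type-0 .ndb line.
    Returns the signature name on a hit, None otherwise."""
    name, target, offset, hexsig = sig_line.split(":", 3)
    if target != "0" or offset != "*":
        raise ValueError("only target type 0 with offset * is supported here")
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", hexsig):
        raise ValueError("hex body must be plain even-length lowercase hex")
    return name if bytes.fromhex(hexsig) in data else None


def write_local_db(data, pattern, name, db_dir):
    """Write local.hsb and local.ndb into db_dir; return both signature lines."""
    hsb = hsb_signature(data, name)
    ndb = ndb_signature(pattern, name)
    with open(os.path.join(db_dir, "local.hsb"), "w") as f:
        f.write(hsb + "\n")
    with open(os.path.join(db_dir, "local.ndb"), "w") as f:
        f.write(ndb + "\n")
    return hsb, ndb


if __name__ == "__main__":
    db_dir = tempfile.mkdtemp(prefix="clamdb-")
    hsb, ndb = write_local_db(SAMPLE_PHP, PATTERN, SIG_NAME, db_dir)
    print(hsb)
    print(ndb)
    # Then: clamscan -d <db_dir>/local.hsb -d <db_dir>/local.ndb --infected -r /path/to/site
    variant = SAMPLE_PHP.replace(PATTERN, b"eval( base64_decode(")
    print("original:", ndb_matches(ndb, SAMPLE_PHP))   # Php.Webshell.Local-1
    print("variant: ", ndb_matches(ndb, variant))      # None
```

The two formats trade off differently: the hash line cannot false-positive but stops matching as soon as the attacker changes a single byte, while the pattern line keeps matching renamed copies and, as the `variant` case shows, is itself defeated by one inserted space. For real use, scan the site with the `.ndb` line first to see how many legitimate files it also hits before leaving it in place.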