I am using ClamWin with German Win98SE/KernelEx on a historical PC (DFI K6BV3+ Motherboard, AMD K6-3+ @550MHz, 768MB RAM, 160GB HDD) which is actually optimized for DOS Games (2 real ISA sound cards, 3Dfx Voodoo 1 graphics card etc.). As firewall I am running ZoneAlarm AntiVirus 6.1.744.001 (with its outdated antivirus part disabled). The start sequence is controlled through StartRight (finishes ZoneAlarm initialization before starting the antivirus).

Previously I had Avast 4.8 AntiVirus, which turned unbearably slow (booting 20 minutes, Avast updates >30 min), so I uninstalled it and switched to ClamWin 0.98.6 with Clam Sentinel 1.22.

- Thunderbird crashes ClamWin

Much worse is, when I run the ClamWin virus scan (which takes many hours per 16GB partition) and it finds my Mozilla Thunderbird e-mail folder (contains some 10000 e-mails of over a decade), it first complains about plenty of ancient phishing mails (they are scam, not malware! There is no harmful code in it, thus an antivirus should not care about them unless manually requested to do so.) Even worse, once it finds the biggest(?) of my e-mail-folders, it completely locks up and freezes my PC. I can only move the mouse pointer, but neither icons nor systray nor screen redraw responds. With ctrl-alt-del I see the taskmanager and can kill ClamWin. If I do so, the PC works again but I not even get a ClamWin log file, so I can only photograph the error by digicam. When I don't and exit taskmanager and then press ctrl-alt-del again, I instead get a popup requester that ClamWin has used up all resources. (I can kill it also from here.)

Thunderbird 2.0.0.24 (20100228) stores all e-mails inside a single file (one per folder) in subfolders of "\Windows\Anwendungsdaten\Thunderbird\Profiles" (in English version likely "\Windows\Application Data\Thunderbird\Profiles")

Also Avast 4.8 had displayed an anormaly scanning this folder:

E:\WINDOWS\Anwendungsdaten\Thunderbird\Profiles\c9spw8g1.default\Mail\Local Folders\=CO=Windler (kein Spam)\p layingit.FONTDIV#4025862408

"Prüfung nicht möglich. Die Datei ist eine Dekomprimierungsbombe."
(i.e "Testing impossible. The file is an decompression bomb.")

The strange thing is that a subfolder named "p layingit.FONTDIV#4025862408" does not exist, and even copying the contents of the folder into a new one and deleting the old (to get rid of potentially invisible folders) did not change Avast's behaviour. (ClamWin choked by a different mail folder.)

I suspect that a bug in Thunderbird always corrupts the last accessed(?) e-mail folder file and fixes this during next start, because Thunderbird itself has no problem to access them. With "Dekomprimierungsbombe" (decompression bomb, uncompression bomb) Avast certainly does not refer those deadly vacuum bombs of Putin, but a kind of faulty recursive pointer somewhere in the internal directory tree inside a compressed file, that causes an infinite loop during decompression and so eats up all memory. The FAT32 file system on that partition is not corrupt (at least scandisk doesn't complain).

Please urgently fix this! The freeze makes ClamWin almost useless to me since I can not scan my main partition. Avast at least handled the situation without a lockup. And please make ClamWin update the log file on disk every few seconds or after each read file (changeable in preferences if it would be too slow) and not only after a finished (it never will...) virus scan.

- exclude directories fails

I tried everything to exclude the corrupted e-mail folder files or their path, but ClamWin simply ignores it and scans it anyway (causing a crash). This may have to do with the lack of regular expression support in Win98SE. Please use a different (and easier to use) solution to exclude directories.

ClamWin also alerts plenty of false-positive code found in documents those are not executable. E.g. renamed WAV sound files .wa~ made trouble. There are likely many others I couldn't identify due to the crash.

- ClamWin shutdown fails

When I want to shutdown Win98SE I often get a popup requester that ClamWin has to quit first (I click ok), which however never happens, so I have to kill it ungently with Process Explorer or the taskmanager to shutdown Windoze. I suspect that Sentinel somehow prevents ClamWin from shutdown because it runs a 2nd copy in memory. Why is it so important to shutdown ClamWin cleanly? Can't it just write the log files to disk and stall like other programs?


other flaws:

- Please add a pause/resume button to the virus scan window.

The virus scan can take many hours and strongly slows down (or completely freezes, see above) my PC. Thus make it possible to pause and resume, because I e.g. may fail to bid on eBay auctions when the PC is occupied with a scan. Although I only start it manually, the need of aborting the entire scan (which takes hours to repeat) can not be a proper solution.

- Please make scan targets saveable.

Setting up proper combinations of selected and excluded directories (to avoid crash or false positive data-only files) can be time consuming and complicated. Please make the manual selection saveable as scan jobs and allow to exclude certain drives (e.g. CD burner to prevent buffer-underruns) permanently.

- Please change the animation.

The animation to the left of the virus scan window keeps running while the scan hasn't yet begun (it takes minutes to load the virus database into RAM). Please start the animation only during scan and stop it while paused or loading from disk or whatever, because it feels like scam when it pretends to scan but actually doesn't. Please also animate the tray icon (or make it change colour) during background scan (run by Sentinel) to inform the user that it is on and currently working (and so see whether e.g. a browser slowdown is caused by it).

- icon colour

During first start (after update?), the button background in Win98SE sometimes appears pink instead of default, which looks ugly.

Code:

MAY THE SOFTWARE BE WITH YOU! *============================================================================* I                  CYBERYOGI Christian Oliver(=CO=) Windler                  I I         (teachmaster of LOGOLOGIE - the first cyberage-religion!)          I I                                      !                                     I *=============================ABANDON=THE=BRUTALITY==========================*                       {http://weltenschule.de/e_index.html}

I am not to sure if the developers are going to want to dedicate time on fixing issues happening on older operating systems, since they have been long time abandon by now. Also, Avast 4.8 is about 7-8 years old now and has been adandon also, no longer getting virus signatures anymore.

That being said, ClamWin does not officially support Thunderbird, so that's probably the issue you are having with Thunderbird and ClamWin.

Your other requests will be up to the developers. Thank you for using ClamWin and taking the time to write use some suggestions.

Knowledgeable users are encouraged to develop add-ins and other extensions to ClamWin--especially those using ClamWin in a business or network environment. ClamWin developer time and resources are very limited, and this is a nice way to give back for using a free, open source antivirus program. Contact the ClamWin developers if interested.

Regards,

I do not request you to develop a dedicated Thunderbird plugin, but only a method to prevent the crash (i.e. fix the decompression bug by escaping infinite loops, which also may happen in other files and constitutes a potential trick for viruses to prevent ClamWin from scanning) and make the directory exclusion work properly.

ClamWin is the only antivirus suitable for Win98SE (others are flooded with bloat code or prevent execution on it) and because most competitors are considered more effective, Windows 98 users do constitute a major fraction of its fanbase. While Avast 4.8 was officially abandoned, it definitely did still receive antivirus database updates. It only became way too slow (adding them all by linear search?) to be bearable under Win98SE.

The infinite loop issue should be reported to ClamAV. You can report that issue here: https://www.clamav.net/contact.html Remember that ClamWin runs off the ClamAV engine so whatever happens with ClamAV happens with ClamWin.

You should also test the ClamWin version .98.7 which is still in beta phase and see if some of your issues may be fixed already.

nice discussion is going on, it is really helpful. thanks alot for your suggestions
https://cleaningbeasts.com/roomba-650-review/

This thread is four years old now and may not be relevant anymore.

Regards,

I am still running this Win98SE machine online and the system works well, although the harddisk is full to the brim and makes random slowdowns (depending on ClamWin update version??). The lockup bug seems to be gone.

ClamWin Preferences/Filters

blocked paths because of crash:

E:\\WINDOWS\\Anwendungsdaten\\Thunderbird\\Profiles\\c9spw8g1.default\\ImapMail\\.*
E:\\WINDOWS\\Anwendungsdaten\\Thunderbird\\Profiles\\c9spw8g1.default\\Mail\\.*
E:\\WINDOWS\\Anwendungsdaten\\Thunderbird\\Profiles\\c9spw8g1.default\\News\\.*

2019-01-16 I rescanned these folder paths without causing lockup, so blocking is not necessary anymore.

e:\WINDOWS\Anwendungsdaten\Thunderbird\Profiles\c9spw8g1.default\Mail\Local Folders\old.sbd\old.eBay: Email.Phishing.DblDom-54 FOUND
e:\WINDOWS\Anwendungsdaten\Thunderbird\Profiles\c9spw8g1.default\Mail\Local Folders\=CO=Windler (kein Spam).sbd\gesendet: Email.Phishing.Auction-297 FOUND

it found some random old e-mail attachment phish inside those huge folders.

----------- SCAN SUMMARY -----------
Known viruses: 6780989
Engine version: 0.99.4
Scanned directories: 31
Scanned files: 206
Infected files: 2
Data scanned: 460.09 MB
Data read: 1003.30 MB (ratio 0.46:1)
Time: 2325.050 sec (38 m 45 s)


However ClamWin detected on my main partition plenty of false positive files. The scan (9.56 of 16GB FAT32) took almost a whole day.

e:\WINDOWS\Anwendungsdaten\Mozilla\Profiles\=CO= Windler-1\jzfjw4dz.slt\ImapMail\imap.aim.com\Spam: Win.Worm.Warezov-207 FOUND

some random e-mail spam folder content (malware may be real).

There were many false-positive (tested on VirusTotal etc.), so I will put these into another thread.

False positives should be checked with Virus Total. If Clam AV (scan engine used by ClamWin) detects them and other major AVs do not detect them, then report the false positive(s) to Clam Av using the contact link on their main web page. They should fix the false positive. Virus Total also notifies the AVs if they make a false positive detection.

I am glad that ClamWin is working better for you. Make sure that you are using the current version of Thunderbird and ClamWin (.99.4). Remember that the developers of ClamWin merely prepare a Windows port from the Clam AV C++ Linux source code. All scanning and virus detection capability come from the Clam AV source code. Also, ClamWin is not a real-time scanner (it's an on-demand scanner), so for the best protection, you should be using a real-time antivirus program along with ClamWin as backup. There is also no certainty that ClamWin will last forever--it is heavily dependent upon the two developers and basically they are the only resources it has.

Finally, you should consider replacing your Windows 98 computer with one that has a current version of Windows. Hardly anyone is supporting Win 98 any more, and it is getting too hard for a project like ClamWin to do so also. Newer computers/OSs have much more capability. Re: scanning, you do not have to scan the entire computer--malware usually hides in the system/appdata-user folders. You also do not have to scan every file--just the 50 or so extensions that are most used by malware (Google for them).

Regards,

I have done this now.

Use the current version of Thunderbird? I am running Thunderbird 2.0.0.24. This is Win98SE! It can not handle anything newer. At least the lockup is gone. I don't worry about bad e-mail attachments. It won't execute them automatically and I neither have original MS Office nor Acrobat Reader, so scripts won't get executed anyway. I report stinky phishes to PayPal or police.

I run ClamWin Sentinel next to it, but it slows down the machine so badly, that I usually turn it off after a while when the browser (Opera 12.02) is running. Sentinel also takes about 10 minutes to finish its startup and memory scan.

and backdoors. Although I own Win10 crap (on Thinkpad X61t and T61) I trust it way less than Win98SE. May be I install a 2nd mainboard with modern CPU and some kind of Linux as the main OS. The 160GB harddisk is getting too small to hold the tons of tech info (music keyboard hardware, schematics etc.).

I always wait a year or so after a new Windows OS comes out to make sure they get the worst bugs out of it. I started with Win 98SE but went to XP after the AVs started to withdraw support for Win 98. Replaced it with Win XP, which I think was the best new version of Windows. Don't understand why they didn't just continue to improve it instead of coming out with new Win OS versions that had bugs, and they continue to do so. It's too bad Microsoft uses the OS as a marketing tool.

Personally, I do not think that ClamWin will be around much longer. If it does, it will not be worth running. As for Clam Sentinel, I worked with Andrea Russo to develop the heuristics (note the special thank you to Robert Scroggins). The heuristics are based on malware that existed up to about 2014, and it mostly targeted Windows executable files. Lots of malware writers then were sloppy and made mistakes. The current version of malware writers are mostly very professional--much more knowledgeable. But if you get a sloppy one, Clam Sentinel should still catch it.

Regards,

Well, the good thing is that neither Win98SE nor my CPU (AMD-K6-3+@550MHz) supports techniques of that "advanced" malware. There is no hardware virtualization inside DOS-age hardware, so any trojan attempting to use that will crash. I am aware that early AMD CPUs had strange bugs those can make it crash by reading certain illegal op-codes (even within part of data that is not executed but only accessed); my OS anyway catches exceptions and emulates certain op-codes through FineSSE, so I doubt that generic viruses can and ever will attempt to use this. Perhaps hackers can play Spectre tricks on it (AFAIK it does already have pipelining), but unless perfectly optimized for that particular CPU model, the conclusions are useless.

It is a good question, whether a software running a Spectre attack inside a Transmeta Crusoe CPU could understand its inner working to escape The Matrix. But a Crusoe CPU is such old and oddball that certainly nobody will write malware against its firmware - except for educational purpose.

Yes, you are right--few malware writers would mess with Win 98 any more--they can't make much money that way. But there is no significant development for the OS, and you miss out on lots of new capability. Plus...you are not supporting the Microsoft marketing machine!

Regards,