Mon, Feb 13, 2006 11:05 pm

Incompatibility between OpenSSH for Windows and ClamWin

When I attempted to scan a directory with 83 .exe files with ClamWin, the scan completed almost instantly and I saw the message below.

-------------------
Completed
-------------------

I was skeptical that any scan had actually been conducted. I suspected a cygwin1.dll incompatibility, since I had also installed OpenSSH for Windows to set up the Windows 2000 Professional system as an SSH server. So I got a command prompt and attempted to run clamscan on one of the files in the directory. The ClamWin application uses clamscan.exe to do the actual scanning for viruses. Sure enough, when I ran clamscan, I received a message, which is shown below, informing me that there was a likely cygwin1.dll compatibility problem and instructing me to search for multiple versions of cygwin1.dll on the system.


C:\Program Files\Security\AntiVirus\ClamWin\bin>clamscan \zips\11700.exe
C:\Program Files\Security\AntiVirus\ClamWin\bin\clamscan.exe (1356): *** system
shared memory version mismatch detected - 0x75BE0074/0x75BE0084.
This problem is probably due to using incompatible versions of the cygwin DLL.
Search for cygwin1.dll using the Windows Start->Find/Search facility
and delete all but the most recent version.  The most recent version *should*
reside in x:\cygwin\bin, where 'x' is the drive on which you have
installed the cygwin distribution.  Rebooting is also suggested if you
are unable to find another cygwin DLL.

I looked at the versions of cygwin1.dll which came with each application and found the versions shown below. The cygwin1.dll files are in the Clamwin\bin and OpenSSH\bin subdirectories underneath \Program Files, if you installed the applications in the default directories. You can check the version number for the dll files by right-clicking on them and selecting "Properties" and then clicking on the "Version" tab of the window that opens. You will see "File Version" listed near the top of the window then. You will also see "Product Version" listed under the "Item name" section of the version window. You will need to click on "Product Version" to see the value for it. The timestamps on the files also showed the ClamWin version of cygwin1.dll to be a later version.

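| Program | Program Version | Cygwin1.dll File Version | Product Version | Timestamp |
|---------|-----------------|--------------------------|-----------------|-----------|
| ClamWin | 0.88 | 1005.18.0.0 | 1.5.18 | July 03, 2005, 11:30:52 AM |
| OpenSSH | 3.8.1p1-1 | 1005.10.0.0 | 1.5.10-cr-0x5e6 | Tuesday, May 25, 2004, 9:07:50 PM |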

Obviously, ClamWin 0.88 has a later version of the DLL file cygwin1.dll than OpenSSH for Windows 3.8.1p1-1. I shouldn't have had a problem if the later version was loaded into memory, so OpenSSH must have started first. Windows won't load another version of a DLL file with the same name as one already loaded.
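The manual check above (finding each copy of cygwin1.dll, reading its version, and working out which program loaded it first) can be scripted. The following is an added example, not part of the original post; it assumes a Windows system with PowerShell, and the search roots and function names are hypothetical and should be adjusted to the local layout.

```powershell
# Added example (not from the original post): inventory every cygwin1.dll
# and show which running processes have which copy loaded.
# Assumption: these search roots are placeholders for the local install paths.
$roots = @($env:ProgramFiles, 'C:\cygwin')

function Get-CygwinDllInventory {
    param([string[]]$Path)
    # Same data as the Properties > Version tab, for every copy found.
    Get-ChildItem -Path $Path -Filter 'cygwin1.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path           = $_.FullName
                FileVersion    = $_.VersionInfo.FileVersion
                ProductVersion = $_.VersionInfo.ProductVersion
                LastWriteTime  = $_.LastWriteTime
            }
        }
}

function Get-CygwinDllLoaders {
    # Lists processes that currently have a cygwin1.dll mapped, with its path.
    foreach ($proc in Get-Process) {
        try {
            $mods = $proc.Modules | Where-Object { $_.ModuleName -ieq 'cygwin1.dll' }
        } catch {
            continue   # access denied, or the process exited while enumerating
        }
        foreach ($m in $mods) {
            [pscustomobject]@{
                Process    = $proc.ProcessName
                Id         = $proc.Id
                LoadedFrom = $m.FileName
            }
        }
    }
}

$inventory = @(Get-CygwinDllInventory -Path $roots)
$inventory | Sort-Object FileVersion | Format-Table -AutoSize

# More than one distinct version on disk is the condition the clamscan
# error message warns about.
$distinct = @($inventory | Select-Object -ExpandProperty FileVersion -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Found $($distinct.Count) different cygwin1.dll versions: $($distinct -join ', ')"
}

Get-CygwinDllLoaders | Format-Table -AutoSize
```

Run it from an elevated prompt so that service processes such as the SSH daemon can be inspected; without elevation their module lists are skipped.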

You can resolve such a problem by overwriting the older version with the newer version. In this case, since OpenSSH for Windows had its copy of cygwin1.dll loaded in memory already, I couldn't overwrite its copy of the DLL file without stopping it first. Otherwise I would get an error message "Cannot copy cygwin1: There has been a sharing violation. The source or destination file may be in use." So I stopped OpenSSH with the command net stop opensshd, copied the newer version of the cygwin1.dll file from ClamWin's bin directory to the OpenSSH bin directory, overwriting the existing version, and then restarted OpenSSH with net start opensshd. Note: if you have any SSH connections open, you will need to close those as well in order to overwrite the cygwin1.dll file in the OpenSSH bin directory.

I then rescanned the directory I had been trying to scan with ClamWin earlier. This time it took considerably longer to finish and produced a report at the end indicating the number of directories and files it had scanned. It found 3 infected files in the directory.
