Sun, Oct 23, 2016 10:27 pm

freshclam.exe - Ordinal Not Found

After I upgraded ClamWin to version 0.99.1 on an HP laptop running Microsoft Windows 7 Professional, I saw a window titled "freshclam.exe - Ordinal Not Found" with the message "The ordinal 177 could not be located in the dynamic link library libclamav.dll."

freshclam.exe - Ordinal Not Found

When I right-clicked on the ClamWin icon in the notification area at the lower, right-hand corner of the screen and selected Open ClamWin, I saw the prompt "You have not yet downloaded Virus Definitions Database. Would you like to download it now?" I chose "Yes" and saw the "Ordinal Not Found" message again.


[/security/antivirus/clamav] permanent link

Sun, Nov 15, 2009 3:11 pm

ClamWin 0.95.3 Scan of Windows 7 Home Premium Edition Laptop on 2009-11-15

I scanned a laptop running Windows 7 Home Premium Edition with ClamWin Free Antivirus version 0.95.3 on 2009-11-15. ClamWin reported the following:

C:\$WINDOWS.~Q\DATA\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Users\Liza\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab: W32.Virut.Gen.D-163 FOUND

But, I believe all of those were false positives.


[/security/antivirus/clamav] permanent link

Mon, Apr 16, 2007 7:42 pm

ClamWin No Longer Reporting Opera Infected with Trojan.Bifrose-495

When I scanned opera.exe, the executable for the Opera 8.54 web browser on April 8, 2007 with ClamWin 0.90.1, it reported the file was infected with Trojan.Bifrose-495 (see ClamWin Reporting Opera Infected with Trojan.Bifrose-495). The report appeared to be a false positive and I submitted the file as a false positive using the form at ClamAV Virus Database.

When I opened ClamWin today to see if new virus definitions would result in the file no longer being reported as infected, I saw the message "You have not yet downloaded Virus Definitions Database. Would you like to download it now?" I chose "Yes". ClamWin appeared to download new definitions, but when I selected the file the Scan button was grayed out. I closed and reopened ClamWin. Again I got the message stating that I had not yet downloaded virus definitions. I chose to download them again, but the results were the same. When I exited from the program, right-clicked on the file to scan and chose "Scan with ClamWin Free Antivirus", I saw the message "Virus Definitions Database Not Found! Please download it now."

So I checked the ClamWin website. I found there was a new version, 0.90.1.1. The site had the following information on the new version:

Wednesday, 11 April 2007
This quick-fix release addresses the "Missing Virus Database" Error. Also it includes a couple of bug fixes:

I installed the new version. I was then able to scan opera.exe and it now reports that the file is uninfected. Previously ClamWin 0.90.1 was reporting that laplink.exe was also infected. It reported that file was infected with Trojan.Mybot-7604. I felt then that there was a fairly high probability that the report was another false positive. When I scanned the file with the new version of ClamWin with current virus definitions, that file is now reported as uninfected as well.

[/security/antivirus/clamav] permanent link

Sun, Apr 08, 2007 11:10 pm

ClamWin Reporting Opera Infected with Trojan.Bifrose-495

When I scanned a system with ClamWin 0.90.1, it reported that the executable opera.exe for the Opera web browser was infected with Trojan.Bifrose-495. The system has Opera 8.54 on it.

Checking the definitions timestamp in ClamWin, I saw the following:

ClamAV 0.90.1
Protecting from 107238 Viruses
Virus DB Version: (main: 42, daily: 3049)
Updated: 18:49 08 Apr 2007

I found someone else reporting the same problem on a ClamWin support forum at False Positives. And I found a post, Opera.exe: Trojan.Bifrose-495 FOUND, on an Opera community forum site, where someone posted that ClamAV reported "Trojan.Bifrose-495 FOUND" for opera.exe, though in his case it appeared he had version 7 of Opera on his system. He submitted opera.exe from his system to VirusTotal, which provides a free service allowing you to upload a file for analysis by many different antivirus programs. Only ClamAV and Fortinet identified the file as being suspicious. The other 27 antivirus scanners used by VirusTotal reported it was uninfected. ClamWin is a Windows implementation of ClamAV.

There was also another posting, Trojan.Bifrose-495? in a ClamWin forum where someone stated that ClamWin 0.88.7 reported the same infection for his copy of opera.exe. One of the ClamWin developers, sherpya, responded that it was a false positive. That person also submitted his copy to VirusTotal. The result was the same for him, with only ClamAV reporting the file as infected and Fortinet labelling it as "suspicious".

I found someone else reporting that ClamWin reported Opera was infected with Trojan.Bifrose-495 at Cleaning up a trojan, but the poster didn't appear to consider the possibility that the report may have been a false positive.

I submitted the opera.exe file from my system to VirusTotal also. One of the ClamWin developers referred the person who posted at False Positives on the ClamWin forum to How can I report a virus that ClamWin doesn't recognise? Or a false positive?, which also suggests submitting the file to VirusTotal, if you suspect that ClamWin is reporting a false positive. The file was scanned by 23 antivirus programs. Only ClamAV and Fortinet reported an issue with the file. ClamAV reported it found "Trojan.Bifrose-495", while Fortinet reported the file as "suspicious".

I also submitted the file to Jotti's Malware Scan, which also provides a free virus scanning service. Of the 17 antivirus programs it uses, only ClamAV reported the file as infected, with ClamAV reporting "Found Trojan.Bifrose-495". It scanned the file with Fortinet as well, but reported for Fortinet that "Found nothing" (see report).

I did submit the file using the on-line form at ClamAV Virus Database as a false positive.

So what does Trojan.Bifrose-495 do? I don't know and could not find any information on it via a Google search. Though I really like ClamWin and ClamAV, using them on many systems, one major advantage I see to a program like Symantec's antivirus software, aside from real-time scanning, is that Symantec will provide you with details on how most of the viruses it identifies work. By looking at the provided details, you can determine, if your system was infected, what the virus or trojan may have done and what other indicators of the infection you should expect to find on the system. ClamAV and thus ClamWin, which is built on ClamAV, provide no virus encyclopedia you can use for reference. If this wasn't a false positive I would certainly like to know how the virus or trojan operates, not just a name for it. Does it allow someone to take remote control of the infected system? Does it send out spam from the system, delete or corrupt files, etc.?

I normally use ClamWin as an adjunct to other antivirus software on a system and don't want real-time scanning capability from it, but really would like to have further details on any infections found. I have found ClamWin identifies malware other antivirus programs sometimes miss and am very appreciative of the work done by the developers for both ClamAV and ClamWin, but, whenever they report an infected file, I often have to submit the file to VirusTotal or Jotti's Malware Scan to attempt to figure out the potential harm that may have been caused by an infection. I look at the names used for the infection by other antivirus programs that also report the submitted file is infected. I then check virus encyclopedias they may provide or do further searching of the web using the names they use for the malware.

Details for the file I submitted:

Filename: opera.exe
Size: 76.5 KB (78,336 bytes)
Created: Saturday, April 15, 2006, 1:34:26 PM
Modified: Friday, March 24, 2006, 5:40:10 PM
File Version: 7730
Product Name: Opera Internet Browser
Product Version: 8.54
MD5 Sum: 40d2e3a6f1c1dbe7825553164a3b86d3
SHA-1 Hash: c9623b9018fb6faebef38af37ff02dad361f774d

The modification date listed on the file when I right-clicked on it and chose Properties was March 24, 2006. I installed Opera 8.54 on the system on April 15, 2006, so the modification date listed is several weeks prior to the software being installed on the system.

I also scanned the file with BitDefender 8 Free Edition, which had virus definitions of April 8, 2007, which is today's date, and Symantec AntiVirus Corporate Edition 8, which had virus definitions from April 4, 2007. Both of those antivirus programs were on the system where I ran the ClamAV scan. Both reported the file was uninfected, so I'm fairly confident at this point that ClamAV's report of the file as infected was a false positive.
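The workflow in this post and in the 2009-11-15 scan post is the same each time: take the "path: Signature FOUND" lines from the ClamWin report, then gather the file's size, timestamps and hashes before checking it against a multi-engine scanner or reporting a false positive. The PowerShell below is an added example, not code from the post or from ClamWin; it parses report lines into objects and collects those details for any flagged file that still exists on disk. The function names and the sample report lines (taken from the 2009-11-15 post) are constructed for the example; it needs PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not code from the original post or from ClamWin. It turns the
# "<path>: <signature> FOUND" lines of a clamscan/ClamWin report into a triage
# table carrying the details (size, timestamps, MD5, SHA-1) that multi-engine
# scanners and false-positive submission forms ask for.

function ConvertFrom-ClamscanReport {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        # clamscan prints one line per detection; summary lines do not match this shape.
        if ($line -match '^(?<path>.+?): (?<sig>\S+) FOUND\s*$') {
            [PSCustomObject]@{ Path = $Matches['path']; Signature = $Matches['sig'] }
        }
    }
}

function Get-DetectionDetails {
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Detection)
    process {
        $info = [ordered]@{ Signature = $Detection.Signature; Path = $Detection.Path }
        if (Test-Path -LiteralPath $Detection.Path -PathType Leaf) {
            $f = Get-Item -LiteralPath $Detection.Path
            $info['SizeBytes'] = $f.Length
            $info['Created']   = $f.CreationTime
            $info['Modified']  = $f.LastWriteTime
            # Hashing only reads the file; lower-case hex is the form the post and VirusTotal show.
            $info['MD5']  = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5).Hash.ToLower()
            $info['SHA1'] = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA1).Hash.ToLower()
        } else {
            $info['Note'] = 'file not present here (quarantined, removed, or reported from another machine)'
        }
        [PSCustomObject]$info
    }
}

# Constructed sample input: two detection lines quoted in the 2009-11-15 post plus
# the summary lines clamscan prints after them.
$sampleReport = @(
    'C:\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND',
    'C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab: W32.Virut.Gen.D-163 FOUND',
    '----------- SCAN SUMMARY -----------',
    'Infected files: 2'
)

$detections = ConvertFrom-ClamscanReport -Lines $sampleReport
"Detections per signature:"
$detections | Group-Object Signature | Select-Object Name, Count | Format-Table -AutoSize
"Details for submission:"
$detections | Get-DetectionDetails | Format-List
```

To use it on a real report, replace the constructed array with `Get-Content` of the saved ClamWin report file; the sample paths will not exist on your machine, so they show the "file not present" note rather than hashes.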

References:

  1. False Positives
    Posted: February 11, 2006
    ClamWin Free Antivirus Support and Discussion Forums

  2. Opera.exe: Trojan.Bifrose-495 FOUND
    Posted: December 20, 2006
    Forums - Opera Community

  3. Trojan.Bifrose-495?
    Posted: January 5, 2007
    ClamWin Free Antivirus Support and Discussion Forums

  4. Cleaning up a trojan
    Posted: December 21, 2006
    WebDeveloper.com Forum

[/security/antivirus/clamav] permanent link

Sun, Apr 08, 2007 7:53 pm

LibClamAV Error When Scanning a System with ClamWin 0.90.1

I upgraded ClamWin on a system from version 0.88.4 to 0.90.1, set it to scan all of drive C on the system and then went to bed.

When I checked the results 9 hours later, I was surprised to find ClamWin still running. I also saw lots of error messages similar to the following:


LibClamAV Error: ERROR: failed to create file: c:\docume~1\admini~\locals~1
\temp/clamav-b3e9e513a21a2f87d6834aa7fb84676.00000530.clamtmp/
_becaa_r_ndoaa_geiaa_cemaa_r_behaa_feiaa_heeaa_kdbaa_idhaa_idpaa_ldg
aa_ldoaa_idjaa_D_ideaa_idjaa_ldmaa_

On the ClamWin support forums, I found several references to the problem. At ERROR: failed to create file, sherpya, one of the ClamWin developers, responded on November 12 that the problem was due to the OLE2 unpacker used by ClamWin attempting to unpack CAB files and encountering problems when doing so: the files inside the CAB file have seemingly random names, and unpacking them with the OLE2 unpacker would lead to new files being created with the same names as existing files if ClamWin didn't stop unpacking the files and produce the error message instead. Sherpya stated in his response that ClamWin first tries to unpack CAB files with a CAB unpacker, but since InstallShield CAB files are not supported, it then passes such files on to the OLE2 unpacker, which can't properly unpack them. Sherpya states the problem is due to Microsoft using the same file signature for both CAB and OLE2 files. File Extension for .CAB also indicates that InstallShield CAB files are not compatible with Microsoft CAB files.

Sherpya further stated in a December 11, 2006 posting in the same thread that "since the cab code skips the archive, so it's passed to the ole2 code that doesn't pick the correct filenames to extract and since there are a lof of garbage in file names, clamav tries to sanitize it by replacing invalid chars by a _, this causes a lot of name clashes, but I preferred to warn instead of silent ignoring." ClamWin uses ClamAV for virus scanning; it is a Windows implementation of ClamAV.

There is another thread on the topic at Scan Write Errors. Sherpya states in that one that "m$ decided to make .msi files like ole2 container just like office document, but really they are a sort of cab archives."

And in response to the LIBCLAM AV error posting on April 4, 2007 by cebo, sherpya responds that "these messages are harmless, they will be removed on next release." I certainly hope there is an improvement with the next release.
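Because the thread turns on which container format a file really is (Microsoft CAB, InstallShield CAB, or an OLE2 compound document such as an .msi), a quick look at the leading bytes tells you which kind of file produced a given "failed to create file" line. The PowerShell below is an added example, not code from the post or from ClamAV; it classifies a file by its header and exercises itself on constructed sample files written to the temp directory. The function name, the sample file names and the "ISc(" InstallShield signature (the one the unshield tool checks for) are assumptions of this example; the "MSCF" cabinet signature and the 8-byte OLE2 header are the standard ones.

```powershell
# Added example, not from the post or from ClamAV: classify a file as Microsoft
# CAB, InstallShield CAB, or OLE2 compound document by its leading bytes.
function Get-ContainerKind {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        $full = Convert-Path -LiteralPath $Path
        $fs = [System.IO.File]::OpenRead($full)
        try {
            $buf = New-Object byte[] 8
            $n = $fs.Read($buf, 0, 8)          # number of bytes actually read
        } finally {
            $fs.Dispose()
        }
        $kind = 'not a CAB or OLE2 container'
        if ($n -ge 4) {
            $head = [System.Text.Encoding]::ASCII.GetString($buf, 0, 4)
            if ($head -ceq 'MSCF') { $kind = 'Microsoft cabinet (MSCF)' }
            elseif ($head -ceq 'ISc(') { $kind = 'InstallShield cabinet (ISc(, assumed signature)' }
        }
        # D0 CF 11 E0 A1 B1 1A E1 is the OLE2 / compound-document header (.msi, .doc, .xls ...)
        if ($n -ge 8 -and (($buf[0..7] -join ',') -eq '208,207,17,224,161,177,26,225')) {
            $kind = 'OLE2 compound document'
        }
        $hex = if ($n -gt 0) { ($buf[0..($n - 1)] | ForEach-Object { $_.ToString('X2') }) -join ' ' } else { '' }
        [PSCustomObject]@{ Path = $full; Kind = $kind; Header = $hex }
    }
}

# Constructed sample files: each starts with one of the signatures above, then
# zero padding, so the classifier can be run offline.
$ascii = [System.Text.Encoding]::ASCII
$pad = New-Object byte[] 12
$samples = [ordered]@{
    'sample-mscf.cab' = $ascii.GetBytes('MSCF')
    'sample-ole2.msi' = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1)
    'sample-isc.cab'  = $ascii.GetBytes('ISc(')
    'sample-text.txt' = $ascii.GetBytes('hello world')
}
$dir = Join-Path $env:TEMP 'container-kind-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$paths = foreach ($name in $samples.Keys) {
    $p = Join-Path $dir $name
    [System.IO.File]::WriteAllBytes($p, [byte[]]($samples[$name] + $pad))
    $p
}
$paths | Get-ContainerKind | Format-Table -AutoSize
Remove-Item -LiteralPath $dir -Recurse -Force
```

Point `Get-ContainerKind` at a real file (for instance one named in a "failed to create file" line) to see whether it is an InstallShield cabinet, which the thread says the CAB code skips, or an OLE2 container.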

Previously, when I started ClamWin on this system before going to bed, it would be finished when I checked it in the morning. When I checked the system at 9:00 A.M. after starting it around 11:00 P.M. the previous night, I found the CPU utilization was at about 100%. ClamWin was using over half the CPU time, but Spy Sweeper was also using a considerable amount of CPU time. I stopped Spy Sweeper. Then ClamWin was getting almost all of the CPU time, with the Task Manager showing its CPU utilization fluctuating between 90% and 97%, yet it still did not complete until 7:00 P.M., almost 20 hours after I started it.

I also saw the error message LibClamAV Error: Message is not un uuencoded form during the scan.

References:

  1. ClamWin

  2. ERROR: failed to create file:
    Posted: November 6, 2006
    ClamWin Free Antivirus Support and Discussion Forums

  3. Scan Write Errors
    Posted: October 11, 2006
    ClamWin Free Antivirus Support and Discussion Forums

  4. Cabinet (file format)
    Wikipedia, the free encyclopedia

  5. File Extension for .CAB
    FILExt

  6. Object Linking and Embedding
    Wikipedia, the free encyclopedia

  7. LIBCLAM AV error
    Posted: Wednesday, April 4, 2007
    ClamWin Free Antivirus Support and Discussion Forums

[/security/antivirus/clamav] permanent link

Sun, Apr 08, 2007 12:24 pm

Excluding ClamWin Quarantine Directory When Scanning

While searching for information on error messages I was getting while scanning a system with ClamWin 0.90.1, I found a comment by one of the ClamWin developers, alch, at clamwin is scanning its own quarantine files that in version 1 the quarantined files will be encrypted in such a way that they won't be flagged as infected files on subsequent scans. The response was to a ClamWin user's complaint about the current version's default behavior of scanning files in the quarantine folder, flagging them as infected, and then quarantining them again with a different name. Alch made the statement on March 23, 2007. He also stated version 1 "is in it's final stages of development."

You can exclude ClamWin's quarantine directory from being scanned by ClamWin by following the steps listed in Excluding the Quarantine Directory from a ClamWin scan.

[/security/antivirus/clamav] permanent link

Fri, Mar 02, 2007 1:37 pm

Excluding the Quarantine Directory from a ClamWin scan

Unless you tell it to exclude its own quarantine directory, ClamWin will scan that directory when you perform a scan of the entire hard disk or any directory that contains the quarantine directory beneath it. When it encounters already quarantined items, ClamWin will put a numerical value at the end as an extension, e.g. "000". A subsequent scan will repeat the process, so a file may then get the extension "000.000".

Clamwin renames quarantined items

I don't want ClamWin to scan its own quarantine directory and report infections for items it quarantined during previous scans. To avoid that result, you can take the following steps (instructions written for ClamWin 0.90, but should apply to other versions as well):

  1. Open ClamWin.
  2. Click on Tools and select Preferences.
  3. Click on the Advanced tab.
  4. Put --exclude-dir=".clamwin\\quarantine" in the Additional Clamscan Command Line Parameters field. Note: you must use two backslashes after "clamwin", because ClamWin treats the entry as a regular expression. In a regular expression, a backslash, "\", has special significance, so you need to "escape" that special significance by putting another backslash in front of any backslash you need to use.

ClamWin exclude directory

If you wish to exclude multiple directories, you can use multiple --exclude-dir commands separated by spaces, e.g. --exclude-dir=".clamwin\\quarantine" --exclude-dir="BitDefender8\\Quarantine".

To exclude individual files, you can use the exclude command, e.g. exclude="test.exe".
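Since the --exclude-dir value is treated as a regular expression, it pays to check what a candidate pattern matches before trusting it to keep the quarantine out of a scan. The PowerShell below is an added example, not code from the post or from ClamWin: it runs the pattern from the steps above, the single-backslash variant, and a stricter variant with the leading "." escaped against constructed sample paths. PowerShell's -cmatch (.NET regex, case-sensitive) stands in for clamscan's own regex matching; the function name and the sample paths are assumptions of the example.

```powershell
# Added example, not from the post: show what an --exclude-dir regex matches.
function Test-ExcludePattern {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string[]]$Paths
    )
    foreach ($p in $Paths) {
        try {
            # -cmatch: case-sensitive regex match, the closer analogue of clamscan's matching
            $result = if ($p -cmatch $Pattern) { 'excluded' } else { 'scanned' }
        } catch {
            # An unescaped backslash turns "\q" into an unknown escape, which the regex engine rejects.
            $result = "invalid pattern: $($_.Exception.Message)"
        }
        [PSCustomObject]@{ Pattern = $Pattern; Path = $p; Result = $result }
    }
}

# Constructed sample paths: a ClamWin quarantine, a BitDefender quarantine, an
# ordinary document, and a directory whose name merely resembles ".clamwin".
$samplePaths = @(
    'C:\Documents and Settings\Beth\.clamwin\quarantine\eicar.com.000',
    'C:\Program Files\Softwin\BitDefender8\Quarantine\setup.exe',
    'C:\Documents and Settings\Beth\My Documents\report.doc',
    'C:\Tools\myclamwin\quarantine\notes.txt'
)

# Single-quoted strings keep the backslashes literal, exactly as typed into ClamWin.
$patterns = '.clamwin\\quarantine', '.clamwin\quarantine', '\.clamwin\\quarantine'
foreach ($pat in $patterns) {
    Test-ExcludePattern -Pattern $pat -Paths $samplePaths | Format-Table -AutoSize
}
```

The first pattern excludes both the real quarantine and the look-alike "myclamwin\quarantine" path, because an unescaped "." matches any character; the single-backslash pattern is rejected outright; the third pattern, with "\.", excludes only the ClamWin quarantine.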

[/security/antivirus/clamav] permanent link

Thu, Mar 30, 2006 11:00 pm

ClamWin Virus Definitions Not Updating

If you try to update the virus definitions for ClamWin by selecting "Download Virus Database Update" and then see "Completed" immediately without new definitions being downloaded, the problem may be due to an incompatibility with the cygwin1.dll required by ClamWin and the cygwin1.dll file in use by some other application on the system, such as OpenSSH for Windows. See Incompatibility between OpenSSH for Windows and ClamWin for instructions on how to fix the problem.

You can determine which processes have the cygwin1.dll DLL loaded with the tasklist command on a Windows XP system.


C:\Program Files\ClamWin\bin>tasklist /m /fi "modules eq cygwin1.dll"

Image Name                   PID Modules
========================= ====== =============================================
sshd.exe                    5276 ntdll.dll, kernel32.dll,
                                 cygcrypto-0.9.7.dll, cygwin1.dll,
                                 ADVAPI32.DLL, RPCRT4.dll, cygz.dll,
                                 ws2_32.dll, msvcrt.dll, WS2HELP.dll,
                                 mswsock.dll, hnetcfg.dll, GDI32.dll,
                                 USER32.dll, wshtcpip.dll, wsock32.dll,
                                 DNSAPI.dll, winrnr.dll, WLDAP32.dll,
                                 Secur32.dll, mpr.dll, uxtheme.dll
switch.exe                  2336 ntdll.dll, kernel32.dll, cygwin1.dll,
                                 ADVAPI32.DLL, RPCRT4.dll, Apphelp.dll,
                                 user32.dll, GDI32.dll
sh.exe                      1192 ntdll.dll, kernel32.dll, cygwin1.dll,
                                 ADVAPI32.DLL, RPCRT4.dll, user32.dll,
                                 GDI32.dll
sh.exe                      3836 ntdll.dll, kernel32.dll, cygwin1.dll,
                                 ADVAPI32.DLL, RPCRT4.dll, Apphelp.dll,
                                 VERSION.dll, user32.dll, GDI32.dll

[/security/antivirus/clamav] permanent link

Mon, Mar 06, 2006 6:04 pm

ClamWin Outlook Integration Problem

A user was receiving an error message when she tried to send email with attachments:


ClamWin

An Error occured reading clamscan report: [Errno 2] No such file or
directory:
u'c:\\docume~1\\beth\locals~1\\temp\\tmpafm-hj\\client_setup_wi
zard_err_jpg - Virus Deleted by ClamWin.txt

ClamWin 0.88 was installed on her system and integrated with Outlook so that it was checking incoming and outgoing email for viruses. I had to disable the Outlook integration to stop the error from occurring.


[/security/antivirus/clamav] permanent link

Mon, Feb 13, 2006 11:05 pm

Incompatibility between OpenSSH for Windows and ClamWin

When I attempted to scan a directory with 83 .exe files with ClamWin, the scan completed almost instantly and I saw the message below.

-------------------
Completed
-------------------

I was skeptical that any scan had actually been conducted. I suspected a cygwin.dll incompatibility, since I also had installed OpenSSH for Windows to set up the Windows 2000 Professional system as an SSH server. So I got a command prompt and attempted to run clamscan on one of the files in the directory. The ClamWin application uses clamscan.exe to do the actual scanning for viruses. Sure enough, when I ran clamscan, I received the message shown below, informing me that there was a likely cygwin.dll compatibility problem and instructing me to search for multiple versions of cygwin1.dll on the system.


C:\Program Files\Security\AntiVirus\ClamWin\bin>clamscan \zips\11700.exe
C:\Program Files\Security\AntiVirus\ClamWin\bin\clamscan.exe (1356): *** system
shared memory version mismatch detected - 0x75BE0074/0x75BE0084.
This problem is probably due to using incompatible versions of the cygwin DLL.
Search for cygwin1.dll using the Windows Start->Find/Search facility
and delete all but the most recent version.  The most recent version *should*
reside in x:\cygwin\bin, where 'x' is the drive on which you have
installed the cygwin distribution.  Rebooting is also suggested if you
are unable to find another cygwin DLL.

I looked at the versions of cygwin1.dll which came with each application and found the versions shown below. The cygwin1.dll files are in the Clamwin\bin and OpenSSH\bin subdirectories underneath \Program Files, if you installed the applications in the default directories. You can check the version number for the dll files by right-clicking on them and selecting "Properties" and then clicking on the "Version" tab of the window that opens. You will see "File Version" listed near the top of the window then. You will also see "Product Version" listed under the "Item name" section of the version window. You will need to click on "Product Version" to see the value for it. The timestamps on the files also showed the ClamWin version of cygwin1.dll to be a later version.

Program   Program Version   Cygwin1.dll File Version   Product Version    Timestamp
ClamWin   0.88              1005.18.0.0                1.5.18             July 03, 2005, 11:30:52 AM
OpenSSH   3.8.1p1-1         1005.10.0.0                1.5.10-cr-0x5e6    Tuesday, May 25, 2004, 9:07:50 PM

Obviously, ClamWin 0.88 has a later version of the DLL file cygwin1.dll than OpenSSH for Windows 3.8.1p1-1. I shouldn't have had a problem if the later version was loaded into memory, so OpenSSH must have started first. Windows won't load another version of a DLL file with the same name as one already loaded.

You can resolve such a problem by overwriting the older version with the newer version. In this case, since OpenSSH for Windows had its copy of cygwin1.dll loaded in memory already, I couldn't overwrite its copy of the dll file without stopping it first. Otherwise I would get an error message "Cannot copy cygwin1: There has been a sharing violation. The source or destination file may be in use." So I stopped OpenSSH with the command net stop opensshd, copied the newer version of the cygwin1.dll file from Clamwin's bin directory to the OpenSSH bin directory, overwriting the existing version, and then restarted OpenSSH with net start opensshd. Note: if you have any SSH connections open, you will need to close those as well in order to overwrite the cygwin1.dll file in the OpenSSH bin directory.

I then rescanned the directory I had been trying to scan with ClamWin earlier. This time it took considerably longer to finish and produced a report at the end indicating the number of directories and files it had scanned. It found 3 infected files in the directory.
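The diagnosis in this post and in ClamWin Virus Definitions Not Updating has two halves: find every copy of cygwin1.dll with its version, and find which running processes have one loaded (what tasklist /m /fi "modules eq cygwin1.dll" shows). The PowerShell below is an added example, not code from either post; it does both and flags any process running an older copy than the newest one on disk. The search roots, the function name and the use of a modern PowerShell (3.0 or later, run elevated so service processes such as sshd.exe can be inspected) are assumptions of the example.

```powershell
# Added example, not from the post: inventory cygwin1.dll copies and loaders.
function Get-CygwinDllReport {
    param(
        [string[]]$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemDrive\cygwin"),
        [string]$DllName = 'cygwin1.dll'
    )

    # Turn strings such as "1005.18.0.0" or "1.5.10-cr-0x5e6" into [version]; unparsable -> 0.0
    function ConvertTo-VersionOrZero([string]$s) {
        $v = $null
        $clean = if ($s) { ($s -replace '[^\d.].*$', '').TrimEnd('.') } else { '' }
        if ([version]::TryParse($clean, [ref]$v)) { return $v }
        return [version]'0.0'
    }

    # 1. Every on-disk copy under the search roots, with its VERSIONINFO fields
    $onDisk = foreach ($root in $SearchRoots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter $DllName -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [PSCustomObject]@{
                    Path           = $_.FullName
                    FileVersion    = $_.VersionInfo.FileVersion
                    ProductVersion = $_.VersionInfo.ProductVersion
                    LastWriteTime  = $_.LastWriteTime
                    Version        = ConvertTo-VersionOrZero $_.VersionInfo.FileVersion
                }
            }
    }

    # 2. Processes that have the DLL mapped, and the path each one loaded it from
    $loaded = foreach ($proc in Get-Process) {
        try {
            foreach ($m in $proc.Modules) {
                if ($m.ModuleName -ieq $DllName) {
                    [PSCustomObject]@{
                        ProcessName = $proc.ProcessName
                        PID         = $proc.Id
                        LoadedFrom  = $m.FileName
                        FileVersion = $m.FileVersionInfo.FileVersion
                        Version     = ConvertTo-VersionOrZero $m.FileVersionInfo.FileVersion
                    }
                }
            }
        } catch {
            # Processes we are not allowed to inspect (not elevated, protected) are skipped.
        }
    }

    # 3. A process holding an older copy than the newest on disk is the mismatch to fix
    $newest = $onDisk | Sort-Object Version -Descending | Select-Object -First 1
    $conflicts = foreach ($l in $loaded) {
        if ($newest -and $l.Version -lt $newest.Version) {
            "$($l.ProcessName) (PID $($l.PID)) has $DllName $($l.FileVersion) loaded from $($l.LoadedFrom); newest on disk is $($newest.FileVersion) at $($newest.Path)"
        }
    }

    [PSCustomObject]@{ OnDisk = @($onDisk); Loaded = @($loaded); Conflicts = @($conflicts) }
}

$report = Get-CygwinDllReport
"== Copies of cygwin1.dll on disk =="
$report.OnDisk | Sort-Object Version -Descending | Format-Table Path, FileVersion, ProductVersion, LastWriteTime -AutoSize
"== Processes that have cygwin1.dll loaded =="
$report.Loaded | Format-Table ProcessName, PID, FileVersion, LoadedFrom -AutoSize
if ($report.Conflicts.Count -gt 0) { $report.Conflicts | ForEach-Object { Write-Warning $_ } }
else { 'No process is holding an older cygwin1.dll than the newest copy found.' }
```

A conflict line names the process that must be stopped (in the post, the OpenSSH service) before its copy of the DLL can be replaced; rerun the report after restarting it to confirm every loader now shows the newer version.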

[/security/antivirus/clamav] permanent link
