Mon, Mar 04, 2024 9:46 pm

Accessing ClamWin scan results when the option to save a report is grayed out

I ran a scan with ClamWin, a free and open-source antivirus program for Microsoft Windows systems, on a user's system recently when she thought the system might be infected with malware. I ran the ClamWin scan after I scanned the system with McAfee AntiVirus, the active antivirus program on the system providing real-time protection, which did not find any malware. The scan, which ran for many hours, flagged many files as containing malware. It was difficult to note the names and locations of files flagged as containing malware when they were flagged as the results would scroll quickly by as the program went on to scan other files. As I assumed I would be able to save the results to a file when the scan completed, that did not concern me. However, when the scan completed I was unable to save the results to a file because the button that would allow me to save the results was grayed out.

You can still access the results of a scan in such cases, though, because when you exit from viewing the scan results, the program automatically appends the results to C:\ProgramData\.clamwin\log\ClamScanLog.txt. The ProgramData directory is a hidden directory that you won't see in the Windows File Explorer unless you have configured it to display hidden files and folders. You can see the directory is present if you open a command prompt window and issue the command dir /ah — the "/ah" tells the dir command to display files and folders with the attribute "hidden." E.g.:

C:\>dir /ah
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\

08/21/2022  07:38 PM    <DIR>          $Recycle.Bin
07/08/2017  03:45 PM    <DIR>          $Windows.~WS
02/14/2024  10:43 AM    <DIR>          $WinREAgent
10/30/2015  02:18 AM                 1 BOOTNXT
08/21/2022  01:01 PM               112 bootTel.dat
02/28/2024  03:54 PM    <DIR>          Config.Msi
11/04/2011  01:20 AM            30,425 dell.sdr
07/14/2009  12:08 AM    <JUNCTION>     Documents and Settings [C:\Users]
03/03/2024  11:51 PM             8,192 DumpStack.log.tmp
03/04/2024  03:51 PM     6,373,736,448 hiberfil.sys
01/30/2012  09:36 PM    <DIR>          MSOCache
03/03/2024  11:51 PM     8,589,934,592 pagefile.sys
03/03/2024  09:48 AM    <DIR>          ProgramData
10/11/2023  09:00 AM    <DIR>          Recovery
03/03/2024  11:51 PM       268,435,456 swapfile.sys
01/28/2012  08:26 PM    <DIR>          System Recovery
03/04/2024  08:00 PM    <DIR>          System Volume Information
               7 File(s) 15,232,145,226 bytes
              10 Dir(s)  795,701,448,704 bytes free

C:\>

Though the log file containing scan results is beneath a hidden directory, you can access it from a text editor such as Windows Notepad by typing in the directory path and file name, i.e., C:\ProgramData\.clamwin\log\ClamScanLog.txt when you choose Open to open a file, or you could open it from a command prompt window as shown below.

C:\>notepad C:\ProgramData\.clamwin\log\ClamScanLog.txt

C:\>

The ClamScanLog.txt file will contain the results of all scans run on the system, unless it was edited to remove prior results, with the results of the latest scan at the bottom of the file.
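Because ClamScanLog.txt accumulates every scan, pulling the flagged files out of the latest one by hand is tedious. The script below is an added example (not code from the original post or from ClamWin): it splits the appended log into scans and groups the newest scan's "FOUND" lines by signature. It relies on the "path: signature FOUND" line format shown in this blog's other ClamWin posts, assumes each scan ends with clamscan's "SCAN SUMMARY" banner, and falls back to a constructed sample log when the real file is absent.

```python
"""List the files ClamWin flagged, read from the ClamScanLog.txt it appends to.

Added example, not code from the original post or from ClamWin. It relies on the
"<path>: <signature> FOUND" result-line format shown in the post and assumes each
scan ends with clamscan's "SCAN SUMMARY" banner; the sample log is constructed.
"""
import re
from pathlib import Path

LOG_PATH = Path(r"C:\ProgramData\.clamwin\log\ClamScanLog.txt")  # from the post

# clamscan prints this banner after every scan's per-file results; ClamWin
# appends each run to the same log, so the last block is the newest scan.
SUMMARY_MARKER = "----------- SCAN SUMMARY -----------"
# Per-file result lines start with a drive path; flagged ones end with
# "<signature> FOUND" (the format shown in the post).
RESULT_RE = re.compile(r"^[A-Za-z]:\\")
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<signature>\S+) FOUND\s*$")

# Constructed two-scan log in the shape of the post's examples.
SAMPLE_LOG = r"""C:\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Users\admin\Desktop\notes.txt: OK
----------- SCAN SUMMARY -----------
Infected files: 1
C:\Windows\SoftwareDistribution\Download\cache\excel.cab: W32.Virut.Gen.D-163 FOUND
C:\Users\Liza\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Program Files\Opera\opera.exe: OK
----------- SCAN SUMMARY -----------
Infected files: 2
"""

def parse_scans(log_text):
    """Split the appended log into scans, oldest first; each is a list of (path, signature)."""
    scans = [[]]
    after_summary = False
    for line in log_text.splitlines():
        if line.strip() == SUMMARY_MARKER:
            after_summary = True
            continue
        if not RESULT_RE.match(line):
            continue                  # summary lines, headers, blanks
        if after_summary:             # first result after a summary starts a new scan
            scans.append([])
            after_summary = False
        match = FOUND_RE.match(line)
        if match:
            scans[-1].append((match["path"], match["signature"]))
    return scans

def latest_findings(log_text):
    """Group the newest scan's flagged files by signature name."""
    by_signature = {}
    for path, signature in parse_scans(log_text)[-1]:
        by_signature.setdefault(signature, []).append(path)
    return by_signature

def main():
    # Fall back to the constructed sample when the real log is not present.
    text = LOG_PATH.read_text(errors="replace") if LOG_PATH.exists() else SAMPLE_LOG
    for signature, paths in sorted(latest_findings(text).items()):
        print(f"{signature} ({len(paths)} file(s))")
        for path in paths:
            print("    " + path)

if __name__ == "__main__":
    main()
```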


Sun, Oct 23, 2016 10:27 pm

freshclam.exe - Ordinal Not Found

After I upgraded ClamWin to version 0.99.1 on an HP laptop running Microsoft Windows 7 Professional, I saw a window titled "freshclam.exe - Ordinal Not Found" with the message "The ordinal 177 could not be located in the dynamic link library libclamav.dll."

[Image: freshclam.exe - Ordinal Not Found]

When I right-clicked on the ClamWin icon in the notification area at the lower, right-hand corner of the screen and selected Open ClamWin, I saw the prompt "You have not yet downloaded Virus Definitions Database. Would you like to download it now?" I chose "Yes" and saw the "Ordinal Not Found" message again.


Sun, Nov 15, 2009 3:11 pm

ClamWin 0.95.3 Scan of Windows 7 Home Premium Edition Laptop on 2009-11-15

I scanned a laptop running Windows 7 Home Premium Edition with ClamWin Free Antivirus version 0.95.3 on 2009-11-15. ClamWin reported the following:

C:\$WINDOWS.~Q\DATA\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Users\Liza\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab: W32.Virut.Gen.D-163 FOUND

But, I believe all of those were false positives.


Mon, Apr 16, 2007 7:42 pm

ClamWin No Longer Reporting Opera Infected with Trojan.Bifrose-495

When I scanned opera.exe, the executable for the Opera 8.54 web browser on April 8, 2007 with ClamWin 0.90.1, it reported the file was infected with Trojan.Bifrose-495 (see ClamWin Reporting Opera Infected with Trojan.Bifrose-495). The report appeared to be a false positive and I submitted the file as a false positive using the form at ClamAV Virus Database.

When I opened ClamWin today to see if new virus definitions would result in the file no longer being reported as infected, I saw the message "You have not yet downloaded Virus Definitions Database. Would you like to download it now?" I chose "Yes". ClamWin appeared to download new definitions, but when I selected the file the Scan button was grayed out. I closed and reopened ClamWin. Again I got the message stating that I had not yet downloaded virus definitions. I chose to download them again, but the results were the same. When I exited from the program, right-clicked on the file to scan and chose "Scan with ClamWin Free Antivirus", I saw the message "Virus Definitions Database Not Found! Please download it now."

So I checked the ClamWin website. I found there was a new version, 0.90.1.1. The site had the following information on the new version:

Wednesday, 11 April 2007
This quick-fix release addresses the "Missing Virus Database" Error. Also it includes couple of bug fixes:

I installed the new version. I was then able to scan opera.exe and it now reports that the file is uninfected. Previously ClamWin 0.90.1 was reporting that laplink.exe was also infected. It reported that file was infected with Trojan.Mybot-7604. I felt then that there was a fairly high probability that the report was another false positive. When I scanned the file with the new version of ClamWin with current virus definitions, that file is now reported as uninfected as well.


Sun, Apr 08, 2007 11:10 pm

ClamWin Reporting Opera Infected with Trojan.Bifrose-495

When I scanned a system with ClamWin 0.90.1, it reported that the executable opera.exe for the Opera web browser was infected with Trojan.Bifrose-495. The system has Opera 8.54 on it.

Checking the definitions timestamp in ClamWin, I saw the following:

ClamAV 0.90.1
Protecting from 107238 Viruses
Virus DB Version: (main: 42, daily: 3049)
Updated: 18:49 08 Apr 2007

I found someone else reporting the same problem on a ClamWin support forum at False Positives. And I found a post, Opera.exe: Trojan.Bifrose-495 FOUND, on an Opera community forum site, where someone posted that ClamAV reported "Trojan.Bifrose-495 FOUND" for opera.exe, though in his case it appeared he had version 7 of Opera on his system. He submitted opera.exe from his system to VirusTotal, which provides a free service allowing you to upload a file for analysis by many different antivirus programs. Only ClamAV and Fortinet identified the file as being suspicious. The other 27 antivirus scanners used by VirusTotal reported it was uninfected. ClamWin is a Windows implementation of ClamAV.

There was also another posting, Trojan.Bifrose-495? in a ClamWin forum where someone stated that ClamWin 0.88.7 reported the same infection for his copy of opera.exe. One of the ClamWin developers, sherpya, responded that it was a false positive. That person also submitted his copy to VirusTotal. The result was the same for him, with only ClamAV reporting the file as infected and Fortinet labelling it as "suspicious".

I found someone else reporting that ClamWin reported Opera was infected with Trojan.Bifrose-495 at Cleaning up a trojan, but the poster didn't appear to consider the possibility that the report may have been a false positive.

I submitted the opera.exe file from my system to VirusTotal also. One of the ClamWin developers referred the person who posted at False Positives on the ClamWin forum to How can I report a virus that ClamWin doesn't recognise? Or a false positive?, which also suggests submitting the file to VirusTotal if you suspect that ClamWin is reporting a false positive. The file was scanned by 23 antivirus programs. Only ClamAV and Fortinet reported an issue with the file. ClamAV reported it found "Trojan.Bifrose-495", while Fortinet reported the file as "suspicious".

I also submitted the file to Jotti's Malware Scan, which also provides a free virus scanning service. Of the 17 antivirus programs it uses, only ClamAV reported the file as infected, with ClamAV reporting "Found Trojan.Bifrose-495". It scanned the file with Fortinet as well, but reported "Found nothing" for Fortinet (see report).

I did submit the file using the on-line form at ClamAV Virus Database as a false positive.

So what does Trojan.Bifrose-495 do? I don't know and could not find any information on it via a Google search. Though I really like ClamWin and ClamAV, using them on many systems, one major advantage I see to a program like Symantec's antivirus software, aside from real-time scanning, is that Symantec will provide you with details on how most of the viruses it identifies work. By looking at the provided details, you can determine, if your system was infected, what the virus or trojan may have done and what other indicators of the infection you should expect to find on the system. ClamAV and thus ClamWin, which is built on ClamAV, provide no virus encyclopedia you can use for reference. If this wasn't a false positive I would certainly like to know how the virus or trojan operates, not just a name for it. Does it allow someone to take remote control of the infected system? Does it send out spam from the system, delete or corrupt files, etc.?

I normally use ClamWin as an adjunct to other antivirus software on a system and don't want real-time scanning capability from it, but really would like to have further details on any infections found. I have found ClamWin identifies malware other antivirus programs sometimes miss and am very appreciative of the work done by the developers for both ClamAV and ClamWin, but, whenever they report an infected file, I often have to submit the file to VirusTotal or Jotti's Malware Scan to attempt to figure out the potential harm that may have been caused by an infection. I look at the names used for the infection by other antivirus programs that also report the submitted file is infected. I then check virus encyclopedias they may provide or do further searching of the web using the names they use for the malware.

Details for the file I submitted:

Filename:opera.exe
Size:76.5 KB (78,336 bytes)
Created:Saturday, April 15, 2006, 1:34:26 PM
Modified:Friday, March 24, 2006, 5:40:10 PM
File Version:7730
Product Name:Opera Internet Browser
Product Version:8.54
MD5 Sum:40d2e3a6f1c1dbe7825553164a3b86d3
SHA-1 Hash:c9623b9018fb6faebef38af37ff02dad361f774d

The modification date listed on the file when I right-clicked on it and chose Properties was March 24, 2006. I installed Opera 8.54 on the system on April 15, 2006, so the modification date listed is several weeks prior to the software being installed on the system.

I also scanned the file with BitDefender 8 Free Edition, which had virus definitions of April 8, 2007, which is today's date, and Symantec AntiVirus Corporate Edition 8, which had virus definitions from April 4, 2007. Both of those antivirus programs were on the system where I ran the ClamAV scan. Both reported the file was uninfected, so I'm fairly confident at this point that ClamAV's report of the file as infected was a false positive.

References:

  1. False Positives
    Posted: February 11, 2006
    ClamWin Free Antivirus Support and Discussion Forums

  2. Opera.exe: Trojan.Bifrose-495 FOUND
    Posted: December 20, 2006
    Forums - Opera Community

  3. Trojan.Bifrose-495?
    Posted: January 5, 2007
    ClamWin Free Antivirus Support and Discussion Forums

  4. Cleaning up a trojan
    Posted: December 21, 2006
    WebDeveloper.com Forum


Sun, Apr 08, 2007 7:53 pm

LibClamAV Error When Scanning a System with ClamWin 0.90.1

I upgraded ClamWin on a system from version 0.88.4 to 0.90.1, set it to scan all of drive C on the system and then went to bed.

When I checked the results 9 hours later, I was surprised to find ClamWin still running. I also saw lots of error messages similar to the following:


LibClamAV Error: ERROR: failed to create file: c:\docume~1\admini~\locals~1
\temp/clamav-b3e9e513a21a2f87d6834aa7fb84676.00000530.clamtmp/
_becaa_r_ndoaa_geiaa_cemaa_r_behaa_feiaa_heeaa_kdbaa_idhaa_idpaa_ldg
aa_ldoaa_idjaa_D_ideaa_idjaa_ldmaa_

On the ClamWin support forums, I found several references to the problem. At ERROR: failed to create file, sherpya, one of the ClamWin developers, responded on November 12 that the problem was due to the OLE2 unpacker used by ClamWin attempting to unpack CAB files and encountering problems when doing so: since the files inside the CAB file have seemingly random names, unpacking them with the OLE2 unpacker would lead to new files being created with the same names as existing files if ClamWin didn't stop unpacking the files and produce the error message instead. Sherpya stated in his response that ClamWin first tries to unpack CAB files with a CAB unpacker, but since InstallShield CAB files are not supported, it then passes those files on to the OLE2 unpacker, which can't properly unpack them. Sherpya states the problem is due to Microsoft using the same file signature for both CAB and OLE2 files. File Extension for .CAB also indicates that InstallShield CAB files are not compatible with Microsoft CAB files.

Sherpya further stated in a December 11, 2006 posting in the same thread that "since the cab code skips the archive, so it's passed to the ole2 code that doesn't pick the correct filenames to extract and since there are a lof of garbage in file names, clamav tries to sanitize it by replacing invalid chars by a _, this causes a lot of name clashes, but I preferred to warn instead of silent ignoring." ClamWin uses ClamAV for virus scanning; it is a Windows implementation of ClamAV.

There is another thread on the topic at Scan Write Errors. Sherpya states in that one that "m$ decided to make .msi files like ole2 container just like office document, but really they are a sort of cab archives."

And in response to the LIBCLAM AV error posting on April 4, 2007 by cebo, sherpya responds that "these messages are harmless, they will be removed on next release." I certainly hope there is an improvement with the next release.

Previously, when I started ClamWin on this system before going to bed, it would be finished when I checked it in the morning. When I checked the system at 9:00 A.M. after starting it around 11:00 P.M. the previous night, I found the CPU utilization was at about 100%. ClamWin was using over half the CPU time, but Spy Sweeper was also using a considerable amount of CPU time. I stopped Spy Sweeper. Then ClamWin was getting almost all of the CPU time, with the Task Manager showing its CPU utilization fluctuating between 90% and 97%, yet it still did not complete until 7:00 P.M., almost 20 hours after I started it.

I also saw the error message LibClamAV Error: Message is not un uuencoded form during the scan.

References:

  1. ClamWin

  2. ERROR: failed to create file:
    Posted: November 6, 2006
    ClamWin Free Antivirus Support and Discussion Forums

  3. Scan Write Errors
    Posted: October 11, 2006
    ClamWin Free Antivirus Support and Discussion Forums

  4. Cabinet (file format)
    Wikipedia, the free encyclopedia

  5. File Extension for .CAB
    FILExt

  6. Object Linking and Embedding
    Wikipedia, the free encyclopedia

  7. LIBCLAM AV error
    Posted: Wednesday, April 4, 2007
    ClamWin Free Antivirus Support and Discussion Forums


Sun, Apr 08, 2007 12:24 pm

Excluding ClamWin Quarantine Directory When Scanning

While searching for information on error messages I was getting while scanning a system with ClamWin 0.90.1, I found a comment by one of the ClamWin developers, alch, at clamwin is scanning its own quarantine files that in version 1 the quarantined files will be encrypted in such a way that they won't be flagged as infected files on subsequent scans. The response was to a ClamWin user's complaint about the current version's default behavior of scanning files in the quarantine folder, flagging them as infected, and then quarantining them again with a different name. Alch made the statement on March 23, 2007. He also stated version 1 "is in it's final stages of development."

You can exclude ClamWin's quarantine directory from being scanned by ClamWin by following the steps listed in Excluding the Quarantine Directory from a ClamWin scan.


Fri, Mar 02, 2007 1:37 pm

Excluding the Quarantine Directory from a ClamWin scan

Unless you tell it to exclude its own quarantine directory, ClamWin will scan that directory whenever you perform a scan of the entire hard disk or of any directory that contains the quarantine directory beneath it. When it encounters already quarantined items, ClamWin will put a numerical value at the end as an extension, e.g. "000". A subsequent scan will repeat the process, so a file may then get the extension "000.000".

[Image: ClamWin renames quarantined items]

I don't want ClamWin to scan its own quarantine directory and report infections for items it quarantined during previous scans. To avoid that result, you can take the following steps (instructions written for ClamWin 0.90, but should apply to other versions as well):

  1. Open ClamWin.
  2. Click on Tools and select Preferences.
  3. Click on the Advanced tab.
  4. Put --exclude-dir=".clamwin\\quarantine" in the Additional Clamscan Command Line Parameters field. Note: you must use two backslashes after "clamwin", because ClamWin treats the entry as a regular expression. In a regular expression, a backslash, "\", has special significance, so you need to "escape" that special significance by putting another backslash in front of any backslash you need to use.

[Image: ClamWin exclude directory]

If you wish to exclude multiple directories, you can use multiple --exclude-dir commands separated by spaces, e.g. --exclude-dir=".clamwin\\quarantine" --exclude-dir="BitDefender8\\Quarantine".

To exclude individual files, you can use the --exclude option, e.g. --exclude="test.exe".
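The double-backslash rule in step 4 is easy to get wrong, and a pattern that does not match simply leaves the quarantine directory in the scan. The script below is an added example (not code from the original post or from ClamWin): it builds the --exclude-dir values for the two directories named above, checks which constructed paths they match, and shows what happens to the single-backslash form. It assumes, as the post states, that clamscan matches the value as a regular expression against each path; Python's re module stands in for clamscan's own regex engine.

```python
"""Build and check the --exclude-dir value for ClamWin's quarantine directory.

Added example, not code from the original post or from ClamWin. It assumes, as
the post states, that clamscan treats the --exclude-dir value as a regular
expression matched against each path it visits; Python's re module stands in for
clamscan's regex engine, and the paths tested below are constructed.
"""
import re

# Directory fragments from the post, written the way a user would type the path.
QUARANTINE_DIRS = [r".clamwin\quarantine", r"BitDefender8\Quarantine"]

def exclude_dir_pattern(fragment):
    """Double every backslash so the regex engine reads each one as a literal.

    A single backslash starts an escape sequence instead ('\\q' in the post's
    example), so the pattern would not match the real directory as intended.
    """
    return fragment.replace("\\", "\\\\")

def exclude_dir_arguments(fragments):
    """The text to paste into the Additional Clamscan Command Line Parameters field."""
    return " ".join(f'--exclude-dir="{exclude_dir_pattern(f)}"' for f in fragments)

def is_excluded(path, fragments):
    """True if any exclusion pattern matches the path, as clamscan would test it."""
    return any(re.search(exclude_dir_pattern(f), path) for f in fragments)

def single_backslash_is_rejected(fragment):
    """Failure mode: the unescaped fragment is not even a valid regex in Python's re."""
    try:
        re.compile(fragment)
    except re.error:
        return True
    return False

if __name__ == "__main__":
    print(exclude_dir_arguments(QUARANTINE_DIRS))
    for sample in (r"C:\ProgramData\.clamwin\quarantine\sample.exe.000",
                   r"C:\ProgramData\.clamwin\log\ClamScanLog.txt"):
        print(f"{'skip' if is_excluded(sample, QUARANTINE_DIRS) else 'scan'}  {sample}")
    print("single backslash rejected:", single_backslash_is_rejected(QUARANTINE_DIRS[0]))
```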


Thu, Mar 30, 2006 11:00 pm

ClamWin Virus Definitions Not Updating

If you try to update the virus definitions for ClamWin by selecting "Download Virus Database Update" and then see "Completed" immediately without new definitions being downloaded, the problem may be due to an incompatibility between the cygwin1.dll required by ClamWin and the cygwin1.dll file in use by some other application on the system, such as OpenSSH for Windows. See Incompatibility between OpenSSH for Windows and ClamWin for instructions on how to fix the problem.

You can determine which processes have the cygwin1.dll DLL loaded with the tasklist command on a Windows XP system.


C:\Program Files\ClamWin\bin>tasklist /m /fi "modules eq cygwin1.dll"

Image Name                   PID Modules
========================= ====== =============================================
sshd.exe                    5276 ntdll.dll, kernel32.dll,
                                 cygcrypto-0.9.7.dll, cygwin1.dll,
                                 ADVAPI32.DLL, RPCRT4.dll, cygz.dll,
                                 ws2_32.dll, msvcrt.dll, WS2HELP.dll,
                                 mswsock.dll, hnetcfg.dll, GDI32.dll,
                                 USER32.dll, wshtcpip.dll, wsock32.dll,
                                 DNSAPI.dll, winrnr.dll, WLDAP32.dll,
                                 Secur32.dll, mpr.dll, uxtheme.dll
switch.exe                  2336 ntdll.dll, kernel32.dll, cygwin1.dll,
                                 ADVAPI32.DLL, RPCRT4.dll, Apphelp.dll,
                                 user32.dll, GDI32.dll
sh.exe                      1192 ntdll.dll, kernel32.dll, cygwin1.dll,
                                 ADVAPI32.DLL, RPCRT4.dll, user32.dll,
                                 GDI32.dll
sh.exe                      3836 ntdll.dll, kernel32.dll, cygwin1.dll,
                                 ADVAPI32.DLL, RPCRT4.dll, Apphelp.dll,
                                 VERSION.dll, user32.dll, GDI32.dll


Mon, Mar 06, 2006 6:04 pm

ClamWin Outlook Integration Problem

A user was receiving an error message when she tried to send email with attachments:


ClamWin

An Error occured reading clamscan report: [Errno 2] No such file or
directory:
u'c:\\docume~1\\beth\locals~1\\temp\\tmpafm-hj\\client_setup_wi
zard_err_jpg - Virus Deleted by ClamWin.txt

ClamWin 0.88 was installed on her system and integrated with Outlook so that it was checking incoming and outgoing email for viruses. I had to disable the Outlook integration to stop the error from occurring.
