You can still access the results of a scan in such cases, though, because when you exit from viewing the scan results, the program automatically appends the results to C:\ProgramData\.clamwin\log\ClamScanLog.txt. The ProgamData directory is a hidden directory that you won't see in the Windows File Explorer unless you have configured it to display hidden files and folders. You can see the directory is present if you open a command prompt window and issue the command dir /ah — the "/ah" tells the dir command to display files and folders with the attribute "hidden." E.g.:

C:\>dir /ah
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\

08/21/2022  07:38 PM    <DIR>          $Recycle.Bin
07/08/2017  03:45 PM    <DIR>          $Windows.~WS
02/14/2024  10:43 AM    <DIR>          $WinREAgent
10/30/2015  02:18 AM                 1 BOOTNXT
08/21/2022  01:01 PM               112 bootTel.dat
02/28/2024  03:54 PM    <DIR>          Config.Msi
11/04/2011  01:20 AM            30,425 dell.sdr
07/14/2009  12:08 AM    <JUNCTION>     Documents and Settings [C:\Users]
03/03/2024  11:51 PM             8,192 DumpStack.log.tmp
03/04/2024  03:51 PM     6,373,736,448 hiberfil.sys
01/30/2012  09:36 PM    <DIR>          MSOCache
03/03/2024  11:51 PM     8,589,934,592 pagefile.sys
03/03/2024  09:48 AM    <DIR>          ProgramData
10/11/2023  09:00 AM    <DIR>          Recovery
03/03/2024  11:51 PM       268,435,456 swapfile.sys
01/28/2012  08:26 PM    <DIR>          System Recovery
03/04/2024  08:00 PM    <DIR>          System Volume Information
               7 File(s) 15,232,145,226 bytes
              10 Dir(s)  795,701,448,704 bytes free

C:\>>

Though the log file containing scan results is beneath a hidden directory, you can access it from a text editor such as Windows Notepad by typing in the directory path and file name, i.e., C:\ProgramData\.clamwin\log\ClamScanLog.txt when you choose Open to open a file, or you could open it from a command prompt window as shown below.

C:\&>notepad C:\ProgramData\.clamwin\log\ClamScanLog.txt

C:\&>

The ClamScanLog.txt file will contain the results of all scans run on the system, unless it was edited to remove prior results, with the results of the latest scan at the bottom of the file.

[/security/antivirus/clamav] permanent link

When I right-clicked on the ClamWin icon in the notification area at the lower, right-hand corner of the screen and selected Open ClamWin, I saw the prompt "You have not yet downloaded Virus Definitions Database. Would you like to download it now?" I chose "Yes" and saw the "Ordinal Not Found" message again.

[ More Info ]

[/security/antivirus/clamav] permanent link

C:\$WINDOWS.~Q\DATA\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Users\Liza\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab: W32.Virut.Gen.D-163 FOUND

But, I believe all of those were false positives.

[ More Info ]

[/security/antivirus/clamav] permanent link

When I opened ClamWin today to see if new virus definitions would result in the file no longer being reported as infected, I saw the message "You have not yet downloaded Virus Definitions Database. Would you like to download it now?" I chose "Yes". ClamWin appeared to download new definitions, but when I selected the file the Scan button was grayed out. I closed and reopened ClamWin. Again I got the message stating that I had not yet downloaded virus definitions. I chose to download them again, but the results were the same. When I exited from the program, right-clicked on the file to scan and chose "Scan with ClamWin Free Antivirus", I saw the message "Virus Definitions Database Not Found! Please download it now."

So I checked the ClamWin website. I found there was a new version, 0.90.1.1 The site had the following information on the new version:

Wednesday, 11 April 2007
This quick-fix release addresses the "Missing Virus Database" Error. Also it includes couple of bug fixes:

• Fixed file creation errors during scanning of OLE and MSI files
• Added description message when a "Can't Open File" error occurs
• Setup now installs virus definitions database

I installed the new version. I was then able to scan opera.exe and it now reports that the file is uninfected. Previously ClamWin 0.90.1 was reporting that laplink.exe was also infected. It reported that file was infected with Trojan.Mybot-7604. I felt then that there was a fairly high probabability that the report was another false positive. When I scanned the file with the new version of ClamWin with current virus definitions, that file is now reported as uninfected as well.

[/security/antivirus/clamav] permanent link

Checking the definitions timestamp in ClamWin, I saw the following:

ClamAV 0.90.1
Protecting from 107238 Viruses
Virus DB Version: (main: 42, daily: 3049)
Updated: 18:49 08 Apr 2007

I found someone else reporting the same problem on a ClamWin support forum at False Positives. And I found a post, Opera.exe: Trojan.Bifrose-495 FOUND, on an Opera community forum site, where someone posted that ClamAV reported "Trojan.Bifrose-495 FOUND" for opera.exe, though in his case it appeared he had version 7 of Opera on his system. He submitted opera.exe from his system to VirusTotal, which provides a free service allowing you to upload a file for analysis by many different antivirus programs. Only ClamAV and Fortinet identified the file as being suspicious. The other 27 antivirus scanners used by VirusTotal reported it was uninfected. ClamWin is a Windows implementation of ClamAV.

There was also another posting, Trojan.Bifrose-495? in a ClamWin forum where someone stated that ClamWin 0.88.7 reported the same infection for his copy of opera.exe. One of the ClamWin developers, sherpya, responded that it was a false positive. That person also submitted his copy to VirusTotal. The result was the same for him, with only ClamAV reporting the file as infected and Fortinet labelling it as "suspicious".

I found someone else reporting that ClamWin reported Opera was infected with Trojan.Bifrose-495 at Cleaning up a trojan, but the poster didn't appear to consider the possibility that the report may have been a false positive.

I submitted the opera.exe file from my system to VirusTotal also. One of the ClamWin developer's referred the person who posted at False Positives on the ClamWin forum to How can I report a virus that ClamWin doesn't recognise? Or a false positive?, which also suggests submitting the file to VirusTotal , if you suspect that ClamWin is reporting a false positive. The file was scanned by 23 antivirus programs. Only ClamAv and Fortinet reported an issue with the file. ClamAv reported it found "Trojan.Bifrose-495", while Fortinet reported the file as "suspicious".

I also submitted the file to Jotti's Malware Scan, which also provides a free virus scanning service. Of the 17 antivirus programs it uses, only ClamAv reported the file as infected with ClamAv reporting "Found Trojan.Bifrose-495". It scanned the file with Fortinet as well, but reported for Fortinet that "Found nothing" (see report ).

I did submit the file using the on-line form at ClamAV Virus Database as a false positive.

So what does Trojan.Bifrose-495 do? I don't know and could not find any information on it via a Google search. Though I really like ClamWin and ClamAV, using them on many systems, one major advantage I see to a program like Symantec's antivirus software, aside from real-time scanning, is that Symantec will provide you with details on how most of the viruses it identifies work. By looking at the provided details, you can determine, if your system was infected, what the virus or trojan may have done and what other indicators of the infection you should expect to find on the system. ClamAV and thus ClamWin, which is built on ClamAV, provide no virus encyclopedia you can use for reference. If this wasn't a false positive I would certainly like to know how the virus or trojan operates, not just a name for it. Does it allow someone to take remote control of the infected system? Does it send out spam from the system, delete or corrupt files, etc.?

I normally use ClamWin as an adjunct to other antivirus software on a system and don't want real-time scanning capability from it, but really would like to have further details on any infections found. I have found ClamWin identifies malware other antivirus programs sometimes miss and am very appreciative of the work done by the developers for both ClamAV and ClamWin, but, whenever they report an infected file, I often have to submit the file to VirusTotal or Jotti's Malware Scan to attempt to figure out the potential harm that may have been caused by an infection. I look at the names used for the infection by other antivirus programs that also report the submitted file is infected. I then look check virus encyclopedias they may provide or do further searching of the web using the names they use for the malware.

Details for the file I submitted:

The modification date listed on the file when I right-clicked on it and chose Properties was March 24, 2006. I installed Opera 8.54 on the system on April 15, 2006, so the modification date listed is several weeks prior to the software being installed on the system.

I also scanned the file with BitDefender 8 Free Edition, which had virus definitions of April 8, 2007, which is today's date, and Symantec AntiVirus Corporate Edition 8, which had virus definitions from April 4, 2007. Both of those antivirus programs were on the system where I ran the ClamAV scan. Both reported the file was uninfected, so I'm fairly confident at this point that ClamAV's report of the file as infected was a false positive.

References:

1. False Positives
   Posted February 11, 2006
   ClamWin Free Antivirus Support and Discussion Forums


2. Opera.exe: Trojan.Bifrose-495 FOUND
   Posted: December 20, 2006
   Forums - Opera Community


3. Trojan.Bifrose-495?
   January 5, 2007
   ClamWin Free Antivirus Support and Discussion Forums


4. Cleaning up a trojan
   December 21, 2006
   WebDeveloper.com Forum

[/security/antivirus/clamav] permanent link

I upgraded ClamWin on a system from version 0.88.4 to 0.90.1, set it to scan all of drive C on the system and then went to bed.

When I checked the results 9 hours later, I was surprised to find ClamWin still running. I also saw lots of error messages similar to the following:

LibClamAV Error: ERROR: failed to create file: c:\docume~1\admini~\locals~1
\temp/clamav-b3e9e513a21a2f87d6834aa7fb84676.00000530.clamtmp/
_becaa_r_ndoaa_geiaa_cemaa_r_behaa_feiaa_heeaa_kdbaa_idhaa_idpaa_ldg
aa_ldoaa_idjaa_D_ideaa_idjaa_ldmaa_

On the Clamwin support forums, I found several references to the problem. At ERROR: failed to create file, shepya, one of the ClamWin developers, responded on November 12 that the problem was due to the OLE2 unpacker that is used by ClamWin attempting to unpack CAB files, but encountering problems when doing so, since the files inside the CAB file have seemingly random names and unpacking them with the OLE2 unpacker would lead to new files being created with the same name as existing files, if ClamWin didn't stop unpacking the files and produce the error message instead. Sherpya stated in his response that ClamWin first tries to unpack the CAB files with a CAB unpacker, but for Installshield CAB files, since Installshield CAB files are not supported, it then passes the file on to the OLE2 unpacker, which can't properly unpack the CAB files. Shepya states the problem is due to Microsoft using the same file signature for both CAB and OLE2 files. File Extension for .CAB also indicates that InstallShield CAB files are not compatible with Microsoft CAB files.

Shepya further stated in a December 11, 2006 posting in the same thread that "since the cab code skips the archive, so it's passed to the ole2 code that doesn't pick the correct filenames to extract and since there are a lof of garbage in file names, clamav tries to sanitize it by replacing invalid chars by a _, this causes a lot of name clashes, but I preferred to warn instead of silent ignoring." ClamWin is using ClamAV for virus scanning; it is a Windows implementation for ClamAV.

There is another thread on the topic at Scan Write Errors. Sherpya states in that one that "m$ decided to make .msi files like ole2 container just like office document, but really they are a sort of cab archives."

And in response to the LIBCLAM AV error posting on April 4, 2007 by cebo, sherpya responds that "these messages are harmless, they will be removed on next release." I certainly hope there is an improvement with the next release.

Previously, when I started ClamWin on this system before going to bed, it would be finished when I checked it in the morning. When I checked the system at 9:00 A.M. after starting it around 11:00 P.M. the previous night, I found the CPU utilization was at about 100%. ClamWin was using over half the CPU time, but Spy Sweeper was also using a considerable amount of CPU time. I stopped Spy Sweeper. Then ClamWin was getting almost all of the CPU time, with the Task Manager showing its CPU utilization fluctuating between 90% and 97%, yet it still did not complete until 7:00 P.M., almost 20 hours after I started it.

I also saw the error message LibClamAV Error: Message is not un uuencoded form during the scan.

References:

1. ClamWin


2. ERROR: failed to create file:
   Posted: November 6, 2006
   ClamWin Free Antivirus Support and Discussion Forums


3. Scan Write Errors
   Posted: October 11, 2006
   ClamWin Free Antivirus Support and Discussion Forums


4. Cabinet (file format)
   Wikipedia, the free encyclopedia


5. File Extension for .CAB
   FILExt


6. Object Linking and Embedding
   Wikipedia, the free encyclopedia


7. LIBCLAM AV error
   Posted: Wednesday, April 4, 2007
   ClamWin Free Antivirus Support and Discussion Forums

[/security/antivirus/clamav] permanent link

You can exclude ClamWin's quarantine directory from being scanned by ClamWin by following the steps listed in Excluding the Quarantine Directory from a ClamWin scan.

[/security/antivirus/clamav] permanent link

I don't want ClamWin to scan its own quarantine directory and report infections for items it quarantined during previous scans. To avoid that result, you can take the following steps (instructions written for ClamWin 0.90, but should apply to other versions as well):

1. Open ClamWin.
2. Click on Tools and select Preferences.
3. Click on the Advanced tab.
4. Put --exclude-dir=".clamwin\\quarantine" in the Additional Clamscan Command Line Parameters field. Note: you must use two backslashes after "clamwin", because ClamWin treats the entry as a regular expression. In a regular expression, a backslash, "\", has special significance, so you need to "escape" that special significance by putting another backslash in front of any backslash you need to use.

If you wish to exclude multiple directories, you can use multiple --exclude-dir commands separated by spaces, e.g. --exclude-dir=".clamwin\\quarantine" --exclude-dir="BitDefender8\\Quarantine".

To exclude individual files, you can use the exclude command, e.g. exclude="test.exe".

[/security/antivirus/clamav] permanent link

You can determine which processes have the cygwin1.dll DLL loaded with the tasklist command on a Windows XP system.

C:\Program Files\ClamWin\bin>tasklist /m /fi "modules eq cygwin1.dll"

Image Name                   PID Modules
========================= ====== =============================================
sshd.exe                    5276 ntdll.dll, kernel32.dll,
                                 cygcrypto-0.9.7.dll, cygwin1.dll,
                                 ADVAPI32.DLL, RPCRT4.dll, cygz.dll,
                                 ws2_32.dll, msvcrt.dll, WS2HELP.dll,
                                 mswsock.dll, hnetcfg.dll, GDI32.dll,
                                 USER32.dll, wshtcpip.dll, wsock32.dll,
                                 DNSAPI.dll, winrnr.dll, WLDAP32.dll,
                                 Secur32.dll, mpr.dll, uxtheme.dll
switch.exe                  2336 ntdll.dll, kernel32.dll, cygwin1.dll,
                                 ADVAPI32.DLL, RPCRT4.dll, Apphelp.dll,
                                 user32.dll, GDI32.dll
sh.exe                      1192 ntdll.dll, kernel32.dll, cygwin1.dll,
                                 ADVAPI32.DLL, RPCRT4.dll, user32.dll,
                                 GDI32.dll
sh.exe                      3836 ntdll.dll, kernel32.dll, cygwin1.dll,
                                 ADVAPI32.DLL, RPCRT4.dll, Apphelp.dll,
                                 VERSION.dll, user32.dll, GDI32.dll

[/security/antivirus/clamav] permanent link

ClamWin

An Error occured reading clamscan report: [Errno 2] No such file or
directory:
u'c:\\docume~1\\beth\locals~1\\temp\\tmpafm-hj\\client_setup_wi
zard_err_jpg - Virus Deleted by ClamWin.txt

ClamWin 0.88 was installed on her system and integrated with Outlook so that it was checking incoming and outgoing email for viruses. I had to disable the Outlook integration to stop the error from occuring.

[ More Information ]

[/security/antivirus/clamav] permanent link