
Mailing List Archive: ClamAV: users

How To Clean Infected Files

 

 



cwilliams at ideorlando

Sep 10, 2008, 8:13 AM

Post #1 of 13 (9884 views)
How To Clean Infected Files

I used clamscan for the 1st time manually yesterday and it took some
time to recursively scan my users home directory where email is stored.

It found many infected files so my question is how do I force clamscan
to clean or remove all the problem files it found?

----------- SCAN SUMMARY -----------
Known viruses: 416284
Engine version: 0.94
Scanned directories: 25494
Scanned files: 914188
Infected files: 1266
Data scanned: 169328.71 MB
Time: 36408.332 sec (606 m 48 s)

--
Carlos Williams <cwilliams [at] ideorlando>
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


bperry.volatile at gmail

Sep 10, 2008, 8:44 AM

Post #2 of 13 (9806 views)
Re: How To Clean Infected Files

Read the documentation or the man page, I am sure it has all the info you
need :-).

On Wed, Sep 10, 2008 at 10:13 AM, Carlos Williams
<cwilliams [at] ideorlando> wrote:

> I used clamscan for the 1st time manually yesterday and it took some
> time to recursively scan my users home directory where email is stored.
>
> It found many infected files so my question is how do I force clamscan
> to clean or remove all the problem files it found?
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 416284
> Engine version: 0.94
> Scanned directories: 25494
> Scanned files: 914188
> Infected files: 1266
> Data scanned: 169328.71 MB
> Time: 36408.332 sec (606 m 48 s)
>
> --
> Carlos Williams <cwilliams [at] ideorlando>



--
http://www.volatileminds.net


rberber at prodigy

Sep 10, 2008, 8:46 AM

Post #3 of 13 (9808 views)
Re: How To Clean Infected Files

Carlos Williams wrote:

> I used clamscan for the 1st time manually yesterday and it took some
> time to recursively scan my users home directory where email is stored.
>
> It found many infected files so my question is how do I force clamscan
> to clean or remove all the problem files it found?

http://www.clamav.net/support/faq/

$ clamscan -h

Clam AntiVirus Scanner 0.94
(C) 2002 - 2007 ClamAV Team - http://www.clamav.net/team

...
--remove Remove infected files. Be careful!
...
--
René Berber



cwilliams at ideorlando

Sep 10, 2008, 9:41 AM

Post #4 of 13 (9811 views)
Re: How To Clean Infected Files

Brandon Perry wrote:
> Read the documentation or the man page, I am sure it has all the info you
> need :-).

I found:

--remove
Remove infected files. Be careful.

Why is this dangerous or does it have a caveat warning?

The man page does not specify for whatever reason. I assume I run:

$ clamscan -r /home --remove


--
Carlos Williams <cwilliams [at] ideorlando>


bperry.volatile at gmail

Sep 10, 2008, 9:43 AM

Post #5 of 13 (9807 views)
Re: How To Clean Infected Files

Because you are removing the file, not just the virus. ClamAV can't
disinfect as there is no need to.

On Wed, Sep 10, 2008 at 11:41 AM, Carlos Williams
<cwilliams [at] ideorlando> wrote:

> Brandon Perry wrote:
> > Read the documentation or the man page, I am sure it has all the info you
> > need :-).
>
> I found:
>
> --remove
> Remove infected files. Be careful.
>
> Why is this dangerous or does it have a caveat warning?
>
> The man page does not specify for whatever reason. I assume I run:
>
> $ clamscan -r /home --remove
>
>
> --
> Carlos Williams <cwilliams [at] ideorlando>



--
http://www.volatileminds.net


tkojm at clamav

Sep 10, 2008, 9:47 AM

Post #6 of 13 (9804 views)
Re: How To Clean Infected Files

On Wed, 10 Sep 2008 12:41:39 -0400
Carlos Williams <cwilliams [at] ideorlando> wrote:

> Brandon Perry wrote:
> > Read the documentation or the man page, I am sure it has all the info you
> > need :-).
>
> I found:
>
> --remove
> Remove infected files. Be careful.
>
> Why is this dangerous or does it have a caveat warning?

It will for example remove complete mboxes and not just the infected
messages inside them. Be careful ;-)

--
oo ..... Tomasz Kojm <tkojm [at] clamav>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Wed Sep 10 18:44:21 CEST 2008


cswiger at mac

Sep 10, 2008, 9:47 AM

Post #7 of 13 (9805 views)
Re: How To Clean Infected Files

On Sep 10, 2008, at 9:41 AM, Carlos Williams wrote:
> --remove
> Remove infected files. Be careful.
>
> Why is this dangerous or does it have a caveat warning?

It's got a caveat because it's going to delete anything which matches
its signatures -- and even things with URLs which happen to trigger
the phishing heuristics, if you've got that option enabled. For the
case of container files like the mbox format, you'd rather delete
individual messages containing a virus rather than all of the messages
in that mbox file.

If possible, you should restore any virusized files from backups and
then re-check to make sure you've cleaned up everything...

Regards,
--
-Chuck



cwilliams at ideorlando

Sep 10, 2008, 10:01 AM

Post #8 of 13 (9807 views)
Re: How To Clean Infected Files

Tomasz Kojm wrote:
> On Wed, 10 Sep 2008 12:41:39 -0400
> Carlos Williams <cwilliams [at] ideorlando> wrote:
>
>> Brandon Perry wrote:
>>> Read the documentation or the man page, I am sure it has all the info you
>>> need :-).
>> I found:
>>
>> --remove
>> Remove infected files. Be careful.
>>
>> Why is this dangerous or does it have a caveat warning?
>
> It will for example remove complete mboxes and not just the infected
> messages inside them. Be careful ;-)

What if I am using Maildir/ style mailboxes? Will it still delete /
remove the users entire Maildir directory rather than just the infected
files? I would hope this simply removes/deletes the files deemed
"infected" and not the directory.

--
Carlos Williams <cwilliams [at] ideorlando>


tkojm at clamav

Sep 10, 2008, 10:06 AM

Post #9 of 13 (9808 views)
Re: How To Clean Infected Files

On Wed, 10 Sep 2008 13:01:48 -0400
Carlos Williams <cwilliams [at] ideorlando> wrote:

> What if I am using Maildir/ style mailboxes? Will it still delete /
> remove the users entire Maildir directory rather than just the infected
> files? I would hope this simply removes/deletes the files deemed
> "infected" and not the directory.

It won't remove any directories, just the infected files.

--
oo ..... Tomasz Kojm <tkojm [at] clamav>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Wed Sep 10 19:05:20 CEST 2008


tkojm at clamav

Sep 10, 2008, 10:15 AM

Post #10 of 13 (9804 views)
Re: How To Clean Infected Files

On Wed, 10 Sep 2008 19:06:46 +0200
Tomasz Kojm <tkojm [at] clamav> wrote:

> On Wed, 10 Sep 2008 13:01:48 -0400
> Carlos Williams <cwilliams [at] ideorlando> wrote:
>
> > What if I am using Maildir/ style mailboxes? Will it still delete /
> > remove the users entire Maildir directory rather than just the infected
> > files? I would hope this simply removes/deletes the files deemed
> > "infected" and not the directory.
>
> It won't remove any directories, just the infected files.

Anyway, you should rather use --move and --log to quarantine the files. The log
file will help you to localize moved files in case you want to recover them (the
move command may change some file names and add suffixes to avoid overwriting
files in the quarantine directory but it will preserve the ownership, mtime, etc.)

--
oo ..... Tomasz Kojm <tkojm [at] clamav>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Wed Sep 10 19:07:43 CEST 2008
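
The replies above warn that `--remove` deletes a whole mbox, not only the detected message, while a Maildir detection is a single file. The following is an added example, not part of the thread or of ClamAV: it reads a scan log and reports which detections are mbox containers and how many messages each holds. It assumes log lines of the form `<path>: <signature> FOUND`; the function names, sample files and signature names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify every FOUND entry of a clamscan log before choosing
# between --remove and --move. Assumes log lines "<path>: <signature> FOUND".

# Prints one line per detection: "<kind>\t<signature>\t<path>", where kind is
# "mbox:<N>" (container holding N messages), "single", or "missing".
triage_clamscan_log() (
    while IFS= read -r line; do
        case $line in *' FOUND') ;; *) continue ;; esac
        line=${line% FOUND}
        path=${line%: *}          # everything before the last ": "
        sig=${line##*: }          # signature name after the last ": "
        if [ ! -f "$path" ]; then
            printf 'missing\t%s\t%s\n' "$sig" "$path"
            continue
        fi
        first=''
        IFS= read -r first < "$path" || true
        case $first in
            'From '*)             # mbox separator line: whole mailbox is at stake
                n=$(grep -c '^From ' < "$path")
                printf 'mbox:%s\t%s\t%s\n' "$n" "$sig" "$path" ;;
            *)  printf 'single\t%s\t%s\n' "$sig" "$path" ;;
        esac
    done < "$1"
)

# Constructed sample data: a 3-message mbox, one Maildir message, and a log.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bob/Maildir/cur"
    for i in 1 2 3; do
        printf 'From alice@example.test Wed Sep 10 08:0%s:00 2008\nSubject: m%s\n\nbody\n\n' "$i" "$i"
    done > "$d/alice.mbox"
    printf 'Return-Path: <x@example.test>\nSubject: hi\n\nbody\n' > "$d/bob/Maildir/cur/1221000000.M1.host:2,S"
    {
        printf '%s: OK\n' "$d/clean.txt"
        printf '%s: Constructed.Test.Sig-1 FOUND\n' "$d/alice.mbox"
        printf '%s: Constructed.Test.Sig-2 FOUND\n' "$d/bob/Maildir/cur/1221000000.M1.host:2,S"
        printf '%s: Constructed.Test.Sig-3 FOUND\n' "$d/gone.eml"
        printf 'Infected files: 3\n'
    } > "$d/scan.log"
    printf '%s\n' "$d"
}

d=$(make_sample) && triage_clamscan_log "$d/scan.log"; rm -rf "$d"
```

Entries reported as `mbox:N` with N greater than 1 are the ones where removing the file would discard clean mail along with the detection.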


uhlar at fantomas

Sep 11, 2008, 2:53 AM

Post #11 of 13 (9777 views)
Re: How To Clean Infected Files

On 10.09.08 11:43, Brandon Perry wrote:
> Because you are removing the file, not just the virus. ClamAV can't
> disinfect as there is no need to.

Actually, some viruses append javascript code at the end of file they are
modifying. Cleaning that would help (although I don't know until when...)

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.


cwilliams at ideorlando

Sep 11, 2008, 5:13 AM

Post #12 of 13 (9777 views)
Re: How To Clean Infected Files

Matus UHLAR - fantomas wrote:
> On 10.09.08 11:43, Brandon Perry wrote:
>> Because you are removing the file, not just the virus. ClamAV can't
>> disinfect as there is no need to.
>
> Actually, some viruses append javascript code at the end of file they are
> modifying. Cleaning that would help (although I don't know until when...)

So would I be correct in running the following command to simply remove
files which are labeled "infected"?

$ clamscan -r /home --remove


--
Carlos Williams <cwilliams [at] ideorlando>


bperry.volatile at gmail

Sep 11, 2008, 7:27 AM

Post #13 of 13 (9782 views)
Re: How To Clean Infected Files

>
>
> $ clamscan -r /home --remove
>

This is correct.

>
>
> --
> Carlos Williams <cwilliams [at] ideorlando>



--
http://www.volatileminds.net
