
Mailing List Archive: ClamAV: users

From a newbie: ClamAV scans shut down Google Chrome

 

 



teaquilter at lighthouse

May 12, 2012, 11:06 AM

Post #1 of 6 (725 views)

Dear ClamAV Users List:

For the past several weeks, I've had several viruses
detected by ClamAV that show as real viruses, not false positives, although
I haven't had any false positives since the first detection. The first
detection showed blue false positives and maroon viruses both.

I have tried several times to report as I have done in the
past via the web interface, but I can't browse to these files as they are
under another User Identity although detected by my Administrative Identity.

I run Windows Vista Home Premium 32 bit SP 2.

These are the files as picked up and pasted from a ClamAV
scan report 5-6-12. They are maroon bold-faced in the report:



C:\Users\tkfowler\AppData\Local\Google\Chrome\Application\18.0.1025.168\chrome.dll: W32.Virut.Gen.D-148 FOUND

C:\Users\tkfowler\AppData\Local\Google\Chrome\Application\18.0.1025.168\Installer\chrome.7z: W32.Virut.Gen.D-148 FOUND

C:\Users\tkfowler\AppData\Roaming\.clamwin\quarantine\chrome.7z.infected: W32.Virut.Gen.D-148 FOUND

C:\Users\tkfowler\AppData\Roaming\.clamwin\quarantine\chrome.dll.infected: W32.Virut.Gen.D-148 FOUND

C:\Users\tkfowler\AppData\Roaming\.clamwin\quarantine\chrome.dll.infected.000.infected: W32.Virut.Gen.D-148 FOUND



What happens as I am running a ClamAV scan is all the Google
Chrome shortcuts are inactivated. When it is done, I can't bring up Google
Chrome. From Control Panel/Programs, the first time Google Chrome already
was uninstalled. The other four or five times, I've had to uninstall and
reinstall. So far, I've been able to get back my Favorites, which I use to
track research.

Since I like Google Chrome, I haven't been running ClamAV
very often in the past week, just getting the automatic updates.

I've been running ClamAV for at least 6 years, no problems,
recommended by my ISP, who uses ClamAV for their email. They can't help me
with this and haven't heard of it happening to anyone else.

I haven't tried uninstalling and reinstalling ClamAV; not
sure if it is a good idea yet. I have run ClamAV in the quarantine option,
but two files don't show they are quarantined. I need to know how to
proceed: a substitute browser or ClamAV solution? I also run MalwareBytes
Anti-Malware, SUPER Anti-Spyware Free Edition, both recommended by my ISP,
and Windows Defender. None of these other three have picked up any of the
above files. I also wanted to notify in case anyone else is experiencing
this problem. Hope this isn't TMI. Joel Esler, Senior Research Engineer,
VRT, OpenSource Community Manager, Sourcefire, recommended that I offer this
to the group. Thanks to all members more experienced than me. Teresa,
teaquilter [at] lighthouse





_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


azidouemba at sourcefire

May 12, 2012, 11:25 AM

Post #2 of 6 (698 views)
Re: From a newbie: ClamAV scans shut down Google Chrome

Teresa,

Would you mind submitting the files below to
http://www.clamav.net/lang/en/sendvirus/submit-fp/? This will help us fix
the problem you are experiencing.

C:\Users\tkfowler\AppData\Local\Google\Chrome\Application\18.0.1025.168\chrome.dll

C:\Users\tkfowler\AppData\Local\Google\Chrome\Application\18.0.1025.168\Installer\chrome.7z

Thanks,

- Alain



ged at jubileegroup

May 13, 2012, 4:33 AM

Post #3 of 6 (684 views)
Re: From a newbie: ClamAV scans shut down Google Chrome

Hi there,

On Sun, 13 May 2012, Teresa K Fowler wrote:

> For the past several weeks, I've had several viruses detected by
> ClamAV that show as real viruses, not false positives, although I
> haven't had any false positives since the first detection. The
> first detection showed blue false positives and maroon viruses both.
> ...
> I run Windows Vista Home Premium 32 bit SP 2.

Just to clarify things, I suspect that you're running something other
than ClamAV.

You're probably using something like ClamWin. This will have a GUI,
with buttons to click to make life easy for you. It seems that the
tool you're using can produce report documents with interesting bits
highlighted in colour. ClamAV doesn't do anything like that.

ClamAV itself is a simple utility used by other software to examine
data. ClamAV does that, returning to the software which invoked it
information about what it found. It's then up to the software which
invoked ClamAV to do whatever it chooses to do. ClamAV itself when
used like this doesn't interact with the user in any way. It knows
nothing about maroon and blue colours. And it doesn't delete files,
nor quarantine them, nor even attempt to change them in any way.

ClamAV doesn't know the difference between malicious software and a
false positive, although it is possible to tell it to ignore certain
patterns - for example if you have an urgent fix to apply and cannot
afford to wait for the routine false-positive fixing process to take
its normal course. Your anti-virus tool may perhaps not make this
ClamAV feature available to you easily, if at all.

> ... I've been running ClamAV for at least 6 years, no problems,
> recommended by my ISP, who uses ClamAV for their email. They can't
> help me with this and haven't heard of it happening to anyone else.
> I haven't tried uninstalling and reinstalling ClamAV; not sure if it
> is a good idea yet. I have run ClamAV in the quarantine option, but
> two files don't show they are quarantined. I need to know how to
> proceed: a substitute browser or ClamAV solution?

Upgrade? See below.

> I also run MalwareBytes Anti-Malware, SUPER Anti-Spyware Free
> Edition, both recommended by my ISP, and Windows Defender. None of
> these other three have picked up any of the above files. I also
> wanted to notify in case anyone else is experiencing this problem.

Although you must be using something in addition to ClamAV, the ClamAV
engines (if kept up to date) are probably identical with those used by
other users of this mailing list. So it is useful to know about your
experiences. Things like false positives affect all users.

It is important to give full information about the current state of
your ClamAV engine and databases in any report that you make. In this
case, as you seem to be in a minority at least of your ISP's customers,
it seems likely that your ClamAV database or perhaps even ClamAV itself
is out of date and should be upgraded. Unfortunately you probably got
your version of ClamAV not from the originators but from a third party.
The third party likely provided the tool which you're using and ClamAV
as a package. You may need to go to them for the updated package.

Assuming that they have updated their package, upgrading to the latest
version (or uninstalling and reinstalling) should have the desired
effect. If they have not updated it then you may be able to update
ClamAV itself, but over the years there have been changes to the
software interface between ClamAV and the tools which use it, so there
is a possibility that this will not work. Updating the databases
alone (without making changes to the ClamAV engines) may be possible
depending on the age of your existing version of ClamAV.

--

73,
Ged.
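
The division of labour Ged describes (the engine reports, the front end decides what to do), as an added example that is not part of the original thread: a Python triage of report lines in the format quoted above, which separates live files worth submitting from re-detections of copies already sitting in the quarantine folder. The `user` account name is a placeholder and the `.infected` suffix pattern is an assumption drawn from the file names in the report.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in the "<path>: <signature> FOUND" shape quoted in the
# thread; "user" is a placeholder account name.
REPORT = r"""
C:\Users\user\AppData\Local\Google\Chrome\Application\18.0.1025.168\chrome.dll: W32.Virut.Gen.D-148 FOUND
C:\Users\user\AppData\Local\Google\Chrome\Application\18.0.1025.168\Installer\chrome.7z: W32.Virut.Gen.D-148 FOUND
C:\Users\user\AppData\Roaming\.clamwin\quarantine\chrome.7z.infected: W32.Virut.Gen.D-148 FOUND
C:\Users\user\AppData\Roaming\.clamwin\quarantine\chrome.dll.infected: W32.Virut.Gen.D-148 FOUND
C:\Users\user\AppData\Roaming\.clamwin\quarantine\chrome.dll.infected.000.infected: W32.Virut.Gen.D-148 FOUND
"""

FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
QUARANTINE = re.compile(r"\\\.clamwin\\quarantine\\", re.IGNORECASE)
# Assumption: quarantined copies are named "<name>.infected", optionally with
# a numeric counter, as the file names in the thread suggest.
SUFFIX = re.compile(r"(\.\d+)?\.infected$", re.IGNORECASE)


def parse_report(text):
    """Return (path, signature) for every detection line in the report."""
    hits = (FOUND.match(line.strip()) for line in text.splitlines())
    return [(m["path"], m["sig"]) for m in hits if m]


def original_name(path):
    """Strip quarantine suffixes to recover the name of the flagged file."""
    name = ntpath.basename(path)
    while SUFFIX.search(name):
        name = SUFFIX.sub("", name)
    return name


def triage(text):
    """Group detections per (file name, signature); split live vs quarantine."""
    groups = defaultdict(lambda: {"live": [], "quarantine": []})
    for path, sig in parse_report(text):
        kind = "quarantine" if QUARANTINE.search(path) else "live"
        groups[(original_name(path), sig)][kind].append(path)
    return dict(groups)


if __name__ == "__main__":
    for (name, sig), hits in triage(REPORT).items():
        print(f"{name} [{sig}]: submit {hits['live']}, "
              f"{len(hits['quarantine'])} quarantined copies re-detected")
```

On this sample the five report lines collapse to two distinct files, each flagged by the same signature, which is the pair of files Alain asks to have submitted.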


azidouemba at sourcefire

May 17, 2012, 7:32 AM

Post #4 of 6 (636 views)
Re: From a newbie: ClamAV scans shut down Google Chrome

James,

In terms of documentation, at this point you have:

- the source code
- Creating Signatures for ClamAV www.clamav.net/doc/latest/signatures.pdf
- ClamAV user manual www.clamav.net/doc/latest/clamdoc.pdf
- ClamAV bytecode compiler user manual http://git.clamav.net/gitweb?p=clamav-bytecode-compiler.git;a=blob_plain;f=docs/user/clambc-user.pdf
- VRT blog vrt-blog.snort.org/
- ClamAV blog blog.clamav.net/

Thanks,
- Alain

On Thu, May 17, 2012 at 10:25 AM, james henrydoss
<james.henrydoss [at] gmail> wrote:
>
> Hi,
>
> Is there any documentation available (other than user manual) to understand
> the clam-AV code design.
>
> Thanks
> James Henrydoss
>
>
> On Tue, May 15, 2012 at 4:20 PM, Teresa K. Fowler <teaquilter [at] lighthouse
> > wrote:
>
> > On 05/15/2012 12:42 AM, Jim Preston wrote:
> >
> > [snip]
> > >Best of luck and let me know if updating and reinstalling Chrome works.
> > >--
> > >Jim Preston
> > >
> > Dear Jim, The first ClamWin full scan I ran with the quarantine preference.
> > The four quarantined files went away.  Google Chrome was inactivated, as you
> > anticipated.  Two flagged files were the two that hadn't gone into
> > quarantine.  I re-ran a ClamWin full scan with the remove preference.  It
> > took away the two flagged files and gave me a "0 infected files" result in
> > green.  Chrome was still inactive.  I have now uninstalled it.  I will
> > report back after reinstalling and trying another ClamWin full scan.  I'll
> > try the report only preference; then if needed, quarantine; then if needed,
> > remove.
> > >
> > [snip]
> > >Feel free to post any portion of this thread on the ClamWin forum.
> > Although some of my clients use ClamWin, I am not signed up on that mailing
> > list at this time.
> > >
> > Jim, Thanks again.  When I get Google Chrome back and can scan with ClamWin
> > again without false flags/shut downs, I'll report my experience to the
> > ClamWin list. Yours will be the teaching moments. My career was in community
> > journalism. I was teaching the use of newswire/page design software run on a
> > mainframe. Then Page 1 designers went Mac. The regional daily didn't go
> > PC/Internet until just as I was leaving.  We did a whole lot of redesign and
> > expansion using the old system.
> >


tkojm at clamav

May 17, 2012, 7:33 AM

Post #5 of 6 (637 views)
Re: From a newbie: ClamAV scans shut down Google Chrome

On Thu, 17 May 2012 10:25:50 -0400 james henrydoss
<james.henrydoss [at] gmail> wrote:

> Hi,
>
> Is there any documentation available (other than user manual) to understand
> the clam-AV code design.

Source code.

--
oo ..... Tomasz Kojm <tkojm [at] clamav>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Thu May 17 16:32:01 CEST 2012


Jens.Schleusener at t-online

May 17, 2012, 11:44 AM

Post #6 of 6 (634 views)
Re: From a newbie: ClamAV scans shut down Google Chrome

On Thu, 17 May 2012, Tomasz Kojm wrote:

> On Thu, 17 May 2012 10:25:50 -0400 james henrydoss
> <james.henrydoss [at] gmail> wrote:
>
>> Hi,
>>
>> Is there any documentation available (other than user manual) to understand
>> the clam-AV code design.
>
> Source code.

... and studying the source code may be supplemented by Doxygen-generated
source code documentation (that can cross-reference documentation and code
and may offer dependency graphs), available e.g. at

http://fossies.org/dox/clamav

Jens