Mailing List Archive: ClamAV: users

Re: From a newbie: ClamAV scans shut down Google Chrome


teaquilter at lighthouse

May 13, 2012, 2:49 PM

Post #1 of 7 (1098 views)
Re: From a newbie: ClamAV scans shut down Google Chrome

Hi Alain, I haven't been able to browse to the files, for ClamAV web
interface attachment, on the User Identity from which they were flagged.
I've asked for help from my ISP, but no response yet. The only thing I can
think to do is to log on in the UserID where the flagged files exist, and
try to browse to them from there using the link you provide. Sorry this is
mostly new to me. Thanks for your help. Teresa


-----Original Message-----
From: clamav-users-bounces [at] lists
[mailto:clamav-users-bounces [at] lists] On Behalf Of Alain Zidouemba
Sent: Saturday, May 12, 2012 2:25 PM
To: ClamAV users ML
Subject: Re: [clamav-users] From a newbie: ClamAV scans shut down Google
Chrome

Teresa,

Would you mind submitting the files below to
http://www.clamav.net/lang/en/sendvirus/submit-fp/? This will help us fix
the problem you are experiencing.

C:\Users\tkfowler\AppData\Local\Google\Chrome\Application\18.0.1025.168\chrome.dll

C:\Users\tkfowler\AppData\Local\Google\Chrome\Application\18.0.1025.168\Installer\chrome.7z

Thanks,

- Alain

On Sat, May 12, 2012 at 2:06 PM, Teresa K. Fowler <teaquilter [at] lighthouse> wrote:

> Dear ClamAV Users List:
>
> For the past several weeks, I've had several viruses
> detected by ClamAV that show as real viruses, not false positives,
> although I haven't had any false positives since the first detection.
> The first detection showed blue false positives and maroon viruses both.
>
> I have tried several times to report as I have done in
> the past via the web interface, but I can't browse to these files as
> they are under another User Identity although detected by my
> Administrative Identity.
>
> I run Windows Vista Home Premium 32 bit SP 2.
>
> These are the files as picked up and pasted from a
> ClamAV scan report 5-6-12. They are maroon bold-faced in the report:
>
>
> C:\Users\tkfowler\AppData\Local\Google\Chrome\Application\18.0.1025.168\chrome.dll: W32.Virut.Gen.D-148 FOUND
>
> C:\Users\tkfowler\AppData\Local\Google\Chrome\Application\18.0.1025.168\Installer\chrome.7z: W32.Virut.Gen.D-148 FOUND
>
> C:\Users\tkfowler\AppData\Roaming\.clamwin\quarantine\chrome.7z.infected: W32.Virut.Gen.D-148 FOUND
>
> C:\Users\tkfowler\AppData\Roaming\.clamwin\quarantine\chrome.dll.infected: W32.Virut.Gen.D-148 FOUND
>
> C:\Users\tkfowler\AppData\Roaming\.clamwin\quarantine\chrome.dll.infected.000.infected: W32.Virut.Gen.D-148 FOUND
>
> What happens as I am running a ClamAV scan is all the
> Google Chrome shortcuts are inactivated. When it is done, I can't
> bring up Google Chrome. From Control Panel/Programs, the first time
> Google Chrome already was uninstalled. The other four or five times,
> I've had to uninstall and reinstall. So far, I've been able to get
> back my Favorites, which I use to track research.
>
> Since I like Google Chrome, I haven't been running
> ClamAV very often in the past week, just getting the automatic updates.
>
> I've been running ClamAV for at least 6 years, no
> problems, recommended by my ISP, who uses ClamAV for their email.
> They can't help me with this and haven't heard of it happening to anyone
> else.
>
> I haven't tried uninstalling and reinstalling ClamAV;
> not sure if it is a good idea yet. I have run ClamAV in the
> quarantine option, but two files don't show they are quarantined. I
> need to know how to
> proceed: a substitute browser or ClamAV solution? I also run
> MalwareBytes Anti-Malware, SUPER Anti-Spyware Free Edition, both
> recommended by my ISP, and Windows Defender. None of these other
> three have picked up any of the above files. I also wanted to notify
> in case anyone else is experiencing this problem. Hope this isn't
> TMI. Joel Esler, Senior Research Engineer, VRT, OpenSource Community
> Manager, Sourcefire, recommended that I offer this to the group.
> Thanks to all members more experienced than me. Teresa,
> teaquilter [at] lighthouse
>
>
>
>
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit
> http://wiki.clamav.net http://www.clamav.net/support/ml
>
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


teaquilter at lighthouse

May 13, 2012, 3:00 PM

Post #2 of 7 (1039 views)
Re: From a newbie: ClamAV scans shut down Google Chrome [In reply to]

Could my culprit be ClamWin? I started out with ClamWin years ago,
following download links recommended by my ISP/computer repair service. I
thought it was the same thing as ClamAV, that ClamAV was the new name, or
ClamWin was the free edition. What I am actually running is ClamWin Free
Antivirus, a.k.a. ClamWin Antivirus. I thought I had the same thing used by
my ISP to scan email. What do I do? Uninstall ClamWin and install ClamAV?
Teresa


-----Original Message-----
From: clamav-users-bounces [at] lists
[mailto:clamav-users-bounces [at] lists] On Behalf Of G.W. Haywood
Sent: Sunday, May 13, 2012 7:34 AM
To: clamav-users [at] lists
Subject: Re: [clamav-users] From a newbie: ClamAV scans shut down Google
Chrome

Hi there,

On Sun, 13 May 2012, Teresa K Fowler wrote:

> For the past several weeks, I've had several viruses detected by
> ClamAV that show as real viruses, not false positives, although I
> haven't had any false positives since the first detection. The first
> detection showed blue false positives and maroon viruses both.
> ...
> I run Windows Vista Home Premium 32 bit SP 2.

Just to clarify things, I suspect that you're running something other than
ClamAV.

You're probably using something like ClamWin. This will have a GUI, with
buttons to click to make life easy for you. It seems that the tool you're
using can produce report documents with interesting bits highlighted in
colour. ClamAV doesn't do anything like that.

ClamAV itself is a simple utility used by other software to examine data.
ClamAV does that, returning to the software which invoked it information
about what it found. It's then up to the software which invoked ClamAV to
do whatever it chooses to do. ClamAV itself when used like this doesn't
interact with the user in any way. It knows nothing about maroon and blue
colours. And it doesn't delete files, nor quarantine them, nor even attempt
to change them in any way.

ClamAV doesn't know the difference between malicious software and a false
positive, although it is possible to tell it to ignore certain patterns -
for example if you have an urgent fix to apply and cannot afford to wait for
the routine false-positive fixing process to take its normal course. Your
anti-virus tool may perhaps not make this ClamAV feature available to you
easily, if at all.

> ... I've been running ClamAV for at least 6 years, no problems,
> recommended by my ISP, who uses ClamAV for their email. They can't
> help me with this and haven't heard of it happening to anyone else.
> I haven't tried uninstalling and reinstalling ClamAV; not sure if it
> is a good idea yet. I have run ClamAV in the quarantine option, but
> two files don't show they are quarantined. I need to know how to
> proceed: a substitute browser or ClamAV solution?

Upgrade? See below.

> I also run MalwareBytes Anti-Malware, SUPER Anti-Spyware Free Edition,
> both recommended by my ISP, and Windows Defender. None of these other
> three have picked up any of the above files. I also wanted to notify
> in case anyone else is experiencing this problem.

Although you must be using something in addition to ClamAV, the ClamAV
engines (if kept up to date) are probably identical with those used by other
users of this mailing list. So it is useful to know about your experiences.
Things like false positives affect all users.

It is important to give full information about the current state of your
ClamAV engine and databases in any report that you make. In this case, as
you seem to be in a minority at least of your ISP's customers, it seems
likely that your ClamAV database or perhaps even ClamAV itself is out of
date and should be upgraded. Unfortunately you probably got your version of
ClamAV not from the originators but from a third party.
The third party likely provided the tool which you're using and ClamAV as a
package. You may need to go to them for the updated package.

Assuming that they have updated their package, upgrading to the latest
version (or uninstalling and reinstalling) should have the desired effect.
If they have not updated it then you may be able to update ClamAV itself,
but over the years there have been changes to the software interface between
ClamAV and the tools which use it, so there is a possibility that this will
not work. Updating the databases alone (without making changes to the
ClamAV engines) may be possible depending on the age of your existing
version of ClamAV.

--

73,
Ged.


jimlinux at commspeed

May 13, 2012, 11:39 PM

Post #3 of 7 (1033 views)
Re: From a newbie: ClamAV scans shut down Google Chrome [In reply to]

On 05/13/2012 03:00 PM, Teresa K. Fowler wrote:
> Could my culprit be ClamWin? I started out with ClamWin years ago,
> following download links recommended by my ISP/computer repair service. I
> thought it was the same thing as ClamAV, that ClamAV was the new name, or
> ClamWin was the free edition. What I am actually running is ClamWin Free
> Antivirus, a.k.a. ClamWin Antivirus. I thought I had the same thing used by
> my ISP to scan email. What do I do? Uninstall ClamWin and install ClamAV?
> Teresa
[snip]


Hi Teresa,
A couple of things, contrary to most corporate mail, this forum uses
bottom posting meaning that you add your comments at the bottom of the
posting rather than on top. Normally non-relevant portions are then
snipped out as I have done here. There are two main reasons for this:
Firstly, it reduces the size of the emails.
Secondly, it makes logical sense as your question / query /
comment is at the top of the email (forum posting) and the response is
at the bottom.

Corporate email tends to top post as the number of people involved is
limited and mostly fixed and the recipients are mostly interested in
just the latest response. Since this is a mailing list, you never know who
is going to reply and old "stuff" in the posting is just noise for the
most part.

You are posting to the ClamAV Users Mailing List. Your best solution at
this point is to post to the ClamWin mailing list,
http://www.clamwin.com/content/view/123/90/ where those users will be in
a better position to directly solve your issues. This mailing list is
primarily concerned with the engines (scanning, updating, false
positive, etc) and addressing issues relating to not being able to
compile the software from source code, crashing of the scan engines,
falsely reporting malware in files that are clean, and things like that.
Your problem is specific to ClamWin and its quarantining of files.

It is a little confusing but .... ClamWin is a 'complete' solution for
the Microsoft Windows platform. ClamAV is at the heart of the various
platform solutions of which ClamWin is one. Each of the 'complete'
solutions are maintained by their own developers using the free and open
source scan technology provided by ClamAV.

Specifically from your original post, you were reporting a problem with
the Google Chrome files being quarantined. That was an example of a
false positive which was corrected a few days ago (I do not remember
exactly when as I was not directly affected by the false positive). If
that is your only "true" issue, updating to the latest signatures and
reinstalling Google Chrome should resolve the issue.

ClamAV itself is primarily used by mail servers to scan mail before
passing it on to end users or forwarding to other mail servers. ClamAV
just scans files and other streams of data looking for malware. The
ClamAV engines just report if malware was found and do not quarantine,
clean, or do anything else with the files. When using clamscan or other
feature of ClamAV to scan a platform, it is up to the user to decide
what to do with the reported files. Due to the issue this leaves for the
"average" user, other developers have provided more complete solutions
such as ClamWin.

> What do I do? Uninstall ClamWin and install ClamAV?

If you choose to go with just ClamAV, then you will have to accept the
responsibility of what to do when a scan reports malware. Nobody but you
can decide if you have the expertise and time to take on this
responsibility. See what the ClamWin support forum can provide before
you make the leap to abandon ClamWin.

I do hope I have clarified things for you, if not just ignore this
posting except for the etiquette of not top posting.

--
Jim Preston
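
The division of labour described in this reply and in G.W. Haywood's earlier one (the engine only reports; whatever invoked it decides what happens next), as an added example that is not part of the original posts and is not ClamAV or ClamWin code: a report-only triage of `path: signature FOUND` lines in Python. The detection lines are the ones pasted at the start of the thread; the two non-detection lines are constructed, and the function names and the quarantine-directory check are assumptions of this example.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# A detection line has the form "<path>: <signature> FOUND". A Windows path
# already contains ':' after the drive letter, so match greedily and let the
# regex settle on the last ": " before the signature instead of splitting on
# the first colon.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")

# Assumption of this example: copies made by the front end live under this
# directory (taken from the paths in the thread's report).
QUARANTINE_DIR = r"\.clamwin\quarantine"


class Hit(NamedTuple):
    path: str
    signature: str
    in_quarantine: bool


def parse_report(text):
    """Return one Hit per detection line; every other line is ignored."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            path = m.group("path")
            hits.append(Hit(path, m.group("sig"), QUARANTINE_DIR in path.lower()))
    return hits


def triage(hits):
    """Group detections by signature, separating live files from quarantine
    copies. Nothing is moved or deleted: the decision stays with the caller."""
    groups = defaultdict(lambda: {"live": [], "quarantine_copies": []})
    for h in hits:
        key = "quarantine_copies" if h.in_quarantine else "live"
        groups[h.signature][key].append(h.path)
    return dict(groups)


# Detection lines from the thread's scan report (unwrapped); the last two
# lines are constructed to show what the parser skips.
SAMPLE_REPORT = r"""
C:\Users\tkfowler\AppData\Local\Google\Chrome\Application\18.0.1025.168\chrome.dll: W32.Virut.Gen.D-148 FOUND
C:\Users\tkfowler\AppData\Local\Google\Chrome\Application\18.0.1025.168\Installer\chrome.7z: W32.Virut.Gen.D-148 FOUND
C:\Users\tkfowler\AppData\Roaming\.clamwin\quarantine\chrome.7z.infected: W32.Virut.Gen.D-148 FOUND
C:\Users\tkfowler\AppData\Roaming\.clamwin\quarantine\chrome.dll.infected: W32.Virut.Gen.D-148 FOUND
C:\Users\tkfowler\AppData\Roaming\.clamwin\quarantine\chrome.dll.infected.000.infected: W32.Virut.Gen.D-148 FOUND
C:\Users\tkfowler\Documents\notes.txt: OK
Infected files: 5
"""

if __name__ == "__main__":
    for sig, group in triage(parse_report(SAMPLE_REPORT)).items():
        print(sig)
        for p in group["live"]:
            print("  live file, needs a decision:", p)
        for p in group["quarantine_copies"]:
            print("  already a quarantine copy:  ", p)
```

Separating quarantine copies from live files keeps a re-scan of the quarantine folder from being counted as new detections.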




teaquilter at lighthouse

May 14, 2012, 12:18 PM

Post #4 of 7 (1037 views)
Re: From a newbie: ClamAV scans shut down Google Chrome [In reply to]

-----Original Message-----
From: clamav-users-bounces [at] lists
[mailto:clamav-users-bounces [at] lists] On Behalf Of Jim Preston
Sent: Monday, May 14, 2012 2:39 AM
To: ClamAV users ML
Subject: Re: [clamav-users] From a newbie: ClamAV scans shut down Google
Chrome

On 05/13/2012 03:00 PM, Teresa K. Fowler wrote:
> Could my culprit be ClamWin? I started out with ClamWin years ago,
> following download links recommended by my ISP/computer repair
> service. I thought it was the same thing as ClamAV, that ClamAV was
> the new name, or ClamWin was the free edition. What I am actually
> running is ClamWin Free Antivirus, a.k.a. ClamWin Antivirus. I
> thought I had the same thing used by my ISP to scan email. What do I do?
> Uninstall ClamWin and install ClamAV?
> Teresa
[snip]


On 5-14-12 2:39 a.m., Jim Preston wrote:

> Hi Teresa,
> A couple of things, contrary to most corporate mail, this forum uses bottom
> posting meaning that you add your comments at the bottom of the posting
> rather than on top. Normally non-relevant portions are then snipped out as
> I have done here. There are two main reasons for this:
> Firstly, it reduces the size of the emails.
> Secondly, it makes logical sense as your question / query / comment is at
> the top of the email (forum posting) and the response is at the bottom.
>
> Corporate email tends to top post as the number of people involved is
> limited and mostly fixed and the recipients are mostly interested in just
> the latest response. Since this is a mailing list, you never know who is
> going to reply and old "stuff" in the posting is just noise for the most
> part.
>
> You are posting to the ClamAV Users Mailing List. Your best solution at
> this point is to post to the ClamWin mailing list,
> http://www.clamwin.com/content/view/123/90/ where those users will be in a
> better position to directly solve your issues. This mailing list is
> primarily concerned with the engines (scanning, updating, false positive,
> etc) and addressing issues relating to not being able to compile the
> software from source code, crashing of the scan engines, falsely reporting
> malware in files that are clean, and things like that.
> Your problem is specific to ClamWin and its quarantining of files.
>
> It is a little confusing but .... ClamWin is a 'complete' solution for the
> Microsoft Windows platform. ClamAV is at the heart of the various platform
> solutions of which ClamWin is one. Each of the 'complete'
> solutions are maintained by their own developers using the free and open
> source scan technology provided by ClamAV.
>
> Specifically from your original post, you were reporting a problem with the
> Google Chrome files being quarantined. That was an example of a false
> positive which was corrected a few days ago (I do not remember exactly when
> as I was not directly affected by the false positive). If that is your only
> "true" issue, updating to the latest signatures and reinstalling Google
> Chrome should resolve the issue.
>
> ClamAV itself is primarily used by mail servers to scan mail before
> passing it on to end users or forwarding to other mail servers. ClamAV just
> scans files and other streams of data looking for malware. The ClamAV
> engines just report if malware was found and do not quarantine, clean, or do
> anything else with the files. When using clamscan or other feature of ClamAV
> to scan a >> >ClamWin.
>
> > What do I do? Uninstall ClamWin and install ClamAV?
>
> If you choose to go with just ClamAV, then you will have to accept the
> responsibility of what to do when a scan reports malware. Nobody but you can
> decide if you have the expertise and time to take on this responsibility.
> See what the ClamWin support forum can provide before you make the leap to
> abandon ClamWin.
>
> I do hope I have clarified things for you, if not just ignore this posting
> except for the etiquette of not top posting.
>
> --
> Jim Preston

Dear Jim Preston, You have explained everything beautifully, clearly even
for me, a right-brain writer, and sadly NOT a computer engineer. Therefore I
will stay with ClamWin, because I have neither the expertise nor time to go
with ClamAV. Most of these false positives I just wait out, because someone
more computer brilliant than me always reports, and the problem goes away.
This one hung on, and no one else seemed to be talking about it, so I did my
best to contribute. Thank you for clearing up all the remaining issues and
alerting me that the problem has been solved in the past few days. I will
take your advice and update Clamwin to the latest signatures, then reinstall
Google Chrome one more time.

Teresa K. Fowler

PS: Have you considered writing computer texts for non-engineers? You have
a gift for putting your finger on all the elusive background gaps in
knowledge that prevent learning advancement, and for filling in those gaps
everyone else assumes "everyone" knows with clear information delivered in a
friendly, non-condescending tone absent in many tutorials. And without the
jocular yatayatayata of some books such as the "For Dummies" series. Will
you post your above to the Clamwin mailing list? If not, with your
permission, and if you think it is still necessary, I will post a summary
including your response on the list where I might better have started this
journey.

PPS: Do I get bottom posting now? Seems backwards.



jimlinux at commspeed

May 14, 2012, 9:41 PM

Post #5 of 7 (1020 views)
Re: From a newbie: ClamAV scans shut down Google Chrome [In reply to]

On 05/14/2012 12:18 PM, Teresa K. Fowler wrote:

[snip]
>> I do hope I have clarified things for you, if not just ignore this posting
>> except for the etiquette of not top posting.
>> --
>> Jim Preston
> Dear Jim Preston, You have explained everything beautifully, clearly even
> for me, a right-brain writer, and sadly NOT a computer engineer. Therefore I
> will stay with ClamWin, because I have neither the expertise nor time to go
> with ClamAV. Most of these false positives I just wait out, because someone
> more computer brilliant than me always reports, and the problem goes away.
> This one hung on, and no one else seemed to be talking about it, so I did my
> best to contribute. Thank you for clearing up all the remaining issues and
> alerting me that the problem has been solved in the past few days. I will
> take your advice and update Clamwin to the latest signatures, then reinstall
> Google Chrome one more time.
>
> Teresa K. Fowler
>
> PS: Have you considered writing computer texts for non-engineers? You have
> a gift for putting your finger on all the elusive background gaps in
> knowledge that prevent learning advancement, and for filling in those gaps
> everyone else assumes "everyone" knows with clear information delivered in a
> friendly, non-condescending tone absent in many tutorials. And without the
> jocular yatayatayata of some books such as the "For Dummies" series. Will
> you post your above to the Clamwin mailing list? If not, with your
> permission, and if you think it is still necessary, I will post a summary
> including your response on the list where I might better have started this
> journey.
>
> PPS: Do I get bottom posting now? Seems backwards.
>
Yes, you have the bottom posting correct now. Having spent 30 years in
the corporate world, it was weird at first but I like it much better now.

Thanks, I actually spent a great deal of my working career in support so
I have developed a knack for explaining things at a level I hope the
recipient will understand. Feel free to post any portion of this thread
on the ClamWin forum. Although some of my clients use ClamWin, I am not
signed up on that mailing list at this time.

Best of luck and let me know if updating and reinstalling Chrome works.

--
Jim Preston




teaquilter at lighthouse

May 15, 2012, 1:20 PM

Post #6 of 7 (1009 views)
Re: From a newbie: ClamAV scans shut down Google Chrome [In reply to]

On 05/15/2012 12:42 AM, Jim Preston wrote:

[snip]
>Best of luck and let me know if updating and reinstalling Chrome works.
>--
>Jim Preston
>
Dear Jim, The first ClamWin full scan I ran with the quarantine preference.
The four quarantined files went away. Google Chrome was inactivated, as you
anticipated. Two flagged files were the two that hadn't gone into
quarantine. I re-ran a ClamWin full scan with the remove preference. It
took away the two flagged files and gave me a "0 infected files" result in
green. Chrome was still inactive. I have now uninstalled it. I will
report back after reinstalling and trying another ClamWin full scan. I'll
try the report only preference; then if needed, quarantine; then if needed,
remove.
>
[snip]
>Feel free to post any portion of this thread on the ClamWin forum. Although
>some of my clients use ClamWin, I am not signed up on that mailing list at
>this time.
>
Jim, Thanks again. When I get Google Chrome back and can scan with ClamWin
again without false flags/shut downs, I'll report my experience to the
ClamWin list. Yours will be the teaching moments. My career was in community
journalism. I was teaching the use of newswire/page design software run on a
mainframe. Then Page 1 designers went Mac. The regional daily didn't go
PC/Internet until just as I was leaving. We did a whole lot of redesign and
expansion using the old system.



james.henrydoss at gmail

May 17, 2012, 7:25 AM

Post #7 of 7 (990 views)
Re: From a newbie: ClamAV scans shut down Google Chrome [In reply to]

Hi,

Is there any documentation available (other than the user manual) to understand
the ClamAV code design?

Thanks
James Henrydoss


On Tue, May 15, 2012 at 4:20 PM, Teresa K. Fowler <teaquilter [at] lighthouse> wrote:

> On 05/15/2012 12:42 AM, Jim Preston wrote:
>
> [snip]
> >Best of luck and let me know if updating and reinstalling Chrome works.
> >--
> >Jim Preston
> >
> Dear Jim, The first ClamWin full scan I ran with the quarantine preference.
> The four quarantined files went away. Google Chrome was inactivated, as you
> anticipated. Two flagged files were the two that hadn't gone into
> quarantine. I re-ran a ClamWin full scan with the remove preference. It
> took away the two flagged files and gave me a "0 infected files" result in
> green. Chrome was still inactive. I have now uninstalled it. I will
> report back after reinstalling and trying another ClamWin full scan. I'll
> try the report only preference; then if needed, quarantine; then if needed,
> remove.
> >
> [snip]
> >Feel free to post any portion of this thread on the ClamWin forum. Although
> >some of my clients use ClamWin, I am not signed up on that mailing list at
> >this time.
> >
> Jim, Thanks again. When I get Google Chrome back and can scan with ClamWin
> again without false flags/shut downs, I'll report my experience to the
> ClamWin list. Yours will be the teaching moments. My career was in community
> journalism. I was teaching the use of newswire/page design software run on a
> mainframe. Then Page 1 designers went Mac. The regional daily didn't go
> PC/Internet until just as I was leaving. We did a whole lot of redesign and
> expansion using the old system.
>