
ClamWin: Symantec AV Detection

dhartsoc
Offline
Last seen: 7 years 9 months ago
Joined: 2008-11-12 10:18
ClamWin: Symantec AV Detection

Ran into a problem today with Symantec AV detecting and deleting virus signatures from ClamWin Portable.

Symantec AV v. 10.1.4.4000 ; Update 6/17 rev. 3

ClamWin Portable v. 0.95.1 ; Update v. (main:51 ; daily:9484)

W32.IRCBot was what Symantec detected.

I realize this is really a problem for Symantec. Just wanted to report this occurring.

Tim Clark
Offline
Last seen: 12 years 11 months ago
Joined: 2006-06-18 13:55
Just so we can

Just so we can have some more information,
When and what did it delete?
Was CWP running, was it during the scan or right away on launch, or was CWP not even running yet?

Did Norton list the name and/or path to the file it deleted?

Tim

Things have got to get better, they can't get worse, or can they?

pbr
Offline
Last seen: 5 months 3 weeks ago
Joined: 2009-06-21 09:23
Similar experience

I had a similar experience. I had downloaded the new 0.95.2 version of ClamWinPortable and — paranoid that I am — after scanning the file with Symantec and SpyBot, scanned it with the 0.95.1 version which it was going to replace. Up popped a Symantec window:

Severity: High
Activity: Auto-Protect has detected W32.IRCBot
Status: Blocked
Date & Time: 6/19/2009 9:15:30 PM

The path listed was:

c:\documents and settings\[***]\local settings\temp\clamav9fb767c47c87f27d33ac0a45466107ea.00000fc0.clamtmp

The Symantec definitions version was 2009.06.19.004.

Fwiw, just prior to that (I found out by digging into View Recent History) there was this:

Severity: Low
Activity: clamscan.exe made 68 modifications to your computer
Status: Detected
Date & Time: 6:19/2009 9:15:29 PM

I'm assuming that it is a Symantec glitch, but still...

Oh, by the way, hi. I've been lurking in the shadows for a couple years. First posting.

Tim Clark
Offline
Last seen: 12 years 11 months ago
Joined: 2006-06-18 13:55
Thank you for all that

Thank you for all that information it helps.

Here's what I want you to do. Run your Norton AV on the ClamWinPortable directory itself. If I am right you will see that it has no problem.

Here is what I think is happening, as this is what happens on my machine.

Norton is not having a problem with ClamWinPortable itself, it is having a problem with a temporary file being created by CWP while it is scanning another file.

File abc.exe is a compacted file.
Norton finds no problem with abc.exe
CWP finds no problems with abc.exe
-->BUT

Things have got to get better, they can't get worse, or can they?

pbr
Offline
Last seen: 5 months 3 weeks ago
Joined: 2009-06-21 09:23
Re: Thank you for all that

I did some of what you suggested. Norton says my CWP is clean. (Ohhh no no no, I'm not going to scan my pc with CWP, uh-uh. I tried that once; Norton kept blocking CWP out. For that matter, I once did a scan of someone else's AV-less computer with Clam; I think it took overnight. I'm pretty certain that my rig is clean. In any event it's not acting weird...or at least not any weirder than usual. %-/)

I suspect you're right about it having something to do with the creation of the temp file. It's just odd that this is the only time I've had this happen. In point of fact, I replaced 0.95.1 with 0.95.2 on my stick that very night and used it to scan something I downloaded this morning. Nothing happened, no popups from Norton.

Oh, and forget about the fwiw in my first letter. Apparently that's customary behavior for Norton. (I checked Recent History after doing this last CWP scan and found another "clamscan.exe made X number of modifications to your computer" note. They're all in the same directory — c:\documents and settings\[***]\local settings\temp\.)

Tim Clark
Offline
Last seen: 12 years 11 months ago
Joined: 2006-06-18 13:55
Thanks for the update

I'm glad to hear you are not seeing this problem in 0.95.2. I will download and update tomorrow [modem ya'know]. But as I said above, on my system this only happens on about 6 files. The fact that you tested it and it did not happen does not mean it will not happen on other files.

Yes, that is normal behavior.
Norton calls it "modifications to your computer" but that is a bit misleading.
CWP is merely creating and deleting tmp files as it unpacks things during scanning. Those files are gone when scanning is done and CWP shuts down.

Tim

Things have got to get better, they can't get worse, or can they?
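The pattern Tim describes above (Norton flagging a file CWP has just unpacked into the temp directory, one second after the "clamscan.exe made N modifications" entry pbr quoted), as an added triage helper that is not from this thread or from either product: it parses pasted history records in pbr's format, tags hits whose path is a ClamAV-style .clamtmp file, and marks those that follow scanner activity within a few seconds as false-positive candidates for an analyst to review. The "Path:" field name and the <user> placeholder in the sample are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the two Norton "Recent History" entries quoted in this
# thread; "Path:" is an assumed field name (pbr quoted the path on a separate line).
SAMPLE_HISTORY = """\
Severity: High
Activity: Auto-Protect has detected W32.IRCBot
Date & Time: 6/19/2009 9:15:30 PM
Path: c:\\documents and settings\\<user>\\local settings\\temp\\clamav9fb767c47c87f27d33ac0a45466107ea.00000fc0.clamtmp

Severity: Low
Activity: clamscan.exe made 68 modifications to your computer
Date & Time: 6:19/2009 9:15:29 PM
"""
# ClamAV's unpack temp files look like "clamav<hex>.<hex>.clamtmp" inside a temp directory.
CLAMTMP_RE = re.compile(r"\\temp\\clamav[0-9a-f]+\.[0-9a-f]+\.clamtmp$", re.IGNORECASE)
SCAN_ACTIVITY_RE = re.compile(r"^(\S+) made \d+ modifications", re.IGNORECASE)
# Accepts the mistyped "6:19/2009" form from the post as well as the normal M/D/YYYY.
TIME_RE = re.compile(r"(\d{1,2})[/:](\d{1,2})/(\d{4}) (\d{1,2}:\d{2}:\d{2} [AP]M)")

def parse_history(text):
    """Split a pasted history dump into one {field: value} dict per blank-line-separated record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in chunk.splitlines())
        records.append({k.strip(): v.strip() for k, _, v in pairs})
    return records

def parse_time(value):
    m = TIME_RE.match(value)
    return datetime.strptime("%s/%s/%s %s" % m.groups(), "%m/%d/%Y %I:%M:%S %p") if m else None

def classify(rec):
    """Tag a record: hit on another scanner's unpack temp file, scanner file activity, or other."""
    if CLAMTMP_RE.search(rec.get("Path", "")):
        return "other-scanner-temp-file"
    if SCAN_ACTIVITY_RE.match(rec.get("Activity", "")):
        return "scanner-activity"
    return "other"

def review(text, window=timedelta(seconds=5)):
    """Return (kind, note) per record; a temp-file hit within `window` after scanner activity is a FP candidate."""
    recs = parse_history(text)
    activity = [(parse_time(r.get("Date & Time", "")), r["Activity"].split()[0])
                for r in recs if classify(r) == "scanner-activity"]
    out = []
    for rec in recs:
        kind, note, t = classify(rec), "", parse_time(rec.get("Date & Time", ""))
        for at, proc in activity:
            if kind == "other-scanner-temp-file" and t and at and timedelta(0) <= t - at <= window:
                note = "candidate false positive: %s was unpacking files %ds earlier" % (proc, (t - at).seconds)
        out.append((kind, note))
    return out
```

A flagged record still deserves a look at the original archive with the scanner that raised the alert, since a real detection inside an unpacked file produces the same timing.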

ottosykora
Offline
Last seen: 20 hours 32 min ago
Joined: 2007-10-11 17:48
this is correct

and by design so.
One antivirus software can not scan other antivirus software. Since each antivirus software needs to keep virus signatures ready to be able to find the actual viruses, it will clearly be detected by another antivirus which searches exactly for those signatures of viruses.

So running two antiviruses against each other will result in described problems if those antivirus are operational.

This is not a bug, it is a feature!

Otto Sykora
Basel, Switzerland

Tim Clark
Offline
Last seen: 12 years 11 months ago
Joined: 2006-06-18 13:55
Otto

This is not quite what I think to be the case here.
If you read my post above I think you will see that if you actually scan CWP with Norton there will be no problem.

But your basic principle is valid, 2 AV running at the same time can cause results which are confusing.

Tim

Things have got to get better, they can't get worse, or can they?

ottosykora
Offline
Last seen: 20 hours 32 min ago
Joined: 2007-10-11 17:48
well yes and no

Since all AV manufacturers are aware of the fact that they can not keep the sigs floating around free, they are compressed and encrypted. First, they do not want others to simply be able to copy the database, and they also want to try to prevent such problems; also, with the amount of sigs to be stored today, those databases are becoming very big, so heavy compression is needed.
If the antivirus 1 can scan antivirus 2 and nothing happens, either antivirus 1 is junk or antivirus 2 has very good encryption and compression on its database so no one can recognize what it is and can not see any single signature in it.

Once the database is going to be used, it has to be unpacked to some extent; it will also try to unpack the files to be scanned, place them into some temp place in RAM or elsewhere, then compare the sigs against those files, and all this should theoretically be cleaned away again after all those ops are finished. Therefore when one antivirus runs and the other does real-time scanning, it will all not work in general, since every time the database is handled it is supposed to give an alarm.
But then the cleaning after all ops are done? Well, it cleans all, but... About the same way as portable apps will clean all after shutdown? It will clean, but nothing can be perfect in such a case.

It is rather normal that a running real-time AV will give an alarm, for example during the update procedure of another AV. Avast will give an alarm during the update procedure of ClamWin, while it will not particularly care if the database is sitting unused next to its exe chief.

KAV did the same, but I had to teach it to leave this one out in a kind of block list.

Otto Sykora
Basel, Switzerland
