I ran a scan with ClamXav and found 15 infected files - Trojan and Phishing. I was told to rerun the scan with Quarantine turned on if I wanted to remove the files, which I did. The second scan found no infected files. I ran a third scan and still no infected files. Where are the infected files? Did ClamXav delete them? If so, what damage has been done to the mailboxes? If all the infected files were in Trash, does that make the situation better?
Hangar 8 wrote:
The first time I ran the scan ClamXav found the 15 infected files and quarantine was not turned on. There was a message to turn quarantine on if I wanted to remove the files
Actually, the message says "You can either deal with them yourself, or scan again with the preferences set to move them into a different folder."
I much prefer to deal with each file individually, rather than allow ClamXav to move anything, especially if I'm scanning e-mail content for malware or phishing. That prevents damage to my mailboxes and also allows me to check to see if the phishing e-mails are correct or false positives. In my case, almost all the phishing e-mails were incorrectly identified as such. As long as it doesn't find too many files I simply control-click / right-click on the identified file, select "Reveal In Finder" for e-mail, "Delete" for files that I'm certain are malware and "Quarantine" for those I'm not sure of and want to research.
at the time, I thought removing them was a good idea. So I reran the scan with quarantine turned on but it found no infected files. ClamXav must have deleted the infected files when I closed the program after the first scan. Is that what it is supposed to do? If so, were they placed in a folder and which one?
When you turned quarantine on in the ClamXav preferences, there was also a button to "Set quarantine folder..." after which it should have listed the path to that folder under "Quarantine infected files to:". In that same preference is another button which will "Open quarantine folder".
All that being said, I was unable to repeat your results. I ran the first scan which identified the test virus, turned quarantine on and the test virus stayed where it was first found. I ran a second scan where it was again identified, the status said "Quarantined" and when I opened the quarantine folder it was there. ClamXav takes great pains to exclude your quarantine folder, so anything that was moved to it will not be subsequently identified. So if those files are not in your quarantine folder, I have no idea where they went. You can look in your trash can, but they should not be there either.
If you remember the names of any of the files you can try finding them using Find Any File (Spotlight will probably not find them).
Lastly, I would encourage you to take future questions like this to the ClamXav Forum where you will find answers to most questions (although not all of this one) and maybe even get faster answers than here.