4 Replies Latest reply: Jan 17, 2012 4:50 AM by MadMacs0
Hangar 8 Level 1 (0 points)

I ran a scan with ClamXav and found 15 infected files - Trojan and Phishing. I was told to rerun the scan with Quarantine turned on if I wanted to remove the files, which I did. The second scan found no infected files. I ran a third scan and still no infected files. Where are the infected files? Did ClamXav delete them? If so, what damage has been done to the mailboxes? If all the infected files were in Trash, does that make the situation better?


MacBook Pro, Mac OS X (10.6.8)
  • ds store Level 7 (30,315 points)

    "Quarantine" means to do just that, remove the files to a Quarantine folder and neutered.

    Read the ClamXav documentation to see where they went.

    http://www.clamxav.com/

  • Hangar 8 Level 1 (0 points)

    The first time I ran the scan ClamXav found the 15 infected files and quarantine was not turned on. There was a message to turn quarantine on if I wanted to remove the files which, at the time, I thought removing them was a good idea. So I reran the scan with quarantine turned on but it found no infected files. ClamXav must have deleted the infected files when I closed the program after the first scan. Is that what it is supposed to do? If so, were they placed in a folder and which one?

  • MadMacs0 Level 5 (4,605 points)

    Hangar 8 wrote:

    The first time I ran the scan ClamXav found the 15 infected files and quarantine was not turned on. There was a message to turn quarantine on if I wanted to remove the files

    Actually, the message says "You can either deal with them yourself, or scan again with the preferences set to move them into a different folder."

    I much prefer to deal with each file individually, rather than allow ClamXav to move anything, especially if I'm scanning e-mail content for malware or phishing. That prevents damage to my mailboxes and also allows me to check to see if the phishing e-mails are correct or false positives. In my case, almost all the phishing e-mails were incorrectly identified as such. As long as it doesn't find too many files I simply control-click / right-click on the identified file, select "Reveal In Finder" for e-mail, "Delete" for files that I'm certain are malware and "Quarantine" for those I'm not sure of and want to research.

    at the time, I thought removing them was a good idea. So I reran the scan with quarantine turned on but it found no infected files. ClamXav must have deleted the infected files when I closed the program after the first scan. Is that what it is supposed to do? If so, were they placed in a folder and which one?

    When you turned quarantine on in the ClamXav preferences, there was also a button to "Set quarantine folder..." after which it should have listed the path to that folder under "Quarantine infected files to:". In that same preference is another button which will "Open quarantine folder".

    All that being said, I was unable to repeat your results. I ran the first scan which identified the test virus, turned quarantine on and the test virus stayed where it was first found. I ran a second scan where it was again identified, the status said "Quarantined" and when I opened the quarantine folder it was there. ClamXav takes great pains to exclude your quarantine folder, so anything that was moved to it will not be subsequently identified. So if those files are not in your quarantine folder, I have no idea where they went. You can look in your trash can, but they should not be there either.

    If you remember the names of any of the files you can try finding them using Find Any File (Spotlight will probably not find them).

    Lastly, I would encourage you to take future questions like this to the ClamXav Forum where you will find answers to most questions (although not all of this one) and maybe even get faster answers than here.

  • MadMacs0 Level 5 (4,605 points)

    ds store wrote:

    "Quarantine" means to do just that, remove the files to a Quarantine folder and neutered.

    Your use of the term neutered has been bothering me, so I thought I'd best return and comment.

    By moving the suspected file to a Quarantine you may be rendering it harmless, but there is nothing to stop you from opening an executable or an e-mail, webpage, etc. containing malware, so I would caution that it still needs to be analyzed and disposed of, if necessary, to be totally safe in the future. I know that some AV software has the ability to prevent the launch or access to quarantined files (e.g. VirusBarrier) by some mechanism that is still a mystery to me, but that's not true of ClamXav.