How can I remove ClamXAV and clamscan?

My MacOS 10.11.6 system's Activity Monitor shows the 'clamscan' process to be using 98+% CPU time and has been running for nearly eight hours of CPU Time. This happens every Sunday morning, I've tried killing it, but it just comes back the next Sunday morning. I'd like to turn it off permanently.


I have a ClamXAV.app file, version 2.8.9.1, that I apparently installed a year and a half ago, 1/28/16. If I launch it, a modal dialog says,


0 Days Remaining In Your Free Trial.


Its makers included a convenient "ClamAV Engine REMOVER.app" file (created 12/19/2009). If I launch it, the Finder puts up a modal dialog which says,


“ClamAV Engine REMOVER.app” is damaged and can’t be opened. You should move it to the Trash.


If I drop the file's icon onto a Script Editor icon, the Finder says the same thing.


HOWEVER, I can read the AppleScript inside this file by looking at it through the preview (rightmost) pane of a Finder window in Column View.


I can see about six lines of code. Alas, I cannot copy them. But I can scroll them, and so I can read them. So I suppose I could follow along and do what it would do.


My question is: Is there a more elegant way to do this?


--Gil

MacBook Pro, OS X El Capitan (10.11.6), Time Capsule Version 7.6.4

Posted on Jun 18, 2017 4:04 PM


Jul 16, 2017 7:47 PM in response to MadMacs0

MadMacs:


Thank you for your patience.

1) I don't understand how a scan would start by simply opening ClamXAV unless you selected something in the Scan list and pressed the "Scan" icon.

What I was trying to describe was the following log entries:



  • -------------------------------------------------------------------------------
  • Jun 19, 2017, 1:07:12 PM
  • Starting system scan…
  • Live Infections Found: 0
  • -------------------------------------------------------------------------------
  • Jun 19, 2017, 1:09:36 PM
  • Starting system scan…
  • Live Infections Found: 0
  • -------------------------------------------------------------------------------
  • Jun 20, 2017, 12:37:35 PM
  • Starting system scan…
  • Live Infections Found: 0
  • -------------------------------------------------------------------------------
  • Jun 20, 2017, 12:38:34 PM
  • Starting system scan…
  • Live Infections Found: 0


These entries correspond to times that I launched ClamXAV.app, then later closed it. It doesn't seem like a bug.


In order to address 2) and 3) I would need to see exactly what is being detected. You can do that by [...] into a reply here.


OK. Here's the whole thing. [~s are mine.]


  • -------------------------------------------------------------------------------
  • Jul 9, 2017, 3:45:02 AM Scheduled scan of: /Users/gil
  • -------------------------------------------------------------------------------
  • ~/Library/Application Support/.ShoppyTool/ShoppyTool/ShoppyTool: Osx.Malware.Agent-1453758 FOUND
  • ~/Library/Caches/com.Divx.Installer/fsCachedData/CC5C994E-DE0C-4BAC-B35C-ECEDD78D5F5E: PUA.OSX.ZipCloud.UNOFFICIAL FOUND
  • ~Library/Containers/com.apple.mail/Data/Library/Mail Downloads/0EE55EC7-F986-4331-B338-CE491DCFA43F/UPS_invoice-29043JJA.doc: Doc.Dropper.Agent-1383204 FOUND
  • ----------- SCAN SUMMARY -----------
  • Known viruses: 7265736
  • Engine version: 0.99.2
  • Scanned directories: 49340
  • Scanned files: 288275
  • Infected files: 3
  • Data scanned: 55289.43 MB
  • Data read: 131030.49 MB (ratio 0.42:1)
  • Time: 11116.703 sec (185 m 16 s)
  • -------------------------------------------------------------------------------
  • Jul 16, 2017, 4:38:34 AM Scheduled scan of: /Users/gil
  • -------------------------------------------------------------------------------
  • ~/Library/Application Support/.ShoppyTool/ShoppyTool/ShoppyTool: Osx.Malware.Agent-1453758 FOUND
  • ~/Library/Caches/com.Divx.Installer/fsCachedData/CC5C994E-DE0C-4BAC-B35C-ECEDD78D5F5E: PUA.OSX.ZipCloud.UNOFFICIAL FOUND
  • ~Library/Containers/com.apple.mail/Data/Library/Mail Downloads/0EE55EC7-F986-4331-B338-CE491DCFA43F/UPS_invoice-29043JJA.doc: Doc.Dropper.Agent-1383204 FOUND
  • ----------- SCAN SUMMARY -----------
  • Known viruses: 7268151
  • Engine version: 0.99.2
  • Scanned directories: 49337
  • Scanned files: 289342
  • Infected files: 3
  • Data scanned: 55473.23 MB
  • Data read: 131171.25 MB (ratio 0.42:1)
  • Time: 45935.091 sec (765 m 35 s)



My interpretation:


On July 9th, ClamScan found three bogies.

On July 16th ClamScan found the same three bogies.

The Quarantine file has nothing in it.

I conclude that ClamScan didn't quarantine the bogies.


How'd I do, coach?


Recall that I had trashed the Quarantine folder's contents over a month ago, then installed a fresh version of ClamXAV.app.


--Gil
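The comparison made by eye in the post above (the same items flagged on two consecutive Sundays, so nothing was quarantined in between) can be automated. This is an added example, not part of the original thread and not ClamXAV's own code; the function names are hypothetical and the sample log is constructed in the layout quoted above.

```python
import re

HEADER = re.compile(r"^(?P<when>.+ [AP]M) Scheduled scan of: (?P<target>.+)$")
FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
ELAPSED = re.compile(r"^Time: (?P<sec>[\d.]+) sec")

# Constructed sample in the scan-log layout quoted above (not the poster's real log).
SAMPLE_LOG = """\
-------------------------------------------------------------------------------
Jul 9, 2017, 3:45:02 AM Scheduled scan of: /Users/example
/Users/example/Library/Application Support/.ShoppyTool/ShoppyTool: Osx.Malware.Agent-1453758 FOUND
/Users/example/Downloads/invoice.doc: Doc.Dropper.Agent-1383204 FOUND
----------- SCAN SUMMARY -----------
Time: 11116.703 sec (185 m 16 s)
-------------------------------------------------------------------------------
Jul 16, 2017, 4:38:34 AM Scheduled scan of: /Users/example
/Users/example/Library/Application Support/.ShoppyTool/ShoppyTool: Osx.Malware.Agent-1453758 FOUND
----------- SCAN SUMMARY -----------
Time: 45935.091 sec (765 m 35 s)
"""

def parse_scans(text):
    """Split a scan log into scheduled scans with their detections and run time."""
    scans = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()  # tolerate bullets added by forum pastes
        m = HEADER.match(line)
        if m:
            scans.append({"when": m["when"], "target": m["target"], "found": {}, "seconds": None})
            continue
        if not scans:
            continue  # ignore anything before the first scan header
        m = FOUND.match(line)
        if m:
            scans[-1]["found"][m["path"]] = m["sig"]  # greedy path: split on the last ": "
            continue
        m = ELAPSED.match(line)
        if m:
            scans[-1]["seconds"] = float(m["sec"])
    return scans

def persistent_detections(scans):
    """Paths flagged in two consecutive scans, i.e. not quarantined or deleted in between."""
    return [(cur["when"], path, sig)
            for prev, cur in zip(scans, scans[1:])
            for path, sig in cur["found"].items() if path in prev["found"]]

if __name__ == "__main__":
    scans = parse_scans(SAMPLE_LOG)
    for s in scans:
        print(f'{s["when"]}: {len(s["found"])} detection(s), {s["seconds"] / 60:.0f} min')
    for when, path, sig in persistent_detections(scans):
        print(f"still present on {when}: {path} ({sig})")
```

A non-empty result from `persistent_detections` means a scheduled scan is reporting items without acting on them, which is the condition the poster inferred from the empty Quarantine folder.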

Jun 19, 2017 12:34 PM in response to Gil Dawson

ClamXav FAQ:

How do I uninstall ClamXAV completely?

First of all, quit ClamXAV Sentry (if you use it) and make sure it’s not set to launch at log in. Then simply drag ClamXAV.app to the trash; after a few seconds you’ll see a message asking if you would also like to uninstall the scanning engine. The uninstaller will remove the scanning engine and any schedules you’ve got set up. But we’ll be sorry to see you go.


You can also download the uninstaller directly by clicking: ClamXav Uninstaller.pkg which will start an immediate download.

Jun 19, 2017 6:21 PM in response to Gil Dawson

Gil Dawson wrote:


Last Sunday, though, I didn't go to church and found it running hours later

Perhaps you were scanning your entire boot drive and that caused a scan of your Time Machine or other backup volume, if attached. Check the ClamXAV FAQ "Why is the scan taking so long?" for details on why that's not recommended and use ClamXAV Preferences->Exclude Files tab, dragging the backup volume into the window to prevent this.

Jun 29, 2017 6:23 PM in response to MadMacs0

I'm trying out the new Version 2.14/0.99.2 (3295). The Preferences->Exclude Files tab seems to be about files, not disks. I dragged my backup disk to the ClamXAV Preferences window and it disappeared in a puff of smoke. Then my backup disk was unmounted. This is not quite how I pictured it would work.


However, the "Source List" panel of my ClamXAV main window does not have the backup disk in the list, so I suppose this is the right configuration.


Preferences -> Schedule I have set to Update on Sunday at 3:30 am and scan on Sunday at 3:45 am. According to the log, it ran on June 25 (Sunday) at 3:45 am, then again midafternoon on Tuesday (June 27) and again just now today (June 29). These latter two probably correspond to when I launched the app.


It found three bad guys last Sunday.


--Gil

Jun 29, 2017 6:46 PM in response to Gil Dawson

Gil Dawson wrote:


The Preferences->Exclude Files tab seems to be about files, not disks. I dragged my backup disk to the ClamXAV Preferences window and it disappeared in a puff of smoke.

The exclude list does include mounted volumes, but you need to drag the icon from your desktop to the prefs window, not from the sidebar of a finder window, or click the plus "+" button at the bottom of the Exclude Preferences window and navigate to that mounted volume.

However, the "Source List" panel of my ClamXAV main window does not have the backup disk in the list, so I suppose this is the right configuration.

The source list only contains items that were originally there and items you have selected to scan. Just because something doesn't appear there does not mean it will be excluded.

Preferences -> Schedule I have set to Update on Sunday at 3:30 am and scan on Sunday at 3:45 am. According to the log, it ran on June 25 (Sunday) at 3:45 am, then again midafternoon on Tuesday (June 27) and again just now today (June 29). These latter two probably correspond to when I launched the app.

That all sounds correct. If your computer remains sleeping at the scheduled time on Sunday, then the scan should occur when you wake it up. If the computer is shut down on Sunday at that time, then there will be no scheduled scan.

Jul 2, 2017 7:20 AM in response to MadMacs0

It's Sunday morning. clamscan is running 40-60% CPU. The log shows three entries:


1) A scan started at 3:45 and found those same three bad guys


2) Another scan started at 7am, probably when I launched ClamXAV


3) Another scan started at 7:01, probably when I dragged my backup disk's icon from the desktop to ClamXAV -> Preferences -> Exclude files. That worked, although I'm a bit late following your advice.


A few questions:


1) What is the proper way to turn off clamscan until next week? Would Quit from the Activity Monitor mess up anything?


2) Why does clamscan find the same bad guys this week? I thought it would quarantine them and then they'd be gone.


3) I trashed the contents of the Quarantine file a few weeks ago. (It contained mostly .exe files from email attachments.) It's still empty. I thought clamscan would put new bad guys there.

Jul 2, 2017 11:17 AM in response to Gil Dawson

1) I don't understand how a scan would start by simply opening ClamXAV unless you selected something in the Scan list and pressed the "Scan" icon. I know there is some kind of bug in v2.14 that will stop a scheduled scan if you open ClamXAV while it's running, so could be connected with that. You should report this to the Help Desk. Clamscan should stop on its own by quitting ClamXAV, but doing so from the Activity Monitor shouldn't damage anything.


In order to address 2) and 3) I would need to see exactly what is being detected. You can do that by clicking in the window that shows the infected items, selecting all <Command>-A, then copy <Command>-C and paste <Command>-V the contents of your clipboard into a reply here. You can also find this information in the scan log by searching for lines that end in "FOUND".


Since you indicate that it previously found email attachments, that probably means it's detecting the emails that had those attachments and it won't move or delete email to prevent mailbox corruption. What it should do is move them to a Quarantine mailbox, so check Apple Mail to see if they are there.


A tip in this area. Before scanning your email, check to see that you've emptied your Trash and Junk mailboxes first. That's where most such items end up.

Jul 16, 2017 10:35 PM in response to Gil Dawson

With respect to 1), every time the ClamXAV app is opened, it conducts what is called a "Live" or "System" scan, looking only in places where malware is known to install files. It only takes a few seconds and in your case hasn't found anything. If it had there would be entries in the main window for you to take action (ignore, quarantine or delete). To prevent such scans, simply don't launch the ClamXAV app or ClamXAV Sentry.


Since the results you showed me are for a scheduled scan, the only way to act on them if your Quarantine Folder isn't set up would be to follow the path shown and drag the files to the Trash. The other option would be to do a manual scan of your home folder and when they appear in the ClamXAV window, highlight them and choose the "Delete File" icon.


ShoppyTool is Adware which installs itself in your ~/Library/Application Support/ in a directory that was made invisible by starting the name with a dot ".ShoppyTool". To locate the process, Copy the path "~/Library/Application Support/.ShoppyTool/" without quotes to the clipboard, select "Go to Folder..." from the Finder's Go menu, paste the path into the dialog box and click the Go button. Now drag the entire "Shoppy Tool" folder to the trash to get rid of the executable.


ZipCloud is commercial cloud sync software that has been classified as a Potentially Unwanted Application (PUA) due to the way it often sneaks onto computers bundled with other 3rd party software (in your case it looks like it came with DivX). The main application is easily removed by quitting it then dragging it to the Trash if you still have it in your Applications folder. Perhaps you opted-out of installing it when you installed DivX. In any case, the file that you found is simply a Cache file that was produced when you installed DivX so it's completely harmless, but choosing to delete it would be the best choice to avoid having to see it again.


Doc.Dropper.Agent-1383204 appears to be a Windows only executable e-mail attachment, disguised as "UPS_invoice-29043JJA.doc". The original e-mail was probably deleted, but for some reason (perhaps you tried to open it) a copy was saved. Again this is harmless on a Mac, but you should be able to delete that, as well.


Installing a new copy of ClamXAV should not have changed anything with respect to your Quarantine folder unless you purposely deleted the Quarantine folder itself or your preference files, which are not automatically removed by trashing ClamXAV. If you want to use such a folder, then make sure it's still where it was originally and that it's been set in ClamXAV Quarantine Preferences and enabled with the check box. You can verify that it's all correct by clicking the "Open quarantine folder" there.

Jul 18, 2017 10:57 AM in response to MadMacs0

Thanks, MadMac--


I appreciate your help.


With respect to 1), every time the ClamXAV app is opened, it conducts what is called a "Live" or "System" scan, looking only in places where malware is known to install files. It only takes a few seconds and in your case hasn't found anything.


Well, now that's explained! Thanks.


Since the results you showed me are for a scheduled scan, the only way to act on them...


Well, I'd prefer that the Quarantine Folder be working.


ShoppyTool...


Thanks for the explanations.


Installing a new copy of ClamXAV should not have changed anything with respect to your Quarantine folder unless you purposely deleted the Quarantine folder itself or your preference files, which are not automatically removed by trashing ClamXAV. If you want to use such a folder, then make sure it's still where it was originally and that it's been set in ClamXAV Quarantine Preferences and enabled with the check box. You can verify that it's all correct by clicking the "Open quarantine folder" there.


I didn't purposely delete it, but...


Just now I launched ClamXAV, waited for the short scan to complete, clicked on Preferences on the right of the top row, and clicked on its Quarantine tab. The checkbox was checked and the path looked right.

I clicked on the button "Open quarantine folder". A Finder window opened, showing the folder -- empty.


That's not right, is it?


Then, by way of experiment, in the ClamXAV window, I clicked on my Home folder and then on Start Scan... It's still running, but already two of the bogies show in the window as "Quarantined" and are, indeed, now in the Quarantine folder. I guess I fixed it inadvertently, huh? That, or something's different in my preferences for scheduled scans.


The scan log is much bigger than the logs (above) from the Sunday morning scheduled scans. It's filled with lots of pairs of entries like these two:


2017-07-18 16:38:47.257 hdiutil[54702:10550790] Error loading /Users/gil/Library/Plug-ins/DiskImages/VirtualPCDiskImagePlugin.bundle/Contents/MacOS/VirtualPCDiskImagePlugin: dlopen(/Users/gil/Library/Plug-ins/DiskImages/VirtualPCDiskImagePlugin.bundle/Contents/MacOS/VirtualPCDiskImagePlugin, 262): no suitable image found. Did find:

/Users/gil/Library/Plug-ins/DiskImages/VirtualPCDiskImagePlugin.bundle/Contents/MacOS/VirtualPCDiskImagePlugin: mach-o, but wrong architecture


2017-07-18 16:38:47.267 hdiutil[54702:10550790] Cannot find function pointer MacDiskImagePluginFactory for factory 4D08F98C-8968-11D6-8667-0003933E9206 in CFBundle/CFPlugIn 0x7fca924127a0 </Users/gil/Library/Plug-ins/DiskImages/VirtualPCDiskImagePlugin.bundle> (bundle, not loaded)


Perhaps I should delete Virtual PC, as it's long out of date and I no longer use it.


What time zone is this log using? It's 10:48 am PDT here. Did that last entry above happen ten minutes ago or an hour and ten minutes ago?


I sure appreciate your advice, MadMacs.


--Gil

Jul 18, 2017 11:07 PM in response to Gil Dawson

Glad you got Quarantine working again!


The entries you pointed out are not from the Scan Log. All logs are displayed by the Console utility app, so the window you are seeing probably says "All Messages" at the top and not "clamXav-scan.log".


What it's showing is that the process "hdiutil" which is a utility process that is used to manipulate disk images is trying to deal with something that isn't in the format expected.


I am not at all familiar with Virtual PC, so can't really add anything to what the Console is telling you, but if as you say it's out-of-date and not used, then it would be wise to consult the developer for instructions on the proper way to uninstall it. That's something you should always do for any 3rd party app that didn't come from the App Store.
