> It's not a bug nor a known problem. You didn't install/configure ClamAV 
> properly.

I did install it properly, as there isn't much to do wrong when 
downloading the NSIS-based installer and just clicking "OK" everywhere.

And I found the "problem". Look at this:

P:\_virii>c:\clamav-devel\bin\clamscan p:\\_virii
p:\\_virii/Clean.dot.virus: WM.Buero.A FOUND
p:\\_virii/Happy99.exe.virus: Trojan.Happy99.SKA FOUND
p:\\_virii/Hotvir.arj.virus: OK
p:\\_virii/Hotvir.zip.virus: WM.Buero.A FOUND
p:\\_virii/Makro.arj.virus: OK
p:\\_virii/Nopde.doc.virus: WM.Nop.A FOUND
p:\\_virii/Nopde.zip.virus: OK
p:\\_virii/Normal.dot.virus: WM.Buero.A FOUND
p:\\_virii/Pack.zip.virus: Zip module failure
p:\\_virii/Pretty Park.exe.virus: W32.PrettyPark FOUND
p:\\_virii/profil CW.DOC.virus: W97M.Ethan FOUND
p:\\_virii/profil CW_mit Passwort.zip.virus: OK
p:\\_virii/Profilcw.doc.virus: W97M.Ethan FOUND

----------- SCAN SUMMARY -----------
Known viruses: 39349
Engine version: devel-20050725
Scanned directories: 1
Scanned files: 13
Infected files: 8
Data scanned: 0.12 MB
Time: 2.193 sec (0 m 2 s)

P:\_virii>c:\clamav-devel\bin\clamscan
/cygdrive/p/_virii/Clean.dot.virus: WM.Buero.A FOUND
/cygdrive/p/_virii/Happy99.exe.virus: OK
/cygdrive/p/_virii/Hotvir.arj.virus: OK
/cygdrive/p/_virii/Hotvir.zip.virus: WM.Buero.A FOUND
/cygdrive/p/_virii/Makro.arj.virus: OK
/cygdrive/p/_virii/Nopde.doc.virus: WM.Nop.A FOUND
/cygdrive/p/_virii/Nopde.zip.virus: OK
/cygdrive/p/_virii/Normal.dot.virus: WM.Buero.A FOUND
/cygdrive/p/_virii/Pack.zip.virus: Zip module failure
/cygdrive/p/_virii/Pretty Park.exe.virus: W32.PrettyPark FOUND
/cygdrive/p/_virii/profil CW.DOC.virus: W97M.Ethan FOUND
/cygdrive/p/_virii/profil CW_mit Passwort.zip.virus: OK
/cygdrive/p/_virii/Profilcw.doc.virus: W97M.Ethan FOUND

----------- SCAN SUMMARY -----------
Known viruses: 39349
Engine version: devel-20050725
Scanned directories: 1
Scanned files: 13
Infected files: 7
Data scanned: 0.12 MB
Time: 1.483 sec (0 m 1 s)

So there seems to be a problem and something is done differently when 
the file is passed to the scanner as a cygwin path or as a native Windows 
path. Comparing the debug output, it does find the virus directly 
after recognizing it as an executable file. The other one starts printing 
information about the file. Here is everything from the recognition 
point:

native:

LibClamAV debug: Recognized DOS/W32 executable/library/driver file
LibClamAV debug: Trojan.Happy99.SKA found in descriptor 4.
p:\\_virii\\happy99/Happy99.exe.virus: Trojan.Happy99.SKA FOUND

cygwin path:

LibClamAV debug: Recognized DOS/W32 executable/library/driver file
LibClamAV debug: Calculated MD5 checksum: 78124c7632d29011c29894c55be4be58
LibClamAV debug: e_lfanew == 256
LibClamAV debug: Machine type: 80386
LibClamAV debug: NumberOfSections: 4
LibClamAV debug: TimeDateStamp: Wed Nov  3 15:07:27 1909
LibClamAV debug: SizeOfOptionalHeader: 224
LibClamAV debug: MajorLinkerVersion: 2
LibClamAV debug: MinorLinkerVersion: 25
LibClamAV debug: SizeOfCode: 2560
LibClamAV debug: SizeOfInitializedData: 5632
LibClamAV debug: SizeOfUninitializedData: 0
LibClamAV debug: AddressOfEntryPoint: 0x10000
LibClamAV debug: SectionAlignment: 65536
LibClamAV debug: FileAlignment: 512
LibClamAV debug: MajorSubsystemVersion: 3
LibClamAV debug: MinorSubsystemVersion: 10
LibClamAV debug: SizeOfImage: 327680
LibClamAV debug: SizeOfHeaders: 1024
LibClamAV debug: Subsystem: Win32 GUI
LibClamAV debug: NumberOfRvaAndSizes: 16
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 0
LibClamAV debug: Section name: CODE
LibClamAV debug: VirtualSize: 4096
LibClamAV debug: VirtualAddress: 0x10000
LibClamAV debug: SizeOfRawData: 2560
LibClamAV debug: PointerToRawData: 0x600 (1536)
LibClamAV debug: Section contains executable code
LibClamAV debug: Section's memory is executable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 1
LibClamAV debug: Section name: DATA
LibClamAV debug: VirtualSize: 4096
LibClamAV debug: VirtualAddress: 0x20000
LibClamAV debug: SizeOfRawData: 4096
LibClamAV debug: PointerToRawData: 0x1000 (4096)
LibClamAV debug: Section's memory is writeable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 2
LibClamAV debug: Section name: .idata
LibClamAV debug: VirtualSize: 4096
LibClamAV debug: VirtualAddress: 0x30000
LibClamAV debug: SizeOfRawData: 1024
LibClamAV debug: PointerToRawData: 0x2000 (8192)
LibClamAV debug: Section's memory is writeable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 3
LibClamAV debug: Section name: .reloc
LibClamAV debug: VirtualSize: 4096
LibClamAV debug: VirtualAddress: 0x40000
LibClamAV debug: SizeOfRawData: 512
LibClamAV debug: PointerToRawData: 0x2400 (9216)
LibClamAV debug: ------------------------------------
LibClamAV debug: EntryPoint offset: 0x600 (1536)
/cygdrive/p/_virii/happy99/Happy99.exe.virus: OK

> I'm 95% sure that the answer to your problem is in the FAQ, so it's not 
> a problem of lack of documentation either.

It's not in the FAQ.
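The comparison made by hand in the post above, as an added example that is not part of the original message: it parses two clamscan reports and lists every file whose verdict differs between them. The function names are hypothetical, the sample reports are excerpts of the two runs quoted in the post, and matching files by their last path component assumes both runs cover the same flat directory.

```python
import re

# Excerpts of the two clamscan runs quoted in the post (same files, two path styles).
NATIVE_RUN = r"""
p:\\_virii/Clean.dot.virus: WM.Buero.A FOUND
p:\\_virii/Happy99.exe.virus: Trojan.Happy99.SKA FOUND
p:\\_virii/Pack.zip.virus: Zip module failure
p:\\_virii/Pretty Park.exe.virus: W32.PrettyPark FOUND

----------- SCAN SUMMARY -----------
Infected files: 8
"""
CYGWIN_RUN = """
/cygdrive/p/_virii/Clean.dot.virus: WM.Buero.A FOUND
/cygdrive/p/_virii/Happy99.exe.virus: OK
/cygdrive/p/_virii/Pack.zip.virus: Zip module failure
/cygdrive/p/_virii/Pretty Park.exe.virus: W32.PrettyPark FOUND

----------- SCAN SUMMARY -----------
Infected files: 7
"""

def parse_scan(text):
    """Map file name -> verdict for the per-file lines of a clamscan report."""
    verdicts = {}
    for line in text.splitlines():
        if "SCAN SUMMARY" in line:
            break                      # summary lines also look like "key: value"
        if not line.strip() or line.startswith("LibClamAV"):
            continue                   # blank lines and --debug chatter
        path, sep, verdict = line.rpartition(": ")
        if not sep:
            continue
        # Key on the last path component so both path styles map to the same file.
        name = re.split(r"[\\/]", path)[-1]
        verdicts[name] = verdict.strip()
    return verdicts

def diff_runs(run_a, run_b):
    """Return (name, verdict_a, verdict_b) for every file the runs disagree on."""
    a, b = parse_scan(run_a), parse_scan(run_b)
    return sorted(
        (name, a.get(name, "MISSING"), b.get(name, "MISSING"))
        for name in a.keys() | b.keys()
        if a.get(name) != b.get(name)
    )

if __name__ == "__main__":
    for name, native, cygwin in diff_runs(NATIVE_RUN, CYGWIN_RUN):
        print(f"{name}: native={native!r} cygwin={cygwin!r}")
```

Run against the two full reports, a non-empty result is the signal that the same engine and database gave different answers for the same bytes, which is worth checking whenever a scanner is invoked through more than one path convention.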