Frequently Asked Questions

Please check through these questions and the forums before submitting feedback.

1. When I restart from the Mac OS X CD/DVD I can't change my password if ClamXav has been installed.

2. Why am I getting a "file not found" error when I have a quarantine folder set?

3. How can I set more than one pattern to ex/include during the scan?

4. Why doesn't the "OK" button work for saving the schedule settings?

5. Why is my Admin password needed to change the schedule settings?

6. I've seen ...... in the update log. What does it mean and should I worry about it?

7. I am running ClamXav to scan my whole startup disk and I'm seeing.....error

7a. How can I scan my entire hard drive properly?

8. Should the engine installer for ClamXav really be adding a ClamAV user and group?

9. Will ClamXav cause conflicts with other AntiVirus scanners?

10. Should I get rid of my other virus scanner and just use ClamXav from now on?

11. Does ClamXav provide support for Opener/Renepo?

12. What is Opener/Renepo?

13. Must I use your bundled version of the ClamAV engine?

14. HELP! ClamXav deleted all my email. What can I do?

15. How do I remove ClamXav and the associated engine?

16. Can Mac viruses which pre-date OS X infect Mac OS X in any way?

17. Why am I seeing "Error updating definitions" or "Can't create new file" when I update definitions?

1. When I restart from the Mac OS X CD/DVD I can't change my password if ClamXav has been installed.

Owing to a problem with an old ClamAV Engine Installer, the ClamAV user (which is required to update the virus definitions) didn't get created fully. While it is enough to make ClamXav work, it caused the "Reset Password" utility on the Mac OS X installation disc to crash, leaving users with no way to restore a forgotten administrator password. This was fixed in a subsequent Engine Installer and is no longer an issue. Update to the newest version of the ClamAV engine to sort the problem.

2. I'm getting a "file not found" error when I have a quarantine folder set. Why?

In ClamAV 0.80, support for quarantine folders with a space in the name is broken. Quarantine will not work if there is a space anywhere in the path to the folder, e.g. /Users/mark/Desktop/Suspicious Files/Quarantine. Update to the newest version of the ClamAV engine to sort the problem.

3. How can I set more than one pattern to ex/include during the scan?

In a regular expression, the pipe character (sometimes known as the vertical bar) | is used to mean "or". Use this between multiple text patterns, but do not include a space on either side of it.
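
The effect of the pipe, and of stray spaces around it, shown as an added example (not ClamXav's own code). It uses Python's re module as a stand-in for the scanner's pattern matching; the paths, patterns and function names are constructed for illustration.

```python
import re

# Constructed sample paths, for illustration only.
PATHS = [
    "/Users/mark/Music/song.mp3",
    "/Users/mark/Movies/holiday.mov",
    "/Users/mark/Documents/report.doc",
    "/Users/mark/Downloads/installer.dmg",
]

GOOD = r"\.mp3$|\.mov$"     # "ends in .mp3" OR "ends in .mov"
BAD = r"\.mp3$ | \.mov$"    # the spaces become part of each alternative


def excluded(paths, pattern):
    """Return the paths a scan would skip for this exclude pattern."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def padded_alternatives(pattern):
    """Return the alternatives that carry a leading or trailing space.

    Splits on every '|' without parsing groups or escapes, which is
    enough for flat patterns like the two above.
    """
    return [alt for alt in pattern.split("|") if alt != alt.strip()]


if __name__ == "__main__":
    print(excluded(PATHS, GOOD))        # the .mp3 and .mov files
    print(excluded(PATHS, BAD))         # nothing: the rule silently fails
    print(padded_alternatives(BAD))     # the two alternatives to fix
```

With the padded pattern nothing is excluded and no error is raised, so files you meant to skip are scanned (or, for an include pattern, files you meant to scan are skipped) without any warning.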

4. In preferences, why doesn't the "OK" button work for saving the schedule settings?

Your admin password is needed to make any changes to your schedule settings and I'd rather not have to ask for it each and every time you open and close the preferences sheet. I'm investigating other ways around this, so hopefully it will change with the next version.

5. Why is my Admin password needed to change the schedule settings?

Scheduled scans and updates are performed by a system program called 'cron'. Cron reads the 'crontab' settings file which contains a list of scheduled tasks. For security reasons, root is the only user allowed access to said file, therefore your admin password is required both to read and write to it in order to add a schedule for ClamXav scanning and updating.

6. I've seen this in the update log. What does it mean and should I worry about it?

ClamAV update process started at Thu Nov 4 16:33:58 2004
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES

A digital signature is sometimes used to verify that the file which was just downloaded onto your computer is exactly the same as that which was on the server you downloaded it from.

Simplifying it slightly, magic numbers are calculated on each file and compared with the server's calculation. If the two numbers match, you can safely assume the files have not been tampered with on their way to your computer. I chose not to include support for digital signatures as it would involve increasing the size and time of the ClamXav download and would require even more files to be installed on your computer.

If you have a strong desire to have ClamXav check the digital signatures of the virus definition database, then I suggest you install the clamav engine via Fink (download from http://fink.sourceforge.net). FinkCommander can be used to simplify this process somewhat.

I've also seen this in the update log. What does it mean and should I worry about it?
WARNING: Your ClamAV installation is OUTDATED - please update immediately!
WARNING: Current functionality level = xxx, required = yyy

This happens when the folks who develop the ClamAV scanning engine release a more up-to-date version. If you start seeing this, it's a safe bet that there'll be a new version of ClamXav's engine on its way soon. I suggest you use the built-in update check feature of ClamXav to keep on top of new versions of both ClamXav and the scanning engine backend.
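
The two checks behind these log messages, the "magic number" comparison and the functionality-level comparison, sketched as an added example (not ClamXav or ClamAV code). It assumes the usual .cvd layout of a 512-byte, colon-separated text header followed by the database body; the function names and the sample file are constructed.

```python
import hashlib

HEADER_LEN = 512  # assumption: fixed-size text header at the start of a .cvd
FIELDS = ("magic", "build_time", "version", "signatures",
          "functionality_level", "md5", "dsig", "builder", "stime")


def parse_header(blob):
    """Split the colon-separated header into named fields."""
    if len(blob) < HEADER_LEN:
        raise ValueError("truncated file: no complete header")
    parts = blob[:HEADER_LEN].decode("ascii", "replace").strip().split(":")
    if parts[0] != "ClamAV-VDB" or len(parts) < 7:
        raise ValueError("not a ClamAV database header")
    return dict(zip(FIELDS, parts))


def check_database(blob, engine_flevel):
    """Return a list of problems; an empty list means both checks passed."""
    hdr = parse_header(blob)
    problems = []
    # The "magic number": a digest of everything after the header.
    if hashlib.md5(blob[HEADER_LEN:]).hexdigest() != hdr["md5"].lower():
        problems.append("digest mismatch: body corrupted or altered")
    # The digest travels inside the file, so on its own it only catches
    # corruption. Verifying hdr["dsig"] against the publisher's public key
    # is the step that detects tampering; it is not implemented here.
    required = int(hdr["functionality_level"])
    if required > engine_flevel:
        problems.append("engine outdated: functionality level = %d, required = %d"
                        % (engine_flevel, required))
    return problems


def build_sample(body, flevel):
    """Constructed test database; the dsig field is a placeholder."""
    head = "ClamAV-VDB:04 Nov 2004 16-33 +0000:1:1:%d:%s:PLACEHOLDER:sample:0" % (
        flevel, hashlib.md5(body).hexdigest())
    return head.encode("ascii").ljust(HEADER_LEN) + body


if __name__ == "__main__":
    db = build_sample(b"constructed signature data", flevel=5)
    print(check_database(db, engine_flevel=5))              # []
    print(check_database(db[:-1] + b"X", engine_flevel=3))  # both problems
```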

7. I am running ClamXav to scan my whole startup disk and got the following error. What does it mean?

ERROR: Can't open file /dev/fd/3
Mac OS X stores its open file descriptors in /dev/fd/. Because these aren't in fact real files, ClamXav cannot scan them and the scanning engine gets confused when it comes across them. You should no longer see this error with ClamXav 0.9.0 and later.

I am running ClamXav to scan my whole startup disk and it never seems to stop. In fact, "currently checking" shows the same files being checked over and over again.
This happens because of a symlink (a.k.a "alias" in Mac speak) Apple placed inside the hard drive which actually points back to the hard drive itself. When ClamXav hits the symlink during its scan, it dutifully follows it...right back to the start of the disk until it comes across the symlink again....which it follows.... I presume you're seeing a pattern here! We have a never-ending loop.

This reason, and the answer to the previous question, is why scanning the entire startup disk is now prohibited in ClamXav.
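
How a scanner can avoid both problems described above, as an added example (not ClamXav's code): it remembers every directory and file it has already visited, so a symlink pointing back up the tree ends the walk instead of restarting it, and it hands only regular files to the scanner. The name scan_targets and the demo tree are hypothetical.

```python
import os
import stat
import tempfile


def scan_targets(root):
    """Yield each regular file under root once, following symlinks safely."""
    seen = set()                  # (device, inode) of everything visited
    stack = [root]
    while stack:
        path = stack.pop()
        try:
            st = os.stat(path)    # follows symlinks to their target
        except OSError:
            continue              # dangling link or entry that vanished
        key = (st.st_dev, st.st_ino)
        if key in seen:
            continue              # a link led back to something already seen
        seen.add(key)
        if stat.S_ISDIR(st.st_mode):
            try:
                names = sorted(os.listdir(path))
            except OSError:
                continue          # unreadable directory
            stack.extend(os.path.join(path, n) for n in names)
        elif stat.S_ISREG(st.st_mode):
            yield path
        # Devices, FIFOs, sockets and other non-file entries are skipped.


if __name__ == "__main__":
    # Constructed tree: one file, plus a symlink that points back at the root.
    top = tempfile.mkdtemp()
    os.mkdir(os.path.join(top, "sub"))
    open(os.path.join(top, "sub", "a.txt"), "w").close()
    os.symlink(top, os.path.join(top, "sub", "loop"))
    print(list(scan_targets(top)))    # one entry; the walk terminates
```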

7a. How can I scan my entire hard drive?

When you click "Choose what to scan...", select your hard drive but don't click "OK" yet. What you have to do is hold down the command key (the one with the Apple symbol) and then select everything you see in there. It should look something like this. Then click "OK" and continue as normal.

8. Should the engine installer for ClamXav really be adding a ClamAV user and group?

Yes, the ClamAV back end needs to have its own user and group in order to update the virus definitions. If you want to know why, you'll have to ask the people over at clamav.net.

Under Mac OS X 10.4 (Tiger) and later, the ClamAV user/group already exist preconfigured by Apple.

9. Will ClamXav cause conflicts with other AntiVirus scanners?

No conflicts have as yet been reported, however having two different scanners checking the same files/folders is a recipe for disaster if one or other of them is set to move infected files into quarantine. If neither is set to move files about, then I don't see there being a problem, however, I do not possess a copy of any virus checker other than ClamXav so I can't really comment on this. If you're worried about it, maybe you could ask in the forums to see if anyone else has succeeded in running more than one scanner at once.

10. Should I get rid of my other virus scanner and just use ClamXav from now on?

Have you paid good money for it? If so, and you have no pressing reason to dump your other scanner, then I would honestly have to say "no". You've paid, so you may as well get your money's worth from it! I can not offer anywhere near the same level of user support as the bigger companies. In fact, this is one of the reasons why I'm not charging for ClamXav.

11. Does ClamXav provide support for Opener/Renepo?

No.

12. I know Opener/Renepo isn't a virus or even a trojan, but what IS it then?

It's little more than a proof of concept. A virus is a self-replicating malicious piece of software designed to destroy files and folders on a computer system. A trojan is a piece of software which pretends to be legitimate and useful but does in fact install other software (unbeknownst to you) which opens up a "back door" to your computer, allowing a hacker to have access to your files and theoretically your entire computer system. In this instance, Opener would be the "other software" – or you might call it the "payload".

Whilst "Opener" does in fact perform various tasks to open up "back doors" to your computer, you would have to physically and deliberately install Opener yourself. No-one should do this unless they're deliberately trying to find out what it does. If you (or some other admin user on your computer) don't make a deliberate effort to install Opener yourself, you will not have to worry about it. The key here, as you've probably guessed, is the word "deliberate". Opener/Renepo can not get onto your computer without your knowing about it. Hence, it is not a trojan.

Furthermore, it has no way to replicate itself to other computers, be it via email, CD or even the humble floppy. Hence it is not a worm. It doesn't destroy files on your computer and therefore is not a virus either.

However, that is not to say that it will never become a threat. As it stands, it is currently only a proof of concept, but don't be surprised to see someone at some point in the future using parts of it in their own trojan. Do be vigilant about watching for virus warnings on Mac news websites.

I still don't believe you!
Google for it then!

13. Must I use your bundled version of the ClamAV engine?

No, of course not. ClamXav should work with any recent version of clamav. It works with Fink's distributions (from version 0.75-1 onwards) and the official source from clamav.net (version 0.80 onwards).

If you build and install it into /usr/local/clamXav, you will fool ClamXav into thinking it installed it itself...although there is little to be gained by doing so! If you don't install it there, read these instructions to establish how to let ClamXav know where your installation is.

14. HELP! ClamXav deleted all my email. What can I do?

First and foremost, ClamXav did not delete your email. You may, however, have told it to move infected files into quarantine. As all email in one mailbox is treated as a single file, one single infected message is enough to have that entire mailbox removed to the quarantine folder.

Of course, you followed my advice and backed-up your email and important files, didn't you? No problem then, just make sure your email program isn't running and replace your mail folder with the back up.

If you didn't backup, then the only thing I can offer is the following instructions for Apple's Mail client:
Quit Mail program (choose the quit command from the "Mail" menu, it is NOT enough just to close all visible windows)

Backup your mail folder (File->Duplicate) so you can go back to a semi-working state should things go awry again. You'll usually find this folder inside the library of your home folder - in my case, it'd be /Users/mark/Library/Mail

Now, open Mail again and from the File Menu, choose "Import Mailbox". A new window will appear and you should choose "other" as the type of mailbox to import. When requested for the folder containing your mailboxes, select your quarantine folder. That should allow you to import the "mbox" files within that folder and you'll end up with all your email back in Mail.

You'll have to rearrange your messages back into the appropriate mailboxes, and Mail will almost certainly have forgotten that you've read and replied to any of them. However, to all intents and purposes, you should have all your email back.

Eudora is far FAR simpler.

Unfortunately, I can't offer any more help than that, so if these tips don't work, I'm afraid you're on your own. I learnt the importance of backups the hard way too!

15. How do I remove ClamXav and the associated engine?

First, you must download the Engine Remover. When you unzip it (making sure to use either OS X's built-in unzipper or the most recent Stuffit Expander or similar), double click clamavEngineREMOVER.command. This will open up the Terminal where you'll be asked to enter your Admin password. The rest takes care of itself.

Finally, drag the ClamXav application from wherever you installed it, to the trash.

16. Can Mac viruses which pre-date OS X infect Mac OS X in any way?

Not directly, no. Mac OS X is unlike any Mac operating system which went before it, and as such, all programs (and that includes viruses) need to be rewritten to a certain extent before they will function. As yet, this hasn't happened for any old world Mac viruses.

On the other hand, if you run OS 9 and OS 9 software inside the classic environment on OS X, then you DO need to consider older viruses as they CAN still infect OS 9 applications/documents.

17. Why am I seeing "Error updating definitions", "Can't create new file", "error 57" etc when I update definitions?

There's a problem with permissions in the ClamAV 0.85.1 engine folder. Download the newest ClamAV engine to fix it.