Reviewing Logs for ClamWin

When malware is detected, ClamWin does not appear to write an alert to the operating system's event logs. It does, however, record scan results in plain text log files, and it can be configured to send an e-mail on detection, which may be useful for alerting systems.

Checking these logs is one way to find out whether anything bad has been detected on a computer. Another is simply to check whether the quarantine folder is empty.

Logs used by ClamWin

Looking just at Windows 7 and Windows XP, there are at least four locations where the log files may be found.

Simple/Quick Examples
Windows 7
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\User>echo %USERPROFILE%
C:\Users\User

C:\Users\User>dir "%USERPROFILE%\..\All Users\.clamwin\log\ClamScanLog.txt"

 Volume in drive ? is ?
 Volume Serial Number is ????-????
 Directory of ?:\...\All Users\.clamwin\log

File Not Found

C:\Users\User>echo %AllUsersProfile%
C:\ProgramData

C:\Users\User>dir "%AllUsersProfile%\.clamwin\Log\ClamScanLog.txt"

 Volume in drive ? is ?
 Volume Serial Number is ????-????
 Directory of ?:\ProgramData\.clamwin\log

File Not Found

C:\Users\User>

When the file does exist, one or more of the “File Not Found” results will instead look more like this:

MM/DD/YYYY  hh:mm ?M            ??,???  ClamScanLog.txt
               1 File(s)         ??,??? bytes
               0 Dir(s)  ??,???,???,??? bytes free

Logs may be located under the folder specified by the operating system environment variable %AllUsersProfile%. In Windows Vista and later, %AllUsersProfile% typically refers to “C:\ProgramData”, a folder that usually has the “Hidden” attribute set, so it will not show up in Explorer unless hidden items are displayed. MS KB 926333 notes that %AllUsersProfile% may be set to “C:\Documents and Settings\All Users” (in Windows XP).

Underneath the location specified by %AllUsersProfile%, Windows XP users should also check an “Application Data” subfolder. (This is the all-users counterpart of the per-user folder that %APPDATA% points to; %APPDATA% itself refers to the current user's Application Data folder, not the All Users one, so do not expect %APPDATA% to lead to the ClamWin logs.)

Then, users of ClamWin (whether using XP or a different operating system) may find the program's data in a folder called “.clamwin”.

From this location, logs may show up in a subdirectory called “log”.

(A forum post about ClamWin's log location notes %AllUsersProfile%\.clamwin\log\ClamScanLog.txt although that location doesn't specify the “Application Data” subdirectory).

ClamWin log files

For ClamWin's own report, check for the presence of a ClamScanLog.txt in the log directory underneath the .clamwin folder mentioned above, and also look in C:\Users\All Users\.clamwin\log\ for a ClamScanLog.txt. Note that it is possible for neither file to exist during a scan or while scan results are still being shown by the program. Within the log, the word “FOUND” in capitals, coming right after a space and at the end of a line, is the telltale sign of a detection. Also, any line that starts with “Infected files: ” and has something other than a zero on the rest of that line indicates a problem.

Log files used by Clam Sentinel

Making ClamWin real-time describes an add-on named Clam Sentinel, which this documentation refers to.

For Clam Sentinel, the report from real-time scans may be called ClamSentinel_RealTimeLog.txt and be located where ClamWin stores its log files. The logs can also be viewed by bringing up the Clam Sentinel menu (right-click its icon in the “system tray”/“notification area”) and choosing the option called “Logs”. Searching this for the word “ FOUND” (in capitals, right after a space and at the end of a line of text) may be the most reliable way to notice when malware was detected. (Note: do not simply do a case-insensitive search for “found”; that also matches “Windows Communication Foundation”, a component of Microsoft's .NET Framework whose folder name appears in scanned paths, and produces a false hit.) If files are being quarantined and renamed, another indicator is to search the logs for the extension “.infected”. Other search terms of possible interest are “LibClamAV Warning: ” and “LibClamAV Error: ”.
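As an added example (not code from ClamWin, Clam Sentinel or the original page), the following Python script applies the search rules described above for both ClamScanLog.txt and ClamSentinel_RealTimeLog.txt: it looks for lines ending in “ FOUND”, for the “Infected files:” summary line, for “.infected” quarantine renames and for LibClamAV warnings and errors, and it also shows why a case-insensitive search for “found” misfires on a .NET path. The candidate directories are the ones named on this page and are assumed to be a default install; the sample log text is constructed for illustration, not copied from a real log.

```python
"""Search ClamWin / Clam Sentinel log files for detection indicators.

Added example: not ClamWin's or Clam Sentinel's own code. The directory list
follows the locations discussed on this page (assumed default install), and
SAMPLE_LOG is constructed to look like clamscan output, not a real log.
"""
import os
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional, Tuple

LOG_NAMES = ("ClamScanLog.txt", "ClamSentinel_RealTimeLog.txt")

# " FOUND" must be upper case and at the end of the line. A case-insensitive
# "found" would also hit ".NET\Framework\v3.0\Windows Communication Foundation".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S.*?) FOUND\s*$")
INFECTED_RE = re.compile(r"^Infected files: (\d+)\s*$")
LIBCLAMAV_RE = re.compile(r"^LibClamAV (?:Warning|Error): ")
QUARANTINE_RE = re.compile(r"\.infected\b")


def candidate_log_dirs() -> List[Path]:
    """Directories named on this page; assumes a default ClamWin install."""
    dirs: List[Path] = []
    all_users = os.environ.get("ALLUSERSPROFILE")  # C:\ProgramData on Vista and later
    if all_users:
        dirs.append(Path(all_users) / ".clamwin" / "log")
        # Windows XP keeps an extra "Application Data" level under All Users.
        dirs.append(Path(all_users) / "Application Data" / ".clamwin" / "log")
    dirs.append(Path(r"C:\Users\All Users\.clamwin\log"))  # junction to ProgramData on Windows 7
    return dirs


@dataclass
class Findings:
    detections: List[Tuple[str, str]] = field(default_factory=list)  # (file, signature)
    quarantined: List[str] = field(default_factory=list)            # lines mentioning .infected
    libclamav: List[str] = field(default_factory=list)              # engine warnings/errors
    infected_count: Optional[int] = None                             # last "Infected files:" value

    @property
    def alert(self) -> bool:
        """True when the log shows evidence of a detection."""
        return bool(self.detections or self.quarantined or (self.infected_count or 0) > 0)


def parse_log(text: str) -> Findings:
    """Apply the search rules from this page to one log's contents."""
    found = Findings()
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            found.detections.append((m.group("path"), m.group("sig")))
            continue
        m = INFECTED_RE.match(line)
        if m:
            found.infected_count = int(m.group(1))
            continue
        if LIBCLAMAV_RE.match(line):
            found.libclamav.append(line.rstrip())
        if QUARANTINE_RE.search(line):
            found.quarantined.append(line.rstrip())
    return found


def naive_found_count(text: str) -> int:
    """The over-broad check the page warns against: case-insensitive 'found'."""
    return sum(1 for line in text.splitlines() if "found" in line.lower())


def scan_log_dirs(dirs: Optional[List[Path]] = None) -> Dict[str, Findings]:
    """Parse every known log file that actually exists; absent files are skipped."""
    results: Dict[str, Findings] = {}
    for d in dirs or candidate_log_dirs():
        for name in LOG_NAMES:
            path = d / name
            if path.is_file():
                results[str(path)] = parse_log(path.read_text(errors="replace"))
    return results


# Constructed sample, modelled on clamscan-style output; not a real log.
SAMPLE_LOG = r"""Scan Started Wed Jan 01 12:00:00 2014

C:\Users\User\Downloads\eicar.com: Eicar-Test-Signature FOUND
C:\Users\User\Downloads\eicar.com: moved to 'C:\ProgramData\.clamwin\quarantine\eicar.com.infected'
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe: OK
LibClamAV Warning: cli_scanrar: RAR code not compiled-in

----------- SCAN SUMMARY -----------
Scanned files: 3
Infected files: 1
"""

if __name__ == "__main__":
    sample = parse_log(SAMPLE_LOG)
    print("alert:", sample.alert, "detections:", sample.detections)
    print("naive 'found' hits:", naive_found_count(SAMPLE_LOG), "(includes the WCF path)")
    for log_path, result in scan_log_dirs().items():
        print(log_path, "ALERT" if result.alert else "clean", result.infected_count)
```

Run it on a Windows machine with ClamWin installed and it reports each log file it actually finds; on a machine where none exist it only prints the results for the constructed sample. The regular expression for “ FOUND” is anchored to the end of the line and is case-sensitive, which is exactly what keeps the “Windows Communication Foundation” path from counting as a detection.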

Other options for logs

The standard operating system logs in Microsoft Windows do not tend to be heavily used by ClamWin or Clam Sentinel.

However, an Information event from the source “Application Popup” has been seen with the text “Application popup: ClamWin.exe - Unable To Locate Component : This application has failed to start because libclamav.dll was not found. Re-installing the application may fix this problem.” This had Event ID 26, and there was a similar message for freshclam.exe. Automated solutions that parse operating system logs may want to alert technical staff if either of those messages is seen, since it means the scanner or its signature updater is not running at all.