[OPLINTECH] ClamAV for windows

Chad Neeper cneeper at level9networks.com
Wed Mar 24 12:42:01 EDT 2010


I think I mostly agree with Ron. I've been testing it out myself since 
last night. It's a very clean program and simple to use. The main thing 
that would prevent me from using it by itself (right now) is simply that 
it doesn't currently scan numerous file types that can carry 
malware: .pdf, .doc, etc. It currently only scans executable files. 
Apparently the others will be added at a later date.

Another feature that I'm not sure about is that, if I manually tell it 
to do a system scan, it doesn't appear to verify the file checksums for 
ALL executables  stored on the drive. As a test, I copied the contents 
of C:\Program Files (1242 *.exe files alone) to two different locations. 
First to C:\Copy of Program Files and then to D:\Program Files. I did a 
scan between each copy. My total Files Scanned count did increase a 
little, but not nearly enough to account for the huge number of 
additional executables I just added.

So...we do not seem to have the option to really do a full scan on the 
hard drive. For instance, if you have it installed on a server 
containing executable programs that are never actually run on the server 
(and hence, not caught by the real-time scanner), but maybe _are_ 
executed over the network on workstations _attached_ to the server, 
ClamAV for Windows running on the server might not check those files. 
That could be a bit of a problem and worth investigating.

http://community.immunet.com/immunet/topics/how_immunet_works_in_details
This is a link to a conversation thread that helps to describe how it 
works. The second commenter (Alfred Huger) works for Immunet and gives a 
description of exactly what the program does. It's a pretty easy read.

All in all, though, I'm with Ron. This looks very promising!

2 cents,
Chad

-----------------------
Chad Neeper
Senior Systems Engineer

Level 9 Networks
740-548-8070 (voice)
866-214-6607 (fax)

--   Full LAN/WAN consulting services   --
-- Specialized in libraries and schools --



Ron Woods wrote:
> I am testing out ClamAv right now and I must say it's a fantastic product
> from what I can tell so far. The next version will include the necessary
> .dll files to perform local scans without an internet connection and support
> for a few more file types.
>
> I really do think this could be a replacement for a commercial Anti-virus
> package, the source code is still GPL according to Sourcefire so that's
> always a benefit. 
>
> -----Original Message-----
> From: oplintech-bounces at oplin.org [mailto:oplintech-bounces at oplin.org] On
> Behalf Of Ed Liddle
> Sent: Tuesday, March 23, 2010 12:27 PM
> To: JKENZIG; OPLINTECH
> Subject: Re: [OPLINTECH] ClamAV for windows
>
> That would be an option. I use clamwin to do scheduled scans, I never
> thought of adding it to the task scheduler in windows. Since Microsoft
> Security Essentials can only be used for home or home office use according
> to their end user license agreement, I only use it in those environments. It
> seems to work quite well. I installed it on my wife's computer at home and
> on a couple of other people's home machines.
> The trend web protection seems similar to the new clam av for windows. They
> both work in a similar proactive fashion in that they utilize the cloud to
> detect malicious things, freeing up local resources. Pretty neat!
>
> -Ed  
>
>   
>> -----Original Message-----
>> From: JKENZIG [mailto:JKENZIG at cuyahogalibrary.org]
>> Sent: Tuesday, March 23, 2010 11:33 AM
>> To: Ed Liddle; OPLINTECH
>> Subject: RE: [OPLINTECH] ClamAV for windows
>>
>> You could schedule it to scan via task scheduler. Clamwin can notify
>> you so that will solve that issue. For real time alerts program I use
>> Microsoft Security Essentials along with the trend web protection add
>> on http://free.antivirus.com/web-protection-add-on/
>>
>> Jim Kenzig
>> Cuyahoga County Public Library
>> Administrative Offices
>>
>> From: Ed Liddle [mailto:eliddle at marysvillelib.org]
>> Sent: Tuesday, March 23, 2010 11:28 AM
>> To: JKENZIG; OPLINTECH
>> Subject: RE: [OPLINTECH] ClamAV for windows
>>
>> The portable version like the regular version of Clamwin does not have
>> a real time on access scanner. The new Clam AV for windows version does.
>> The real time scanner is something that I feel is a good feature to
>> have.
>>
>> It is good to know you can use the portable version of clamwin like
>> that. One thing that would be nice for the new Clam AV for windows to
>> have is the ability to e-mail a scan report like Clamwin can.
>>
>> -Ed
>>
>>     
>>> -----Original Message-----
>>> From: JKENZIG [mailto:JKENZIG at cuyahogalibrary.org]
>>> Sent: Tuesday, March 23, 2010 11:09 AM
>>> To: Ed Liddle; OPLINTECH
>>> Subject: RE: [OPLINTECH] ClamAV for windows
>>>
>>> And if you use the portable app version of clamwin you can just copy
>>> the programs folder out to your workstations with no install required! :)
>>> http://portableapps.com/apps/utilities/clamwin_portable
>>>
>>>
>>> Jim Kenzig
>>> Cuyahoga County Public Library
>>> Administrative Offices
>>> www.cuyahogalibrary.org
>>> Ohio Public Library Information Network (OPLIN)
>>> Board of Trustees member
>>>
>>>
>>> -----Original Message-----
>>> From: oplintech-bounces at oplin.org [mailto:oplintech-bounces at oplin.org]
>>> On Behalf Of Ed Liddle
>>> Sent: Tuesday, March 23, 2010 11:02 AM
>>> To: OPLINTECH
>>> Subject: [OPLINTECH] ClamAV for windows
>>>
>>> Has anyone been testing the NEW Clam AV for windows from here
>>> http://www.clamav.net/lang/en/about/win32/ ?
>>>
>>> I have been looking at it for a free antivirus replacement for our
>>> current Symantec product. It appears to me to be unlike any other
>>> antivirus solution I have seen. It uses the cloud to store AV
>>> definition files and also to do the scanning. It doesn't seem to scan
>>> all stored files but instead scans program or executable files when
>>> they are accessed, or files that are downloaded. It requires an
>>> internet connection to work. ClamAV has partnered with Immunet to
>>> create Clam AV for Windows. Unlike previous versions of Clam AV, this
>>> version does do "real time active" scanning. Since the definition
>>> files are hosted in the cloud, I would think they would be most up to
>>> date, more so than relying on downloading definition files at a
>>> certain time interval. When performing a manual scan it is really
>>> fast! (under a minute fast).
>>>
>>> The downside to it is there doesn't seem to be an enterprise version
>>> that can be used to notify admins of virus activity on the computers.
>>> The upside is there are no definition files to download or distribute,
>>> which is one main benefit to an enterprise solution.
>>> I am testing it on a public machine that has cornerstone enabled on
>>> it. It did detect the cornerstone service file as a virus. I submitted
>>> it to the Clam AV site as a false positive and added an exception for
>>> it in clam AV.
>>>
>>> Below is from their website that explains a little bit how it works.
>>> http://www.clamav.net/lang/en/support/faq/faq-win32/
>>> Q7. Will "ClamAV for Windows" send any sensitive data from my computer
>>> to the cloud?
>>>
>>> A7. ClamAV for Windows sends information about the files it's scanning
>>> back to the cloud. This information is in the form of SHA hashes and
>>> file heuristics. Currently, this information is only collected for
>>> Windows PE files, or in other terms what most people refer to as
>>> executable files. No information is collected for other types of
>>> files, like Word, Excel, or PDF. Additionally, in some situations the
>>> entire PE file will be uploaded to the Cloud to determine if it is
>>> malicious.
>>>
>>> For a complete overview please see the privacy policy:
>>> http://support.immunet.com/index.php/Immunet:Privacy_policy
>>>
>>>
>>> Let me know what your thoughts/opinions/experiences are on it.
>>>
>>> Thanks in advance !
>>>
>>> -Ed Liddle
>>> _______________________________________________
>>> OPLINTECH mailing list
>>> OPLINTECH at oplin.org
>>> http://mail.oplin.org/mailman/listinfo/oplintech
>>> Search: http://oplin.org/techsearch
>>>       
>   
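
Added example, not part of the original thread and not ClamAV or Immunet code: an independent baseline for the copy test described above, counting the files under given roots that carry a PE header and the number of distinct digests among them, to compare against the scanner's Files Scanned figure. The function names and the choice of SHA-256 are assumptions (the quoted FAQ says only "SHA hashes"), and the sample files are constructed.

```python
import hashlib
import os
import struct
import tempfile

def is_pe(path):
    """True if the file starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        f.seek(struct.unpack_from("<I", head, 0x3C)[0])
        return f.read(4) == b"PE\0\0"

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def pe_inventory(roots):
    """Return (PE files found, distinct SHA-256 digests, unreadable files skipped)."""
    total, digests, skipped = 0, set(), 0
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if is_pe(path):
                        digests.add(sha256_file(path))
                        total += 1
                except OSError:
                    skipped += 1  # locked or permission-denied files
    return total, len(digests), skipped

def demo():
    """Constructed sample: one PE-shaped stub in two trees plus a non-PE file."""
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    with tempfile.TemporaryDirectory() as tmp:
        for sub in ("Program Files", "Copy of Program Files"):
            os.makedirs(os.path.join(tmp, sub))
            with open(os.path.join(tmp, sub, "app.exe"), "wb") as f:
                f.write(stub)
        with open(os.path.join(tmp, "notes.exe"), "wb") as f:
            f.write(b"MZ but too short to be a PE file")
        return pe_inventory([tmp])

if __name__ == "__main__":
    print(demo())
```

On a real machine, pass the directories from the test (for example the original and copied Program Files trees) to `pe_inventory` and compare both the file count and the distinct-digest count with what the scanner reports.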