[OPLINTECH] ClamAV for windows
Ed Liddle
eliddle at marysvillelib.org
Wed Mar 24 18:02:41 EDT 2010
They are supposed to be adding system/folder scan functionality in the 2.0 version according to their forums:
http://community.immunet.com/immunet/topics/can_you_scan_folders_with_immunet_protect
http://community.immunet.com/immunet/topics/no_full_system_scan
http://community.immunet.com/immunet/topics/clamav_immunet_clamwin_online_offline_protection
Info is also a little fuzzy if the current version will auto update to the 2.0 version
http://community.immunet.com/immunet/topics/clamav_auto_updater
I think there are some privacy concerns about uploading information from non-executable files to the “cloud” for scanning. I would be curious how it determines if a file is executable or not, whether it looks at the file or just the extension. Either way it looks like it should get better with the 2.0 release.
-Ed Liddle
From: oplintech-bounces at oplin.org [mailto:oplintech-bounces at oplin.org] On Behalf Of Chad Neeper
Sent: Wednesday, March 24, 2010 12:42 PM
To: oplintech at oplin.org
Subject: Re: [OPLINTECH] ClamAV for windows
I think I mostly agree with Ron. I've been testing it out myself since last night. It's a very clean program and simple to use. The main thing that would prevent me from using it by itself (right now) is simply that it doesn't currently scan numerous file types that can carry malware: .pdf, .doc, etc. It currently only scans executable files. Apparently the others will be added at a later date.
Another feature that I'm not sure about is that, if I manually tell it to do a system scan, it doesn't appear to verify the file checksums for ALL executables stored on the drive. As a test, I copied the contents of C:\Program Files (1242 *.exe files alone) to two different locations. First to C:\Copy of Program Files and then to D:\Program Files. I did a scan between each copy. My total Files Scanned count did increase a little, but not nearly enough to account for the huge number of additional executables I just added.
So...we do not seem to have the option to really do a full scan on the hard drive. For instance, if you have it installed on a server containing executable programs that are never actually run on the server (and hence, not caught by the real-time scanner), but maybe _are_ executed over the network on workstations _attached_ to the server, ClamAV for Windows running on the server might not check those files. That could be a bit of a problem and worth investigating.
http://community.immunet.com/immunet/topics/how_immunet_works_in_details
This is a link to a conversation thread that helps to describe how it works. The second commenter (Alfred Huger) works for Immunet and gives a description of exactly what the program does. It's a pretty easy read.
All in all, though, I'm with Ron. This looks very promising!
2 cents,
Chad
-----------------------
Chad Neeper
Senior Systems Engineer
Level 9 Networks
740-548-8070 (voice)
866-214-6607 (fax)
-- Full LAN/WAN consulting services --
-- Specialized in libraries and schools --
Ron Woods wrote:
I am testing out ClamAv right now and I must say it's a fantastic product
from what I can tell so far. The next version will include the necessary
.dll files to perform local scans without an internet connection and support
for a few more file types.
I really do think this could be a replacement for a commercial Anti-virus
package, the source code is still GPL according to Sourcefire so that's
always a benefit.
-----Original Message-----
From: oplintech-bounces at oplin.org [mailto:oplintech-bounces at oplin.org] On Behalf Of Ed Liddle
Sent: Tuesday, March 23, 2010 12:27 PM
To: JKENZIG; OPLINTECH
Subject: Re: [OPLINTECH] ClamAV for windows
That would be an option. I use clamwin to do scheduled scans, I never
thought of adding it to the task scheduler in windows. Since Microsoft
Security Essentials can only be used for home or home office use according
to their end user license agreement, I only use it in those environments. It
seems to work quite well. I installed it on my wife's computer at home and
on a couple of other people's home machines.
The trend web protection seems similar to the new clam av for windows. They
both work in a similar proactive fashion in that they utilize the cloud to
detect malicious things freeing up local resources. Pretty neat!
-Ed
-----Original Message-----
From: JKENZIG [mailto:JKENZIG at cuyahogalibrary.org]
Sent: Tuesday, March 23, 2010 11:33 AM
To: Ed Liddle; OPLINTECH
Subject: RE: [OPLINTECH] ClamAV for windows
You could schedule it to scan via task scheduler. Clamwin can notify you so that will solve that issue. For real time alerts program I use Microsoft Security Essentials along with the trend web protection add on
http://free.antivirus.com/web-protection-add-on/
Jim Kenzig
Cuyahoga County Public Library
Administrative Offices
From: Ed Liddle [mailto:eliddle at marysvillelib.org]
Sent: Tuesday, March 23, 2010 11:28 AM
To: JKENZIG; OPLINTECH
Subject: RE: [OPLINTECH] ClamAV for windows
The portable version like the regular version of Clamwin does not have a real time on access scanner. The new Clam AV for windows version does. The real time scanner is something that I feel is a good feature to have.
It is good to know you can use the portable version of clamwin like that. One thing that would be nice for the new Clam AV for windows to have is the ability to e-mail a scan report like Clamwin can.
-Ed
-----Original Message-----
From: JKENZIG [mailto:JKENZIG at cuyahogalibrary.org]
Sent: Tuesday, March 23, 2010 11:09 AM
To: Ed Liddle; OPLINTECH
Subject: RE: [OPLINTECH] ClamAV for windows
And if you use the portable app version of clamwin you can just copy the programs folder out to your workstations with no install required! :)
http://portableapps.com/apps/utilities/clamwin_portable
Jim Kenzig
Cuyahoga County Public Library
Administrative Offices
www.cuyahogalibrary.org
Ohio Public Library Information Network (OPLIN)
Board of Trustees member
-----Original Message-----
From: oplintech-bounces at oplin.org [mailto:oplintech-bounces at oplin.org] On Behalf Of Ed Liddle
Sent: Tuesday, March 23, 2010 11:02 AM
To: OPLINTECH
Subject: [OPLINTECH] ClamAV for windows
Has anyone been testing the NEW Clam AV for windows from here
http://www.clamav.net/lang/en/about/win32/ ?
I have been looking at it for a free antivirus replacement for our current Symantec product. It appears to me to be unlike any other antivirus solution I have seen. It uses the cloud to store AV definition files and also to do the scanning. It doesn't seem to scan all stored files but instead scans program or executable files when they are accessed, or files that are downloaded. It requires an internet connection to work. ClamAV has partnered with Immunet to create Clam AV for Windows. Unlike previous versions of Clam AV, this version does do "real time active" scanning. Since the definition files are hosted in the cloud, I would think they would be most up to date, more so than relying on downloading definition files at a certain time interval.
When performing a manual scan it is really fast! (under a minute fast).
The downside to it is there doesn't seem to be an enterprise version that can be used to notify admins of virus activity on the computers. The upside is there are no definition files to download or distribute, which is one main benefit to an enterprise solution.
I am testing it on a public machine that has cornerstone enabled on it. It did detect the cornerstone service file as a virus. I submitted it to the Clam AV site as a false positive and added an exception for it in clam AV.
Below is from their website that explains a little bit how it works.
http://www.clamav.net/lang/en/support/faq/faq-win32/
Q7. Will "ClamAV for Windows" send any sensitive data from my computer to the cloud?
A7. ClamAV for Windows sends information about the files its scanning back to the cloud. This information is in the form of SHA hashes and file heuristics. Currently, this information is only collected for Windows PE files, or in other terms what most people refer to as executable files. No information is collected for other types of files, like Word, Excel, or PDF. Additionally, in some situations the entire PE file will be uploaded to the Cloud to determine if it is malicious.
For a complete overview please see the privacy policy:
http://support.immunet.com/index.php/Immunet:Privacy_policy
Let me know what your thoughts/opinions/experiences are on it.
Thanks in advance!
-Ed Liddle
_______________________________________________
OPLINTECH mailing list
OPLINTECH at oplin.org<mailto:OPLINTECH at oplin.org>
http://mail.oplin.org/mailman/listinfo/oplintech
Search: http://oplin.org/techsearch
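The question raised at the top of the thread (does a scanner look at the file or just the extension?) and the FAQ's mention of SHA hashes for Windows PE files can be illustrated with a content-based check. This is an added example, not part of the thread and not Immunet's or ClamAV's code; the extension list, the choice of SHA-256 and all sample files are assumptions constructed for illustration.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".scr"}  # illustrative list (assumption)

def looks_like_pe(data: bytes) -> bool:
    """Content check: DOS 'MZ' magic, then the PE signature at the offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):  # offset points outside the file: malformed header
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(path: Path) -> dict:
    """Compare the extension-based verdict with the content-based one and hash the file."""
    data = path.read_bytes()
    return {
        "name": path.name,
        "by_extension": path.suffix.lower() in EXEC_EXTENSIONS,
        "by_content": looks_like_pe(data),
        "sha256": hashlib.sha256(data).hexdigest(),  # SHA-256 is an assumption
    }

def build_minimal_pe_stub() -> bytes:
    """Constructed sample: just enough header bytes to pass the check, not a program."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00"

def demo() -> list:
    stub = build_minimal_pe_stub()
    samples = {  # constructed sample files
        "setup.exe": stub,
        "invoice.pdf": stub,                     # PE content behind a document extension
        "readme.exe": b"plain text only",        # executable extension, no PE header
        "truncated.exe": b"MZ" + b"\x00" * 10,   # magic present, header cut short
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            (Path(tmp) / name).write_bytes(content)
        return [classify(Path(tmp) / name) for name in samples]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

An extension-only check misclassifies two of the four samples, while the header check and the hash depend only on the bytes, so identical content yields the same hash under any file name.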