Clam Sentinel
aru
Hi all,
I have developed a simple program named Clam Sentinel that runs in the system tray, detects file system changes (copy, modify, add) and scans the changed files with ClamWin (clamscan.exe). It also detects new units added (like USB pens) and monitors them until the program is closed or until the unit is disconnected. It is very simple but could help to scan changes automatically.

The project is open source and is hosted on SourceForge: http://clamsentinel.sourceforge.net/

Today I have released the first version, tested on Windows 98, Windows 2000 and Windows XP. The code is written in Delphi.

Enjoy,
Andrea Russo
Venice - Italy
aru
Hi all,
I have released a new version, 1.1. Now the ClamSentinel.ini file is more user friendly and reports the default values for different operating systems. It's also possible to specify environment values (like %APPDATA%) in the ini file, which are replaced at run time with their current values. It also checks whether the files exist (Clamsentinel.ini and ClamWin.conf). The previous Clamsentinel.ini must be replaced with this new ini file.

But has anybody tried this program?
GuitarBob
I have downloaded the file but I have not installed it yet, although I have configured the .ini file. I intended to try it out tonight but it is almost midnight, and I'm still working on some virus signatures. Perhaps tomorrow.
Regards,
GuitarBob
I tried it on Vista but it didn't seem to work. I unzipped the download to a file in the programs directory called ClamSentinel and pinned the executable file to the start menu. Below is the config file I made. After a restart, there was no Sentinel icon in the system tray, and there was no scan on a file I downloaded.

Even if I have made a mistake, I think you need to make installation more automatic. Most Windows users don't want to bother with configuration themselves. Look at the ClamWin installation--all you need to do is make a couple of choices. Another suggestion: tie the extensions monitored to the extensions already set up in ClamWin's config file. In fact, use ClamWin's config file as much as you can.

Regards,

[Params]
;### Into the pathname all environment variables are replaced with the current value
;### Path of the directory that contains the file ClamWin.conf
;***** on Windows NT/XP/2000, Vista
PathClamWin = C:\Users\Nanette\AppData\Roaming\.clamwin
;***** on Windows 98/ME
;PathClamWin = C:\WINDOWS\Application Data\.clamwin\
;### Directories or drives that you want to monitor
;### note: the program monitor all subfolders
;### note: separate the values with a comma (without ").
DirToScan = c:\,d:\,e:\,f:\,g\
;### File extensions that you want to scan
ExtToScan = ,.avi,.bat,.cmd,.com,.dll,.do**,.exe,.gif,.html,.inf,.jpg,.js,.lnk,.ocx,.pdf,.php,.pif,.png,.pp**,.rtf,.scr,.shs,.swf,.sys,.tmp,.vb*,.wsh,.xl**,.zip,.rar,.tar,.7z,.gz
;### If you want to write a log (1=yes; 0=no)
Log = 1
;### Path for logs files. If empty is used the logfile path defined into ClamWin.conf
PathLog =
;### Directories that you don't want to monitor
;### For example you don't scan the recent folder that changed dinamically very often (case insensitive)
;### note: the program don't scans all subfolders
;### note: separate the values with a comma (without ").
;***** on Windows NT/XP/2000, Vista
NoScan = C:\Malware,C:\ProgramData\.clamwin
;***** on Windows 98/ME
;NoScan = C:\WINDOWS\Recent\
aru
Hi Bob,
I don't have the possibility to use Vista. I have tested the program on Windows 98SE, Windows XP Home, and Windows 2000. OK, first unzip the files into a directory and then put a link to the exe (a .lnk file) into the start menu. If this doesn't work, please try to run the program directly from the program folder and tell me about the result. The settings in your ClamSentinel.ini seem to be OK. I will take a look at the extensions section in the ClamWin.conf file.

Thanks,
aru
aru
Are you sure you have all of these units? Actually the program could have some problems if you set references in the ini file to units that do not exist.
aru
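
The problem raised in the two posts above (drive entries in ClamSentinel.ini that do not exist, plus the %NAME% values that version 1.1 expands at run time) can be caught before the monitor starts. This is an added example, not Clam Sentinel's own code; the function names `expand_env` and `lint_ini`, the sample file and the drive-letter-only path rule are assumptions, and only the `[Params]` key names come from the posted file.

```python
import configparser
import os
import re

# Constructed sample, modelled on the ClamSentinel.ini posted in this thread.
SAMPLE_INI = r"""
[Params]
PathClamWin = %APPDATA%\.clamwin
;### Directories or drives that you want to monitor
DirToScan = c:\,d:\,g\
NoScan = %USERPROFILE%\Recent\,C:\Malware
"""

ENV_REF = re.compile(r"%([^%\\]+)%")       # a %NAME% reference
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\")   # assumption: drive-letter paths only


def expand_env(value, env):
    """Replace %NAME% using env; return (expanded value, unresolved names)."""
    upper = {k.upper(): v for k, v in env.items()}  # Windows names ignore case
    missing = []

    def substitute(match):
        name = match.group(1)
        if name.upper() in upper:
            return upper[name.upper()]
        missing.append(name)
        return match.group(0)  # leave the unresolved reference visible

    return ENV_REF.sub(substitute, value), missing


def lint_ini(text, env=None, exists=os.path.exists):
    """Return (key, entry, problem) for each path entry that cannot be watched."""
    env = os.environ if env is None else env
    # interpolation=None: the default interpolation raises on the % signs
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for key in ("PathClamWin", "DirToScan", "NoScan"):
        entries = [e.strip() for e in cfg["Params"].get(key, "").split(",")]
        for entry in filter(None, entries):
            path, missing = expand_env(entry, env)
            if missing:
                findings.append((key, entry, "undefined variable " + ",".join(missing)))
            elif not DRIVE_ROOT.match(path):
                findings.append((key, entry, "not an absolute drive path"))
            elif not exists(path):
                findings.append((key, entry, "path does not exist"))
    return findings
```

On a real machine, call `lint_ini(open(path).read())` with the defaults; the `env` and `exists` parameters exist so the check can be exercised without the drives being present.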
GuitarBob
No, I don't have all of those units--just a couple of them. G is a removable USB that isn't in very often. I'll include only those I have and see what happens. Thanks.
Regards,
GuitarBob
Pinning the executable file to the Vista Start menu didn't work, so I dragged the Sentinel.exe icon into Programs/Start as a shortcut, which started Sentinel upon a reboot. Sentinel scanned a couple of test files I placed on the desktop, and I had a system tray notice each time it scanned them. I put the realtime log file in the Sentinel program directory. When I deleted the test files, I got two scanning notices in the system tray, and there were two entries in the log file.

You probably don't need to log everything--just when a virus is detected, and you probably don't need to even scan a delete to the Recycle Bin. You might need to limit the log to keep it from getting too large and remove early items in it as needed. You also don't need to show the memory scan on screen unless there is a detection.

You have a good start. However, Clam is kind of slow in scanning real-time because it has to bring the signatures up again for each scan. To speed it up, you could use the daily signature database only for Sentinel scans. It is much smaller than the main database, and it contains signatures for viruses found during the last couple of months, which is probably what users are most likely to find. You would be taking a chance, however. You could also do another kind of scan without signatures--a heuristic scan, which would not need all those signatures. Some time in January, Clam will have PE heuristics. When they do, you could confine your real-time scans to heuristics only and ignore all the signatures.

I will try some scans with some real viruses tonight--including zipped viruses.

Regards,
aru
Hi GuitarBob.
Thank you for your reply! It's good news that my program also works on Vista. I have released a new version:

New version 1.2
Fix problem with drive added at run time (like USB pens).
Now checks if drives defined in the ini file exist.

I will take a look at these matters in August when I return from the holidays in Paris. Yes, this is a first step; my target was to have an antivirus for my PC with Win98 (I am crazy but I love Win98 and want to maintain two PCs with this OS). Actually I use Avast, but at the end of this year, as reported on the Avast web site, it will probably not work on Win98. So the only good free antivirus available for Win98 is ClamWin, but the real-time scanners configurable with ClamWin don't work on Win98. The result is my program, which adds a "real time" scanner (it is not exactly this but...) on my Win98.

Thanks,
aru
aru
For example, there is the Recent folder, which is written very often by the operating system (for me this is why something was scanned when you deleted the file). This is why I have added to the ini file the possibility to exclude some directories:

NoScan = %USERPROFILE%\Recent\

However, it seems that if I call clamscan with --log --quiet --infected, two rows are written to the log: an empty row and a row with -----...., so the only row that is not logged is the row that reports the path of the scanned file, "Scanning...".
aru
GuitarBob
The test of Clam Sentinel went pretty well as I worked signatures for live viruses. It scanned viruses within zipped files okay. It did not detect PUAs (potentially unwanted applications--hacker tools), however. I have ClamWin configured to detect PUAs, so if you can use the ClamWin config file for this, it should pick them up.

You probably need an on-screen message when Clam Sentinel detects a virus. Otherwise, the user has to go to the log file, and some users will not be able to find it on their computers. Also, Clam Sentinel automatically quarantined any virus it found. You might want to use the infected files option in the ClamWin config file for this, which defaults to Report Only. The memory scan option is nice, but I don't know if you really need it. It takes quite a bit of time.

I received a message when I plugged in my USB asking if I want to scan it. I scanned it, but there was nothing in the log file about it. My system recognizes the USB as "Y Drive", but Windows Explorer recognizes it as "G Drive." Perhaps this is why there was no log--it's kind of confusing.

You've done a good job! I think if you can use the ClamWin config file and get an on-screen message for real-time detections, and do a little more with the Sentinel log file, it will help the users, and they will have some good extended functionality with ClamWin. I will continue to use Clam Sentinel and let you know if I find anything else.

Regards,
GuitarBob
Hello Aru:
I believe you mentioned that Sentinel doesn't scan in subfolders, is that correct? Of course, you need to be able to scan as deeply as possible, but if you scan a directory and two subdirectories under that, you will take care of most viruses. Tonight I saw an mIRC trojan that dropped many files in C:\Windows\Temp\Spoolsrv, and I don't believe that Sentinel was able to scan them. ClamWin has a Scan In Subdirectories configuration option.

Regards,
dw2108a
Aru, as a fellow DOS, 3.x and 9x/ME enthusiast, I would like very much to lend you my encouragement with this project.
We 98 users truly need someone who appreciates our 98 software.

Best,
Dave
aru
Hi all,
The new release 1.5 is available from SourceForge: http://sourceforge.net/projects/clamsentinel/

There are a lot of changes: a new method to detect filesystem changes (the previous method in some cases didn't detect changes, as in a previous message from Bob); a multithreading structure to scan more files together; a balloon message when a virus is found; the possibility to make a memory scan when the program starts; more new settings (PUA detection; use daily scan or not; setting Clam Sentinel to start at machine startup is now very simple via a check box in the settings; etc.).

A thank you to Francis Chabot, who has helped me to add new features.

All works on Windows 98, Windows 2000, Windows XP (and Windows 7).

bye,
aru
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.