Hello Guys!

First of all, sorry for my bad English, I'm Brazilian.

I'm a ClamWin user for some years by now, and I love the Open Source community, and I want to see this project grows and help on that =)

I'm not a C developer (when I read the code generally I can understand what it does, but no way I could write that on my own... how you can do it guys? I understand why it took too long for ClamWin gain a real time scanner - I know it is far from being an easy task). Most part of the time I develop VBScript/AutoIt to automate stuff - the most "complex" project that I've worked were into a Registry Class for VBS and C# (if someone is interested, I post all my stuff on GitHub: https://github.com/coldscientist). I already develop some stuff on Web development (PHP), because it can run into practically any platform and doesn't require installation. But I would like to help with what I know.

Development is far from being my specialty (I work as IT manager), but as an IT manager, I see that most commercial AV solutions have a console for centrally management the AV solution. I already worked on the Municipal Secretary of Education (an office available in most Brazilian cities that take care of schools for child education) and into the military, and sadly, most of the government institutions (at least, on my country) have little budget to invest on IT security or management. Most partly of the time the IT just put out the fire, there is little to no budget to innovation, centralized solutions are practically non existent, legacy software is into everywhere [some institutions have been migrating to Ubuntu some time by now, but there is some specific software that only runs into Windows, and even worse, as there is no budget to licensing newer versions of Windows, seeing Windows XP into operation nowadays are still common]). Most IT managers that I knew from this institutions breaks the EULA and install Avast or any other AV that is free for non-commercial use. Even solutions that are free for commercial use (like Comodo) doesn't offer a free management solution (of course not! They need living!).

There is more than 90 municipal child schools into my city, most of them AV unmanaged... There is a lot of fellow mates into the Brazilian arms that are AV unmanaged... I read into the forums that there is some people that uses ClamWin in non-profit organizations (about 30 computers), and I could even find posts where there is people using it into 200 computers at a time! WOW! 30 is already enough, imagine 200... it should be an admin overhead! And I don't think that the situation into development countries are too much different that ours on Brazil! And I would like to change that!

Most of the cases of AV infections that I found out could be easily avoided following simple security cares (like using Windows Update and keeping the AV updated). But when I worked into that institutions I never had found a way to see the security status of the computers. I found out ClamWin Server at SourceForge sometime ago (https://sourceforge.net/projects/clamwinweb/) but I could not figure out how to install it (appears like a Tomcat application), and it appears discontinued a long time ago.

Now that you all know my motivations, I want to show you what I'm working...





The source code of WebAdmin and ClamWinCli and the "wish list" of the project available at https://github.com/coldscientist/clamwin-wa

Actually, the API works unencrypted and it only obtains the proxy "tab" from the Server. I'll extend it soon to allow all the configuration through the WebAdmin.

I developed it thinking on ClamSentinel on mind, but I found out it was discontinued, =( ClamSentinel still works, but it would be amazing if it could detect malicious code before they're run through Windows Explorer (it only intercepts copy/delete/move operations, not "execute" ones). I found out that one of the moderators of this forum - GuitarBob - already worked on the project, maybe we can extend it to allow that... ClamSentinel, even discontinued, is still used in many institutions of my country with ClamWin. I found out ClamMon (http://forums.clamwin.com/viewtopic.php?t=1476&start=0), but it is not available to download anymore - I'm not sure if the ClamMon were infected or if the file hosting service providing the file were. The author doesn't have the source code anymore. I know that ClamMon weren't perfect, but I would love studying it source code to discover how it works, maybe we could extend it. GuitarBob appears to have been making some tests with it, maybe he still have the source code of ClamMon. Ariad (https://blog.didierstevens.com/programs/ariad/) looks promising too, but I don't even know how to start to adapt the code of Ariad to check the file with ClamWin, and I had performance constraints about it - I'm not a C developer, so I don't know how to optimize the code to not compromise the performance. Tweaking the ClamSentinel source code appears to be a better approach right now (at least for me), as it is Delphi, a higher level language, it's easier to understand and build.

I already sent a e-mail to xqrzd to know how he is going into his project (Hazard Shield). Would be amazing automate ClamWin through "ClamWin WebAdmin" with a "real time" scanner (or anything like that minimally scans files that users open through Windows Explorer on the fly - most environments with Active Directory with non-admin users are hard to compromise the full system)! =)

My intention is add Quarentine support to ClamWin WebAdmin, so we could restore files from quarentine though it. I would like to add Active Directory support, allow remote installation of ClamWin though WMI/PSexec (I'm not sure how I'll do it, but we'll found a way!), allow custom configurations for different groups of computers, see the update status, see the last results from scanning of ClamWin.

There is many features on the plans (and, as ClamWin real time scanner, without roadmap dates!). I'm opening to suggestions, testings and the contribution of all of you! I still have security concerns, as I do not have the knowledge enough right now to protect the REST API encrypting it (I think into a PKI infrastructure to protect and authenticate the communication, or OAuth, I don't know, need help on this guys!). But the REST API works (it can set the proxy dynamically though the server to the client) and the source code is pure PHP (WebAdmin)/Python (Client). I really wants to keep it simple to allow more people contribute on it.

I know guys... It is far from perfect, but it's what we've have the moment. XD

Hello! Your post is very interesting. I will suggest to the ClamWin developers to read it--they do not often monitor this forum now. Perhaps they can provide some direction. ClamWin badly needs to be upgraded/improved. There have been some attempts to do so, but not much work ever gets done. You might consider using a combination GUI/console manager. It would be a good first step toward improvement.

Developer Andrea Russo abandoned the Clam Sentinel project in 2014. It was developed back in 2012. I was a sigmaker working on Clam AV then, and I helped him on heuristics and testing. Clam Sentinel still works, but it does not detect very much of the new malware that has been developed since 2012 (much of it is JS/html/script based now--not just Windows executables). Clam Sentinel can also not handle some of the new Clam AV signatures--like Yara sigs. I looked at some of the Clam Sentinel source code, but it was too much for me. I still use Clam Sentinel in case a Windows executable malware gets past my commercial real-time scanner.

Please let us know if there is anything a few ClamWin users (non-programmers) can do to help you.

Regards,

Hello GuitarBob!

Thanks for your suggestions. I agree about ClamWin. But as I read into a older post: I like the nostalgia feeling it gives. But would be amazing upgrade the UI. I want to help with I can, but I want the commitment from the developers: as a community, it is important that someone could continue maintaining the code if something happens to me and I could not maintain it anymore (I don't need to die, just marry! Pessimist says that it's exactly the same thing, but I don't believe it XD). Reading the UI source code, apparently it was made using wxPython.

I think that before thinking on changing the UI, it is necessary to take a important step: the compatibility with Legacy windows versions should be left into account? I think that anything before Windows XP/Server 2003 is useless. Most legacy applications that are compatible with Windows 2000 runs into XP/Server 2003, and no one should use Windows 9x/3.11 into a daily base. Exist better alternatives to legacy systems, like Puppy Linux, and Wine is mature enough to support the majority legacy applications. It's cool seeing ClamWin as an alternative to protect legacy systems, but it makes harder to fix bugs into these versions that (as I read into another post, I think that were alch who replied it) we are not interested into support. Most AV vendors doesn't offer support for legacy versions of Windows because of this.

Most AV vendors (Avast, ESET, Norton, BitDefender) uses sciter (https://sciter.com/) as UI. It's free into it's binary form, but I think it goes against the idea of Open Source. So I though into htmlPy as an alternative: http://amol-mandhane.github.io/htmlPy/

Most conventional UIs are locked down into the widgets that they provide (as wxPython, Windows Forms). Using a HTML front-end allows the beautiful interfaces that we see on Avast, ESET, Norton, allowing full customization and, at the same time, allows segregate the UI logical (HTML) from the backend logical (Python). But htmlPy only supports Python 2.6 and up, that only supports Windows 2000 and up. But I really wants to talk with ClamWin devs about it, principally alch, because he first developed the UI. We can develop some prototypes (maybe we can use Mockplus) to show up to community and suggest changes. The problem is that we never get a consensus, XD

We can wrap the UI to Pyc (https://github.com/clamwin/pyc) to show definition status, and reads the reports to show the recent threats detected at the scan and allow people take action about it from there into the main window. Allow fast and full verification presets, and to take actions to individual threats after scanning (like removing, add to exceptions, etc). There is so many things (and work!) to do, but I really think that changing the program UI to a modern one would attract the attention from the media to the project, and would help the developer community to grow! We may find a Windows Sysinternals/Kernel developer and we finally develop a functional file system driver to provide real time scan. It would be a killer feature to who uses Windows Server and it's absence of a free AV solution.

Yara sigs looks promising, and doesn't appears to difficult to implement (as read at https://blog.nviso.be/2017/02/14/hunting-with-yara-rules-and-clamav/), as ClamAV support them (I don't know if ClamWin build of clamscan.exe supports it). I downloaded the ClamSentinel sourcecode and, from what I've seen so far, the detection logical is at "Sentinel.pas" file and the ClamWin scan logical are at "UClamWinScanner.pas". It would be easy (in theory, from what I've read on the post above) to adapt the ClamSentinel code to run custom YARA sigs if ClamWin supports it (only adapt the code at "UClamWinScanner.pas"). But ClamWin doesn't run known YARA sigs on it's own when ClamSentinel calls it? Developing custom yara sigs to deploy at ClamSentinel can be a little intensive process, ClamSentinel already scams script files (JS, VBS)... so I don't know if it worth it: it will be released soon or later into a ClamAV update. Maybe we could add a pattern to detect scripts that uses Base64 encoding to obfuscate it's code to detect it as suspicious and send it to quarantine.

I know that ClamAV is not exactly a daily-base AV. I read into a post here on the forums that it took 17 months for them to analyze a sample, and in average 3 weeks to add signatures to known viruses. XD But most of the infections that I've found so far were infections that ClamAV could detect built-in, and most of them could be avoided if Windows were fully updated through Windows Update. Into a Active Directory environment, users running without Administrator permissions are hard to get infected with system-wide viruses (only ones that uses system vulnerabilities/buffer overflow to get it in). I believe that ClamAV is enough for commercial environments, if you're using it with combination of a Proxy server, and Snort, and SmartScreen (IE)/Google Chrome to avoid known malicious sites. I've read somewhere that ClamAV are working to work with Snort rulesets, it would give an overall protection. Maybe in the future we can work around it to develop a HIPS (Host Intrusion Prevention System), a killer feature that I know that Comodo has (but I don't know if they use Snort or other engine), but it would require a lot of work, and I have no knowledge to keep it going.

Another thing: We could share the ClamSentinel source code through GitHub. Even discontinued, more people can study and help into the code, as it's still used by many people as a resident protection for ClamWin.

And yes, the help of the community is important a lot, principally non-devs! It's important that even then can use the program without reading the docs, so a Easy-to-Use interface is essential. Requesting features to ClamWin WebAdmin, issuing bugs through GitHub Issue tracker, it all helps! I'll add extended information to install ClamWin WebAdmin, but actually it can be run into XAMPP (https://www.apachefriends.org/pt_br/index.html). Just download the repository as ZIP (or use GitHub Desktop to automatically sync changes on source code) and extract it to C:\xampp\htdocs\clamwin-wa. Now, open xampp-control.exe (available at C:\xampp) and start Apache. Access "http://localhost/clamwin-wa/dashboard.php" through your favorite web browser to access the WebUI.

Hello:

I think that marriage would assure you continuing life for a long time! Good luck with it!

The ClamWin developers have not shown much interest in further development for a long time. They are essentially just passing through some (not all) of the new code that is developed by Clam AV. Perhaps this could be a way to light a fire under them!

Some users would like a new UI. Personally, I like the Clam Sentinel UI--via the system tray menu. It probably requires much less code. There is nothing wrong with nostalgia though--just because something is new/up-to-date, that does not mean it is any good.

A lot of work on ClamWin was done via Python, and I think it may be holding it back some. Perhaps that is why the developers do not pass through all the Clam AV code.

Yes, ClamWin seems able to handle the Yara detections, but Yara may be a bit slow if you are using a real-time scanner. Clam Sentinel can't do anything with Yara but give an error message.

When I was a sigmaker at Clam AV (owned by Sourcefire), they did not devote much effort/resources to Clam AV. It is not much of a revenue producer, and a few people only worked on it in their spare time (mistake because user experiences are a good source of intelligence--Panda does a lot with it). I think that Cisco is a bit better, but it is still not a revenue producer for them. In fact--when Clam AV was self-owned, Cisco used it on hundreds of machines, but did not give one penny to support it.

I expect one of the ClamWin developers will read these posts, and you will hear from them.

I think we have a similar philosophy, but I am not a programmer, and I am not sure I want to put for the effort to be one. Let me know if I can help you, however. My personal email is rscrogg at gmail dot com.

There is nothing wrong with your English!

Regards,

Yes! I do believe that it should motivate not only them, but the media and, principally (and the only motive that matters after all), the community that uses and believes in ClamWin! I think that they would take a fright seeing ClamWin with a new UI after an update! =)

About Clam Sentinel, maybe it should be rewrite into Python and drop support to Windows 9x (VxD driver), as it's hard to provide support (it requires a special build process and a virtual machine to test the driver, and would be need to learn how to build it, and sincerely, I'm not sure that someone into the community would like to provide support for it). The file that process the ClamWin scan call of ClamSentinel could be wrapped into PYC (Python AV oficial extension of ClamWin) if it would be ported to Python and would unify the logical of ClamWin, Outlook Add-on and ClamSentinel, as well it's GUI. And would be more simple for developers contribute to the project (they only need to know Python, and it's unify the development). In fact, my dream would be adapt Ariad code (a file system mini-filter driver written in C) to support on-access scan built-in into ClamWin and add basic heuristic from ClamSentinel to ClamWin code (even it being a bit outdated) and let ClamSentinel rest in piece. In fact, the language it were developed (Delphi 6) was discontinued for years (at 2003) and no one should develop newer apps through it. =( But I'm happy that Andrea Russo, you and a lot of people worked on it to make it possible! The development language doesn't matter in the end, the important is to see it working, and it ClamSentinel does his work very well taking in count it's release date and it's capabilities. It's one of the fewer projects to develop a real-time scan for ClamWin that became something real, and I'm grateful for that.

For Ariad works well, it would be necessary run ClamWin as a service and we send the files to scan to this service, instead of calling clamscan manually (as ClamSentinel does) to avoid loading the DB all the time. I just don't know how to start. I need to learn how to send sockets through C and read output from it. The logical to deny access to the file is already present into Ariad. We just need to figure it out how to make it scan the file and, if it is infected, deny the access/send it to quarantine, or allow it if user has set a exception for it. I know that writing here on the forum is easier, it may took months (or years) to make all of it that I wrote on the post and I don't know if my way of thinking is right, so here enters the (real) C devs to discuss, but I really don't pretend to give up from it. ClamWin will be kept on my machine always, and everyday that I see a database update I will remember it, even if took years for me to learn C, I'll learn enough to figure it out how Ariad works and adapt it (or we develop a new GUI to ClamWin and releases ClamWin WebAdmin and, with the donations increases [as I believe it will!], hire a developer to do it for us! Or maybe some C dev with free time may believe on it and donate it's time to make it possible) =D

What happens exactly with ClamSentinel and Yara? Can you send a sample and step-by-step to reproduce the symptom? What OS are you using? Reading the ClamSentinel code, I could find specific code to some versions of Windows (Windows 8, 7, etc.). There is no condition to Windows 10 (as ClamSentinel was abandoned before it). But I'm not sure it causes any trouble (at least, I could not find anyone talking about it). I just need to learn how to build the Delphi code. It's looks like a lot with VB, maybe I can give a look to figure out what's going on. About the less code of the UI: in fact, you're right, it's always desired. Most the code I've found so far were a few lines of loading icons and tooltips. I could not find the menu UI yet though. It's good, because it means that the UI logical is separate from the detection logical! But I think that maybe would be good to receive a message before sending the files to quarantine automatically. As nostalgia, I liked the Avast 4 one (http://1.bp.blogspot.com/-f5oeAtVrp3I/TkB4fKNmVOI/AAAAAAAAAUc/eRacyk2sMNE/s1600/avast_eicar.png), that looks like your PC has found a Bomb and that sound, OMG! Looks like the PC were going to explode! I had fear from it when I was a child and receive that message when I were chatting at MSN Messenger! And that Winamp interface that Avast had at the time... looks like a media player XD Maybe the dialog could be an optional feature, and still provides a way to make ClamSentinel quarantine files automatically for those who likes how ClamSentinel works does today. A way to unify the ClamWin and ClamSentinel quarantine would be good. Other thing that could be improved at ClamSentinel code is quarantine: it could add an exception to the file automatically before releasing it of quarantine. It's so funny seeing it quarantine the file that you released a second ago. XD I know it's not hard to do it now, but for an average user (even with the message at the Quarantine informing about it), it's not so intuitive.

From what I've read on the net, before ClamAV being acquired by SourceFire, it were a project of five people. It's impressing what them done! Cisco developed Immunet (an AV based on ClamAV engine) but (even it being apparently free until version 5) never opened the code of it. Now it's releasing AMP for Endpoints, a commercial solution that still uses ClamAV engine as closed-source. But still, I thank them to still provide signatures and ClamAV development alive. But even if the project were "abandoned" by Cisco into the future, I think that the community would embrace it, as most mail servers still uses it for protection, and a lot of students would like to put it's hand on the code to learn on it (principally those who studies IT Security). There is some commercial enterprises that uses ClamAV into their product to provide mail protection, like Astaro Gateway (now Sophos UTM), Barracuda Next-Gen Firewall, and others. But even having big companies using it, it's sad being too little features being added to ClamAV project through the years. As you, I believe that ClamAV doesn't receive the attention it deserves. =(

I'm not exactly a programmer too. I started to figure it out starting with Batch scripts to automate some stuffs on Windows, than I would like to hide the batch cmd window and to use less workarounds instead of calling EXEs and parses it output so I started working with COM objects directly through VBScript, so VBScript were limited because it could not call .NET APIs and I started working into C#, and now I'm starting working with Python because I always wanted to learn it because it's cross platform but never find a project that I really would develop something useful through it... until now. I always seen new releases of ClamWin and never though that the community (principally devs) were so little, but I understand it. The things changes into the life of everyone and the free time is less, and the ClamWin project offer practically no revenue (I believe), it's a miracle to have this project alive and I'm grateful to everyone that still believes on it, in special alch and sherpya, you, and others that actively works into ClamAV code to port it to Windows and replying questions into the community. Without the help and specialties of everyone, it would never be possible. Maybe I'll never learn enough to keep the ClamAV code port into C, but I can help with the knowledge that I have acquired through the years to work into the UI and the Python part of the code.

Into a first moment, I want to build ClamWin GUI successfully, then I want to start working in a port of it to htmlPy (I don't believe that wxPython is the way to go now... but it's a thing that should be discussed with alch and serphya I believe, but even if I could not contact them, I'll try to start developing a new UI and posting the progress into the forums and GitHub, maybe opening polls to vote into the prototypes and suggestions of menus and UI features here on the forums - one thing I know, I don't want to do it on my own - even if I were the only one programming into it, the opinion of everyone is important) and release the executable to replaces the ClamTray that comes with ClamWin for beta testers that would want to test the new interface. As it is approved and tested, we can commit the changes to ClamWin UI code to the master branch and make it available to all users into the next update. And I really really really wants to get your help (and the help of community) to test the new UI into it's beta stage!

One thing that I would like to do is porting the EXE installer to MSI using Wix Toolkit. Even with NSIS and other open source alternatives, it's a pain trying to deploy EXEs into commercial environments (Active Directory), and Windows Installer is de facto the standard to installation of software into the Windows platform. =) Some complains that an MSI installer would make impossible install ClamWin into machines started on Safe Mode, but if the viruses is expert enough it will prevent the ClamWin loads anyway or infect it's EXE before letting it be loaded (Sality does it - kill ClamWin executable and infect it). Running ClamAV engine through UBCD Live (http://www.ultimatebootcd.com/ubcdlive.html) is a better alternative, and the PortableApps community can continue it's efforts to support ClamWin Portable as it does today. After the machine is clean, it can installed normally through MSI. If installing through MSI were really a problem, Kaspersky would never provide a MSI installer for it's AV.

I'm happy that you can understand what I wrote. But it would be a disaster if I try to talk in English, there is little to no one people to train the conversation, it's funny when I try to sing a English song, I laugh every time I try. XD I just started learning English because most IT docs are in English, songs, musics, films, almost everything in the word holds the US flag, it's hard living without it. But the US will never stole my hearth, it's a Brazilian one already.

The Sentinel real-time scan and the heuristics are the most important features. Andrea Russo put in an undocumented option to run Sentinel by itself with heuristics only, but you need to install ClamWin initially. You can uninstall it after that.

I am sure that Andrea would appreciate that you like Clam Sentinel. We worked very hard on the heuristics for 3 months--about 30 different versions!

A user made a post on the ClamWin forum some time ago telling how to install ClamWin as a service. I have never done it because it is somewhat involved.

A question to ask before much new work is donw is: Is ClamWin worth it to keep using it.

I will get some Yara sigs and let you see the Clam Sentinel error message. There may be the same problem with all non-Clam AV signatures.

I use Win 8.1 on my laptop, and Windows 10 on my wife's computer. Sentinel used to work okay on Win 10 until MS did a Patch Tuesday a year or so ago. It will still work if you install it as an administrator.

The Clam Sentinel Quarantine Recover is much better than the ClamWin QRestore program, It needs to be incorporated into ClamWin.

The last project Sourcefire had the original Clam AV team work on was an admin control panel for AMP. They left after that.

If all you do is develop an new GUI/admin panel for ClamWin, that would still be great!

It certainly looks like Chinese might be the language of the future!

Regards,

I will try to see if I can find this option into the ClamSentinel code (to run it into heuristics mode only).

From what I've seen into the ClamSentinel code, it uses hard-coded heuristics. I'm impressed on the work that you and Andrea Russo made on it! Would be great if we somehow could upgrade them through definition updates (maybe using Yara signs?). I love Yara, it looks simple and powerful. But it is a work that would we can think about into the future, after the release of the new UI.

You installed it as Admin and still it doesn't start if you don't set it to start as Admin? I think that the best we can do is migrate ClamSentinel to Python and integrate it as an optional heuristic module into ClamWin. In fact, Delphi 6 is problematic into 64-bit builds of Windows OS. As I already working into IT support, I had a lot of calls of government programs developed into Delphi 6 that we had to use workarounds to make them work. =( I'm not saying that it's the case, but would be great if we could port ClamSentinel to a development language that is still supported by community and that we can ask on their forums for help if we found some bug into a specific piece of code. The APIs that ClamSentinel uses (ShellNotify) are presented into other languages (I see it into C++ at Ariad code), and it can be implemented into Python through Watchdog library.

I successfully downloaded ClamWin sources through GitHub but I'm having difficulties to build "pyc" module, as it apparently requires we build all ClamAV code of ClamWin (if all Python devs should build ClamAV from code, it became a wall that put away most of them - maybe I can offer it pre-compiled to allow the pyc module be easily installed for future devs). I installed the Visual Studio Express C++ 2005 and Windows Server 2003 SP1 SDK, and I will try to build it again. Into the last case, I'll use an old version of libavclam library and build the UI through it, but I think that sherpya would kill me if I do that XD

One thing that I think is that probably Andrea Russo made it separate from ClamWin Quarantine because ClamSentinel can run both into ClamWin Portable and with ClamWin installed on the machine (or, at least, it were his intention, as there is references to ClamWin Portable into the code). If we join the ClamSentinel Quarantine with ClamWin one, maybe we loose this capability (running ClamSentinel as Portable). But, sincerely, I don't see much sense running ClamSentinel as portable, because the most majority of viruses would require admin rights or system rights to clean them, and if the user has admin rights into the machine, it would be better install ClamWin and run it as a service into system context, as it would allow cleaning the virus. One thing that I miss into both quarantines is the type of virus identified directly into quarantine window. Maybe we can provide this info into the new UI. And yes, ClamSentinel quarantine is better, =)

Now, the question that breaks my heart (that, in fact, needed be took into account): ClamWin worth it? It makes me think about the ClamWin project... What were alch and sherpya intentions with the project? Maybe ClamWin just birth because they needed a ClamAV build for Windows to protect some system (maybe a mail server) into Windows platform? I was starting with the assumption that they port the ClamAV engine specifically for use into ClamWin, but I maybe wrong... In fact, sherpya still works into ClamAV port (his last commit into the code were yesterday - https://github.com/clamwin/clamav-win32), but the UI seems maintained since 2008 (from what I've read so far into the code headers of the Python UI files)... I have hopes to talk with sherpya, but alch looks missing here into the forums... As I said, it's not an obligation be here, the life changes, the priorities, everything... But I didn't think that the ClamWin community were so needy of devs. I see that some started working into a new UI, and even into i18n (translation) support to ClamWin UI, but it never became commits into ClamWin GUI code... It makes me feel so sad! I really loves ClamWin! So much that I'll interrupt ClamWin WebAdmin by now to develop a new UI to it! =)

Edit: I read the About tab at ClamWin and I saw it was compiled by NetFarm, that isn't exclusively related with ClamWin project. It explain some questions that I had above, but I'm still intrigued with alch and serphya motivations...

I think yourself can reply if ClamWin does worth it. In fact, I don't believe ClamWin deserves it! Before killing me, let me finish! XD Even it not being a daily AV, it has a good detection rate for an opensource alternative for known viruses and it's the only opensource AV for Windows that I found so far that is still into development. I had seen a lot of students that uses ClamAV port from ClamWin to build it's "own" antivirus for it's classes here into the forums. Would be great if they passionate with the project and keep learning and contributing to the project. I really believe into ClamWin potential, it's one of the only that we can extend it freely (example: the ClamWin WebAdmin that I started working at) without fear of going to the court because Copyright issues. Other example that I could found were with ClamSentinel developer: I read somewhere that he cogitated to use TrendMicro engine into ClamSentinel. But he didn't because Copyright issues. I don't pretend to gave up ClamWin, maybe we can call attention from the media and get new adepts to the community that can help us into further ClamWin development, or at least donating to the project to allow it keeping alive. Only if sherpya stop the ClamAV port (I wouldn't even know how to start!), and it's engine be considered dead, that I pretend to gave up from the project =) You've been here on the forums for years now, I believe that ClamWin is special for you too and you don't want to see it dying! =)

About the ClamWin GUI: I think in migrating it to Aero Admin (http://demo.felippepuhle.com.br/aero/). With it, I can use the same UI to WebAdmin and ClamWin. It offers a lot of elements built-in that I can use to populate ClamWin API data. =) Using it make it easier focusing into ClamWin code instead of fixing bugs into UI code. It's much more easier to implement i18n (translation), among others, into a HTML interface.

Offtopic: I think that Andrea Russo would love the state that I live (Rio Grande do Sul, Brazil). It has a lot of identification with Italian culture. In fact, many foreign stabilizes their selves here into 1890-1930 migration period (but the principal foreign are the Germans). We even have a Japanese colony here.

I do speeches into the local open source community into my state (TcheLinux), and into this event there is a lot of devs (there is about 200 people - not all of them are devs, but most are skilled Linux and dev guys). They would freak out when discover that there is an open source AV for Windows with a UI that gives you will to test! I have some contacts into 1? CTA (the IT organization from Brazilian Army at Rio Grande do Sul's state) that I could contact to spread the use of ClamWin into Brazilian Army (at least into Rio Grande do Sul's comprehensiveness). In fact, I heard that in Brasilia (Brazil's capital) army base, most desktops use ClamWin and ClamSentinel for AV protection. The Brazilian army has developers that works into internal systems, maybe if we can show them the potential of ClamWin they can help us into further development. On my country, some states has determined in law the preference to open source software instead of closed ones (but, in fact, most government institutions use open source because the low budget).

Maybe we can call attention enough of PROCERGS (the IT institution from Rio Grande do Sul's state - most software developed by them were Delphi, I think that they're starting migrating to Java right now, but for them to develop ClamSentinel would be so easier to them!), and maybe we can even call attention from SISP (the IT institution that take care of Brazilian IT, but it is starting dreaming out loud - but it's possible). There is members from TcheLinux that knows/works at PROCERGS and can start divulge it as an open source AV alternative.

Finally build pyc module through MinGW to start working into a new UI to ClamWin! =)

The progress can be accompanied at https://github.com/coldscientist/clamwin-htmlpy-ui (I documented the process to build pyc module and ClamAV lib into details, I sleep over 3 hours this night trying to build it

Initially, I tried building it through Visual Studio C++ 2005 Express Edition without success [but the progress that I got are documented at 0.0.1 branch of clamwin-htmlpy-ui, if useful], but after I discovered that ClamWin is built through MinGW to keep compatibility with legacy versions of Windows I built pyc with MinGW and it were far from easier to build than Visual Studio after all) =)

Some information for you!


Here is the undocumented Clam Sentinel configuration option to use heuristics only:

NS= (No scanner options (actually the scanner is Clamwin--not Sentinel System Monitor);
0 = default; 1 = disable the scanner but the usb full scan and the memory scan are enabled;
2 = disable the scanner)

The scanner referenced is ClamWin. The undocumented default is always NS=0 NS=1 will disable scans using ClamWin except for USB and memory.
NS=2 will disable ClamWin scans using ClamWin and use heuristics only. The heuristics are only for Windows PE files.



Using Yara with ClamWin/Clam Sentinel:

Clam Sentinel error message when a Yara signature is in the ClamWin database:

##### Saturday, January 27, 2018 3:26:47 PM (Bob@BOBSSURFACE)
Scanning \\?\C:\USERS\BOB\APPDATA\LOCAL\TEMP\~DF6E6F4E5CC9E80663.TMP
LibClamAV Error: yyerror(): C:\ProgramData\.clamwin\db\Big Numbers.yar line 1 syntax error, unexpected '+'
LibClamAV Error: cli_loadyara: failed to parse rules file C:\ProgramData\.clamwin\db\Big Numbers.yar, error count 1
WARNING: Can't open file \\?\C:\USERS\BOB\APPDATA\LOCAL\TEMP\~DF6E6F4E5CC9E80663.TMP: Permission denied
##### Saturday, January 27, 2018 3:27:41 PM (Bob@BOBSSURFACE)
Scanning \\?\C:\VIRUS TEST\XTOPH.EXE
C:\VIRUS TEST\XTOPH.EXE: OK
LibClamAV Error: yyerror(): C:\ProgramData\.clamwin\db\Big Numbers.yar line 1 syntax error, unexpected '+'
LibClamAV Error: cli_loadyara: failed to parse rules file C:\ProgramData\.clamwin\db\Big Numbers.yar, error count 1


Yara signatures work okay with ClamWin. See message below from scanning the same file used above with Clam Sentinel:

----------- SCAN SUMMARY -----------
Known viruses: 6397756
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 1
Infected files: 0

Data scanned: 0.14 MB
Data read: 0.13 MB (ratio 1.03:1)
Time: 16.281 sec (0 m 16 s)


Regards,

Hello GuitarBob,

Thank you for the feedback and for finding the NS info! I will give a look into it.

I'm not sure, but maybe this problem can be related to VirtualStore (https://support.microsoft.com/pt-br/help/927387/common-file-and-registry-virtualization-issues-in-windows-vista-or-in) that I've found a lot into Delphi 6/VB6 legacy applications. I believe that into ClamSentinel rewrite to Python it should be fixed itself, as VirtualStore normally is thrown as a "compatibility" layer for legacy applications.

Will Python be fast enough for an AV? I know that many security experts use it to prepare quick malware analysis aids, but I don't think any AVs actually use it. I think the ClamWin developers used it because it was easy and available.

I will look at your long posts above later.

Regards,

In a first moment, I pretend to port ClamSentinel logical to Python. In theory, it should work exactly as ClamSentinel does today, maybe not as faster as ClamSentinel, because py2exe (ClamWin compiler) doesn't compile ClamWin source code into machine code (specific to the platform they support) as Delphi does, but into Python bytecode one. I pretend to port CreateProcess Hook from Moon Antivirus too. It'll increment ClamSentinel functionality, that will scan EXE files before they run (even it being easily to workaround for a crafted virus, it's better than nothing). I believe that the CPU load that would came from these changes (porting to Python and intercept CreateProcess hook) will be compensated with ClamAV engine running as a service.

But it will not be a real-time AV, instead, it will be considered an "on-access scan". Would be need a C dev to build a file system minidriver/kernel driver to support a true real-time scan into ClamWin, but it's more than my capabilities today =( But I believe that Ariad (https://blog.didierstevens.com/programs/ariad/) maybe a good start. There is the real-time protection engine from Hazard Wizard (https://github.com/xqrzd/HazardShield), that's promising. He appears here on the forums for awhile, and he start developing an On-access protection to ClamWin (http://forums.clamwin.com/viewtopic.php?t=3914&postdays=0&postorder=asc&start=0), but now the source code is unavailable and he is missing. I sent an e-mail to him this week, but didn't receive a reply (at least, not yet).

But I think that ClamAV engine (not ClamWin), even written in C/C++ (a low level language that is lightweight on it's own) wouldn't be faster enough into a real-time engine (aka., even with a kernel driver developed around it) because it wasn't the focus of ClamAV engine. Even into a comparison between running ClamAV as it is today and as a service, some users reports that it took about 5 seconds to scan a file against 20 seconds as it is today (http://forums.clamwin.com/viewtopic.php?t=4178&highlight=seconds). It's 5 seconds, not a problem into a manual scan. But it can be a problem if the user runs an executable and wait for the engine scan the file. Maybe I should make a check for exe file size (and allow it customize through UI) before scanning a file into CreateProcess Hook interception, to avoid high delay times.

My biggest preoccupation is with ClamWin UI, it will be a lot bloated than it is today with htmlPy (I'm trying to develop it the most lightweight that I can, avoiding unnecessary JS and CSS), and it'll break Windows 9x compatibility - and I'm not sure how Jinja2 (Python Template Engine) will behave into Windows 2000, in theory, Windows 2000 is compatible with Python 2.6, but I'm not sure if WebKit will be. Maybe we can still provide the legacy UI with ClamWin installer for these versions, or let them go. Even the UI being incompatible, sherpya builds of ClamAV (clamscan.exe, freshclam.exe) will still be compatible with these platforms, so these users can run ClamWin through Command Prompt, and (in theory) they can replace the ClamWin executables with builds from sherpya's ClamAV (oss.netfarm.it/clamav/) and keep the executables from ClamWin UI untouched. And sherpya provide a basic UI to update into his site to update and scan through ClamAV engine too. Better than nothing. =)

Hello! Your post is very interesting. I will suggest to the ClamWin developers to read it--they do not often monitor this forum now. Perhaps they can provide some direction. ClamWin badly needs to be upgraded/improved. There have been some attempts to do so, but not much work ever gets done. You might consider using a combination GUI/console manager. It would be a good first step toward improvement.

I fear that ClamWin will soon be no more. The developers are not interested in improving it. They have had lots of opportunity to do so. I have been a Clamwin user since 2006, and I worked for 5 years as an Open Source sigmaker on the Clam AV team. I have monitored these ClamWin forums for many years to give the ClamWin developers time to develop the program. All to no avail. I no longer use ClamWin as a backup scanner . I now use Microsoft Windows Defender, the free OS Armor program, and a commercial antimalware program as my security setup.

Regards,