ClamWin Free Antivirus Support and Discussion Forums
Clam AV Community-Based Signatures
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
The Clam AV team is starting a community-based virus signature program in which they are soliciting signatures from the user community, which includes ClamWin. I see they are not looking for file hash (HDB) signatures. I assume however, that a section hash (MDB) signature would still be acceptable (primarily for the code section or the RSRC section) of a Windows PE file. Anyway, all the details are available at http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html on the web. I hope this increases the Clam AV signature output, as it is presently especially poor/slow for user submissions.

Regards,
brucecy92


Joined: 04 May 2020
Posts: 2
Location: London
Thanks for sharing
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
I don't really recommend using the community-based signatures. They are a bit of trouble to set up/use for us individual Windows users. I think they are intended for the Linux email server people.

Regards,
Anybody alive
gianpaolomapacpac@yahoo.c


Joined: 05 Dec 2010
Posts: 23
Location: Philippines
Do alch and sherpya still do the development of ClamWin antivirus?
Is anyone here still alive?

I just recovered this account, since I made it back in 2011.
Oh, and can the Site Administrator enable HTTPS (SSL) with Let's Encrypt?
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
There is nothing going on now with the ClamWin developers or with the ClamWin site. I'm just waiting for an official post from Alch that it is dead.

Regards,
gianpaolomapacpac@yahoo.c


Joined: 05 Dec 2010
Posts: 23
Location: Philippines
Oh, so they are still maintaining the site host?
You're still here, thanks.

I just want to ask this: is ClamWin supposed to work on Windows 98, ME, NT, and XP?
Clam Sentinel died back in 2014. I may want to work on ClamWin, but I am not that expert in programming yet.

Cisco's/Sourcefire's ClamAV engine appears not to support Windows XP anymore.
Sherpya has a GitHub, but I will try to reach out. As for alch, I have no info on where.
I just need the documentation on what they do when porting ClamAV, and their development environment/tools used.
gianpaolomapacpac@yahoo.c


Joined: 05 Dec 2010
Posts: 23
Location: Philippines
Wow, I didn't know you were the sentinelguy. Thank you.
I think you should remove the emails to prevent spam now. I saved them earlier.
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
Good! I intended to remove the email addresses after I gave you enough time to read.

I am also the Robert Scroggins that Andrea Russo gave a special thanks to in the credits to Clam Sentinel. I was working as a Clam AV sigmaker at that time on behalf of the open source community, and I was able to help him with the heuristics and testing. I was with him then until the end.

Do you know the guys at OS Armor? Looks like they have a good thing going now, and they are starting to charge for it. They have a separate site for OS Armor now.

By the way, I think it is time to quit supporting Win 98 and maybe XP--that should make it easier to port ClamWin.

Regards,
gianpaolomapacpac@yahoo.c


Joined: 05 Dec 2010
Posts: 23
Location: Philippines
Yeah, I knew that you were the Robert. I read the SourceForge discussions on Clam Sentinel, and there was this interesting article on someone talking about using the Kaspersky source code, but the continuation of the thread resulted in a 404. It's this guy: https://github.com/kenkit

I don't remember OS Armor, but NoVirusThanks seems familiar; I think I may have looked for them in the past.

I posted a comment on Sherpya's GitHub, waiting for the reply.
I am trying to determine the difference between these two repos:
https://github.com/clamwin/clamav-win32
https://github.com/clamwin/clamav

Which of them is being used in the ClamWin project? From what I understand, sherpya or alch ports the code because they want it to work on WinXP and below, but also adds improvements such as unloading the virus process from memory (killing the virus process?) and adding information on the original file location when quarantining the file. Am I right? Because the default clamav.net win32 packages do not have that capability.

I do still know a few companies that use WinXP, but they are medical, and I wouldn't recommend installing ClamWin there. Especially when a bug may cause loss of life or equipment.
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
I don't know anything about the Kaspersky code, but I did hear a year or so ago that it had been leaked. It is not open source, and any Kaspersky code used by anyone other than Kaspersky is illegal.

The new OS Armor version stops malware from using over 200 ways to infect a Windows computer. It doesn't delete the malware--it just stops it from working and gives the user a warning. I don't know if it works on XP, but I think it will, and I have been recommending it to XP users. They are charging for this new version, however, but there is a 30 day free trial.

From the name, it looks like the repository with Win32 is what Sherpya prepares for Alch so that he can port it to ClamWin. The other one looks like it is just Clam AV Linux code.

Regards,
gianpaolomapacpac@yahoo.c


Joined: 05 Dec 2010
Posts: 23
Location: Philippines
This is the thread that I was talking about: https://sourceforge.net/p/clamsentinel/discussion/976132/thread/e3f91b8d/
I'm trying to contact that guy, but no replies yet on his GitHub repo. The thread is about porting Clam Sentinel to C/C++.

I don't think that I can create a Windows kernel filter driver, because it requires a signed driver, and it should cost a lot of money to buy.
The method I've tried is to create a Visual Basic .NET file system watcher to detect file access, read, and write; it will execute clamdscan to scan that file.
I am also the developer of this project, but I forgot about it after 2014; I'm currently in the process of recoding it or just shifting everything to ClamWin.

The old project is here; somehow I lost all the source code: https://sourceforge.net/projects/gpm-clamantivirus/files/
I tried to reboot the project in 2019, but now I have lost access to my site and a bunch of other accounts.

My GitLab:
https://gitlab.com/gian.mapacpac/GPMAV

I'm trying to understand the Clam Sentinel code; it is in Object Pascal, and I forgot all about it.
I'm more of a VB6/VB.NET person for now, but I am still learning other languages. Everything seems to be shifting to web dev nowadays.
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
Yes, I had forgotten all about that attempted Clam Sentinel project. I guess I didn't check it out much. It seems that nothing ever came of projects to improve ClamWin. It's a pity, but a non-commercial AV just can't succeed without a revenue base. Alch never was interested in getting one for ClamWin other than a quick attempt at incorporating some opt-in advertising for a short while. I always thought that he could have gotten a few dollars from each committed user. At one time there were several hundred thousand users of ClamWin.

As mentioned, Sentinel was in Delphi mostly, but I think there may have been a bit of Pascal that Andrea used in one or two modules. He incorporated several little utilities in the code to examine PE headers, compute entropy and things like that. Andrea said he used "exclusive control" to control a file while he was scanning. I think that is similar to control used to protect files on networks while someone is working on them. Whatever he used worked, although it was not really a filter driver. I don't think he was up to working with a filter driver. He had to perform the Sentinel heuristic scan first before using the ClamWin scan, and it was much faster than ClamWin's scans.

I don't really recommend using Clam AV/ClamWin as the basis for an AV--unless you can speed up both scanning and loading the databases. They should have loaded the DB upon startup and kept it in memory somewhere. The Clam AV signatures are also not enough to provide good protection to anything other than a Linux email server! Clam AV/ClamWin also has practically no heuristics. Sentinel had some good common sense heuristics at the time because I was working virus signatures for Clam AV and was able to help Andrea. The Sentinel heuristics did enable it to provide protection to ClamWin users at the time that was probably better than similar non-commercial AVs, but you have to keep improving to keep up with the malware writers!

Regards,
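The two signature types named in the opening post (file hash HDB and PE section hash MDB) and the PE header/entropy utilities mentioned in the post above are simple enough to show end to end. The following is an added example written for this page, not code from the thread, from ClamWin, Clam Sentinel or ClamAV. It builds a tiny two-section PE32 image in memory (a constructed sample, not a real binary), parses the section table the way any PE-aware scanner must, and emits an HDB line (`MD5:FileSize:Name`) and MDB lines (`SectionSize:MD5:Name`) in the layout documented for ClamAV `.hdb`/`.mdb` files. It also computes Shannon entropy per section as a packer heuristic; the 7.0-bit threshold and the `Test.Sample` malware name are assumptions for illustration. For real submissions use `sigtool --md5` and `sigtool --mdb` on the actual file; this code only reproduces the format, and it refuses files whose section headers point past end-of-file, a case sigtool handles in its own way.

```python
"""Toy PE section parser: HDB/MDB signature lines and per-section entropy.

Added example for this page; not ClamAV/ClamWin/Clam Sentinel code.
"""
import hashlib
import math
import struct
from collections import Counter
from typing import List, NamedTuple

ENTROPY_THRESHOLD = 7.0  # assumed heuristic cut-off, bits per byte


class Section(NamedTuple):
    name: str
    raw_size: int     # SizeOfRawData from the section header
    raw_ptr: int      # PointerToRawData (file offset)
    raw: bytes        # the on-disk bytes of the section


def md5_hex(buf: bytes) -> str:
    return hashlib.md5(buf).hexdigest()


def parse_pe_sections(data: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            # Header claims bytes beyond EOF: a hash of what is there would
            # silently differ from a hash of the declared size, so fail loudly.
            raise ValueError(f"section {name!r} is truncated")
        sections.append(Section(name, raw_size, raw_ptr, raw))
    return sections


def hdb_line(data: bytes, name: str) -> str:
    """Whole-file hash signature: MD5:FileSize:MalwareName."""
    return f"{md5_hex(data)}:{len(data)}:{name}"


def mdb_line(sec: Section, name: str) -> str:
    """PE section hash signature: SectionSize:MD5:MalwareName."""
    return f"{sec.raw_size}:{md5_hex(sec.raw)}:{name}"


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def high_entropy_sections(sections: List[Section]) -> List[str]:
    """Names of sections that look packed/encrypted under the assumed threshold."""
    return [s.name for s in sections if shannon_entropy(s.raw) > ENTROPY_THRESHOLD]


def build_sample_pe() -> bytes:
    """Constructed 2048-byte PE32 image: a plain .text and a high-entropy .rsrc."""
    text = b"\x55\x8b\xec\x5d\xc3" * 100 + b"\xcc" * 12          # 512 bytes, repetitive
    rsrc = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 pseudo-random bytes
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, PE32 opt hdr
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                  # Magic only; rest zeroed

    def sec(name, vaddr, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, raw_size, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    headers = dos + b"PE\0\0" + coff + opt
    headers += sec(b".text", 0x1000, len(text), 0x200, 0x60000020)
    headers += sec(b".rsrc", 0x2000, len(rsrc), 0x400, 0x40000040)
    headers += b"\0" * (0x200 - len(headers))                      # SizeOfHeaders = 0x200
    return headers + text + rsrc


def signature_report(data: bytes, name: str) -> dict:
    secs = parse_pe_sections(data)
    return {
        "hdb": hdb_line(data, name),
        "mdb": [mdb_line(s, name) for s in secs],
        "entropy": {s.name: round(shannon_entropy(s.raw), 2) for s in secs},
        "suspicious": high_entropy_sections(secs),
    }


if __name__ == "__main__":
    for k, v in signature_report(build_sample_pe(), "Test.Sample").items():
        print(k, v)
```

Two points a sigmaker would keep in mind: an MDB line pins one section, so it survives a repack of the other sections but not a rebuild of the hashed one, and hashing the code section of a generic runtime stub (for example the unpacker of a common packer) produces a signature that fires on every clean program using that packer. The entropy number is a triage hint for where to look, not a detection by itself.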
gianpaolomapacpac@yahoo.c


Joined: 05 Dec 2010
Posts: 23
Location: Philippines
It is fun to base a Windows antivirus on ClamAV; mostly it is only my hobby.

Sherpya made a new release of the ClamAV port, 0.103; he said that he has not abandoned the project.
https://github.com/clamwin/clamav-win32/issues/7#issuecomment-724623589
https://github.com/clamwin/clamav/issues/1
He did not answer any of my inquiries on how to do the porting, etc.
I haven't messaged alch about the guide on how to port ClamAV.
Anyway, can you delete some spam/advertising threads in this forum?
If you don't have the time to delete them, maybe you can grant me mod rights to be able to delete them. I will delete those spam messages when I have time.

Thank You
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
I delete spam when I see it--usually every day. Alch is the only one who can give admin rights to someone.

Regards,
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
What I like about OS Armor is that even with the trial version, you can see what their protection is. This would make a good model for a real AV. You can see all the things they protect against. If anything they protect against tries to infect a computer, they will block it (not quarantine). They say they have 250 items they protect against, and you can make your own protections also.

Regards,