ClamWin Free Antivirus
Support and Discussion Forums
aru


Joined: 09 Jul 2009
Posts: 42
Location: Italy
GuitarBob wrote:
Hello Aru:

I believe you mentioned that Sentinel doesn't scan in subfolders, is that correct? Of course, you need to be able to scan as deeply as possible, but if you scan a directory and two subdirectories under that, you will take care of most viruses. Tonight I saw an mIRC trojan that dropped many files in C:\Windows\Temp\Spoolsrv, and I don't believe that Sentinel was able to scan them. ClamWin has a Scan In Subdirectories configuration option.

Regards,


Clam Sentinel scans all subfolders, in the sense that it detects the changes made in all subfolders, but the previous version didn't detect filesystem changes in some cases.
Try the new version 1.5, which uses a new method for Windows 2000 and later (for Windows 98 it continues to use the previous method until, I hope, I develop a VxD).

bye,
aru
aru


Joined: 09 Jul 2009
Posts: 42
Location: Italy
dw2108a wrote:
Aru, as a fellow DOS, 3.x and 9x/ME enthusiast, I would like very much to lend you my encouragement with this project.

We 98 users truly need someone who appreciates our 98 software.

Best,
Dave


I use Windows 98 very often, and I will continue to use it as long as I can do whatever I need: browse the internet; watch films and DVDs; use Open Office; develop with Delphi; internet phone; email; burn DVDs and CDs; photo editor; USB sticks; etc.

I have also installed Skype on my Windows 98. :) And it is often possible to install programs whose installer doesn't work because it requires a newer Windows version: if you manually extract the files from the install package, you can "install" and use the program without problems.

And Windows 98 runs very very fast on recent machines!

bye,
aru
GuitarBob


Joined: 09 Jul 2006
Posts: 4536
Location: USA
Thanks Aru (and Francis too). I will run Sentinel tonight when working malware. I also have some questions below:

Can we use wild cards when showing the extensions to scan (like VB*)? Also do the letters have to be capitalized?

What is ShowCmdScan?

Do you include the daily signatures in a full scan?

Regards,
aru


Joined: 09 Jul 2009
Posts: 42
Location: Italy
GuitarBob wrote:

Can we use wild cards when showing the extensions to scan (like VB*)? Also do the letters have to be capitalized?

What is ShowCmdScan?

Do you include the daily signatures in a full scan?


About wild cards

No, wild cards aren't supported.

About uppercase or lowercase

Letters are case insensitive.

About ShowCmdScan

This is intended only "for internal use"; however, it is the show parameter of the Windows API CreateProcess and is used to show or hide ClamScan's shell window.
In the new version, when a file is scanned the DOS window is no longer visible (SW_HIDE = 0).
If you change to ShowCmdScan=7 (SW_SHOWMINNOACTIVE = 7), the DOS shell is visible in the system bar when a file is scanned.

About daily scan

In a full scan, ClamScan is called with the db folder without specifying a file (the parameter --database=); if you set it to use the daily signatures, ClamScan is called with the daily signature file (daily.cld or, if that does not exist, daily.cvd).

bye,
aru
GuitarBob


Joined: 09 Jul 2006
Posts: 4536
Location: USA
Thanks for the information, Aru. Here are some things I noticed last night:

You do not need Sentinel to scan when a manual ClamWin scan is running. This uses a lot of CPU at times. Running Sentinel with another real-time antivirus program can also use a lot of CPU, and I think you need to caution users not to do that.

After I get a signature for a malware, I put it in the Recycle Bin until I can go back to a safe snapshot. Sentinel kept telling me about the malware in Recycle, so I put Recycle in the Directories Not To Be Monitored. I also put the ClamWin Quarantine folder in the Directories Not To Be Monitored.

The right-click options in the Sentinel icon in the system tray are nice. After configuring the .ini file, it seems that all you need to do now to set up Sentinel to run is enable real-time scanning in the options once you run the program. I think you need to explain this a little better to users--also a little better explanation of how to Stop, Configure, Start (and re-start the computer, I think) to enable any changes.

Sentinel provides good protection, but at the present time, I suggest that it be used with a regular scan by another on-demand antivirus (or a full-time antispyware program) because Clam doesn't have the staff to get out as many signatures as the commercial antivirus companies. Clam will have some heuristics in January or February, so detection of new malware should improve then.

I will work some PUAs tonight.

Regards,
dw2108a


Joined: 09 Mar 2009
Posts: 43
Location: Austin, TX
I'm missing something, and being very stupid. But how do I get ClamSentinel to scan my drive C (and all subfolders) in realtime with the entire Clam virus database?

Please tell me where I either placed or misplaced a semicolon in the ini file.

Thanks,
Dave
GuitarBob


Joined: 09 Jul 2006
Posts: 4536
Location: USA
It looks like the semicolons in the ini file just precede the instructions/comments. The configuration is done on the lines that don't have the semicolons. It also looks like the defaults Sentinel comes with are okay for most people.

Assuming the configuration is okay and you have put the unzipped files in a directory somewhere, just click on the exe file. You should then see the Sentinel icon (shield) in the system tray. Right click on the icon to bring up a menu. Click on Settings. There should be a check mark beside your configuration options. If there is not a check mark beside Run Clam Sentinel On Startup, put one there. That's it! Sentinel should scan in real time whenever you turn on your computer. Right clicking on the More Settings item will bring up your configuration file. If you want to change it, Stop Sentinel, make your changes, then Start Sentinel again.

Be sure to tell Aru your results and suggestions for improving Sentinel.

Regards,
aru


Joined: 09 Jul 2009
Posts: 42
Location: Italy
dw2108a wrote:
But how do I get ClamSentinel to scan my drive C (and all subfolders) in realtime with the entire Clam virus database?


Normally ClamSentinel uses the full signature database.

Only if you check the option in the Settings to use the daily signatures does ClamSentinel use the small database with the signatures found in the past months.

bye,
aru
aru


Joined: 09 Jul 2009
Posts: 42
Location: Italy
GuitarBob wrote:
After I get a signature for a malware, I put it in the Recycle Bin until I can go back to a safe snapshot. Sentinel kept telling me about the malware in Recycle, so I put Recycle in the Directories Not To Be Monitored. I also put the ClamWin Quarantine folder in the Directories Not To Be Monitored.


The quarantine folder is not scanned by default (it is skipped).

I preferred not to skip the Recycle Bin as well, because some months ago I got a virus that was saved in the Recycle Bin and that was activated automatically by a normal autorun.ini file.

aru
starbound


Joined: 23 Dec 2008
Posts: 99
Hello,

I have just been alerted about this clam sentinel, could someone please let me know what I need to do in simple steps?

Some questions I have are.....

1. I take it version 1.5 works separately from the current ClamWin program?
2. Does clam sentinel update defs automatically?
3. Is clam sentinel a real time program?
4. Is clam sentinel a spyware program only? Or does it warn about potential viruses?
5. Does Sentinel detect possible worms on web pages, or does it have a web shield?
6. If I install this clam sentinel now do I still have to configure any ini file, if so how do I do this?

It says this, detects file system changes and automatically scans the files added or modified with Clam Win, why would ClamWin add a file?

I was hoping to install ClamWin soon, as Avast will be dropping support for Windows 98 in the not too distant future, and wondered if I need to install Clam Sentinel.

Can this be explained please, Before starting Clam Sentinel you must edit the file ClamSentinel.ini to set your parameters

Sorry for all these questions.

Thanks.
GuitarBob


Joined: 09 Jul 2006
Posts: 4536
Location: USA
I've been using ClamSentinel since first learning about it over a month ago. It's a nice little program that works with ClamWin to add some real-time scanning functionality to ClamWin. It is not a "full-service" real-time scanner, but it acts as a "front-end" that uses ClamWin to scan files when certain "events" happen on your computer. It is a separate program from ClamWin and must be configured separately, as must ClamWin. You should install ClamWin and configure it for all options, including update frequency, before you install/configure ClamSentinel. Sentinel has no virus/spyware signatures of its own. ClamWin has both virus and spyware signatures, but it only has some of the most common spyware signatures--you should use a separate antispyware program, such as Windows Defender, in addition to ClamWin, for full antispyware coverage. Neither ClamWin nor Sentinel has a Web Shield.

Once you have installed and configured ClamWin, you can install and configure ClamSentinel. I tried to include some instructions in a post above based on my experience. You download the zipped Sentinel program from the Sentinel website. Unzip it to wherever you want--I set up a ClamSentinel Programs folder and unzipped it there. It has three files--the executable (.exe) file, the ini configuration file, and a small ReadMe file. Click on the executable file to run it. It places a Sentinel Shield/icon in your system tray. Right click on the icon to bring up the configuration menu, which has the ini file options. I would just leave them at their defaults for a while until you learn the program and feel comfortable with it. Just click on Settings and make sure the option to Run ClamSentinel Upon Startup is checked. That's it! When Sentinel scans, you will notice a gold color around the edge of the icon. Sentinel also will tell you when it is scanning if you hover the mouse over the icon. One last thing, before making any configuration changes via the icon, you should Stop Sentinel, make your changes, and then Start it again.

I hope this helps. If I got something wrong, I'm sure Aru will correct me. It's a nice program, and we should thank him for coming up with it.

Regards,
notags.html and nocomment.html Files
GuitarBob


Joined: 09 Jul 2006
Posts: 4536
Location: USA
Aru:

When Clam scans files, it creates temp files--notags.html and nocomment.html and javascript (that's the name) for html files and *.*.clamtmp (there may be a double extension) for other files. It usually deletes these files after it finishes with them. It looks like ClamSentinel is trying to scan these files, but it can't find them--look at the logs. Sentinel should probably just ignore these files and not try to scan them. Here's a log entry:

WARNING: Can't access file \\?\c:\Users\Bob\AppData\Local\Temp\clamav-f5ffbe18587a7da765b62606feb3a44d.000013c4.clamtmp\notags.html
c:\Users\Bob\AppData\Local\Temp\clamav-f5ffbe18587a7da765b62606feb3a44d.000013c4.clamtmp\notags.html: No such file or directory

There is a similar situation with some other files (maybe related to web activity): WARNING: Can't access file \\?\c:\Users\Bob\AppData\Local\Temp\www5739.tmp
c:\Users\Bob\AppData\Local\Temp\www5739.tmp: No such file or directory

Regards,
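An added example, not part of the original post and not Clam Sentinel's own code: one way a file-change monitor could drop ClamAV's scratch files and excluded folders before queuing a scan, and sort the "Can't access file" warnings quoted above into scanner-induced and other. The function names and the `skip_dirs` parameter are hypothetical; the log lines are the ones from the post.

```python
import ntpath
import re

WARNING = re.compile(r"^WARNING: Can't access file (?P<path>.+)$")

# Log lines quoted in the post above: the scanner's own scratch file and an
# unrelated short-lived temp file.
LOG = [
    r"WARNING: Can't access file \\?\c:\Users\Bob\AppData\Local\Temp\clamav-f5ffbe18587a7da765b62606feb3a44d.000013c4.clamtmp\notags.html",
    r"c:\Users\Bob\AppData\Local\Temp\clamav-f5ffbe18587a7da765b62606feb3a44d.000013c4.clamtmp\notags.html: No such file or directory",
    r"WARNING: Can't access file \\?\c:\Users\Bob\AppData\Local\Temp\www5739.tmp",
    r"c:\Users\Bob\AppData\Local\Temp\www5739.tmp: No such file or directory",
]


def normalize(path):
    # Strip the Win32 long-path prefix, then fold case and separators so
    # comparisons behave like Windows path comparisons.
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return ntpath.normcase(ntpath.normpath(path))


def is_scanner_temp(path):
    # Any path component ending in .clamtmp is ClamAV scratch space.
    return any(part.endswith(".clamtmp") for part in normalize(path).split("\\"))


def should_queue(path, skip_dirs=()):
    # Gate a change notification before handing the file to the scanner.
    p = normalize(path)
    if is_scanner_temp(p):
        return False
    for d in map(normalize, skip_dirs):
        if p == d or p.startswith(d + "\\"):  # whole-component prefix match
            return False
    return True


def triage(log_lines):
    # Split access warnings into scanner-induced ones and everything else.
    own, other = [], []
    for line in log_lines:
        m = WARNING.match(line.strip())
        if m:
            p = normalize(m["path"])
            (own if is_scanner_temp(p) else other).append(p)
    return own, other
```

The whole-component prefix match keeps an excluded `c:\quarantine` from also excluding a sibling such as `c:\quarantine2`.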
aru


Joined: 09 Jul 2009
Posts: 42
Location: Italy
A thank you to Bob for explaining the use of Clam Sentinel so well.
Here are some more comments.

starbound wrote:
1. I take it version 1.5 works separately from the current ClamWin program?


No, it requires ClamWin.

starbound wrote:
2. Does clam sentinel update defs automatically?


The job of Clam Sentinel is only to detect filesystem changes and then to use ClamWin to scan files.
You can update defs with ClamWin, and you can also schedule automatic updates with ClamWin.

starbound wrote:
3. Is clam sentinel a real time program?


Yes and no.
Clam Sentinel detects filesystem changes in real time and then calls ClamWin (ClamScan.exe) to scan them, but it doesn't block access to the file before the antivirus has scanned it.
A true real-time antivirus detects the request to execute an exe and blocks it until it has scanned it; ClamSentinel does not.
So, for example, if you save a file, ClamSentinel detects it and runs the antivirus, but this operation requires some seconds; if it is a virus, the file is automatically moved into the quarantine folder, but if you open it while it is being detected and scanned, you get the virus.

starbound wrote:
I was hoping to install ClamWin soon, as Avast will be dropping support for Windows 98 in the not too distant future, and wondered if I need to install Clam Sentinel.


Yes, it is for this reason that I searched for a good antivirus that works on Win98; I found ClamWin and then I developed ClamSentinel.
But currently there is a problem with ClamSentinel on Win98: it doesn't detect all filesystem changes. This is because on Win2000 and later I use an API (ReadDirectoryChanges) that doesn't exist on Win98, so on Win98 I use another API (SHChangeNotifyRegister) that doesn't return all filesystem changes (this is documented by Microsoft), for example files copied from the MS-DOS prompt.
The solution is to develop a VxD service, like Filemon by Sysinternals. For this I have found the Win98 Device Driver Kit (DDK), but to use it I must find other environment material (like Microsoft C++ 5.0 and perhaps also some SDK). The source of the VxD is relatively easy, but building it with the right environment for Win98 is not easy for me (also because Microsoft has dropped all DDK and SDK and documentation for Win98 from its web site).

aru
GuitarBob


Joined: 09 Jul 2006
Posts: 4536
Location: USA
ClamSentinel will buy Windows 98 users a little time, but you will eventually not be able to use Windows 98 and other older operating systems to take advantage of improvements in technology/software. It is getting harder for programmers like Aru to do things with it, and it will get worse.

I came to ClamWin after using Windows 98 for 8 years when Microsoft/many AVs dropped support for it. I have since gone on to XP (a pretty good OS) and Vista (lousy OS). It's too bad that Microsoft uses their operating systems as a glitzy marketing device that changes everything every four years or so to get a new stream of revenue, instead of making slow, really useful improvements that don't change everything all at once. I wish things would change, but that's the way they are. Even Linux changes some, and you almost have to be a nerd to use it well.

Thanks Aru!

Regards,
starbound


Joined: 23 Dec 2008
Posts: 99
Thanks folks.
Clam Sentinel