Is Clam AV + Sentinel enough as the only AV protection?
hariskar


Joined: 04 Nov 2006
Posts: 17
Location: Greece/Kavala
I have used Microsoft Security Essentials as my AV for the last few years and have had no problem with it. Would it be safe if I uninstalled it and used Clam AV + Sentinel as my only AV protection? How does this combination compare to MSE? Are there advantages/disadvantages?
I don't want to use more than 1 AV.

Thank you!
GuitarBob


Joined: 09 Jul 2006
Posts: 4134
Location: USA
If you are a safe surfer, you could probably just use ClamWin with Clam Sentinel. You will use a bit less system resources. Security Essentials is a bit of a resource hog at times. However, Security Essentials and Clam Sentinel both scan a bit differently, so they do not both kick in all the time. Sentinel only scans when files are added, modified, or copied, and Security Essentials scans as files are accessed (opened or closed).

However, I recommend that you use Microsoft Security Essentials and keep ClamWin with Clam Sentinel as a backup. The Clam Sentinel front-end can handle lots of static virus files if you get them. I have stress tested it on over 20 viruses copied at once! In my stress testing, Sentinel is actually faster than Security Essentials when you just throw malware files to it that are not yet activated. However, if a virus becomes active, Sentinel may not react fast enough, and some damage could be done on your computer before it can react. It does not hook the Windows kernel like most real-time AV programs.

On my Windows 7 32-bit computer, I use Security Essentials with ClamWin and Sentinel with minimal system drain and conflicts. Here's how: exclude every Security Essentials program and data folder in Sentinel's paths/files not scanned. Look for folders named Microsoft Security Client and Microsoft Antimalware. I also exclude one such folder under c:\users\yourname\appdata\roaming\microsoft security client. On a Windows 7 64-bit computer, there are more Security Essentials folders than on a 32-bit computer.

On the Security Essentials side, I exclude the ClamWin program and data folders, the Clam Sentinel program folder, and C:\Users\Bob\AppData\Local\Temp\clamav-*.clamtmp which is where the ClamWin temp files are located. Instead of C:\users\Bob, the folder on your computer will probably have your name.

Doing this, you should not have any real sustained use of both AVs at the same time. I also set Security Essentials to use 40% of CPU during its regular scans.

Sentinel has ClamWin's signatures and a decent heuristics package that is being continually improved, but it is just too slow for fast-acting malware like drive-by downloads, although not all malware is fast-acting when activated. I think that Andrea Russo, the Sentinel developer, will change it to a kernel mode scanner, or do something else, to improve reaction time within a few months. He recently suffered a drive-by download himself and sees the need!

Regards,
hariskar


Joined: 04 Nov 2006
Posts: 17
Location: Greece/Kavala
Thank you for your very informative answer! It is a pity I can not substitute MSE with an open source AV like ClamWin yet. I will keep in touch and wait for the reaction time improvement.
But how can a virus become active? You say Sentinel scans when files are added, modified, or copied, so if a virus comes into the PC, will it not be found by Sentinel?
GuitarBob


Joined: 09 Jul 2006
Posts: 4134
Location: USA
A virus is activated when you click on it, open it, run it, or if it is dropped on your computer and activated by another program--like in a drive-by download or by another virus. A file is not necessarily active if it is just placed on your computer. Sentinel and ClamWin do very well when a file is added, modified, or copied to your computer--if ClamWin has a signature, or if Sentinel can detect it as malicious with its heuristic system monitor.

When a virus is activated, it can execute very rapidly, and Sentinel may not be able to quarantine it fast enough to prevent it from doing what it was designed to do. In Andrea Russo's case, a drive-by download was activated and performed some actions before Sentinel's system monitor could detect it. Sentinel did quarantine it, but the virus had already been active. Kernel mode AVs hook the Windows kernel and do not allow any execution until a file has been checked as OK by the AV scanner.

Regards,
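The two posts above describe two real-time AV designs: a watcher that scans files after they are added, modified or copied (how GuitarBob describes Clam Sentinel), and a kernel-hook scanner that does not let a file execute until it has been checked (how he describes Security Essentials). The script below is an added illustration of that difference, not code from Clam Sentinel, ClamWin or Security Essentials. The signature pattern, the file names and the "payload" are all constructed for the demo; it uses a toy byte-pattern scanner in place of a real engine and runs in a temporary directory.

```python
"""Watcher vs on-access scanning: why a dropped-and-run file can do damage
before an after-the-fact scanner reacts, while a merely placed file cannot.

Constructed demo; not Clam Sentinel's, ClamWin's or MSE's code.
"""
import os
import tempfile
from typing import Callable, Dict, List, Optional

# Constructed marker standing in for a malware signature. Deliberately NOT the
# EICAR test string, so this script is safe to keep on disk.
SIGNATURES: Dict[str, bytes] = {"Demo.Dropper-1": b"CONSTRUCTED-MALWARE-MARKER"}


def scan_file(path: str) -> Optional[str]:
    """Return the signature name if the file body contains a known pattern."""
    with open(path, "rb") as fh:
        data = fh.read()
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def quarantine(path: str, qdir: str) -> str:
    """Move a detected file out of the way; returns its new location."""
    dest = os.path.join(qdir, os.path.basename(path) + ".quarantined")
    os.replace(path, dest)
    return dest


class Watcher:
    """After-the-fact model: each tick scans files that are new or changed
    since the previous tick. Anything executed between the write and the
    tick has already run; the watcher can only clean up afterwards."""

    def __init__(self, watched: str, qdir: str) -> None:
        self.watched, self.qdir = watched, qdir
        self.seen: Dict[str, int] = {}   # path -> mtime_ns at last scan
        self.log: List[str] = []

    def tick(self) -> List[str]:
        hits: List[str] = []
        for entry in os.scandir(self.watched):
            if not entry.is_file():
                continue
            mtime = entry.stat().st_mtime_ns
            if self.seen.get(entry.path) == mtime:
                continue                 # unchanged since last scan
            self.seen[entry.path] = mtime
            sig = scan_file(entry.path)
            if sig:
                quarantine(entry.path, self.qdir)
                hits.append(sig)
                self.log.append(f"watcher: quarantined {entry.name} ({sig})")
        return hits


class OnAccessGuard:
    """On-access model: every execution request passes through the guard,
    which scans first and refuses to run a file that matches."""

    def __init__(self, qdir: str) -> None:
        self.qdir = qdir
        self.log: List[str] = []

    def execute(self, path: str, run: Callable[[str], None]) -> bool:
        sig = scan_file(path)
        if sig:
            quarantine(path, self.qdir)
            self.log.append(f"guard: blocked {os.path.basename(path)} ({sig})")
            return False
        run(path)
        return True


def drop(dirpath: str) -> str:
    """Constructed dropper: write a 'binary' carrying the marker."""
    path = os.path.join(dirpath, "update.exe")   # hypothetical file name
    with open(path, "wb") as fh:
        fh.write(b"MZ" + SIGNATURES["Demo.Dropper-1"])
    return path


def run_scenarios() -> Dict[str, Dict[str, object]]:
    """Three cases from the thread: file only placed; dropped and run with a
    watcher; dropped and run behind an on-access guard."""
    results: Dict[str, Dict[str, object]] = {}
    with tempfile.TemporaryDirectory() as root:
        watched, qdir = os.path.join(root, "Downloads"), os.path.join(root, "Q")
        os.makedirs(watched); os.makedirs(qdir)
        damage: List[str] = []
        payload = lambda p: damage.append(os.path.basename(p))  # "activation"

        w = Watcher(watched, qdir)
        drop(watched)                               # placed, never executed
        hits = w.tick()
        results["placed_only"] = {"detected": bool(hits), "damage": len(damage)}

        path = drop(watched)                        # dropped AND run at once
        payload(path)                               # nothing mediates this
        hits = w.tick()                             # watcher reacts afterwards
        results["watcher"] = {"detected": bool(hits), "damage": len(damage)}

        damage.clear()
        g = OnAccessGuard(qdir)
        ran = g.execute(drop(watched), payload)     # execution goes via guard
        results["on_access"] = {"detected": not ran, "damage": len(damage)}
    return results


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:12s} detected={r['detected']} damage={r['damage']}")
```

All three cases detect the file; the difference is whether the payload ran first. The watcher wins when a file is merely placed and loses when the drop and the execution are back to back, which is the drive-by download case in the thread; the on-access guard refuses the execution regardless of timing.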
hariskar


Joined: 04 Nov 2006
Posts: 17
Location: Greece/Kavala
GuitarBob, thank you again for detailed answer!
I would like to ask: at my work I have two PCs in a network connected with a router. Both have MSE. I use the 1st to do all my internet work. The 2nd has access to the internet, but I never use it for internet access; it only does automatic Windows updates and virus db updates.
Would it be as safe as it is now with MSE, if I removed MSE and put Sentinel and ClamWin as my only AV on the 2nd PC?
Thank you!
GuitarBob


Joined: 09 Jul 2006
Posts: 4134
Location: USA
It might be safe to remove Security Essentials (MSE) from the 2nd computer that uses the internet only minimally, but I would not do that. You never know what will happen. Someone may use the computer to get on the internet without your knowledge. If you have broadband, the internet connection is always on anyway. If so, someone may scan your ports, and MSE might be needed if you don't have a firewall, or if they get past the firewall. On the intrusion protection side, Clam Sentinel can only warn about a few registry changes (autostart and a couple more), and it cannot stop/reverse them.

If you want to get rid of one AV, I would eliminate ClamWin/Sentinel. Otherwise, keep MSE/ClamWin/Sentinel, and make the exclusions I noted above, especially excluding the ClamWin temp files from MSE scans. Make sure MSE is configured for network protection.

Regards,
hariskar


Joined: 04 Nov 2006
Posts: 17
Location: Greece/Kavala
GuitarBob, thank you again for the reply, but I decided to take the risk, uninstalled MSE on both work PCs and installed only ClamWin/Sentinel. I scheduled a daily scan of drive C and a weekly scan of drive D. Also I enabled "Detect suspicious files only" in Clam Sentinel. Could I change some other setting to increase safety? Can I schedule memory scans?
If I hover the mouse over the Sentinel tray icon it often says "Scanning..." What is it scanning?

Our internet behavior is reasonable and there is S/W and H/W firewall.
hariskar


Joined: 04 Nov 2006
Posts: 17
Location: Greece/Kavala
One month with only ClamWin+ClamSentinel as AV!
No problems till now; my 3 PCs have become much quicker and more responsive.
Only some false positives.
GuitarBob


Joined: 09 Jul 2006
Posts: 4134
Location: USA
You can use ClamWin/Sentinel by themselves if you are a careful internet user. I recommend you also do a daily scan with Malwarebytes or Trend Micro's House Call for extra protection.

A software firewall and a hardware firewall give good protection.

You can't schedule memory scans in either Sentinel or ClamWin, but you can enable a memory scan with a scheduled ClamWin scan. I also recommend setting Sentinel's configuration to write scan activity to logs, detect and monitor new drives, and ask to scan new drives (I scan a USB drive if I have never used it or if it has not been used in a while). I set it to quarantine infected files, and I keep the maximum number of simultaneously active scans at the default of 1 to keep from overworking Sentinel.

If the false positives are due to Sentinel's System Monitor detections (suspicious files--not infected files), you can whitelist them in Sentinel's Paths or Files Not scanned. If they are infected false positive files, you will have to submit the false positive to Clam AV.

Sentinel scans files as they are added to, modified, or copied on your computer. It is a bit slow compared to some AVs, but it gets the job done. It may continue scanning files for a while after you get off the internet because you get a lot of files when on the net--look at your real-time log sometimes. Look at all those .htm, .js, .css, and other files! It seems for everything on your screen, you get a temporary internet file!


Regards,
hariskar


Joined: 04 Nov 2006
Posts: 17
Location: Greece/Kavala
GuitarBob, you were right... unfortunately my PC has been infected since yesterday..
http://postimage.org/image/ppm4a8rlj/

Yesterday Clam Sentinel found the infections and moved the files to quarantine. I installed MSE and disinfected my PC, but today the same.. So I guess I'll switch back to MSE...
GuitarBob


Joined: 09 Jul 2006
Posts: 4134
Location: USA
You can use Microsoft Security Essentials with Sentinel/ClamWin as a backup. To minimize excess computer resource use, exclude Sentinel's program folder and ClamWin's program folder and data folder and *.clamtmp files from Security Essentials Scans. You should also exclude all the Microsoft Antimalware and Microsoft Security Client files from Sentinel's scans. Look in the programs folder, data folder, and users\yourname\appdata\roaming folder under Microsoft.

It could be that Security Essentials can't stop the infections. If they keep coming back, try a scan in Safe Mode (hit F8 repeatedly upon booting up). I have had good luck with Malwarebytes free and Kaspersky's free TDSSKiller. As a last resort, use a free Rescue CD from one of the AV companies (AVG, Kaspersky, F-Secure, Dr. Web). The rescue CDs are Linux-based boot CDs--Windows viruses can't hide from them.

No one AV is perfect. Sentinel makes a good backup to another AV. It is being strengthened in its malware detection, and I hope there will be a fast-reacting capability to it next year. For users of older computers, it may be the only AV they can use.

Regards,
hariskar


Joined: 04 Nov 2006
Posts: 17
Location: Greece/Kavala
At work I used ClamWin+ClamSentinel again as my only protection and again have been infected with viruses.
This is strange, because on my home PC I have used only ClamWin+ClamSentinel for the last months without problems.
GuitarBob


Joined: 09 Jul 2006
Posts: 4134
Location: USA
Starting with version 1.19, which will be released after testing, Clam Sentinel will have heuristic protection extended to all folders on the computer, instead of only those folders where viruses are most likely to hide. I will feel much more comfortable with someone using this version as their main antivirus. Even with this version, however, I still recommend they do a daily scan with a free cleanup scanner like Malwarebytes or Trend Micro House Call. Drive-by download malware and rootkits can get by any AV, and it never hurts to have some extra protection. These two scanners do not use any computer resources when not scanning, so they make a good security combination with ClamWin and Clam Sentinel. Also, a weekly scan with Kaspersky's free TDSSKiller antirootkit program provides extra protection against MBR and other hidden malware. TDSSKiller is updated a couple of times a week to keep up with new malware techniques. Users of computers older than Windows XP can still use Norman's Malware Cleaner for extra protection. A daily scan in Windows Safe Mode can also find some hidden malware, but it is not as good as the programs mentioned above.

I do not know when Clam Sentinel Version 1.19 will be released. Today is February 25, 2012. I am guessing that testing will probably be finished by the end of March or April. It should be worth the wait!

Regards,
hariskar


Joined: 04 Nov 2006
Posts: 17
Location: Greece/Kavala
Is there any test version newer than 1.19Test1?
Thank you!
GuitarBob


Joined: 09 Jul 2006
Posts: 4134
Location: USA
There have been 15 test versions so far! I do not think version Test1 had the extended heuristics. They came later.

Regards,