HOW TO Run Clamwin as a system SERVICE
jimimaseye


Joined: 04 Jan 2014
Posts: 93
ClamWin doesn't come as a service. This procedure details how I EASILY installed it and highlights the benefits.

Running as a service provides the ability to pass threads to it on port 3310. Some applications (such as email clients and mail servers, e.g. hMailServer, which has ClamAV and ClamWin integration options built in) can integrate and pass mail to this for scanning emails. As it is multithreaded it is therefore lower on system resources and faster.

You will need:

A, the installation set of ClamWin (if you haven't already done it) and
B, the ported Zip file of "clamav-win32-0.98" from http://oss.netfarm.it/clamav/ (which is an unofficial Windows port of ClamAV and claims to be what ClamWin was based on). We need this Zip as we are going to use 2 files from it.

BEFORE BEGINNING: It is important to ensure that ClamWin (A) and the clamd port (B) are of the same version, i.e. "v0.99" ClamWin is not the same as "v0.98.7" clamd.

PROCEDURE:

1, Install ClamWin. Run it, be happy. (I will assume all default file locations for the sake of this instruction.)
2, Open the 7z zip file (downloaded from netfarm, (B) above) and extract CLAMD.EXE and CLAMD.CONF.
3, Copy those 2 files into the ClamWin program directory (usually: C:\Program Files (x86)\ClamWin\bin\).
4, With a text editor (e.g. Notepad) edit CLAMD.CONF and change the following 2 lines (leaving the other lines alone):

LogFile C:\Program Files (x86)\ClamWin\bin\clamd.log
DatabaseDirectory C:\ProgramData\.clamwin\db


(Note: the above reflects default locations. You can place the log file where you wish, and the 'DatabaseDirectory' must reflect your existing ClamWin DB directory; refer to the locations in clamwin.conf if unsure whether you have changed it or not.)

5, From the command line (CMD), cd to the program directory C:\Program Files (x86)\ClamWin\bin and run:
clamd.exe --install

This installs the service called "ClamWin Free Antivirus Scanner Service" running clamd.exe

6, Go to Windows Services ('services.msc'), find the service, right-click it, open Properties, and change it to

Startup Type = AUTOMATIC.

You may then click START to run the service.

Done.
(The definition database updates that get performed by the scheduled ClamWin will get loaded into the service within 10 minutes, as the service automatically checks the database for changes every 600 seconds and reloads it if changes are found.)

BENEFITS

Doing a controlled test with the EICAR test virus, time taken to respond with a result:
ClamWin = 20 seconds (visible CPU increase to 24% in the system's Task Manager monitor)
ClamAV service = 5 seconds (and strangely no visible CPU increase).

I then tried the tests again but by launching THREE tests all at the same time, and they all performed in line with the above tests (all ClamAV service scans returned in 5 secs and no CPU; ClamWin sent CPU to 70-odd percent with 3 separate processes being launched).

CONCLUSION:

A LOT quicker for mail scanning.

Hope you find this useful.




Now for a gripe (don't worry, I still advocate using the service, but do read on......)
I performed a test of the system with REAL email viruses recently proliferating around the net. It took me ages, though, to find a virus that Clam recognises - I tried 3 different ones that came in over the last 10 days and none were recognised. I had to go back 3 weeks before I found one with a definition Clam knew about. It kind of makes me wonder really how effective Clam is. 3 weeks before getting updated effective definitions is ridiculous (especially considering the effectiveness of new viruses is in the first 36 hours, after which the proliferation usually drops and MOST antivirus definitions get updated to catch them. 36 hours, not 3 weeks!!!)

My conclusion: the clamd service with ClamWin does work as we want it to and is quick.....but overall Clam simply is pants for stopping REAL threat viruses. So why bother?!


Last edited by jimimaseye on Wed Jan 20, 2016 9:26 am; edited 2 times in total
GuitarBob


Joined: 09 Jul 2006
Posts: 4254
Location: USA
ClamWin uses the scan engine and virus database provided by the Clam AV project, which was formerly an independent project that was then bought out by Sourcefire, and now Sourcefire has been bought out by Cisco. Clam AV was originally committed to Open Source, and it has continued to be so under each owner, including Cisco now. The project was (and is) developed primarily for Linux email servers that provide a Linux gateway for Windows email clients. There was (is) no need for fast scanning speeds and Windows services. Sourcefire (and now Cisco) are primarily commercial businesses, and most of their resources are devoted to the commercial side of things--not to an Open Source project like Clam AV. This includes the virus signatures, which (in my opinion) are too-little, too-late to provide good protection. We are actually lucky they have devoted a minimal amount of time/resources to Clam AV, since this has allowed the ClamWin project to continue helping some users who want a free, Open Source AV.

The ClamWin project advises its users to run ClamWin as a "second opinion" AV alongside a real-time AV (I like Microsoft Security Essentials/Windows Defender and Panda Free Cloud). The Clam Sentinel project (also free, Open Source) provides a real-time "front-end" to ClamWin that automatically scans files with ClamWin as they are added, copied, or modified on Windows computers. Clam Sentinel also has its own heuristic scanner that detects many files for which ClamWin does not have a signature (as you know--there are lots of them). The Clam Sentinel heuristic scan kicks in first, and it is quite fast, and it then uses the ClamWin signatures/scanner which are lots slower. It approaches adequate detection unless you are a "risky" web user. There is also a real-time version of ClamWin in development (I haven't heard the status lately), but it will still be hampered by the Sourcefire/Cisco less-than-adequate signatures.

It's tough to have a free, Open Source AV unless you can subsidize it with a commercial product. There are some, of course (see above), but they increasingly come with adware/tracking functions that I do not like.

Thanks for your work--I will pass it on to the developers. Also thanks for using ClamWin.

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 93
Earlier I went out for an hour. Whilst I was driving back, something hit my (not literally)... I regularly see 'Windows Defender' updates coming in to my Windows Server 2008 R2 (running my mailserver software) and suddenly it dawned on me that maybe it's ACTUALLY running on the box already (I simply didn't realise before now). But how can it be? I mean, I was doing loads of virus testing on the server this morning with known virus files and ClamAV (by sending viruses, opening Zip files, emailing them etc) and not once did I hit a restriction. So I just checked. And you know what? It IS running on my box! And yet, despite all the 'near the knuckle' testing I did this morning with old viruses (3 weeks old) and recent viruses, it didn't stop me once! I even did a forced custom scan on a folder containing the viruses. Even ClamAV recognised one of them! And I've ruled that useless already (in my post above). So what does this make Microsoft MSE/Windows Defender? (Just to confirm, I just did all the testing again by making sure the Windows Defender options are all enabled (archive, heuristics etc etc).)

Therefore it seems I was always running the preferred scenario as you suggested (ClamAV as a backup to another realtime protection). But unfortunately that realtime protection looks like it's worse than ClamAV. Can things get worse?! (Even uninstalling both wouldn't make things WORSE!)
GuitarBob


Joined: 09 Jul 2006
Posts: 4254
Location: USA
On computers before Windows 8, Windows Defender is just a real-time antispyware scanner, and an average or below one at that. It will not find much malware, as it is one of the old antispyware programs that just has signatures for spyware and maybe a few high-profile viruses/malware. Remember at one time that you had antispyware programs and antivirus programs, and neither intruded upon the other's domain?

Microsoft has had Security Essentials as its free AV software for several years now, available for Windows XP, Vista, and Windows 7 computers. Security Essentials contains components of the old Windows Defender antispyware with an antivirus--making it antimalware, and it is a decent one at that. Starting with Windows 8, however, Microsoft took Windows Defender and re-worked it into a full antimalware program and installed it as the default AV on Windows 8 machines. The new Windows Defender is essentially the same as Security Essentials, but it also has some features specifically designed to improve security on Windows 8 machines--such as early launching in the bootup process before most malware can activate and a digital signature check of the Windows drivers to find rootkits.

Some testing outfits do not rate either Security Essentials or the new Windows Defender very highly, but Microsoft is more interested in protecting real users from the malware that they are likely to get than it is in detecting viruses on some test! Microsoft is a big company with lots of resources, qualified antivirus people, and good telemetry on what is attacking/likely to attack its users. In my opinion, it does rely a bit too much upon signatures in the cloud rather than upon heuristics on the users' machines, but that's just my opinion. I know where some of the bodies are buried, and I still regard it well.

I would uninstall Windows Defender on Windows 2008 and replace it with Security Essentials.

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 93
The problem is that Essentials is neither qualified nor supported for running on any Windows 'Server' brand (that is to say they can't be sure that it is performing 100% as intended despite it *looking ok* after an install), nor is it legally authorised for running on Server machines in a commercial environment (to do so breaks their license - they want you to BUY their more premium offerings such as Forefront). So even if I wanted to believe MSE 'does the job' in the main, I wouldn't be confident it was fully protecting us on our 2008 Server R2, nor comfortable risking my company in a breach of license. That just isn't cricket. (And given my experience that I simply cannot get Windows Defender to recognise today a simple known obvious virus that's 3 weeks old, I really don't have THAT much confidence in Microsoft to give them the tolerance in confidence they would need.)
GuitarBob


Joined: 09 Jul 2006
Posts: 4254
Location: USA
Yes--I forgot about that commercial usage, but you can use it if you have no more than 10 machines. That is limiting, but I think there are some free AVs that are not limited to personal use only. Look at Comodo's free Internet Security program for one. I'm not sure about network use of Forticlient, but it's pretty good. It was designed for network appliances but is available in a version for PC users. If all else fails, look into Clam Sentinel--it's hosted on Source Forge. It is free, provides simple, basic protection, and as I mentioned, it is a real-time front-end for ClamWin.

Here is some info from Microsoft that tries to explain the current AV testing situation at http://blogs.technet.com/b/mmpc/archive/2014/08/01/the-future-of-independent-antimalware-tests.aspx on the web.

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 93
Bob, most helpful, thanks

I will take a look at your suggestions. I won't bother with Clam Sentinel though because:

a, my specific requirement on my server doesn't really need a realtime protection - it mainly does scanning of incoming mails to the mail handling software it hosts, which my existing Clam solution handles.
b1, (and here is the cruncher): as explained above, Clam is rubbish. It doesn't catch anything. (And I assume Sentinel is still using the ClamAV engine and definitions.)
b2, it is RELENTLESS at receiving false positives. I spent probably the last 3 weeks where I was daily getting false positives for standard programs on my machine such as Firefox, Thunderbird, Adobe Reader and tried submitting them back to ClamAV for false positive removal. So if I can find something else other than Clam I will try it, otherwise I keep what I have already (for what it's worth). (It really became a bug-bear of mine. No AV software should be giving 4 false positives a day on standard recognised programs.)

Cheers Bob.
jimimaseye


Joined: 04 Jan 2014
Posts: 93
It seems Comodo is not suitable for me. I need a solution that allows a command line scan of a file and issues a return code,

e.g. "c:\comodo\comodoscan.exe -parm1 -parm2 %InputFile%"

and it then returns a return code (say, 0=pass, 1=infected)

(it is called by my mail server to scan each email as it arrives). It doesn't seem that Comodo allows such on-demand command line scanning.

Shame.
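Two things this thread keeps coming back to, the clamd TCP service on port 3310 that a mail server hands messages to (the how-to at the top, with its EICAR timing test) and the wish a few posts up for a command-line scanner that returns an exit code, can be exercised with the short client below. It is an added example written for this page, not code from ClamWin, ClamAV or the netfarm port. It assumes clamd is listening on 127.0.0.1:3310 (the TCPSocket/TCPAddr lines in clamd.conf), speaks clamd's PING and INSTREAM commands, and maps the verdict to clamdscan's exit-code convention (0 clean, 1 infected, 2 error), which is the kind of return code a mail server's external-scanner hook expects. The fake clamd inside the block is a constructed stand-in so the client can be tried without the service; only the wire format mirrors the real daemon.

```python
"""Minimal clamd TCP client plus an offline stand-in server (added example,
not ClamWin/ClamAV code). Assumes clamd on 127.0.0.1:3310 and clamdscan-style
exit codes: 0 clean, 1 infected, 2 error."""
import socket
import struct
import sys
import threading

CLAMD_HOST, CLAMD_PORT = "127.0.0.1", 3310      # assumed bind address and port
EXIT_CLEAN, EXIT_INFECTED, EXIT_ERROR = 0, 1, 2

# Standard EICAR test string, assembled from two halves so this source file
# does not itself begin with the string and trip an on-access scanner.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def _read_cstring(rfile):
    """Read one NUL-terminated string from a buffered socket file object."""
    buf = bytearray()
    while True:
        b = rfile.read(1)
        if not b or b == b"\0":
            return bytes(buf).decode("ascii", "replace")
        buf += b

def ping(host=CLAMD_HOST, port=CLAMD_PORT, timeout=5.0):
    """Liveness check: 'zPING' (z = NUL-terminated command) must answer 'PONG'."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as rf:
        s.sendall(b"zPING\0")
        return _read_cstring(rf) == "PONG"

def instream_scan(data, host=CLAMD_HOST, port=CLAMD_PORT, timeout=30.0, chunk=8192):
    """INSTREAM: 'zINSTREAM\\0', then repeated <u32 big-endian length><bytes>,
    then a zero length; clamd answers with one NUL-terminated verdict line."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as rf:
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), chunk):
            part = data[i:i + chunk]
            s.sendall(struct.pack("!I", len(part)) + part)
        s.sendall(struct.pack("!I", 0))
        return _read_cstring(rf)

def parse_reply(reply):
    """'stream: <sig> FOUND' -> (1, sig); 'stream: OK' -> (0, None); anything
    else (ERROR, UNKNOWN COMMAND, truncated reply) -> (2, None)."""
    if reply.endswith(" FOUND"):
        return EXIT_INFECTED, reply[:-len(" FOUND")].split(": ", 1)[-1]
    if reply.endswith(" OK"):
        return EXIT_CLEAN, None
    return EXIT_ERROR, None

def scan_bytes(data, host=CLAMD_HOST, port=CLAMD_PORT, timeout=30.0):
    """Scan bytes and return (exit_code, signature). A service that is down or
    unreachable is reported as an error, never as clean (fail closed)."""
    try:
        return parse_reply(instream_scan(data, host, port, timeout))
    except OSError:
        return EXIT_ERROR, None

def start_fake_clamd(host="127.0.0.1", port=0):
    """Constructed stand-in for clamd so the client can be tried offline: answers
    PING and INSTREAM and flags a stream only if it contains EICAR. Returns
    (port, stop_function). Not a scanner; only the wire format is real."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(5)

    def handle(conn):
        with conn, conn.makefile("rb") as rf:
            cmd = _read_cstring(rf)
            if cmd == "zPING":
                conn.sendall(b"PONG\0")
            elif cmd == "zINSTREAM":
                data = bytearray()
                while True:
                    hdr = rf.read(4)
                    size = struct.unpack("!I", hdr)[0] if len(hdr) == 4 else 0
                    if size == 0:              # zero-length chunk ends the stream
                        break
                    data += rf.read(size)
                verdict = "Eicar-Test-Signature FOUND" if EICAR in data else "OK"
                conn.sendall(("stream: " + verdict + "\0").encode("ascii"))
            else:
                conn.sendall(b"UNKNOWN COMMAND\0")

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                    # listening socket shut down by stop()
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    def stop():
        try:
            srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop

def main(argv):
    """Usage: clamd_check.py <file> [host] [port]; exits 0 clean, 1 infected, 2 error."""
    if len(argv) < 2:
        print(main.__doc__, file=sys.stderr)
        return EXIT_ERROR
    host = argv[2] if len(argv) > 2 else CLAMD_HOST
    port = int(argv[3]) if len(argv) > 3 else CLAMD_PORT
    with open(argv[1], "rb") as f:
        code, sig = scan_bytes(f.read(), host, port)
    print(sig or ("OK" if code == EXIT_CLEAN else "ERROR"))
    return code

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `clamd_check.py <file> [host] [port]` from the mail server's scanner hook and act on the exit code. Two points a practitioner should keep: a scanner that cannot reach the service must fail closed (exit 2, not 0), which is why scan_bytes never turns a socket error into "clean"; and clamd does not authenticate whoever connects to port 3310, so keep TCPAddr in clamd.conf bound to 127.0.0.1 or the mail server's own interface. StreamMaxLength in clamd.conf caps how much INSTREAM will accept, so an oversized attachment comes back as an ERROR reply rather than a verdict and lands in the exit-2 path as well.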
jimimaseye


Joined: 04 Jan 2014
Posts: 93
jimimaseye wrote:
I performed a test of the system with REAL email viruses recently proliferating around the net. It took me ages, though, to find a virus that Clam recognises - I tried 3 different ones that came in over the last 10 days and none were recognised. I had to go back 3 weeks before I found one with a definition Clam knew about. It kind of makes me wonder really how effective Clam is. 3 weeks before getting updated effective definitions is ridiculous (especially considering the effectiveness of new viruses is in the first 36 hours, after which the proliferation usually drops and MOST antivirus definitions get updated to catch them. 36 hours, not 3 weeks!!!)

My conclusion: the clamd service with ClamWin does work as we want it to and is quick.....but overall Clam simply is pants for stopping REAL threat viruses. So why bother?!

On Tuesday 16th September, I received a confirmation notification from the CLAMAV virus team saying that they have finally added my submitted virus definition report for 2 viruses quoted above that I tried testing with but had no definition - TEN WEEKS after submitting them for adding and first receiving the virus. And to confirm, the very next scan of my system finally found them (I had them stored on disk for referral) and quarantined them.
I will repeat, CLAMAV added the virus definition for a virus that was submitted to them for adding TEN WEEKS AFTER THE VIRUS had been released (and probably done its damage to the world's computers and since faded away again).

Conclusion: Clam works as an antivirus solution to new viruses...as long as you don't actually use your system for 3 months, giving it time to be updated (assuming you personally can be arsed to send it to them in the first place)...otherwise don't bother! Oh, and I have just scanned the same 2 files with my 'Windows Defender' as supplied by Windows Server 2008 R2 and that STILL doesn't recognise them.
GuitarBob


Joined: 09 Jul 2006
Posts: 4254
Location: USA
Yes - the user submissions must be worked manually by a Cisco/Sourcefire sigmaker at Clam AV. Most of the antimalware effort there goes to the commercial side of things. No one is assigned to work on Clam AV sigs full-time--they seem to think that the automated signatures they prepare from VirusTotal submissions are enough, but they are not. They need to get more signatures, and they need to get them faster.

Re: Windows Defender (the one bundled with Windows 8): it is a decent AV (not great). They do not seem to give much attention to email viruses or viruses that are not in Windows executable (PE) files. Two other better AVs I can recommend are Panda Free Cloud and the free AV from Fortinet. Both have good heuristics, the companies have good telemetry on viruses, and they are fairly simple to use.

I have been using Clam Sentinel with ClamWin since Sentinel came out. The Sentinel heuristics are not bad--they are simple and common sense, and they will detect lots of viruses for which there is no ClamWin signature. On my computers, I have turned off the use of ClamWin sigs by Clam Sentinel and am relying upon the Clam Sentinel heuristics, a basically non-effective daily scan by ClamWin, and Malwarebytes Antimalware. For insurance, I also make daily use of F-Secure's free online scanner and Kaspersky's free TDSSkiller.

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 93
Today a new virus was released. It got sent out at 2:30ish pm (my time).

I know this because the spambots had used an email address that points to our mail server. The USER part was invented by the spambot and isn't a REAL user in our domain, but we do have a CATCHALL account set up. At 2:40pm I had a flood of undeliverable emails 'being returned' to this address from systems that have rejected the original email due to being unknown user or deemed as risky. All emails had our address and the same invented user as the 'return path' (but all other sending servers and addresses completely different).

From these undeliverable emails I was able to identify the attachment of the new virus, so at 15:40 I submitted it to:

AVIRA (for my home pc)
CLAMAV (for the server)
for them to identify and create a definition for it.

Four hours 50 minutes later I received the acknowledgement from Avira that they have now created a definition against it. (I tested it to prove it.)

I am now going to wait and see how long from today, 15:40 on 24th September, it takes before CLAMAV take my submitted report and include it in their database. (My nightly system scan should identify it once updated.)

(For your information, the attachment was called "contention_111924953056769_6STQZ57.rar", containing "contention_111924953056769_6STQZ57.exe", and Avira have now called it TR/Crypt.Xpack.89608 Trojan.)
GuitarBob


Joined: 09 Jul 2006
Posts: 4254
Location: USA
That will be a good test. I think Clam will be very slow to get a signature, however. They work user submissions manually, and they do not have any sigmakers who work on Clam full-time. Your best bet is to submit an undetected virus file to VirusTotal--the Clam AV automated signatures seem to give their submissions preference--probably because VirusTotal has so much information on the files it scans, which eliminates a lot of work and enables automated signatures to be more easily prepared.

The Avira description looks to be a generic detection--Clam could do it too if they spent some time working on generics.

Let us know how it goes.

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 93
This week my nightly system virus scans with ClamWin have started throwing up an email in someone's Inbox archive that contains a virus.

Now, this is good, you might say. Clam is actually detecting viruses correctly. Well yes, but consider this..... my system does the same nightly scan on the mailboxes and this email, with this attachment, has existed on this same system since January 14th 2014! And only NOW, some 17 months later, has it finally got round to having the correct definitions to identify it. SEVENTEEN MONTHS later. And for the avoidance of doubt, this is not a strange 'one off' virus that may never have been seen before - it's one of those "UPS Missed package delivery - Dear Customer...print this label (open the dodgy Zip file attached)" emails.

And just when you think it couldn't get worse? I saved the attachment, double checked it gets identified by Clam (it does), and then did a direct scan of it with Windows Defender (as supplied with Server 2008) - the same software that is *supposedly* protecting my system realtime. And it STILL didn't recognise it!

Oh, and the other test I mention in my previous post regarding contention_111924953056769_6STQZ57.rar: it is STILL there and has still never been detected! VirusTotal has it analysed and deemed a virus rate of 43/57. See: https://www.virustotal.com/en/file/838c54c167995aa79d7e8a70ef814f9cd60fc0f0ec99ba0f62067440fee1273a/analysis/1434923374/. Still, it's only 9 months after it arrived, so going by the above experience they still have another 8 months to think about doing it! (Oh, and also Windows Defender hasn't detected it to date either.) Conclusion of worthiness: Defender: BOTTOM. Clam: 2nd from bottom!


Last edited by jimimaseye on Sun Jun 21, 2015 8:15 pm; edited 1 time in total
GuitarBob


Joined: 09 Jul 2006
Posts: 4254
Location: USA
Well, let me repeat, the old Windows Defender was/is just an antispyware program and a middle-of-the road one at best. Security Essentials/new Windows Defender have a lot of technology behind them, but no AV is perfect.

If you suddenly get a detection on a file that has not changed for a long time, it is most certainly a false positive. False positives happen to all AVs at some time. A few times a year, you usually see a big incident where some AV kills an important file. ClamWin has protection against false positives on important Windows files.

To really test an AV adequately, you need a variety of widely-circulated malware from a variety of sources. That can run into the thousands of samples. You have to evaluate the testers also--some testers are unqualified, some are not impartial. Some tests are knowingly rigged, some tests are unknowingly rigged. Some AVs are rigged for specific tests (Qihoo 360 and a few other Chinese AVs recently on an AV-Comparatives test).

If an AV doesn't suit your needs, move on--there are lots of other AVs around.

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 93
This is no false positive. Both Avira and Bitdefender (which I also use on various machines) identify it as malware (and probably did within a day of it first being issued). Clam have only now got round to identifying it.