Hi,
I have created a small project to add on-access scanning to ClamWin. It currently scans PE files as they are launched, and files as they are written (see known issues). This is just a prototype, it still needs a lot of work.
Since ClamAV is rather heavy on CPU, I implemented a simple cache so files aren't rescanned until the cache is cleared (eg. a database update).
Additionally, protected Windows files aren't scanned.

It runs on Windows XP and newer. With some work it could run on Windows 2000.
Also, it currently only runs on x86; MS requires that drivers be digitally signed on x64. If you want to test it on x64, you can download the Driver Signature Enforcement Overrider.

Install instructions
Download bin.zip and extract it. Open the x86 folder.
Start ClamScanner.exe as an admin. It should start scanning.

Uninstall instructions
Run uninstall clamfilter.bat

New in version 2:
Scans files on write (see known issues)
Automatically loads database from ClamWin db folder
Includes installer / uninstaller
Fixed dll load deadlock

Known issues:
Files are scanned after write, since libclamav cannot access them otherwise. Using cl_scanmap_callback instead fixes this problem, however this function has some bugs (for example it crashes when scanning rar SFX), so until this is fixed, scan-on-write cannot block file writes in real-time.
Unicode files cannot be scanned (need def of CWScanFile_W, or cl_scanmap_callback needs to be fixed)
On Windows XP, ClamWin's libclamav.dll hangs when scanning an infected file, so I have included ClamAV's binaries. If you are using Windows XP, do not copy the files into ClamWin's directory, instead run ClamScanner directly from the folder it came in.

TODO list:
Create extension inclusion / exclusion list for file write scanning (to eliminate unnecessary scanning)
Move scanning to service, so multiple users are supported
Reload database after update

You can download the program here: https://mega.co.nz/#!UcZDXaLB!KN7qdDjKW2VUQhaw34AJK2VOWv1Sy8dNIOuEUf4D7KU
The source in C is here: https://mega.co.nz/#!YYw0xTQQ!Unj0KyjMPRBHfI1z6CN1mATj3L84WfB1KIQbXs6gOQ0

You can test if it's working by downloading the ClamAV test file: https://github.com/vrtadmin/clamav-devel/blob/master/contrib/test/clam.exe?raw=true
Try to execute it, it should be blocked

Here is a screenshot from my Win 8 VM:

Well, you have made a good start, and perhaps it can be improved as you/someone gets the time. I hope not too much needs to be done to enable operation on multiple Windows versions, but legacy support is probably not as important as it once was, and perhaps ClamWin mini-driver operation could only be included for certain versions of Windows.

Lots of malware masquerades as protected Windows files and the non-PE file malware is increasing as Windows security gets tightened up, although PE malware is still more numerous at maybe 80-90% of the total.

Regards,

Thanks for your comments
It can easily run on Windows XP+, I just need to recompile it. It ignores Windows files by using SfcIsFileProtected(). Windows itself maintains this list; it should always be correct, unless the system is already compromised.
Do you think it would be better to scan files as they are created / written or as they are read from?

Some of the AVs do both a scan on-read and on-write, but I think on-write is probably the better choice of the two if code/time/etc. are limited. A file is usually infected on-write.

What keeps me up nights are the malware injections into existing processes, which initially doesn't get written anywhere, and the drive-by downloads of brand new malware/exploits for which there are not yet any signatures. However, it is getting harder for run-of-the-mill malware writers to bypass DEP/ASLR, etc., and we are slowly getting a handle on exploit patching, so the bar is getting higher for malware writers.

Regards,

Do you know if ClamAV includes signatures for malware in memory? I could write a VAD parser, which could catch code injection. Hooking WriteProcessMemory / CreateRemoteThread could help stop code injection, but that is beyond me.
I will start working on scanning files as they are written. Do you know where the ClamWin source is? I would like the definition of CWScanFile_W, but I can't find it anywhere.
Also, I updated my original post, it will now run on Windows XP.

I don't know for sure whether or not Clam AV scans memory, but I doubt it--it was designed primarily for email servers, and there is not much need for memory scans on them. That is the problem--to a large extent, they never got beyond that use. The Sourcefire guys are better now that they have responsibility for Clam, and I look forward to some more practical development if they hang in there with it.

Here is a link to ClamWin source information: https://www.clamwin.com/content/view/178/27/ from the FAQ.

I've reference this thread to the ClamWin developers. I think that whatever you can do will hel--either now or later.

Regards,

Has there been any more progress on this project?

Regards,

I stopped working on it because I thought people weren't interested. I can continue, I'm about halfway done with the scan on write. I should be able to post a new version in a few days. I can also start on a VAD parser, but it seems ClamAV's automated 'signatures' are just PE section hashes, which are wasted on a memory scanner.

Well, I hope you take it as far as you can. ClamWin needs to have on-access capability, and you will provide a start. Even the Clam Sentinel resident front end to ClamWin isn't on-access. It scans files as they are added, modified, or copied and only controls them in suspended mode for its heuristic scan, so fast-acting malware can still execute.

Clam AV uses an PE section hash for its automated signatures because it's easy to do a lot of them that way, and they now comprise the bulk of their signatures. They don't seem to use the code section, so they get some false positives on the other sections due to import tables and other data.

I was under the impression that ClamWin transfers the processes in memory to disk files and then scans them, but maybe I'm wrong; however I think that's the only way they can do them, since Clam AV never had to worry about memory scans in its Linux code. ClamWin does have the option to remove infected files from memory.

I visited your web site--you guys look busy.

Regards,

I'm mostly busy with school, so I don't have a lot of spare time. For write scanning, I have files scanned as they are closed if they were opened for write access (since ClamAV is designed to scan whole files and not just parts). This eliminates a lot of unnecessary scanning. Do you think it's better to have an inclusion list for extensions (eg .doc, .pdf, .jar...), or exclusion list (.dat, .txt, .pf...)?

I've posted a new version that can scan files on write, however since libclamav cannot access the files, I can only scan them afterwards. cl_scanmap_callback() fixes this, however it has some bugs, so until ClamAV fixes this function, file writes cannot be blocked in real time.

I just noticed your question re: an inclusion/exclusion list. It's probably better to have an inclusion list rather than an exclusion list. The primary extensions to include would be Windows executables, as this is how most of the damage is done. In my experience, malware uses a list of 20-30 extensions about 95% of the time. I currently have ClamWin look at exe, dll, js, htm, html, swf, tmp, eml, scr, zip, inf, bat, bin, class, pdf, lnk, pif, doc, docx, job, sys, rtf, xls, xlsx, ocx, and rar. This is sort of in the order in which I see them used. You should probably add cpl, com.

The list of extensions that malware could use is almost limitless, but in my experience, 20 to 30 extensions covers most cases. Clam Sentinel looks at 130+ extensions which is pretty complete.

Regards,

Hello, xqrzd

I am interested your driver on-acces to ClamWin.
I can not send a PM, so please send me a PM or write here.

Regards.

Sure, what are you interested in? I haven't worked on it in a while, it still needs a lot of work.

I am interested improve driver on-access.
I want make antivirus at the beginning, with the engine clamwin/clamav in realtime.

Please speak to me on mail and we agree details
adrianjadukiewicz @ gmail .com

If you write to me, my email will deleted from this thread