Hi all,

I'm currently doing tests with ClamWin and installed a conficker worm on a test device to check the AV. The result is not as good as I thought it should be. If the worm is inactive on the disk, ClamWin is able to recognize it correct. But if the worm is active and get be used by svchost, ClamWin isn't able to read that file and with that it doesn't recognize any worm/virus on the system. Is that like it should work? Other AV are able to find it without any problem.

Maybe I didn't understood ClamWin correct. But I think a virus scanner should find any virus

Thanks

ClamWin uses the Windows API, so it won't be able to scan anything invisible/unavailable to the Windows API. I don't think ClamWin was designed to detect active threats.

The Clam AV engine used by ClamWin was/is designed to detect viruses/malware in email attachments on Linux email servers. ClamWin therefore has this same orientation to detect static malware. You might be able to detect malware that is in memory, but ClamWin must first convert the memory to a file, load the Clam AV virus signatures, and then scan the file--which will not be a very fast scan, and any malware in memory might have already done its damage.

Due to this, ClamWin should only be used as a backup scanner. To improve ClamWin, the developers need to eliminate/diminish ClamWin's dependency on the Clam AV engine, add on-access (real-time) scanning capability, keep the virus signatures in ready memory for fast scans, and include a good set of heuristics to supplement the mediocre Clam AV signatures. That is a lot for a free, open source program to do. The Clam Sentinel add-on program to ClamWin was/is an attempt to improve protection with ClamWin, but it still has a way to go.

Regards,

Hmmm, ok. That sounds that it is not really usable for my needs. I'm searching for a portable AV which is able to check some devices on demand. But in industrial field.

Thanks for your answers