ClamWin Free Antivirus
Support and Discussion Forums
infos in ClamUpdateLog.txt
sorrington


Joined: 06 Sep 2017
Posts: 0
Hello all,

I thought I wouldn't need to ask the question, but after looking around the forum for 30 minutes, I couldn't find my answers (sorry if I missed them).

As my log file says:
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cld is up to date (version: 23782, sigs: 1742863, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 309, sigs: 69, f-level: 63, builder: bbaker)

I would like to know more about the meaning of this information. What are "sigs", "f-level", and why are there 3 different *.cld files?

(I first supposed that "sigs" stood for the number of virus signatures, but according to https://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-virusdb , it looks more like the version number of daily.cld, and not the number of signatures ...)

Thanks for your help!
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Welcome to ClamWin!

The ClamWin AV program is a Windows port of the Clam AV project, which is intended primarily for Linux email servers--to protect their users from malware. ClamWin uses the virus database that is kept up by Clam AV. Clam AV is an open source project that is now owned by Cisco. As you see, it uses 3 different databases. The main database contains the largest number of signatures. The daily database contains fairly recent signatures, and it is periodically integrated into the main database (maybe a couple of times per year). The bytecode database contains a few high-level signatures designed to detect virus families or certain very destructive viruses.

Sigs is short for signatures. F-level denotes function level. Some detections are not active until a certain date/function level because they depend upon new code; otherwise, they might "break" the program. There are 3 separate databases because each database has a separate function. The main database has proven, older virus signatures. The daily database has newer signatures that might be subject to change. As mentioned, the bytecode database has high-level signatures. The bytecode database signatures consist of pseudo code. The main/daily database consists of file hashes, section hashes, and file strings (words) from the virus code.

The ClamWin developers prepare a Windows port from the Clam AV Linux program code and attach a graphical user interface (GUI) to it for Windows users. Clam AV is responsible for detection signatures and database maintenance. ClamWin is only an on-demand scanner, featuring manual or scheduled scans. It does not scan in real-time as viruses are placed on your machine. Linux email servers do not need a real-time scanner. This is important to you because you should only use ClamWin as a backup/2nd opinion scanner to a real-time AV scanner. Some good, free AV scanners for Windows computers are: Windows Defender (or Security Essentials for older computers), Fortinet Forticlient, Avira, Avast, and Panda Free.

Thanks for using ClamWin!

Regards,
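The fields explained in the answer above can be read out of ClamUpdateLog.txt programmatically. This is an added example, not part of the original thread and not ClamWin or ClamAV code; the function names and the `engine_flevel` value (the f-level of the locally installed engine, supplied by the caller) are assumptions.

```python
import re

# Format of the "is up to date" lines quoted in the question.
# .cld is the extension on the page; .cvd is ClamAV's other database extension.
LINE_RE = re.compile(
    r"^(?P<db>\w+)\.c[lv]d is up to date \(version: (?P<version>\d+), "
    r"sigs: (?P<sigs>\d+), f-level: (?P<flevel>\d+), builder: (?P<builder>[^)]+)\)$"
)
EXPECTED_DBS = ("main", "daily", "bytecode")  # the three databases named in the thread

def parse_update_log(text):
    """Return {db_name: {version, sigs, flevel, builder}}; last entry per database wins."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip separators, timestamps and other log lines
        records[m["db"]] = {
            "version": int(m["version"]),
            "sigs": int(m["sigs"]),
            "flevel": int(m["flevel"]),
            "builder": m["builder"],
        }
    return records

def review(records, engine_flevel):
    """List problems: a missing database, or one built for a newer function level."""
    findings = []
    for db in EXPECTED_DBS:
        if db not in records:
            findings.append(f"{db}: no status line found")
        elif records[db]["flevel"] > engine_flevel:
            findings.append(
                f"{db}: f-level {records[db]['flevel']} exceeds engine f-level "
                f"{engine_flevel}; some signatures may be inactive"
            )
    return findings

def total_signatures(records):
    """Sum the 'sigs' counts across all parsed databases."""
    return sum(r["sigs"] for r in records.values())

# The three lines from the question, used as sample input.
SAMPLE_LOG = """\
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cld is up to date (version: 23782, sigs: 1742863, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 309, sigs: 69, f-level: 63, builder: bbaker)
"""
```

For a tool that scans files programmatically, running `review()` on the log before each scan shows when a database line is missing or when the engine is older than the function level a database was built for.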
sorrington


Joined: 06 Sep 2017
Posts: 0
Thank you very much! This perfectly answers my questions.

And thanks for all the precisions. ClamWin (and ClamAV) seem to be fulfilling my expectations for almost a year now (I needed an AV, not too heavy to implement, to programmatically scan given files).

Thanks to the ClamAV Team :)