ClamWin Free Antivirus
Support and Discussion Forums
ClamAV 0.90 Stable Release
galileo


Joined: 01 Nov 2006
Posts: 0
Location: Charlotte, NC USA
Released - February 14th 2007 - see "www.clamav.net" - new website as well

ClamAV appears to be evolving to address phishing and has further anti-malware development plans - per its website news/info.

What now for ClamWin? Multi-threat anti-malware engines seem to be gaining momentum as well as a philosophical support base vis-a-vis solely signature based engines. Will ClamWin be able to reach Version 1 before its underlying philosophy becomes irrelevant in the mal-war? Will it evolve its anti-malware capabilities along with the rest of the anti-malware community or fade into the paleozoic past?

I strongly support the ClamWin project and employ it in a notable percentage of my business systems - despite various reports/claims/test/blogs that tend to disparage its detection and speed - which are questionable based on testing procedure versus real world usage. But, I am developing a sense of discomfort regarding the next generation of ClamWin. I understand the personal time put into its development and the difficulty of finding the team members. But, at the end of the day, the capability of the software plus its ability to defend/protect a user's system(s) are the only issues that will matter when the "wolves come knocking".

Guys - what's going on? The developer blogs are, frankly, becoming rather dated and the repeated mentioning and references in the forum to "Version 1" are becoming like...well, like vaporware references. It's unfair to your committed user base to effectively keep folks on a string so to speak. Is there specific progress towards a specific goal...is there anything other than handwaving and smiles regarding where the development really is? If users are to plan for implementation in a business environment then some factual information is needed for us to lay out a timeline for business deployment. Should we be concerned about the development, should we plan on nothing...and for how long...yes, delivery dates are more frequently missed than met in the software world - but it does give the user a sense of the timeline to hear a specific target date. Don't worry about your committed users not understanding your time commitments and the rather dicey probability of actually meeting a delivery target date....we are a hardy bunch or we would already have left for greener pastures....just give the real when and where facts for the project....we'll understand and accommodate the timeline and its ongoing corrections.

Your committed users know and understand the difficulty in an open source project - or they wouldn't still be committed and still here with you. But, nonetheless, the purpose of being here is to have (and participate in) a viable anti-virus and, hopefully, anti-malware tool for their systems. Can you offer up some meat and potatoes on development and (a non-binding) schedule? My planning to use any tool is dependent on its availability and capability to address the daily threats - as of now we really don't have a comfort zone with ClamWin's development - but - we really "do" want that comfort zone.

Please accept a hearty THANKS for the effort put into and ongoing for the project!
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
clamav-devel (0.90) branch is actively merged with win32 port, so it will be ready when 0.90 will become stable
I've some doubt about the phishing engine, it's only for email, it makes no sense to use in normal scanner.

We are testing in clamav release branch, a new feature that should skip unneeded binary and media files,
this should speed up a lot "large scans".

About the v1, yes it's not easy, I stopped the development for a bit because of a nasty bug that fortunately seems
to be gone.
The ifs filter is almost done
The service is almost done (it still lacks of some mandatory functionality)
We are waiting for the gui developer, that should put the gui on svn repository

Yes, there is a lack of info about development; all of us are also busy with "real life" jobs,
but if you subscribe to the beta testing forum you will see that the development is not stalled

Take a look at the sourceforge svn repository and the commit messages and dates
https://clamwin.svn.sourceforge.net/viewvc/clamwin/trunk/

Finally thank you for the support :)
ClamWin Development
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The natives are getting restless! See: https://wiki.clamwin.com/index.php/ClamWinD.

Many (if not most) of the commercial antivirus software has been around since the late 1980s. Most of them didn't go real-time/on-access until after 1996. ClamWin has been around about what now--three years? Alch could have taken some shortcuts and have a "half-fast" real-time scanner by now--like some of the other stuff out there, but I'm convinced that he is going about the development of ClamWin in a careful and thorough manner. Clam is incorporating some antiphishing/antispyware signatures/capabilities, and there is at least one free/opensource website working on phishing/spyware/scam signatures that can be incorporated into ClamAV/ClamWin. ClamWin will continue to benefit from the development of Clam.

There will probably always be a certain need for a signature-based scanner. You don't see any of the commercial programs throwing away their signatures! In fact, the behavioral/heuristic antivirus software components need updates, but they don't like to tell you that.

We'll just have to see what the Open Source area has in the way of behavior blocking/dynamic heuristic detection/etc. once ClamWin gets real-time/on-access capability. And don't forget Windows (XP) has a decent incoming firewall. Perhaps ClamWin could incorporate code protecting the outgoing functions, and you would be protected between the two products. A marriage of ClamWin and Winpooch might work if we could live with those Winpooch system hooks. I'll also bet somebody else (open source) is now working on other advanced techniques that could be incorporated into ClamWin at some point.

Regards,
galileo


Joined: 01 Nov 2006
Posts: 0
Location: Charlotte, NC USA
@sherpya

Thank you for the info and direction. By the way, I support over 35 machines in a business environment (Dell, Compaq, Sony, Fujitsu) and am willing to help out with Alpha/Beta testing. I currently have ClamWin installed on about one-third of the user base. Let me know if you need assistance.

@GuitarBob

waka waka hooya hooya..... :D
Wakka, Wakka
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Real-Time Malware Behavioral Analysis And Detection Engine (BAAD)
CONTROL MODULE
Accepts an executable file per criteria
Notifies Undo/Analysis to initiate
Uses API/system hooks to track behaviors
Notifies Undo/Analysis of behaviors
Receives Analysis threat warnings
Contacts User for decision (optional)
Carries out User's decision (one):
    Continue execution
    Stop execution
Notifies Undo when to reverse actions
Notifies Analysis/Undo of completion

UNDO MODULE
Initiates an undo log
Logs process behavior/action
Reverses actions per Control
Closes log upon completion notice from Control

ANALYSIS MODULE
Initiates an analysis file
Keeps cumulative score of behaviors/actions
Issues threat warning to Control
Closes file upon completion notice from Control

PROGRAM DESCRIPTION
The purpose of this system is to perform an analysis of the actions of executable files as they are being executed in order to detect malware.
The Control Module uses API/system hooks to allow one-at-a-time process behaviors and notify the Analysis Module and the Undo Module of the behaviors.
The Analysis Module keeps a cumulative score of the behaviors and notifies the Control Module if the score indicates a threat.
The Undo Module logs the behaviors in detail so that they can be reversed if a threat is indicated.
Upon notification of a threat from the Analysis Module, the Control Module notifies the computer User and requests a decision.
The User will either tell the Control Module to Stop the threat or Ignore it/continue execution.
When the User tells the Control Module to Stop, the Control Module notifies the Undo Module to reverse the behaviors that have occurred.
The Undo Module will use its detailed log of all process behaviors completed and undo/reverse them.

NOTES
The Control Module can be set up to operate only when an executable file meets certain criteria.
Assumption for scoring implications: malware will perform its malicious actions rather quickly in order to minimize User detection.
The Scores used by the Analysis Module can be adjusted to allow for "gaming" by malware writers, malware evolution, and for other purposes.
To completely automate the Engine, take the User out of the loop.
This system can/should be used to increase the functionality of traditional malware signature detection.
The system can also be used to identify malware and keep a detailed log/record of its actions for malware analysts.
The system may also be beneficial in identifying specific malware signatures when/as malicious acts are performed.

Regards,
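The Control / Analysis / Undo split outlined in the post above, as an added sketch that is not part of the original post or of any ClamWin code. The behavior weights, threshold, 5-second scoring window and the dict standing in for files and registry keys are assumptions made for illustration, and the loop applies each behavior directly rather than intercepting it through API hooks.

```python
# Added sketch of the BAAD outline; all names and values here are constructed.
from dataclasses import dataclass, field

WEIGHTS = {"write_file": 1, "set_autorun": 4, "delete_file": 3}  # hypothetical
THRESHOLD = 6                                                     # hypothetical
WINDOW = 5.0  # seconds: only recent behaviors count (the "acts quickly" note)

@dataclass
class Analysis:
    recent: list = field(default_factory=list)   # (timestamp, weight)
    def record(self, ts, kind):
        self.recent = [(t, w) for t, w in self.recent if ts - t <= WINDOW]
        self.recent.append((ts, WEIGHTS.get(kind, 0)))
        return sum(w for _, w in self.recent) >= THRESHOLD  # threat warning

@dataclass
class Undo:
    log: list = field(default_factory=list)      # (key, previous value)
    def record(self, system, key):
        self.log.append((key, system.get(key)))  # None means "did not exist"
    def reverse(self, system):
        while self.log:                          # newest action is undone first
            key, old = self.log.pop()
            if old is None:
                system.pop(key, None)
            else:
                system[key] = old

def control(system, behaviors, decide):
    """Apply behaviors one at a time; return 'completed' or 'stopped'."""
    analysis, undo = Analysis(), Undo()
    for ts, kind, key, value in behaviors:
        undo.record(system, key)                 # log before the action happens
        if kind == "delete_file":
            system.pop(key, None)
        else:
            system[key] = value
        if analysis.record(ts, kind) and decide(kind, key) == "stop":
            undo.reverse(system)
            return "stopped"
    return "completed"

# Constructed trace: (seconds, behavior, target, new value)
TRACE = [(0.0, "write_file", "C:/tmp/a.dat", "x"),
         (0.5, "set_autorun", "Run/updater", "C:/tmp/a.dat"),
         (1.0, "delete_file", "C:/docs/report.txt", None)]

def run_demo(decide=lambda kind, key: "stop"):
    system = {"C:/docs/report.txt": "quarterly numbers"}
    return control(system, TRACE, decide), system
```

Passing a `decide` callback that always returns "stop" corresponds to the post's note about taking the User out of the loop.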
Some suggestions
Traversal


Joined: 14 Dec 2006
Posts: 0
Location: China
I'm a common home user; besides scanner engine improvements, a real-time monitor is necessary.

And, I think, ClamWin had better publicize the method of the signature tool, so that AV fans all over the world can do update a favor.