ClamWin Free Antivirus
Support and Discussion Forums
On access scanner COMPROMISE
sashaluda


Joined: 24 Nov 2008
Posts: 0
Hi All,

I thought and I thought... about an on-access scanner. The only alternative was winpooch, but it was discontinued after SP3 and all the efforts of Microsoft to make antivirus writing more difficult. And then an IDEA came to my mind: if only I could run Clamwin as a screensaver with a memory of which files had already been scanned! ... if only, if only... It doesn't look possible. Then the second IDEA came to my mind:

Run an HOURLY scheduled scan of JUST memory. But that's impossible (at least with GUI settings).
And finally, third IDEA:

Run an HOURLY scheduled scan of memory and TEMP folder.

On my computer all of the temp work is saved in one folder (one can change it in properties of "My Computer"). Alternatively it is possible to add all the temp folders to the list of scanned folders.

I understand that this method is not going to catch a virus while it is infecting the system, but it wouldn't take long (one hour) before viral activity is detected. After that a complete scan of the system will do. On the positive side, this method isn't going to load the system too much (I have noticed how slow the computer becomes during a complete system scan - almost impossible to use any processor-hungry application).

Please, share your ideas about this method.
Thank you
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I thought about running an hourly memory scan, but I decided it was just too much. You're not going to get infected every hour, and even a memory scan takes (in my case) about a minute and uses about 40% of resources while doing so. Until there is an on-access/real-time version of ClamWin, I think the best protection is to run a free antivirus and use ClamWin as a backup (primarily for Windows and %user% scans). Threatfire and ClamWin make a good combination, and they are both free.

Regards,
Sturmeh


Joined: 11 Apr 2008
Posts: 0
Location: Australia
I think what many Anti Virus clients are out for is the risk of a worm spreading beyond its grasp, and therefore it likes to check everything...

Ideally, you only need to scan the files that don't originate from the workstation.

So whatever you download in Firefox, IM, P2P, BitTorrent, etc.
Half of that could be improved to save resources by adding trusted locations.

You only need those scanned really.
sashaluda


Joined: 24 Nov 2008
Posts: 0
Sturmeh wrote:
I think what many Anti Virus clients are out for is the risk of a worm spreading beyond its grasp, and therefore it likes to check everything...

Ideally, you only need to scan the files that don't originate from the workstation.

So whatever you download in Firefox, IM, P2P, BitTorrent, etc.
Half of that could be improved to save resources by adding trusted locations.

You only need those scanned really.


What about scanning only those with an access date (or even better, a creation date) of today? I used to catch viruses (worms) by hand like this:
- see the list of processes (I know it could hide)
- find suspicious-looking items (usually the size isn't too big)
- find the file on disk
- see the creation date, and if it's something you don't remember installing on that date, put it away (in a different folder) and
- look for that name in the system registry....

But really, there's a simple mechanism:
- just find all *.exe files (including hidden and system files) with a size less than 1MB
- sort by creation date
- see the most recently created ...
-----------------------
Having said all that, is there something useful of those ideas that can be applied to Clamwin?
I think we're all waiting for 1.0 release with on-access scanner, but it would do the same thing as AntiVir did to my computer - dramatically slow it down. So, we're not only finding a way around the current situation, we're finding an ALTERNATIVE to on-access scanning.

BTW, all of the viruses I found had a copy (maybe under a different name) in the TEMP folder. That's why I think that scanning TEMP is a good idea.

PS My memory scan takes about 20 seconds, but with the growth of TEMP (cleaned once a day) the scans all together start at 1 min and end up at 100 min a scan. Cleaning TEMP once a day isn't enough ;)
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Those characteristics you just mentioned would make a good set of basic heuristics for ClamWin, independent of Clam. They could piggyback on the Clamscan for the following:

files with common extensions frequently used by malware
files with a size less than 500KB
files with "funny" names: all vowels/consonants, numbers at begin/end of name, less than 4 characters/more than 12
files with a creation date that is less than 10 days prior to scan date
files in malware directories: sys32\config, win\drivercache, win\temp, sys32\drivers, %user%, c:\, sys32\nosubdir

Compute a score for each "hit" and "flag" a file as possible malware if it is 80% or more of total score.

You could add it to memory scan initially and see how it goes and then expand it to regular scans.

Regards,
sashaluda


Joined: 24 Nov 2008
Posts: 0
GuitarBob wrote:

files with common extensions frequently used by malware
files with a size less than 500KB
files with "funny" names: all vowels/consonants, numbers at begin/end of name, less than 4 characters/more than 12
files with a creation date that is less than 10 days prior to scan date
files in malware directories: sys32\config, win\drivercache, win\temp, sys32\drivers, %user%, c:\, sys32\nosubdir


Wow! But, let's be practical: what can be done with current abilities of clamwin?

files with common extensions frequently used by malware
I don't want to scan too many files, so the idea is great, but let's be more specific: is it possible to add (I'm not sure) a file or list of most attacked files to a scan scheduler?

files with a size less than 500KB
files with "funny" names: all vowels/consonants, numbers at begin/end of name, less than 4 characters/more than 12
files with a creation date that is less than 10 days prior to scan date

Are these settings possible with clamwin?

Thanks


Last edited by sashaluda on Thu Mar 05, 2009 6:07 am; edited 1 time in total
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
No, these settings cannot be used by ClamWin currently. They are just some simple, common sense malware characteristics that I have noticed. They would have to be integrated into the Clamscan, and I don't think Clam is interested in doing anything like that (especially on personal use Windows machines). They are looking at heuristics with more "horsepower" (primarily for larger/paying businesses) if/when time allows, but that may not come to pass for some time. Unfortunately, I'm not a programmer.

Your best bet now is to download signature updates often, scan regularly, and supplement ClamWin with a real-time/on-access scanner.

Regards,
Antonio S.


Joined: 20 Apr 2008
Posts: 0
Location: Italy
sashaluda wrote:
is it possible to add (I'm not sure) a file or list of most attacked files to a scan scheduler?


Hello,
You can set the Filters tab in ClamWin preferences so that it scans only certain file extensions. A list of those extensions can be found at https://safecomputing.ttu.edu/lubbock/recommended/fileextensions.php
I would add .dll and the most common MS Office extensions for extra safety.

Make regular virus DB updates and regular scans of your machine, as Bob suggested.

Hope this helps,
Antonio