ClamWin Free Antivirus
Support and Discussion Forums
Tips configuring file's extensions and scanning size
Dan_Aykroyd


Joined: 12 May 2009
Posts: 0
Hi!

I just migrated from BitDefender to the Clam because I was looking for an on-demand AV that didn't have any services installed and running in the background.

Now, when configuring it, I noticed the extension filter scanning and the "Do not scan files bigger than.... / Do not extract more than..." options. What do you think is the best configuration for these tabs in a real world scenario? Should I leave them as they are out-of-the-box or tweak them a little?

For example, by not scanning files bigger than 100 MB, a lot of installables .exe won't be scanned. The same as in archives that are bigger than the specified threshold... if they have an infected file inside, they won't be picked up. And about the scanning filters... what do you think it's best to specify there?

Thanks in advance guys.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
An individual malware file will seldom be found that is 1MB or larger, although the rogue antivirus stuff is larger. Executable files that have been infected with malware can, of course, be larger than 1MB. As a practical matter, I just leave the defaults and assume that the ClamWin developers will change them if needed.


Regards,
Antonio S.


Joined: 20 Apr 2008
Posts: 0
Location: Italy
Hello,

I'm generally keeping the default values as well. In addition I have set some filters to make ClamWin scan only certain filetypes depending on their extensions, just to speed up scans. Of course it mainly depends on whether you download files from trustworthy places.
Just to be sure, I would still keep a resident AV (or a behaviour blocker) just to be sure I am not 'missing' something on the way.
Regards
Antonio
Dan_Aykroyd


Joined: 12 May 2009
Posts: 0
Thanks for your comments!

Can you please share with us the extensions you are using Antonio?
Dan_Aykroyd


Joined: 12 May 2009
Posts: 0
I forgot... is it quite safe for most cases to use ONLY these file extensions for scanning (thus saving scanning time)?:

.exe
.dll

Thanks.
Antonio S.


Joined: 20 Apr 2008
Posts: 0
Location: Italy
Hello,

.exe and .dll cover only a part of the malware which is around. Basically it depends on the source you download files from but think that compressed files (.zip, .rar, .7z, .tar) or office files may even contain viruses.

As per my blacklist of potentially dangerous file extensions I have set:
*.ade/*.adp/*.bas/*.bat/*.chm/*.cmd/*.com/*.cpl/*.crt/*.exe/*.hlp/*.hta/*.inf/*.ins/*.isp/*.js/*.jse/*.lnk/*.mdb/*.mde/*.msc/*.msp/*.mst/*.pcd/*.pif/*.reg/*.scr/*.sct/*.shs/*.url/*.vb/*.vbe/*.vbs/*.wsc/*.wsf/*.wsh/*.zip/*.rar/*.tar/*.7z*/*.doc/*.xl*/*.ppt/*.od*/*.dll

which is basically a list of potentially dangerous file extensions one can find by googling on the web. I have just added dll's, compressed files other than .zip and open document format (just to be sure).

I skipped .msi files (which I do not download and install usually) so my Vista install files are skipped anyway (that takes too long..). Unfortunately a standard Vista install (like the one I have on my laptop) has so many .dlls that it takes quite some time to have a full c: scan. :(

Of course this reflects only my approach to scanning of malware using ClamWin; I guess it should cover most part of threats but it is not the definitive word on it. It has been useful to me just to have a reasonable benchmark between protection and scan performance. As I said Threatfire is always running in the background in case I miss something.

Regards,
Antonio
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
A lot of infected virus files use the exe and dll extensions. Exe is certainly the most commonly infected extension. Infected dll files will usually be dropped on your computer by a virus when it is executed, and if you have an infected dll file, you may also have other infections as well.

There is a decent list of about 40 or so dangerous file extensions at https://www.trimmail.com/help/howto/dangerous_extensions_1/ on the web. This list seems to have the most common dangerous extensions, although you will find that no two lists are alike. You will need to add Office-type extensions to it, however, such as doc, xls, ppt, rtf, pdf and swf (flash files). It seems that no list (even Microsoft's) includes them. The new office stuff has four letters in the extension, so you can use do**, xl** and pp** to cover both old and new office stuff. Lots of people also include the most popular archive extensions like zip, rar, tar, 7z and gz, but if you make it a practice to scan files after you unarchive them and before you run them, you can save some more scanning time--archived files won't hurt you until they are unarchived and run. In fact, many AVs don't bother very much with archived files--they try to catch them with their real-time scanner as they run.

You can also Google for "dangerous file extensions" to get other lists, but I would try to keep it to 50-60 extensions. If you use a real-time antivirus with ClamWin, this should give you some extra protection with a minimum amount of scanning effort.

Regards,
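An added example, not part of any post in this thread and not ClamWin code: it checks which constructed file names the extension filter quoted above would pass over, before and after merging in the Office and archive patterns suggested in the reply above, and lists entries that become redundant once the wildcard forms are present. It assumes the filter entries behave as case-insensitive shell-style globs on the file name; the function names and sample file names are made up for illustration.

```python
from fnmatch import fnmatchcase

# Antonio's filter, copied from his post ("/"-separated globs).
ANTONIO = (
    "*.ade/*.adp/*.bas/*.bat/*.chm/*.cmd/*.com/*.cpl/*.crt/*.exe/*.hlp/*.hta/"
    "*.inf/*.ins/*.isp/*.js/*.jse/*.lnk/*.mdb/*.mde/*.msc/*.msp/*.mst/*.pcd/"
    "*.pif/*.reg/*.scr/*.sct/*.shs/*.url/*.vb/*.vbe/*.vbs/*.wsc/*.wsf/*.wsh/"
    "*.zip/*.rar/*.tar/*.7z*/*.doc/*.xl*/*.ppt/*.od*/*.dll"
).split("/")

# GuitarBob's Office/archive suggestions from his post, written as globs.
GUITARBOB = ["*.do**", "*.xl**", "*.pp**", "*.rtf", "*.pdf", "*.swf", "*.gz"]

# Constructed file names for illustration only.
SAMPLES = ["report.docx", "budget.xlsx", "slides.pptx", "setup.EXE",
           "macro.docm", "backup.tar.gz", "notes.txt"]


def merge(*lists):
    """Union of several pattern lists: lower-cased, order kept, no duplicates."""
    return list(dict.fromkeys(p.lower() for lst in lists for p in lst))


def skipped(patterns, names):
    """Names that no pattern selects, i.e. files the scan would pass over."""
    return [n for n in names
            if not any(fnmatchcase(n.lower(), p.lower()) for p in patterns)]


def redundant(patterns):
    """Literal-extension patterns already covered by another pattern."""
    out = []
    for p in patterns:
        ext = p[1:]                      # ".doc" from "*.doc"
        if "*" in ext or "?" in ext:     # only test fixed extensions
            continue
        if any(q != p and fnmatchcase("x" + ext, q) for q in patterns):
            out.append(p)
    return out


if __name__ == "__main__":
    merged = merge(ANTONIO, GUITARBOB)
    print("skipped by original list:", skipped(ANTONIO, SAMPLES))
    print("skipped by merged list:  ", skipped(merged, SAMPLES))
    print("entries that can be dropped:", redundant(merged))
```

Running a real directory listing through `skipped()` before settling on a list shows which file types the filter leaves unscanned.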
Dan_Aykroyd


Joined: 12 May 2009
Posts: 0
Thanks for your advice Antonio & GuitarBob! I think I'll merge your recommended extensions and create a list that suits my needs from that.

Thanks!