Thanks for the info. Might be worth a try. The real time scan is done upon file write/open--nothing is done on the fly. The program appears to have a certain amount of flexibility for the user. However, there is no free support, and they don't say anything about their intent for the program for the future, so you don't know how long it will be around or if there will be program updates (I assume you can use the ClamAV signature updates). Looks like they will rely upon ClamAV for future stuff--reckon the ClamAV people will keep it compatable? You might need to know all this before you rely too heavily upon it.

Regards,

Hi. I am the developer of Tech-Protect. I heard that it had been discussed here, and as I saw that there were a number of questions about it, I thought I would pop in and answer them.

Tech-Protect is kind of a hobby project. It was originally a tool that warned when script files were run or files changed, into which a virus scanning capability was added using the free F-Prot DOS software. After a lot of problems were experienced with F-Prot under XP / NTFS I experimented with a version using the SOSDG port of ClamAV, but I experienced various issues that led me in the end to abandon the project.

I was fed up with most existing anti-virus solutions because they were bloatware that try to take over the computer, so I did not lose interest in the Tech-Protect project. When I found that Nigel Horne had released a new native Windows port of ClamAV I thought it was worth trying again. This new version worked much better, so I decided to release it. However I have made little effort to publicise the product since I was afraid of being swamped with support requests for virus problems. Tech-Pro.net is a business on which my wife and I depend to earn a living, so I can only release freeware if it doesn't take up time in support that could be more profitably spent elsewhere. Hence the statements about support on the website.

Tech-Protect is not GPL for a number of reasons, the most critical of which at the moment is that, because of its history, it was developed using a commercial shareware product whose developer now seems to have lost interest. You could not get hold of a copy of the tool it was developed in, even if you wanted to, at the moment, although we are still hopeful that it will eventually be released. Therefore Tech-Protect is probably best regarded as a prototype for someone to redevelop using something with a future. However, while it and ClamAV continue to work on current and future versions of Windows and as long as Tech-Pro.net itself is still around I don't see any reason why Tech-Protect should disappear, as long as it does not become a source of support headaches for the business.

I am aware that this is a forum belonging to another ClamAV-based product, therefore I apologise for any breach of etiquette by posting here. If anyone wants to continue a discussion about Tech-Protect, or help to form a peer support group for it, then as I own https://www.the-pc-guru.com The PC Guru site I suggest the https://www.the-pc-guru.com/forum/index.php?board=4.0 Security forum there could be used.

Thank you for your interest in my little anti-virus tool.

TechPro is a pretty good effort at making ClamAV resident for Windows via the ClamAV Windows port engine. It is robust and flexible but isn't suitable for use on servers. It can be used with most antivirus software because it doesn't conflict with them--as it uses redirection to become the hosting application for executables called from within Windows Explorer/Desktop instead of embedding hooks deeply into the operating system (like Kaspersky).

I think, however, ClamWin 1.0 will have more up-to-date code, and it is (and will be) an ongoing effort, using current deveopment tools/techniques. Finally, ClamWin has very good responsive support, and I'm sure it will continue. No other antivirus software offers the accessability you have to the developers of ClamWin, who can quickly address your suggestions and concerns via these ClamWin forums. That's why I'm sticking with ClamWin.

Just the same, I wish they would release some of those version 1.0 improvements gradually instead of waiting for one massive upgrade. It could make testing easier and keep some users from jumping ship.

Regards,

From the brief analysis of the TechPro I can conclude that it use 2 approaches to "automate" scanning:

1) Monitors changes to files using ReadDirectoryChanges API calls. This is a notification only API and it is not possible to block writing of an infected file to disk. Therefore it is very easy to circumvent such protection by executing a file programatically before a user takes action. Possibilities include dismissing the virus warning dialog, etc.

2) Changes the way files are opened in Windows Explorer (Run action) and scans them first. Although it helps within Windows Explorer, a fil will run undetected when executed from command line or another program.

In ClamWin we consciously decided not to go this way and not implement the 2 features listed above for one major reason: if the protection is not comprehensive and can be bypassed with ease, then such protection creates a fals feel of security with a user and can do more harm then good.

ClamWin version has full-featured file system filtering and will block any read access to an infected file. ClamWin v1 is a major rewrite with no code from 0.xx codebase and cannot be introduced gradually (we would if we could).

Your analysis is almost correct. The object in Tech-Protect was to provide better checking than a plain on-demand scanner. In reality, it is unlikely a virus would target Tech-Protect specifically by including code to close its warning dialog, and the couple of seconds between a file being written to disk and the warning being shown is still better than waiting until a manual scan has been initiated. The limitations of the virus check on open being implemented via the registry are admitted (though you are not quite correct: it works even when something is run from the command line, or from a program if it uses ShellExecute to do the opening) but to be frank I didn't (and still don't) know another way to do it.

I wish you success with the new version of ClamWin and will watch for its release with interest. I hope that your proposals for real time virus checking will not have too big an impact on performance. Because ClamAV is quite a slow scanner, I found that scanning every file on every access made the system unacceptably slow. Therefore Tech-Protect uses CRC checking to avoid re-scanning files in real time when they have not changed.

ClamWin v1 will have a persistent cache database with fast and secure hashing algorithm: PanamaHash. CRC32 however is a very insecure algorithm and it does not take much for a virus to change a file and then pad it so the CRC is intact - this has been done before.

In my opinion Antivirus software is not the one where you can make compromises, therefore ClamWin does not have such features as ReadDirectoryChanges and Explorer "Run" hook.

I have successfully executed eicar.com from command line without seeing a warning, as far as I know cmd.exe does not use ShellExecute.

@alch

All the comments regarding ClamWin 1.0 are very exciting to hear. Can you summarize the development issues remaining before you can move into the beta testing phase?

I am supporting ~35 or so machines (various Dell, Compaq, and Sony models) in a business environment and can perhaps offer you some help on the testing side if you are interested If so, how do I join up on your dev team

Thanks

It seems you are right, however I am sure that several years ago when I first created this thing it did. It may be something that changed during one of the security updates. To be honest I have no idea why Windows uses the file association mechanism to run executables, I can't see any possible benefit of it, and as you know the mechanism has been exploited by Windows viruses in the past, but since it does I thought I would take advantage of it. If I knew of a better way to do it then I would.

I think there are always compromises to be made. Otherwise one might argue that you should not be using ClamAV at all, since it still has quite a few weaknesses (for example, detection of many polymorphic viruses, overall detection rates in comparative tests) that other virus detectors do not. Indeed, it is unwise to mention anything related to ClamAV in the alt.comp.antivirus newsgroup unless you enjoy being flamed by people who claim exactly that...

Thanks to you both for the info guys. I didn't know that V 1.0 was a complete re-write for ClamWin, Alch, so I see why you are taking your time.

IMHO if you can get an antivirus program that will catch 80% of the viruses at any one point in time, that is about as good as you can get. For those that test in the 95-98% or so range, they just weren't exposed to that 20% new stuff.

Some viruses are starting to target antivirus software--sometimes specific to certain brands, so this is a possibility for any AV software I suppose. The virus guys can upload their stuff to AV TEST also--just like users. Again...80%!

Regards,

cmd.exe on WinXP SP2 uses CreateProcessW inside of the ExecPgm() function.

It all depends on what you claim to do when a virus is detected. If you don't claim to be stopping it, then it is merely on-access detection/warning, not on-access removal/prevention.

One second is a millenium for code to execute.

Malware that scans looking for things, bots that wait for instructions, or malware that uses large sleep() calls to prevent manual investigation by non-reverse engineers would be impacted by that long of delay, otherwise, you've allowed a tremendous amount of CPU cycles to occur.

Hello,

All that seems to very good however I wondering if ClamAv 1.0 will include an AntiKill feature to prevent viruses form shutting it down ?
Also one quick feature that I would like would be the option to delete a file once it has been identified as a Virus.

Thanks

Al968

Arch (or someone else), would you be able to give us a technical run-down on how the proposed on-access scanner is going to work?
For example, will it be implemented via a ring-0 driver, or a vigilant ring-3 application which will hook all possible ways of executing files?
Are there any obstacles which need to be overcome at this stage?

it is implemented as a file system filter driver (ring-0)
more info here:
https://wiki.clamwin.com/index.php/Package_Diagrams

[edit] please do not promote other software in clamwin support forum[/edit]