ClamWin Free Antivirus
Support and Discussion Forums
Safe file extension list or How to cut down on scanning time
Budda


Joined: 08 Jun 2007
Posts: 0
Hi all,
In order to cut down on scanning time (atm it takes 48 hours to scan my entire system) I was wondering about which files really needed to be scanned. I checked the Preferences for which files ClamWin excludes and was surprised to find that it was only very few file extensions.
I added a few obvious ones (.jpg, .jpeg, .gif, .avi, .mpg, .mpeg, .mp3, .tif, .tiff, .wav, .) and am wondering how many more I could add.

I did a Google search on dangerous file types as suggested in https://forums.clamwin.com/viewtopic.php?t=958 and now I am wondering about images and library files. Is ClamWin able to actually recognise viruses within images such as .nrg, .iso?
My test would suggest that it doesn't. I "burned" the EICAR test file into an .nrg image with Nero and scanned it afterwards. No virus found.

And what about library files such as .cab, .msi, .dat, .tar, .msp, .chm, and .wmf (especially wmf, it's more than just a video file, isn't it?)

Furthermore there seem to be many large files in Games such as .big, .mpq, .fsb, .rsb, .bik. Are these files even capable of "activating or harbouring" a virus?

Could I propose a safe list of file extensions regularly updated to cut down on scanning time?
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
ClamWin has a "detect executable files" option under the advanced section, turned on by default. This option looks at the file contents rather than the extension, which can be faked - regardless of the extension a file can be executed.

ISO and media files are already not scanned
Budda


Joined: 08 Jun 2007
Posts: 0
Thanks for that Alch! I checked and I have that turned on. Still I would like to cut down on files that are scanned at all. I am sure it is safe to exclude some extensions by default.

alch wrote:
ISO and media files are already not scanned

Hmm, that's not what I could see in the progress window. It definitely scanned .avi.

Anyway has anybody already created such a list of files? I could not find any in my forum search...
b0ne


Joined: 26 Oct 2006
Posts: 0
alch wrote:
ClamWin has a "detect executable files" option under the advanced section, turned on by default

That option is a little misleading. It really isn't an inclusionary check for executables, but an exclusionary list for certain media files.

Several anti-malware vendors have maximum file-size limits and actually do check for valid MZ/PE header combinations. If ClamWin used a straight executable check, scans would be significantly faster.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
If you also use a resident scanner (you should if you surf the Web), you can use ClamWin as a "backup" scanner. That way, it doesn't have to look at everything. Just have it scan for the 30 or so most dangerous file extensions, the three/four most common compression types, and document extensions like .doc, .xls, .ppt, and .pdf. The resident scanner will most likely look at 50/75 file types for you, and they will update them as necessary. Unless you turn it off just for ClamWin scans, a resident scanner will also get another look at files that ClamWin scans, so that's why you might need to have a whole lot of file types for ClamWin.

Regards,
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
media files are skipped by the exe only option,
avi are scanned but only if they are animated cursors, so even if you see the progress the scan should be fast
I suggest excluding *.cab *.msi *.jar (maybe also archives - unchecking the scan archive option is not enough to avoid scanning the files; they are scanned as raw files)

clamscan can only scan inside files that it knows how to extract, so you can safely exclude *.nrg as well
Budda


Joined: 08 Jun 2007
Posts: 0
sherpya wrote:
media files are skipped by the exe only option,
avi are scanned but only if they are animated cursors, so even if you see the progress the scan should be fast
I suggest excluding *.cab *.msi *.jar (maybe also archives - unchecking the scan archive option is not enough to avoid scanning the files; they are scanned as raw files)

What exactly does it mean that files are scanned raw?

Don't get me wrong. I want ClamWin to scan all that makes sense. That means I don't have the exe only option checked.
At the moment I am only looking for file types that either CAN'T have a virus (like jpeg) or CAN'T be scanned by ClamWin (like nrg).

sherpya wrote:
clamscan can only scan inside files that it knows how to extract, so you can safely exclude *.nrg as well

That's what I mean!

As far as I understand this I have the following 'safe' list:

.jpg, .jpeg,
.gif
.vob, .ifo
.tif, .tiff,
.avi, .mpg, .mpeg,
.mp3, .wav,
.iso, .nrg,
.cab, .msi, .jar

I appreciate all your answers, but speculation does not help me. The same goes for alternative strategies. I simply want to cut down on scanning time without compromising the scan's integrity.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
jpegs are not as safe as you might think:
https://news.com.com/Major+graphics+flaw+threatens+Windows+PCs/2100-1002_3-5366314.html

That's why we take a cautious approach on excluding file extensions and leave it to the end user to do that consciously.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You also asked what a "raw file" scan is. There are many file compressors, packers, encryptors, and obfuscation programs used for both legitimate software and malware. No antivirus program can uncompress/unpack/unencrypt/unobfuscate all of them. If Clam/ClamWin finds a file it can't handle, it still scans the "raw" file as it is. There is a small chance that it might still find a bit of a signature when it does a raw scan.

Regards,
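The difference between a "raw" scan and a scan that unpacks a container first, as described in the replies above, is shown below. This is an added example, not ClamAV or ClamWin code and not part of any post; the signature, the `XCONTAINER` format and all function names are constructed for illustration.

```python
import io
import zipfile
import zlib

# Constructed stand-in for a byte signature; not a real ClamAV signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"
# Constructed sample payload: padding around the signature so it compresses.
SAMPLE = b"A" * 200 + SIGNATURE + b"B" * 200

def raw_scan(data: bytes) -> bool:
    """Raw scan: look for the signature in the bytes exactly as stored."""
    return SIGNATURE in data

def scan(data: bytes, depth: int = 0, max_depth: int = 3) -> bool:
    """Raw scan first, then unpack ZIP members if the container is understood."""
    if raw_scan(data):
        return True
    if depth >= max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(scan(zf.read(m), depth + 1, max_depth) for m in zf.infolist())

def make_zip(payload: bytes) -> bytes:
    """Constructed ZIP with one deflate-compressed member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("member.bin", payload)
    return buf.getvalue()

def make_unknown_container(payload: bytes) -> bytes:
    """Constructed format the scanner has no unpacker for (header + zlib stream)."""
    return b"XCONTAINER\x00" + zlib.compress(payload)

if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE), ("zip", make_zip(SAMPLE)),
                        ("unknown", make_unknown_container(SAMPLE))]:
        print(label, "raw:", raw_scan(blob), "unpacked:", scan(blob))
```

The compressed bytes no longer contain the pattern, so a raw scan only matches when the payload is stored unmodified; a container the scanner cannot unpack hides the content from both passes.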
Budda


Joined: 08 Jun 2007
Posts: 0
alch wrote:
jpegs are not as safe as you might think:
That's why we take a cautious approach on excluding file extensions and leave it to the end user to do that consciously.

That's what I thought and that's exactly what I am doing. I will leave JPGs excluded as the amount of time spent scanning my pictures far outweighs the benefit of catching such a rare event.

I understand that I risk more by excluding file types and that you can't categorically tell me what is safe and what isn't. But surely someone has already put a "reasonably" safe list together?

I still don't know what raw means. I know what it tries to do, but how does it work? Does it read the file bit for bit?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Each virus/malware has one or more unique byte signature patterns developed by a virus analyst to identify it. Each pattern is added to a signature database. Clam/ClamWin scans each file and compares it to the byte patterns in its virus signature database. The primary scanning algorithm Clam uses was originally developed to identify families of protein molecules.

Regards,
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
wav, avi and animated cursors are all detected as avi (if you look inside they are very similar)
clamscan with exeonly enabled will only scan animated cursors, even though it always looks inside to detect what kind of RIFF (they are RIFF) it is
you can safely exclude image files (you understand the risk of jpeg but you may want to ignore them since they are always your own pics)

scan raw means that clamscan will scan them without knowing the type; this means that it will scan a file without unpacking it if it's an archive
and without extracting executable sections if it's an executable. This suggests adding some types to the exclusion list (like nrg)

iso, mpg, mp3 and other detected media are skipped by the no-exe option
look at:
https://clamwin.svn.sourceforge.net/viewvc/clamwin/trunk/clamav-release/libclamav/filetypes.c?revision=1198&view=markup
for types marked as CL_TYPE_SKIP

other types are always scanned; my suggestion is to add at least msi and cab to the exclusion list
but we cannot "give" a "safe" list because there is no safe list
msi and cab can even contain viruses
my suggestion comes from the fact that your msi and cab files are legitimate installers of "safe" software

finally, I'm not the best person to give you this "safe" list because I never make "full scans"
I use clamwin to scan suspected and just downloaded files
I have 500gb of data / programs in my system; I don't think there is any AV that can scan all my files in a reasonable time :)
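The content-based checks discussed in this thread (the MZ/PE header test and the RIFF form-type lookup that separates AVI, WAVE and animated cursors) can be sketched as follows. This is an added example, not code from ClamWin's filetypes.c or from any poster; the function names, the extension set and the sample buffers are constructed for illustration.

```python
import struct

# RIFF form types named in the thread: AVI video, WAVE audio, ACON animated cursor.
RIFF_FORMS = {b"AVI ": "riff-avi", b"WAVE": "riff-wave", b"ACON": "riff-animated-cursor"}
# Extensions a user might put on an exclusion list (constructed sample set).
MEDIA_EXTS = {".jpg", ".jpeg", ".gif", ".avi", ".wav", ".mp3"}

def sniff(data: bytes) -> str:
    """Classify a buffer by its leading bytes, ignoring the file name."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe-executable"
        return "mz-stub"
    if data[:4] == b"RIFF" and len(data) >= 12:
        return RIFF_FORMS.get(data[8:12], "riff-other")
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"

def excluded_but_executable(name: str, data: bytes) -> bool:
    """True when an extension exclusion would skip a file whose content is MZ/PE."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return ext in MEDIA_EXTS and sniff(data) in ("pe-executable", "mz-stub")

def make_pe_stub() -> bytes:
    """Constructed 0x44-byte buffer with only the MZ and PE signatures set."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)

def make_riff(form: bytes) -> bytes:
    """Constructed RIFF header: magic, little-endian size, form type."""
    return b"RIFF" + struct.pack("<I", 4) + form

if __name__ == "__main__":
    samples = {"holiday.jpg": make_pe_stub(),
               "photo.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,
               "clip.avi": make_riff(b"AVI "),
               "pointer.avi": make_riff(b"ACON")}
    for name, data in samples.items():
        print(name, sniff(data), excluded_but_executable(name, data))
```

Running the check over an extension exclusion list before applying it shows which skipped files carry executable headers despite a media name.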
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You don't need to scan everything. You need to scan downloads before you run them, and if you scan your Windows directory and your Documents/Settings directory, that should help spot the majority of any malware you would probably get. Even if you do a complete scan, you don't have to do it all at once--break it up so that it's done over a period of hours or days--one directory or program scan at a time.

Regards,
Budda


Joined: 08 Jun 2007
Posts: 0
Thank you sherpya, that's what I mean. I am only looking for a reasonably safe list. I understand the risks I take with that.


GuitarBob wrote:
You don't need to scan everything. You need to scan downloads before you run them, and if you scan your Windows directory and your Documents/Settings directory, that should help spot the majority of any malware you would probably get. Even if you do a complete scan, you don't have to do it all at once--break it up so that it's done over a period of hours or days--one directory or program scan at a time.

Regards,


That's exactly what I do and with 1 exception it worked very well for me for years. Just recently I had an unsupervised nephew downloading crap from the net and immediately I found myself with a worm. Apparently this worm spreads over the network and only that made me consider a network wide scan.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Well, there's no telling where you can get malware now. I recently went to an on-line public relations (press release) site, and my resident antivirus popped up several times while I was there to warn me that malware was trying to download. And this was a business site--no porn, downloads, or instant messages!

Besides using a firewall, you might consider an additional level of protection with a host intrusion protection software (HIPS) program, such as Cyberhawk. It's one of the least intrusive ones around, and it's free.

Regards,