Developers of Source Fire, commercial AV with Clam, RT scan
freefighter
Joined: 20 Oct 2007
Posts: 0
Location: Bavaria
Posted: Tue Jan 06, 2009 12:47 pm
Hello Alch, Sherpya and other members of the Clam team,
I am a very satisfied and enthusiastic user of clamwin. Whenever I have the possibility I recommend and install Clamwin on other fellows and friends' computers. For realtime scanning feature I am actually using Spyware Terminator as this is still a lack of Clamwin (although this feature is already available for the linux version). So far I want to ask you some questions:
1. Do Alch and Sherpya work for Sourcefire as their main job?
2. Have you already implemented realtime scanning abilities in Clamav or Clamwin for commercial software but it is not available for the open source version due to commercial reasons?
3. Do you know av software for windows which is already using parts of or even the main engine of clam? Can you publish their names as I would pay for such a solution?
4. Are you actually working on the realtime monitor or would you appreciate my or others support to develop and finish it?
The Moon Secure project does not really show any good progress and the developers are having big problems with the integration into Vista, excluding system files, prevent blocking of common programs to start and so on. So I think this is a dead development. But the clam server of ST is also released under the gpl and could be a promising possibility. Their main problem is the missing support of the latest 0.94 clam version and its extended malware and other features.
I know these are a lot and direct questions. But I am still dreaming of a COMPLETE spyware and antivirus solution based on clam av/ win.
Thank you in advance and regards
Freefighter

Re: Developers of Source Fire, commercial AV with Clam, RT s
alch
Site Admin
Joined: 27 Nov 2005
Posts: 0
Posted: Tue Jan 06, 2009 2:38 pm
freefighter wrote: |
Hello Alch, Sherpya and other members of the Clam team,
I am a very satisfied and enthusiastic user of clamwin. Whenever I have the possibility I recommend and install Clamwin on other fellows and friends' computers. For realtime scanning feature I am actually using Spyware Terminator as this is still a lack of Clamwin (although this feature is already available for the linux version). So far I want to ask you some questions:
|
Hi,
I'll try to answer some of your questions below.
Quote: |
1. Do Alch and Sherpya work for Sourcefire as their main job?
|
No. ClamWin is a separate project which uses ClamAV engine. We have a good and friendly relationship with ClamAV team but we are not affiliated with Sourcefire.
Quote: |
2. Have you already implemented realtime scanning abilities in Clamav or Clamwin for commercial software but it is not available for the open source version due to commercial reasons?
|
We have started a non-commercial implementation of the real-time scanner however we have no resources to get it finalised. The development basically stopped a couple of years ago.
Quote: |
3. Do you know av software for windows which is already using parts of or even the main engine of clam? Can you publish their names as I would pay for such a solution?
|
Other forum members might help here.
Quote: |
4. Are you actually working on the realtime monitor or would you appreciate my or others support to develop and finish it?
|
It would be very welcome, we currently have two developers and all their time is dedicated to support of the current code and maintenance releases.
Quote: |
The Moon Secure project does not really show any good progress and the developers are having big problems with the integration into Vista, excluding system files, prevent blocking of common programs to start and so on. So I think this is a dead development. But the clam server of ST is also released under the gpl and could be a promising possibility. Their main problem is the missing support of the latest 0.94 clam version and its extended malware and other features.
I know these are a lot and direct questions. But I am still dreaming of a COMPLETE spyware and antivirus solution based on clam av/ win.
Thank you in advance and regards
Freefighter |

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Tue Jan 06, 2009 5:07 pm
Alch wrote:
"We have started a non-commercial implementation of the real-time scanner however we have no resources to get it finalised. The development basically stopped a couple of years ago. "
Microsoft will make their AV scanner free in June 2009. I think you have until then to do something. For the last year or so, they have been raiding the commercial AV companies for good people, and if they stay around, it should be a good personal scanner. Already I see some of the smaller commercial AVs with free scanners (Avast for one, and AVG too) emphasizing business use, as opposed to individual use of their products.
The information about the project on the ClamWin Wiki isn't enough, and not everyone reads it. I suggest that you draw up as detailed specifications as you can as to what you need to finish ClamWin 1.0 and then get the word out to users, businesses, universities, AV industry participants, and others who might be interested in helping with ClamWin 1.0. Some businesses are using ClamWin. I saw a post recently from a guy who said he had installed it on 200 computers. Perhaps these businesses would be willing to donate employee time/advice/funding for a consulting programmer. They need to be aware of your need, however. I fear that our only choice for an AV scanner may soon be either the free Microsoft one or a bloated/complicated/unresponsive commercial one.
Regards,

Support of the realtime scanning feature
freefighter
Joined: 20 Oct 2007
Posts: 0
Location: Bavaria
Posted: Tue Jan 06, 2009 8:37 pm
Hello Alch, Budtse, Sherpya and so on,
what should I do to help you regarding the stopped realtime project? Is it written in C or Python?
Regards
freefighter

alch
Site Admin
Joined: 27 Nov 2005
Posts: 0
Posted: Wed Jan 07, 2009 1:54 am
GuitarBob wrote: |
Alch wrote:
"We have started a non-commercial implementation of the real-time scanner however we have no resources to get it finalised. The development basically stopped a couple of years ago. "
Microsoft will make their AV scanner free in June 2009. I think you have until then to do something. For the last year or so, they have been raiding the commercial AV companies for good people, and if they stay around, it should be a good personal scanner. Already I see some of the smaller commercial AVs with free scanners (Avast for one, and AVG too) emphasizing business use, as opposed to individual use of their products.
The information about the project on the ClamWin Wiki isn't enough, and not everyone reads it. I suggest that you draw up as detailed specifications as you can as to what you need to finish ClamWin 1.0 and then get the word out to users, businesses, universities, AV industry participants, and others who might be interested in helping with ClamWin 1.0. Some businesses are using ClamWin. I saw a post recently from a guy who said he had installed it on 200 computers. Perhaps these businesses would be willing to donate employee time/advice/funding for a consulting programmer. They need to be aware of your need, however. I fear that our only choice for an AV scanner may soon be either the free Microsoft one or a bloated/complicated/unresponsive commercial one.
Regards, |
Bob,
I don't anticipate a free AV from Microsoft will change the game dramatically. There are quite a few free AV products available for a long time, I know they are generally not free to use for commercial purposes. But Clamwin's primary audience is not commercial companies either. This is all my guess anyway.
There are other reasons we did not push hard enough to get the realtime scanner out:
a) Proper testing and support issues: Realtime scanning drivers are quite complex and can yield unforeseen conflicts with other AV/security vendors. When a driver crashes the whole system dies. I anticipate that support issues would increase dramatically in the early life-cycle of Clamwin Realtime scanner and would require full-time involvement in just that. We don't have resources for that.
b) ClamAV engine is still quite slow compared to other Windows based AV. Although it is getting faster it still is not fast enough to be useable in real-time scanning during file access without caching scan results.
I think we should still try to do that, perhaps as a limited beta release. We just need a Windows kernel developer with enough spare time. Unfortunately this combination is rare. If the development time is donated by a commercial organisation it needs to be without any strings attached.
Regards,
Alch

Re: Support of the realtime scanning feature
alch
Site Admin
Joined: 27 Nov 2005
Posts: 0
Posted: Wed Jan 07, 2009 1:55 am
freefighter wrote: |
Hello Alch, Budtse, Sherpya and so on,
what should I do to help you regarding the stopped realtime project? Is it written in C or Python?
Regards
freefighter |
It's done in C, however it needs to be rewritten to use Minifilter architecture. Are you familiar with Windows Kernel development?

freefighter
Joined: 20 Oct 2007
Posts: 0
Location: Bavaria
Posted: Wed Jan 07, 2009 8:16 pm
Hello Alch,
unfortunately I am not a windows kernel programmer with special skills. Anyway your answer to the realtime scanner was a loooong awaited announcement. Because you and your colleague are lacking time in the further development of this feature it seems very clear that you cannot provide it within the present future. Of course you are doing a great job in revising and maintaining the actual clamwin program. But with only an on demand scanner clamwin cannot reach the goal of a complete open source av and anti spyware solution.
I am sure that other programmers would help you regarding this matter. But until now nobody did know the real situation (that you have stopped the realtime monitor development) and everybody was still waiting for the first beta release of your scanner. I want to confirm Bob's opinion that you should make an official statement so the clamwin users know this and would be able to support and even join you with their programming skills.
I know you have your own attitude of a possible realtime monitoring solution for/with clamwin. I have also read your thoughts about different methods of monitoring like api hooking. But perhaps you should be a little more open minded to other people and their possible approaches in realtime monitoring (Blanchon from winpooch, the moon secure guys, yeke antivirus,...). Of course their trials are far from being perfect so far, but it is a first promising step. They only need a chance and further support. I believe blanchon has the most skills regarding kernel programming. Of course even he is short of time but during the development of winpooch he had the same problem as you still have.
I guess otherwise the clamwin project has no chance without extended protection skills. Imagine you would lose your interest in the further development of clamwin. I don't think it would be longer alive without your support. But you must ask the people for programming assistance. Otherwise they don't know your problems in the further development of clamwin.
However I will have a closer look on the code of the present realtime solutions with clamav/win. Do you have any other thoughts or comments here?
Regards
freefighter
By the way: The famous german computer magazine c't has tested clamwin together with the products of the well known av software companies. Here clamwin proved its reliability over commercial competitors like Trend Micro. Therefore you shouldn't be so negative about clamwins detection and erase features.

lacak
Joined: 01 Dec 2008
Posts: 0
Posted: Thu Jan 08, 2009 6:36 am
May be off-topic, but if realtime scanner is long-term solution, I will propose short-term solution:
By default add scheduled "Weekly scan" (or monthly), so if somebody installs ClamWin there will be predefined scheduled scan. Now I must add this scan to all my installs of ClamWin manually.
-Laco.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Jan 08, 2009 4:21 pm
A pre-configured scan schedule is a good idea. I believe Avira comes with one for AntiVir at 12 noon each day, but a weekly scan would certainly be appropriate at least. You don't have to scan everything either - most malware will be in the Documents/Settings directory or the Windows directory after it gets on a system.
Also, how about a set of default extensions for scanning? I am now using about 40 or so extensions based on what I've seen malware come with during the last year or so. This makes scans more efficient/faster.
Regards,

Antonio S.
Joined: 20 Apr 2008
Posts: 0
Location: Italy
Posted: Fri Jan 09, 2009 12:51 pm
GuitarBob wrote: |
Also, how about a set of default extensions for scanning?
, |
Hello All,
Agree with Bob. Avira comes with a 'smart' set of extensions list already packed in and I think this should be a good choice also for Clamwin just to speed up scanning times. As basically Clamwin is provided in order to be configured as user wants, this update could be set as one of the Preferences, leaving to single user the possibility to activate it or not.
Thanks a lot all anyway for your great work.
Antonio

New updated clamserver 0.94.2 in Spyware terminator
freefighter
Joined: 20 Oct 2007
Posts: 0
Location: Bavaria
Posted: Sun Jan 11, 2009 9:39 am
Hello friends,
I am actually testing the beta clamserver from Spyware Terminator for the developers. It is the latest 0.94.2. As far as I can say it is really fast, doesn't slow the pc down any longer and scans are 50 % of the time compared to their previous 0.92.1 version. If you want to check it visit their forum.
I'll keep you informed until they have released the final version.
regards
freefighter

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sun Jan 18, 2009 6:26 pm
There's nothing wrong with keeping ClamWin a "backup" scanner to a real-time AV program. It needs some additional capabilities to make it easier to live with--such as an "unquarantine" capability and an automated script to send files to Clam and/or Jotti/VirusTotal (VT already has one, by the way).
There's also nothing wrong with a little API hooking until/in place of real-time scanning via the kernel. A hook to "catch" just a couple of file types to look at--notably .exe/.dll will catch a lot of malware, providing the signatures are in the database.
Regards,
All times are GMT