Real-time scanner
GuitarBob
That question has been asked several times on the forum, Mike, so if you search, you may find a better answer than mine below:
Some preliminary work was done on the real-time scanner, but it has been stopped for a couple of years now due to lack of time on the part of the ClamWin developers. What is needed is a full-time programmer with specialized knowledge in Windows kernel programming. ClamWin has partnered with the Ask Toolbar people to get the revenue needed for this. Once the revenue is in hand, work can begin. When the project is started, it will take maybe six to nine months to develop the real-time scanner. The last I heard, the revenue from Ask wasn't coming in as expected. That's a shame, because in February the Clam people are scheduled to have a heuristics package that should work okay in ClamWin. The heuristics should improve detection rates quite a bit, and it would be wonderful to have it in real-time. For a partial real-time scanner using ClamWin, look at the ClamSentinel front-end project at https://sourceforge.net/projects/clamsentinel/ on the web. ClamSentinel is designed for older Win 98/ME machines, but it also works on XP and Vista (I don't know about Win 7). This is not affiliated with ClamWin, and it is not an officially-approved project by ClamWin. Sentinel uses API hooking, which is better than nothing, but it's not Windows kernel programming. If you want a ClamWin real-time scanner, please support ClamWin if you are able--with skills, knowledge, time, or money.
Regards,
Mike098
Dear GuitarBob,
Thank you very much for your information. ClamSentinel looks difficult to me, but I have to think about it.
Kind regards, Mike098.
alexsupra
I had tested Clam Sentinel on a Windows XP Pro SP3 system with the latest ClamWin.
This tray application seemed to me rather smart at first glance... ~4 MB RAM, clean interface, easily configurable via ini file (all options are nice and useful). The memory test worked well (but it starts ClamWin in console mode). Then I copied a virus into the root of %systemdrive% (coincides with the default option DirToScan=c:\) and... no action, no detection... but when I started a drive check directly via clamwin.exe it caught it! I suppose that a possible reason is the NTFS file system format of my system drive. Thus the test results are not so good, but I hope that a better solution will appear soon :)
GuitarBob
If you can tell me the name of the virus that Sentinel did not detect, I will see that the Sentinel developer knows about it.
Sentinel triggers on API hooking--it kicks in when certain APIs are invoked by malware. There are so many APIs (blame Bill Gates, I guess) that it only uses some of them. Those it does use are the APIs most frequently called by malware. I see some malware occasionally--most likely network type worms--that it doesn't spot, and I would guess that it doesn't look at some of the stuff that can be used by rootkits. Nevertheless, Sentinel is the only shot we presently have at any sort of real-time scanning with ClamWin. The Sentinel author has a consistent development effort--a couple of hours each day. There is a version being tested now that greatly simplifies configuration (via the system tray menu), instead of manually working with the .ini file. A regular setup routine (via Innosetup) is also being worked on. When Clam comes out with its basic PE file heuristics in February, Sentinel can take advantage of them in real-time. However, until there is a kernel mode real-time ClamWin scanner, I recommend that anyone using Sentinel also supplement it with a behavior blocker. A combination of Sentinel and Threatfire would work pretty well.
Regards,
alexsupra
Yes, of course. This is from the ClamWin log file:
C:\ccyxch.exe: Trojan.Autoit-70 FOUND
C:\ccyxch.exe: moved to 'C:\WINNT\system32\clamwin\@\ccyxch.exe.infected'
But as I understood it, Sentinel uses the installed ClamWin engine and its virus database for catching viruses, doesn't it?
GuitarBob
Yes, Sentinel uses ClamWin and its signature database for scanning. It just provides a "front end" for ClamWin to scan certain files as they are dropped on a computer--without having to do a manual scan. When Clam adds the Windows file heuristics in February, Clam/ClamWin will be able to detect some "suspicious" looking files without needing a signature. Since Sentinel adds some real-time scanning capability to ClamWin, Sentinel users will be informed about these suspicious files as they are placed on their computer. It will take a little time to "dial-in" the heuristic detection, but it will be a good improvement when they do.
Thanks for the Trojan.Autoit-70 information. I will pass it on.
Regards,
alexsupra
But I still can't catch the idea of why it is needed to add some information about that virus (Trojan.Autoit-70) to ClamSentinel if ClamWin already knows it!
Or maybe there is no fully functional connection between ClamSentinel and the ClamAV/Win database, isn't it? But in this case there is no practical sense in this front-end added to system startup. As to the heuristic detection, I hope it will be possible to disable this function via clamwin.conf options and command line parameters... The combination of Threatfire with anything else can't work well at all. That is a fact approved a lot in practical long-time IT outsourcing and system administration experience. Most commercial and closed-source antivirus solutions (well-known bloated software suites) are a useless waste of computer resources, users' work time and the company's money... One thing is that Threatfire has so many false positives and in some cases consumes so many PC resources that it could be impossible for the user to work! A lot of viruses are kinder to the user and PC hardware than commercial antiviruses; that's modern IT security nonsense... And the other thing is very low real virus detection. I got this fact via real practical experience on many computers.
GuitarBob
I just checked out the Autoit-70 virus. ClamWin scans all file extensions as a default, although you can put in your own extensions. Sentinel has its own file extensions to scan that are separate from ClamWin. The current default set of Sentinel extensions is pretty good, but it does not include all extensions (to speed up real-time scanning). It does not include the ZIP and a few other extensions that are commonly used by malware. I have my own custom extension set in Sentinel, and Sentinel does detect the Autoit-70 virus.
The Sentinel version that is currently being tested includes some additional common extensions--including ZIP, PDF, etc. The new version will also have automated Sentinel installation and configuration. I would manually add ZIP, PDF, DOC, XLS, PPT, JS, DLL, RTF, SWF to the version of Sentinel you now have.
Regards,
alexsupra
Thank you, the last information is pretty good)
So this is my extensions list from clamwin.conf:
includepatterns = *.exe|CLAMWIN_SEP|*.com|CLAMWIN_SEP|*.cmd|CLAMWIN_SEP|*.scr|CLAMWIN_SEP|*.bat|CLAMWIN_SEP|*.js|CLAMWIN_SEP|*.wsh|CLAMWIN_SEP|*.lnk|CLAMWIN_SEP|*.pif|CLAMWIN_SEP|*.dll|CLAMWIN_SEP|*.sys|CLAMWIN_SEP|*.ocx|CLAMWIN_SEP|*.cpl|CLAMWIN_SEP|*.inf|CLAMWIN_SEP|*.zip|CLAMWIN_SEP|*.rar
And this one from ClamSentinel.ini (default):
ExtToScan=.ACE,.ACM,.ACV,.ARC,.ARJ,.ASD,.ADD,.APP,.ASP,.AVB,.AX,.BAT,.BIN,.BOO,.BTM,.CAB,.CHM,.CLA,.CLASS,.CDR,.CNV,.CMD,.COM,.CPL,.CPT,.CRT,.CSC,.CSH,.CTL,.DBX,.DLL,.DOC,.DOT,.DRV,.DVB,.DWG,.DMD,.EMAIL,.EML,.EXE,.FON,.FLT,.FOT,.GMS,.GVB,.HLP,.HTT,.HTA,.INF,.INI,.INS,.ISP,.IST,.JSE,.JSP,.KSH,.LIB,.LNK,.MHT,.MHTM,.MHTML,.MSC,.MSI,.MSO,.MSP,.MST,.OBJ,.OCX,.OVL,.OV?,.PCI,.PCD,.PGM,.PIF,.PI,.PH,.PHTM,.PL,.PLX,.PM,.PWZ,.PRG,.REG,.SCR,.SCF,.SPL,.SCT,.SH,.SHB,.SHS,.SCT,.SHM,.SMM,.SYS,.SWF,.URL,.VB,.VBA,.VBE,.VBS,.VBX,.VXD,.VS,.WSC,.WS,.WSH,.WIZ,.WSF,.386,.3D,.3GR
As can be seen from the ClamWin log that I posted in one of my previous messages, the detected virus has the exe file extension, and it is included in both extension lists.
GuitarBob
Well, I just downloaded the AutoIT-70 sample again, and here is the Sentinel real-time log posting:
##### Wednesday, January 27, 2010 10:14:54 PM
Scanning \\?\C:\MALWARE\TESTSETS\SAMPLEAUTOIT70.EXE
C:\MALWARE\TESTSETS\SAMPLEAUTOIT70.EXE: Trojan.Autoit-70 FOUND
C:\MALWARE\TESTSETS\SAMPLEAUTOIT70.EXE: moved to 'C:\ProgramData\.clamwin\quarantine\SAMPLEAUTOIT70.EXE.infected'
I don't know why this difference in scanning with Sentinel between you and me--perhaps the file was in a directory on your computer that is excluded from Sentinel scanning, but if you are using the Sentinel default configuration, the %app data%\Windows\recent is the only directory excluded from Sentinel's scans. This is the Sentinel log above for sure--I have ClamWin set to Report only for any infections found--so that I will not lose access to Windows in case of false positives on system files. By the way, the Sentinel developer is working on a method for handling this--he will probably opt to warn the user of infections found by Sentinel and let the user decide what to do.
Regards,
alexsupra
I determined that there is no dependence upon virus type, because I have just tested ClamSentinel with other virus samples and got the same results... ClamSentinel provides no action, but the separately started ClamWin scanner finds and removes viruses:
C:\sample\autorun.inf: moved to 'C:\WINNT\system32\clamwin\@\autorun.inf.infected'
C:\sample\axgnqq.pif: moved to 'C:\WINNT\system32\clamwin\@\axgnqq.pif.infected'
C:\sample\autorun.inf: INF.Autorun-40 FOUND
C:\sample\axgnqq.pif: W32.Sality-72 FOUND
By the way, I use the default ClamSentinel configuration DirToScan=c:\ NoScan=%USERPROFILE%\Recent\ and, as can be seen from the log pasted above, the virus location is disk C:\.
GuitarBob
You said Sentinel provides no action. Do you have Sentinel real-time scanning turned on? Right click on the Sentinel icon in the system tray to access the menu. Verify that Run On Startup is checked. Check it if it is not checked.
Below is my real-time detection log from Sentinel on those two viruses. You can see Sentinel works fine on them!
##### Saturday, January 30, 2010 9:29:12 AM
Scanning \\?\C:\USERS\BOB\DESKTOP\W32SALITY72.EXE
C:\USERS\BOB\DESKTOP\W32SALITY72.EXE: W32.Sality-72 FOUND
C:\USERS\BOB\DESKTOP\W32SALITY72.EXE: moved to 'C:\ProgramData\.clamwin\quarantine\W32SALITY72.EXE.infected'
##### Saturday, January 30, 2010 9:29:14 AM
Scanning \\?\C:\USERS\BOB\DESKTOP\AUTORUN40.INF
C:\USERS\BOB\DESKTOP\AUTORUN40.INF: INF.Autorun-40 FOUND
C:\USERS\BOB\DESKTOP\AUTORUN40.INF: moved to 'C:\ProgramData\.clamwin\quarantine\AUTORUN40.INF.infected'
Regards,
alexsupra
Yes, real-time scanning is turned on (as the default option). The Run On Startup option simply adds the Sentinel exe to hkey_current_user\software\microsoft\windows\currentversion\run without any special parameters. Thus it is the same as a manual Sentinel startup made before writing the virus file to the target disk.
I have one idea; it is connected with Sentinel's interaction with the file system: "Clam sentinel is a program that detects file system changes and automatically scans the files added or modified". So does the Sentinel API hook require some special system services to be started in order to work properly? Or maybe it depends upon some special system configuration options?.. When I saw your real-time detection log from Sentinel, I understood that I really want to get the same one)
alexsupra
Finally I found the reason for the Sentinel malfunction.
Both ClamWin and Sentinel support the use of system variables in their configuration files (e.g. %systemroot%, %appdata%, etc.). It's a very useful feature because it allows making universal ready-to-work configuration files without the need to rewrite them or generate new ones for every system. (By the way, Sentinel has system variables even in the default ClamSentinel.ini.) But in the case when ClamWin and Sentinel work in a pair, Sentinel is not processing the values of clamwin.conf which contain system variables. Would you mind submitting a little bit more information to the Sentinel developers?
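Two configuration problems surfaced in this thread: the extension lists of ClamWin (`includepatterns`) and Sentinel (`ExtToScan`) do not cover the same files, and a configuration value that still contains an unexpanded `%VAR%` reference silently matches nothing. The script below is an added example written for this page, not code from ClamWin or Clam Sentinel. The configuration strings and the environment are constructed (shortened from the values quoted above), and the matching rules it applies (prefix test against DirToScan and NoScan, extension match against ExtToScan, glob match against includepatterns, cmd.exe-style `%NAME%` expansion) are assumptions about how the two programs filter, not their actual implementation.

```python
import os
import re
from fnmatch import fnmatchcase

# Constructed sample values in the shape of the thread's clamwin.conf and
# ClamSentinel.ini entries (shortened; not the full lists posted above).
CLAMWIN_INCLUDEPATTERNS = "*.exe|CLAMWIN_SEP|*.com|CLAMWIN_SEP|*.pif|CLAMWIN_SEP|*.zip|CLAMWIN_SEP|*.rar"
SENTINEL_EXTTOSCAN = ".BAT,.COM,.EXE,.INF,.PIF,.OV?"
SENTINEL_DIRTOSCAN = "%SYSTEMDRIVE%\\"
SENTINEL_NOSCAN = "%USERPROFILE%\\Recent\\"

# Constructed environment standing in for the real process environment.
SAMPLE_ENV = {"SystemDrive": "C:", "USERPROFILE": r"C:\Documents and Settings\alex"}

_VAR = re.compile(r"%([^%]+)%")


def expand_windows_vars(value, env):
    """Expand %NAME% references the way cmd.exe does: the name lookup is
    case-insensitive and an unknown name is left in place untouched."""
    upper_env = {k.upper(): v for k, v in env.items()}
    return _VAR.sub(lambda m: upper_env.get(m.group(1).upper(), m.group(0)), value)


def _win_dir(value, env, expand):
    """Normalise a directory value to lower-case, backslash-separated form
    with one trailing backslash so that prefix tests are reliable."""
    if expand:
        value = expand_windows_vars(value, env)
    return value.replace("/", "\\").lower().rstrip("\\") + "\\"


def parse_clamwin_patterns(value):
    """Split a clamwin.conf includepatterns value on its |CLAMWIN_SEP| token."""
    return [p.strip().lower() for p in value.split("|CLAMWIN_SEP|") if p.strip()]


def parse_sentinel_exts(value):
    """Split a ClamSentinel.ini ExtToScan value on commas."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def clamwin_would_scan(path, patterns):
    """Assumed ClamWin rule: the file name must match one include pattern."""
    name = os.path.basename(path.replace("\\", "/")).lower()
    return any(fnmatchcase(name, pat) for pat in patterns)


def sentinel_would_scan(path, exts, dir_to_scan, no_scan, env, expand=True):
    """Assumed Sentinel rule: inside DirToScan, outside every NoScan entry,
    and the extension matches ExtToScan.  expand=False reproduces the
    failure mode from the thread, where %VAR% is never substituted."""
    p = path.replace("/", "\\").lower()
    root = _win_dir(dir_to_scan, env, expand)
    if not p.startswith(root):
        return False, "outside DirToScan %r" % root
    for entry in no_scan.split(","):
        if entry.strip() and p.startswith(_win_dir(entry, env, expand)):
            return False, "inside NoScan"
    ext = os.path.splitext(p)[1]
    if not any(fnmatchcase(ext, pat) for pat in exts):
        return False, "extension %r not in ExtToScan" % ext
    return True, "ok"


def coverage_gap(patterns, exts):
    """Extensions the on-demand ClamWin scan covers but the real-time
    Sentinel filter would skip (e.g. .zip and .rar in the thread)."""
    return [pat[1:] for pat in patterns
            if pat.startswith("*.") and not any(fnmatchcase(pat[1:], e) for e in exts)]


if __name__ == "__main__":
    pats = parse_clamwin_patterns(CLAMWIN_INCLUDEPATTERNS)
    exts = parse_sentinel_exts(SENTINEL_EXTTOSCAN)
    print("ClamWin-only extensions:", coverage_gap(pats, exts))
    for sample in (r"C:\ccyxch.exe", r"C:\sample\archive.zip",
                   r"C:\Documents and Settings\alex\Recent\dropped.exe"):
        print(sample, "clamwin:", clamwin_would_scan(sample, pats),
              "sentinel:", sentinel_would_scan(sample, exts, SENTINEL_DIRTOSCAN,
                                               SENTINEL_NOSCAN, SAMPLE_ENV))
    print("without expansion:", sentinel_would_scan(r"C:\ccyxch.exe", exts,
          SENTINEL_DIRTOSCAN, SENTINEL_NOSCAN, SAMPLE_ENV, expand=False))
```

Run against the constructed values, `coverage_gap` lists `.zip` and `.rar` as files ClamWin would scan on demand but Sentinel would never submit, and the `expand=False` call shows why an unexpanded `%SYSTEMDRIVE%\` root rejects every path on `C:\` as "outside DirToScan" while the on-demand scan of the same file still succeeds.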