ClamWin Compatibility With Microsoft Security Essentials???
GuitarBob
I used MSSE with ClamWin for several months without any conflicts at all. I did find it a bit more resource-intensive than I thought it would be. This was a bit disappointing because Microsoft has pushed it as a simple, low resource antimalware program. I was also disappointed that it is not made available everywhere and to all Windows users--even those users in some foreign countries with unlicensed copies of Windows, who probably need it the most. I understand the new version of MSSE that is supposed to come out this month will have some good improvements, including some web protection--perhaps it will block "evil" websites.
When I was using MSSE with ClamWin, I did a MSSE quick scan at noon and a ClamWin full scan at 5 pm. To prevent any possible conflicts, I excluded ClamWin's quarantine directory, its database directory, and clamwin.tmp files from MSSE's scans. I also excluded MSSE's quarantine directory and its database directory from ClamWin's scans.

It appears that you have used a good security plan. No antimalware product can replace common sense, and you have been using both common sense and ClamWin well. With that said, however, with malware everywhere, you should have a real-time scanner operating when you are on the web, so I would not deactivate MSSE's real-time scanner. If you use MSSE, you do not need Windows Defender, which is part of MSSE anyway.

I quit using MSSE because I work a lot with malware, and it was hard to get a malware file out of MSSE quarantine to examine and prepare a signature for it. For most of this year, I have used ClamWin with ClamSentinel, which adds a free basic real-time scanner to ClamWin. The Sentinel project is at https://sourceforge.net/projects/clamsentinel/ on the web. There should be a great new upgrade to Sentinel coming out after Patch Tuesday that will be well worth checking out.

Regards,
Same -- cont'd:
nuncus
Dear Guitar Bob:
Thank you very, very, much for stepping up to the plate. Your answer is EXACTLY the information for which I was looking. I do have a couple of minor follow-on questions:

(A) The "mutual scanning exclusions" you mentioned:

(1) MSSE exclusions of Clam Win Files:

QUES: What is the file extension you used in MSSE to avoid having MSSE scan the ClamWin temp files? I checked both my own temp directory and the Windows temp directory. I didn't see a readily apparent temp file extension for ClamWin; I saw some ".log" but I didn't see any unique extension for ClamWin's temp files per se.

(2) ClamWin exclusions of MSSE files:

QUES: I can't figure out how -- in the ClamWin "Filter List" -- to exclude the MSSE folders (directories) for MSSE. Do you recall how you did that in the ClamWin filters? The ClamWin "Filter" uses extensions and regular expressions for constructing the filters; I am unclear as to how one uses the ClamWin Filter to exclude a folder and sub-folders, either on a per folder basis or on a hierarchy basis, which is how MSSE has its Quarantine and Definitions organized.

I see that the MSSE definition files have an extension of ".vdm". Is that what you used for the ClamWin filter, or did you exclude the MSSE definition files in ClamWin by entire "folder" hierarchy?

The MSSE folder hierarchy for "Quarantine" consists of a hierarchy of sub-folders that are right now simply empty folders on my box. How do you use the ClamWin filter to exclude "folders"? Did you do that with a regular expression? If you did it with a regular expression, do you remember what syntax you used? I don't know how to construct a regular expression.

The path names on my box to the MSSE folders are as follows:

--------------------------

MSSE Quarantine = "C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Quarantine"

MSSE Top folder in its definitions= "C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates"

The ClamWin Filters list constructor apparently does not yet offer a Windows O/S type "folder" selector dialog box for marking scan exclusions. I don't know the syntax to use in the ClamWin filter to exclude "folders" and "sub-folders" or how to exclude an entire "folder hierarchy" in the ClamWin filters.

--------------------------

(B) How mature is Sentinel for an ordinary user?

Finally, MSSE may not work out; it's got a "crashing service" problem, as well as a sometimes BSOD problem, that sometimes surface when I try to scan multiple drives ("Full scan" or "Multiple Scan"); also, the current iteration of MSSE really doesn't offer true web protection, according to one of the independent review orgs that reviewed it; the more complete web protection iteration is, as I understand it, still in Beta. Thus, since I actually downloaded the ClamWin Sentinel prior to deciding to give MSSE a try because of MSSE's "realtime" protection, and since I see you've been using the Sentinel for about a year or so, would a viable solution for me perhaps be to uninstall MSSE and install the Sentinel? I figured I'd better ask you because I'm not a virus app internals guy, and Sentinel is a relatively "new" app. Does it work sufficiently in its present iteration, or should I wait for the upcoming major release before I start relying on it?

Quite bluntly, I would just as soon use ClamWin and the Sentinel if that is sufficient. As I indicated above in my original post, I've been using ClamWin as my "primary" anti-virus program for about six years now, and ClamWin has NEVER failed me -- not one, single time. I've had a few false positives; but that's what VirusTotal is for. Yes, I did say "primary," and "money" had nothing to do with my decision: I had been historically using, for about 12 years, the higher rated proprietary anti-virus/anti-malware apps; and, one fine day, I just had enough of their silly little bugs and hassles and did some research; and, my bottom line is that, if the CLAM engine is good enough for professional IT folk at web ISP's and server farms, then it ought to be good enough for me.

In other words, one plan would be to simply (a) uninstall MSSE, (b) re-install Windows Defender, (c) keep SpyBot, and (d) just add Sentinel to ClamWin to get my "on demand" or "real time" protection while on the internet -- and, of course, continue using the XP firewall and continue performing periodic scans with the Microsoft Malware removal tool. Whaddya think?

At this point, given six years of using ClamWin in my security routine, I KNOW I can rely on ClamWin and that ClamWin is as "steady" as the proverbial rock; but I just don't know that much about the Sentinel and where it stands in its app maturity; I do not want to be on the "cutting edge" of anything when it comes to malware. If, however, you've been actually using the Sentinel for about a year now, and since you ARE in fact a "malware guy," I would imagine that you certainly have had plenty of opportunity to form an opinion of just where the Sentinel app now stands in terms of "maturity."

Actually, with the exception of Word Perfect Suite (need it because of the stream technology), my rule of thumb has been over the last five or six years to almost always go with the Open Source solution AFTER the app in question reaches behavioral maturity, and then, just stick with it. My uniform experience has been that the Open Source stuff just runs better and is less hassle than the proprietary stuff. Everybody in Open Source these days pretty much uses Bugzilla and the Development Tree, so the quality control checking in Open Source generally seems to be a whole heap more thorough than is customary in the "shove it out the door and make some sales" proprietary world -- also bugs tend to get fixed a whole heap quicker in the Open Source world. My prediction -- for what it's worth -- is that in the not too distant future, Open Source is just going to swallow up "in toto" large swaths of the proprietary world -- the quality control will ultimately be the big factor, I think.

ClamWin is a prime example: in twenty years of computing on a daily basis, I certainly haven't run across a proprietary anti-malware/anti-virus app that performs as well or as hassle free as ClamWin. If you hear of one, please call me any time of day or night and lemmie be the first to know about it.

So, if the advanced user and developer folk like yourself in the ClamWin and Sentinel communities figure Sentinel is "good to go" at this point, I might as well get on board. Thanks a bunch for your help and guidance.

Best regards, Nuncus
GuitarBob
I excluded the entire MSSE quarantine folder in ClamWin's Filters tab on the left-hand side--using the full Windows path. Here's how I am now similarly excluding Malwarebytes quarantine: C:\Users\Bob\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\* . (no period)

I used the full path to exclude ClamWin's quarantine directory in MSSE. I excluded ClamWin's temp files in MSSE as *.clamtmp. Seems like I recall MSSE just called it CLAMTMP without anything in front.

Sentinel takes a little getting used to, but it is really simple. All configuration is done from 2 menus in the system tray icon. I do not think it is as complicated as most other AVs. You do have to have ClamWin installed/configured before installing Sentinel. At present it only uses the Clam signature database via ClamWin, and Clam is a bit behind the commercial AVs in signatures due to lack of personnel and automation. Sentinel's current basic signature protection (which includes a USB option) is probably adequate for someone who gets regular updates, practices safe surfing, and supplements Sentinel with an antispyware/antimalware program like Windows Defender (Spybot S&D may not be as good as it used to be).

Sentinel does not run under the Windows kernel like most commercial AVs do, but I think that is overrated, and the kernel can be exploited. In addition, Sentinel does not scan files On Access like most AVs--it only scans them when they are added, modified, or copied. Malware can do some things that do not involve those actions. The new version of Sentinel will offer enhanced protection which will help, to some extent, to minimize the kernel advantages.

If you are having problems with MSSE, I would lose it, install Sentinel with ClamWin, keep Windows Defender, lose SpyBot S&D, and do a twice-weekly scan with Bitdefender's online scanner, in addition to daily scans with ClamWin and Windows Defender. Keep a copy of F-Secure's Linux Boot/Rescue CD as a last resort.

Regards,
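
Added example, not part of the original posts and not ClamWin or MSSE code: a small Python audit of what the two exclusion styles discussed above (a full folder path ending in `\*`, and `*.clamtmp`) would cause a scanner to skip. It assumes shell-style wildcard matching as in Python's `fnmatch`, compared case-insensitively, which may differ from how either product evaluates its list; the sample paths are constructed.

```python
import fnmatch
import ntpath

# Exclusion entries in the style quoted in the thread (path is the poster's own).
MSSE_QUARANTINE = (r"C:\Documents and Settings\All Users\Application Data"
                   r"\Microsoft\Microsoft Antimalware\Quarantine")
EXCLUSIONS = [
    MSSE_QUARANTINE + "\\*",   # folder + backslash + "*"
    "*.clamtmp",               # temp-file pattern mentioned for MSSE
]

def is_excluded(path, patterns=EXCLUSIONS):
    """Return the first pattern that matches path, or None.

    Assumption: shell-style wildcards where "*" also crosses backslashes
    (Python fnmatch semantics), compared case-insensitively as on Windows.
    """
    norm = ntpath.normcase(path)
    for pat in patterns:
        if fnmatch.fnmatchcase(norm, ntpath.normcase(pat)):
            return pat
    return None

def audit(paths, patterns=EXCLUSIONS):
    """Map each path to the pattern that would skip it (None = still scanned)."""
    return {p: is_excluded(p, patterns) for p in paths}

# Constructed sample paths, not taken from a real system.
SAMPLES = [
    MSSE_QUARANTINE + r"\Entries\item.bin",      # nested sub-folder
    MSSE_QUARANTINE.upper() + r"\RESOURCE\X",    # same folder, different case
    MSSE_QUARANTINE,                             # the folder entry itself
    MSSE_QUARANTINE + r"2\dropper.exe",          # sibling sharing the prefix
    r"C:\Users\Bob\Downloads\invoice.clamtmp",   # extension match, any folder
    r"C:\Users\Bob\Downloads\invoice.exe",
]

if __name__ == "__main__":
    for path, hit in audit(SAMPLES).items():
        print("SKIPPED" if hit else "SCANNED", path, "<-", hit)
```

Under these assumptions the folder entry stays scoped to the quarantine tree, including nested sub-folders, while the extension entry skips a matching file in any directory, so the path-based form is the narrower exclusion.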
nuncus
Thanks muchly, Bob. I'll pop your syntax right in there. I didn't pick up at all on the fact that a folder could be excluded with the folder's name, a backslash, and the old "*" trick. Mebbe somebody should post that little tidbit somewhere in the main ClamWin FAQ if it's not there already; that's very useful information -- small item but major usefulness.
I think I'll try your exclusions first, although my animal instincts are telling me that the type of problems that MSSE seems to have sprouted won't be helped all that much by the exclusions; but I might as well give 'er a try. I was sorry to hear that about SpyBot; oh, well, these anti-virus apps go up and down like major league baseball teams; that's just part of the S/W game, I guess. If the ol' SpyBot has developed a few loose bricks, well, I sure as heck ain't gonna wait around because of "old time's sake" until the wall falls down on me -- thanks for the heads up on that one, man. If I can't figure out how to cure the MSSE errors, I'll just get rid of it and modify my game plan along your suggested lines.

I ain't going near Bit Defender, though; Bit Defender was the last straw in the "proprietary" game. Bit Defender can go "real destructive" on you without your even knowing it. What it did to me was chew up the innards of a lot of my *.ZIP and ".7z" archives; to wit: the entirety of my Windows 98 archived installation and update and patch files. Seems the good children in Romania got the "unzipping" part correct in order to get the guts out to scan them but were a little on the short stick as far as getting the files BACK into the compressed archives. Some of the archive files contained only small shreds of files and pieces of files. I got confirmation of the glitch from a buddy who ain't no dummy on a box; and I never could get a straight answer out of the BitDefender folks; but I later saw a woebegone post somewhere in a help forum where a dude was crying the blues because BD had done the same thing to him. So, when it comes to me and BD, it's a case of "the burned child fears the fire," I guess.

Windows Defender never caused me any problems; anyway, I use NoScript in Firefox for my browsing, as well as AdBlock Plus and Abine (helping to test out the Beta right now [very promising little plug-in if you don't wanna be tracked all over the place by the Goniffs on Madison Avenue and god knows who else - it's the old TACO 3.0 on steroids]). So, I don't tend to draw much of a hit on spyware or adware; and I don't download "cute little programs" from sites; so Defender ought to be enough -- even without the Spybot.

What's the scuttlebutt on when the new version of Sentinel will be up and out?

Thanks again. I wasn't getting to first base with the folk over at the MSSE forum; they "say" they want "details;" but when you give'em "details" about all they do is complain about the "details;" and they forget all about why you called in the first place. All I did was send 'em all the Event Viewer error reports. As a humorous aside, the guy who was purporting to assist me said, "...as to ClamWin, DUMP IT." That's AFTER I had stated I'd been using ClamWin for SIX YEARS and it had never failed me!!!! I was just incredulous; the boy didn't seem to understand the difference between "realtime" and "manual on demand" scans. I am satisfied from your recounting to me your experience with using ClamWin and MSSE that there's no "conflict" between MSSE and ClamWin; but, I'm disinclined to get into a pissin' contest with a bunch of zealots over at Microsoft; I'm a bit long in the tooth to be tilting with windmills; so, if I can't figure out how to stop the quirks in MSSE, I'll just toss the MSSE overboard.

I sure am glad I checked into here. Obviously, since ClamWin hasn't ever caused me a problem, I've never had to check into the ClamWin forums. Sure am glad I did.

Thanks again. I'm copacetic with your approach to this stuff.

Best regards, Nuncus
daveydoom
I'll add my two cents here about a couple of things. Remember, these are just my opinions.

I would also suggest dropping Spybot S&D and replacing it with either MalwareBytes AntiMalware or SUPERAntispyware as on-demand scanners. I'd turf Windows Defender as well, I've never thought very highly of that program viewing it as nothing more than bloated and ineffective.

If you want some extra real time protection I'd suggest turning off the Windows firewall and installing a good third party firewall like Online Armor (free). If you'd prefer to stay with the Windows firewall you could gain some real time protection by installing Spyware Terminator instead. I find the combination of AntiVir and Online Armor offer amazing real time protection given they are both free programs.

Making some minor tweaks to your current setup (by changing some programs) and adding ClamWin with ClamSentinel would go a long way to bolstering your security.
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.