Quick report on ClamWin Antivirus and a question

  • Thread starter Richard Steinfeld

Richard Steinfeld

I installed the free ClamWin antivirus on my Windows Me system. My hard
disk has about 1.4 gigs of files. I ran ClamWin; it took nine hours to
scan my system (!).

Sygate firewall was running, but in its "block all" mode. It's possible
that the firewall may have slowed the performance slightly because
Sygate runs processes almost constantly on my system.

I decided to uninstall ClamWin for the reasons I'm outlining below.
First some good stuff:

It appears that the virus signatures are updated every day. This is very
good maintenance. I've got the impression that the program is very
thorough, which is also good.

Now for the problems:
- Despite operating as a stand-alone utility, the program is actually
installed to the degree that it's a startup item that sits in the system
tray. So, it's adding to the system's load of TSR bloat. It's not one of
those "nice" ones that's in a startup group where you can put it
somewhere else; it starts up from a registry entry (boo).
- User configuration is very limited. There's no option to turn off the
autoloading and just run it as a nice, simple .exe file when desired.
There's almost no way that the user can affect the program's performance.
- There's no display whatsoever of the progress while it's working, no
estimated time until completion, etc. I had no idea about whether it
would be finished in 9 minutes or the actual 9 hours that it took. This
is crazy-making.

Because of the very long time to scan my system, I thought that I'd like
to use it only as a second-line antivirus; it's probably a good one for
that. Except that it's always taking some memory, and we've already got
a really bad case of programmers and product managers who each think
that their wares are so important that they must be instantly available:
all system tray all the time, with no way to stop this hoggish behavior.
I believe that people are, or will be, working on all these issues;
it'll be interesting to watch this project develop.

Now, the question:
Can anyone suggest a way to run this program exclusively as an on-demand
application without any installation? This is the only twist that could
make this antivirus practical for me.

Thanks.

Richard
 

Vanguard

Richard Steinfeld said:
> I installed the free ClamWin antivirus on my Windows Me system. My hard
> disk has about 1.4 gigs of files. I ran ClamWin; it took nine hours to
> scan my system (!).
>
> Sygate firewall was running, but in its "block all" mode. It's
> possible that the firewall may have slowed the performance slightly
> because Sygate runs processes almost constantly on my system.
>
> I decided to uninstall ClamWin for the reasons I'm outlining below.
> First some good stuff:
>
> It appears that the virus signatures are updated every day. This is
> very good maintenance. I've got the impression that the program is
> very thorough, which is also good.
>
> Now for the problems:
> - Despite operating as a stand-alone utility, the program is actually
> installed to the degree that it's a startup item that sits in the
> system tray. So, it's adding to the system's load of TSR bloat. It's
> not one of those "nice" ones that's in a startup group where you can
> put it somewhere else; it starts up from a registry entry (boo).
> - User configuration is very limited. There's no option to turn off
> the autoloading and just run it as a nice, simple .exe file when
> desired. There's almost no way that the user can affect the program's
> performance.
> - There's no display whatsoever of the progress while it's working, no
> estimated time until completion, etc. I had no idea about whether it
> would be finished in 9 minutes or the actual 9 hours that it took.
> This is crazy-making.
>
> Because of the very long time to scan my system, I thought that I'd
> like to use it only as a second-line antivirus; it's probably a good
> one for that. Except that it's always taking some memory, and we've
> already got a really bad case of programmers and product managers who
> each think that their wares are so important that they must be
> instantly available: all system tray all the time, with no way to stop
> this hoggish behavior. I believe that people are, or will be, working
> on all these issues; it'll be interesting to watch this project
> develop.
>
> Now, the question:
> Can anyone suggest a way to run this program exclusively as an
> on-demand application without any installation? This is the only twist
> that could make this antivirus practical for me.


Uninstall ClamWin. It's definitely a work in progress, and it needs a
lot of work.

If you want free AV scanners then look at:
- TrendMicro's online scanner
(http://housecall.trendmicro.com/housecall/start_corp.asp)
- McAfee's online scanner
(http://us.mcafee.com/root/mfs/)
- Symantec Security Center online
(http://security.symantec.com/ssc)
- BitDefender (free version)
(http://www.bitdefender.com/PRODUCT-14-en--BitDefender-Free-Edition-v7.html)

The online scanners will download an ActiveX control, so you need to
allow it to download and run (which means you need to use a browser that
supports ActiveX and has it enabled or prompted). I did not suggest
AVG, AntiVir, or Avast! for freebie anti-virus scanners because their
coverage is less than BitDefender, and the coverage for BitDefender is
low at 94%; see http://www.av-comparatives.org/ (however, those
comparisons use version 8 of BitDefender whereas the free version is one
version back so it is at version 7). I used to recommend the 1-year
full-use version offered by CA for their EzAntiVirus
(www.my-etrust.com/microsoft) but I'm on the fence now due to their
spamming (where they spoof their e-mail as though it came from
TigerDirect; see
http://groups-beta.google.com/group/alt.comp.anti-virus/browse_frm/thread/2736e70f92839f6b).
I like the product but not the vendor's practices.
 

David H. Lipman

From: "Richard Steinfeld" <[email protected]>

| I installed the free ClamWin antivirus on my Windows Me system. My hard
| disk has about 1.4 gigs of files. I ran ClamWin; it took nine hours to
| scan my system (!).
|
| Sygate firewall was running, but in its "block all" mode. It's possible
| that the firewall may have slowed the performance slightly because
| Sygate runs processes almost constantly on my system.
|
| I decided to uninstall ClamWin for the reasons I'm outlining below.
| First some good stuff:
|
| It appears that the virus signatures are updated every day. This is very
| good maintenance. I've got the impression that the program is very
| thorough, which is also good.
|
| Now for the problems:
| - Despite operating as a stand-alone utility, the program is actually
| installed to the degree that it's a startup item that sits in the system
| tray. So, it's adding to the system's load of TSR bloat. It's not one of
| those "nice" ones that's in a startup group where you can put it
| somewhere else; it starts up from a registry entry (boo).
| - User configuration is very limited. There's no option to turn off the
| autoloading and just run it as a nice, simple .exe file when desired.
| There's almost no way that the user can affect the program's performance.
| - There's no display whatsoever of the progress while it's working, no
| estimated time until completion, etc. I had no idea about whether it
| would be finished in 9 minutes or the actual 9 hours that it took. This
| is crazy-making.
|
| Because of the very long time to scan my system, I thought that I'd like
| to use it only as a second-line antivirus; it's probably a good one for
| that. Except that it's always taking some memory, and we've already got
| a really bad case of programmers and product managers who each think
| that their wares are so important that they must be instantly available:
| all system tray all the time, with no way to stop this hoggish behavior.
| I believe that people are, or will be, working on all these issues;
| it'll be interesting to watch this project develop.
|
| Now, the question:
| Can anyone suggest a way to run this program exclusively as an on-demand
| application without any installation? This is the only twist that could
| make this antivirus practical for me.
|
| Thanks.
|
| Richard


No scanner has a progress bar that I know of. Scanning time is a function of the OS, CPU
and file scanning selection and the number of files. If you think 1.4GB will take less than
10 mins. your perspective is *way off* !

The following can be used as an excellent "On Demand" scanner as it provides three different
scanners from: Trend, Sophos and McAfee.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *
 

Franklin

> I installed the free ClamWin antivirus on my Windows Me system.
> My hard disk has about 1.4 gigs of files. I ran ClamWin; it took
> nine hours to scan my system (!).
>
> Sygate firewall was running, but in its "block all" mode. It's
> possible that the firewall may have slowed the performance
> slightly because Sygate runs processes almost constantly on my
> system.

My Sygate seems to be constantly scanning keys in the registry
even when there's no traffic and nothing to block.

> I decided to uninstall ClamWin for the reasons I'm outlining
> below. First some good stuff:
>
> It appears that the virus signatures are updated every day. This
> is very good maintenance. I've got the impression that the
> program is very thorough, which is also good.
>
> Now for the problems:
> - Despite operating as a stand-alone utility, the program is
> actually installed to the degree that it's a startup item that
> sits in the system tray. So, it's adding to the system's load of
> TSR bloat. It's not one of those "nice" ones that's in a startup
> group where you can put it somewhere else; it starts up from a
> registry entry (boo).

Both these freewares have a friendly menu which allows you to
enable or disable startup entries in the registry.

Mike Lin's Startup Control Panel
http://www.mlin.net/StartupCPL.shtml

Codestuff's Starter
http://www.mlin.net/StartupCPL.shtml

> - User configuration is very limited.
> There's no option to turn off the autoloading and just run it as
> a nice, simple .exe file when desired. There's almost no way
> that the user can affect the program's performance.
> - There's no display whatsoever of the progress while it's working, no
> estimated time until completion, etc. I had no idea about
> whether it would be finished in 9 minutes or the actual 9 hours
> that it took. This is crazy-making.
>
> Because of the very long time to scan my system, I thought that
> I'd like to use it only as a second-line antivirus; it's
> probably a good one for that.

If you have another antivirus running then that could well slow
down ClamWin's scan as it may be set to scan all the stuff read by
an application (including Clamwin).

> Except that it's always taking
> some memory, and we've already got a really bad case of
> programmers and product managers who each think that their wares
> are so important that they must be instantly available: all
> system tray all the time, with no way to stop this hoggish
> behavior. I believe that people are, or will be, working on all
> these issues; it'll be interesting to watch this project
> develop.

I don't know ClamWin but any antivirus will take a long time if it
is set to scan all files of ANY sort rather than all executables or
all potentially-hostile files. Is this something which you can
set in ClamWin?

> Now, the question:
> Can anyone suggest a way to run this program exclusively as an
> on-demand application without any installation? This is the only
> twist that could make this antivirus practical for me.

Both StartCPL and Starter allow you to explicitly launch startup
entries such as the one in the registry for Clamwin. After you are
done with it maybe you can close Clamwin down or, less nicely,
force it down using the Windows Task Manager?

HTH.
 

Franklin

> Uninstall ClamWin. It's definitely a work in progress, and it
> needs a lot of work.

Is it that poor? What sort of work does ClamWin still need?

ISTR someone recently said that it was not such a bad choice nowadays as a
scanner-only application.
 

Mark Carter

Vanguard said:
> Uninstall ClamWin. It's definitely a work in progress, and it needs a
> lot of work.

Indeed. I was hopeful of ClamWin because it was truly an open-sourced
solution. It had received much praise, so I thought that I was onto a
winner.

Unfortunately, the scans took ages, as noted by the OP.

I'm currently using Kerio Personal Firewall, Avast, Spyware blaster, and
Spybot ... which is not kind to my system resources.

Does anyone know if Avast includes a firewall; only it mentions stuff
about Network Shield.
 

Art

> Is it that poor? What sort of work does ClamWin still need?
>
> ISTR someone recently said that it was not such a bad choice nowadays as a
> scanner-only application.

Please search past posts. It's tiresome posting the same answers
over and over again. Clamav and Clamwin have been discussed
at some length on these groups and alt.comp.virus several times.

Now, I can save you some work by giving you a very brief
summary. While clamav may be a reasonably effective scanner
for use on email servers, clamwin is a mistake because it does
not compare well to other av scanners ... it's not a "real" av
scanner with the usual capabilities expected nowadays.

Art

http://home.epix.net/~artnpeg
 

ms

Richard said:
> I installed the free ClamWin antivirus on my Windows Me system. My hard
> disk has about 1.4 gigs of files. I ran ClamWin; it took nine hours to
> scan my system (!).

Awhile ago, I installed Clamwin (W98SE). Ran it, exited, it never ran
again! No help on the Clamwin forum (?), so uninstalled it.

Mike Sa
 

Franklin

On Sat 09 Jul 2005 18:56:41, Art wrote:
> Please search past posts. It's tiresome posting the same answers
> over and over again. Clamav and Clamwin have been discussed
> at some length on these groups and alt.comp.virus several times.
>
> Now, I can save you some work by giving you a very brief
> summary. While clamav may be a reasonably effective scanner
> for use on email servers, clamwin is a mistake because it does
> not compare well to other av scanners ... it's not a "real" av
> scanner with the usual capabilities expected nowadays.

Hi Art, nothing tiresome about it really. The OP sounded as if he
(like me) already has at least one antivirus package installed and so
he does not need a feature like "on guard" (or "resident shield" or
whatever you choose to call it). In that respect ClamWin is possibly
a good match.

However someone posted less than a month ago that ClamWin has
improved a great deal recently. That is why I put "nowadays" into my
statement "ISTR someone recently said that it was not such a bad
choice nowadays as a scanner-only application!" and I am pleased to
see you quote my statement although the main problem seems to be that
you may not have understood it.

Now, I can save you some work by giving you a very brief summary. In
fact I will quote part of the posting:

> ClamWin / ClamAV appears to have improved immensely. I haven't
> seen a recent good comparative test. I would not have bothered
> with it at all last year but I have started recommending it to
> those who want more than two AVs.

And so that is why I asked Vanguard "Is it that poor? What sort of
work does ClamWin still need?" when he made the point:

> Uninstall ClamWin. It's definitely a work in progress, and it
> needs a lot of work.

You see, it does not seem to line up with the recent posting I had
read.

Hope this helps. Keep an eye on the recent postings and you won't get
mixed up.
 

Art

> Hi Art, nothing tiresome about it really. The OP sounded as if he
> (like me) already has at least one antivirus package installed and so
> he does not need a feature like "on guard" (or "resident shield" or
> whatever you choose to call it). In that respect ClamWin is possibly
> a good match.

Sorry, but it is tiresome. I've seen no recent comparatives that
indicate ClamWin is worth having and using. There are many
far better alternatives.

Art

http://home.epix.net/~artnpeg
 

Vanguard

Franklin said:
> Is it that poor? What sort of work does ClamWin still need?
>
> ISTR someone recently said that it was not such a bad choice nowadays as a
> scanner-only application.


I haven't bothered to try it based on what I read, but then I need an
on-access scanner to protect me rather than let myself get infected and
then discover its damage. ClamWin Free Antivirus does not include an
on-access real-time scanner. That means you need to manually scan a
file in order to detect a virus. If all you want is a backup scanner to
look around to see if you are ALREADY infected then I suppose it's
doable. I'd rather catch it in the traffic coming to my host or as the
file is created or modified to zap it right then. If you want only an
on-demand scanner to figure out why your system is goofy, well, you
might as well wait until it goes goofy because your manually instigated
scans run at infrequent intervals aren't going to catch the virus before
it inflicts its damage.

I haven't gotten any specific numbers but I've heard its database of
signatures is much smaller which means its coverage is less. I already
consider AVG, Avast!, and AntiVir at the low end of coverage and
wouldn't want to go any worse. Viruses that were missed by ClamWin were
found by AVG. So, yeah, they might be updating everyday, but with a
smaller database then they are doing a lot of catchup and hence all the
required updates while they enlarge their database to match what the
others already cover.

Doubling up, tripling up, or more doesn't help your coverage. If you
get a decent AV product that is over 98% for coverage then it already
covers what the lesser AV products will cover. Putting a coarse filter
after or before the fine filter won't catch any more silt. You'll run
into conflicts if you run multiple AV on-access scanners because their
file drivers get chained, each causes lag, and they do not function
together. It used to crash when interrogating .cab files. A user
reported a bug that ClamWin wouldn't detect the eicar non-functional
virus test file when it was inside a .zip file attached to an e-mail
although there is a bug report on when it is a file, too. Filenames
were parsed incorrectly: a filename with parentheses, which are legit as
in "thisfile(001)", were causing crashes. It has a memory leak: after
each scan, it doesn't release non-paged memory. You might want to
peruse the bug reports on their Sourceforge web site (for those with
Open status). They are just now trying out an on-access scanner. They
have a plug-in for Outlook but not for Thunderbird or Mozilla. Other AV
products don't use plug-ins to work with e-mail clients. How good is
localization (i.e., other language support)? Considering their project,
it is still a rough work-in-progress. You already discovered that it
takes a long time to perform manual (on-demand) scans.

Without an independent comparative test to show its true coverage, it's
an unknown product. It hasn't been tested yet by VB100 or av-comparatives
and I doubt its coverage is any better than AVG. You might want to read
some user reviews at
http://www.download.com/ClamWin-Antivirus/3640-2239-10369484.html.
There are plenty of well-known free AV products out there and several
free online scanners by well-established AV vendors if all you want is
to periodically and manually instigate a manual scan. Unless you have a
need or desire to help out the ClamWin developers eventually mature
their product, there are plenty of other freebies out there.
 

Richard Steinfeld

Vanguard wrote:

> A user
> reported a bug that ClamWin wouldn't detect the eicar non-functional
> virus test file when it was inside a .zip file attached to an e-mail
> although there is a bug report on when it is a file, too.

Before I installed ClamWin, I downloaded all the varieties of the Eicar
test virus that I could get my hands on. ClamWin nailed all of them. I
deleted ClamWin because of usability constraints that I could not live
with. It appears that the virus signatures are updated at least once per
day, which is impressive maintenance.

I concluded that this program isn't ready for me yet. But it's
definitely worth watching -- it's coming along!

Richard
 

Robert Moir

Vanguard wrote:
> [lots of snips]
> Doubling up, tripling up, or more doesn't help your coverage. If you
> get a decent AV product that is over 98% for coverage then it already
> covers what the lesser AV products will cover. Putting a coarse
> filter after or before the fine filter won't catch any more silt.

This assumes that the set (detected by "lesser" virus scanner) is always
going to be a full member of the set (detected by "greater" virus scanner)
and there are no guarantees that this is always going to be true.
 

Art

Vanguard wrote:
>> [lots of snips]
>> Doubling up, tripling up, or more doesn't help your coverage. If you
>> get a decent AV product that is over 98% for coverage then it already
>> covers what the lesser AV products will cover. Putting a coarse
>> filter after or before the fine filter won't catch any more silt.
>
> This assumes that the set (detected by "lesser" virus scanner) is always
> going to be a full member of the set (detected by "greater" virus scanner)
> and there are no guarantees that this is always going to be true.

Interesting that you point out exactly what those of us actually see
when we test scanners with a large number of malware samples.

Actually, though, it's extremely rare that the "lesser" scanners alert
on malware samples the "heavy hitters" don't alert on. It's mostly
a war between two heavy hitters, as it were. That is, there
will be a handful that only HH1 _or_ HH2 alert on, and that handful
is pretty evenly divided between the two heavy hitters, each one
alerting on its particular half of the handful.

So, from what I've seen, one good heavy hitter is quite sufficient.
The main benefit of using multiple av scanners is for a preliminary
assessment of a suspected false positive. If only one of several
scanners alerts (after waiting a couple of days and updating), you
should submit the possible FP for analysis to that vendor.

Art

http://home.epix.net/~artnpeg
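
An added illustration, not part of the thread: the set comparison that Robert Moir and Art discuss above, written out in Python. The alert data is constructed; HH1 and HH2 are Art's labels, while the "lesser" scanner name and the sample IDs are assumptions made for the demo.

```python
"""Compare per-scanner alert sets: subset check, unique hits, single-alert triage."""

# Constructed data: scanner -> IDs of samples it alerted on. HH1/HH2 are the
# "heavy hitters" from the post; "lesser" and the sample IDs are made up.
ALERTS = {
    "HH1": {"s01", "s02", "s03", "s04", "s05", "s06", "s07", "s09"},
    "HH2": {"s01", "s02", "s03", "s04", "s05", "s06", "s08", "s09"},
    "lesser": {"s01", "s02", "s03", "s10"},
}


def not_covered_by(alerts, lesser, greater):
    """Samples flagged by `lesser` that `greater` did not flag.

    The coarse/fine filter analogy holds only if this set is empty,
    i.e. the lesser scanner's detections are a subset of the greater's.
    """
    return alerts[lesser] - alerts[greater]


def unique_detections(alerts):
    """For each scanner, the samples that no other scanner alerted on."""
    result = {}
    for name, hits in alerts.items():
        others = set().union(*(h for n, h in alerts.items() if n != name))
        result[name] = hits - others
    return result


def triage(alerts):
    """Split samples into corroborated alerts and single-scanner alerts.

    A single-scanner alert is either a detection the others missed or a
    false positive; the alert data alone cannot tell which, so the result
    records which vendor the sample would be submitted to for analysis.
    """
    by_sample = {}
    for name, hits in alerts.items():
        for sample in hits:
            by_sample.setdefault(sample, []).append(name)
    corroborated = sorted(s for s, names in by_sample.items() if len(names) > 1)
    single = {s: names[0] for s, names in by_sample.items() if len(names) == 1}
    return corroborated, single


if __name__ == "__main__":
    print("lesser-only vs HH1:", sorted(not_covered_by(ALERTS, "lesser", "HH1")))
    for scanner, only in unique_detections(ALERTS).items():
        print(f"only {scanner} alerts on:", sorted(only))
    corroborated, single = triage(ALERTS)
    print("corroborated:", corroborated)
    for sample, vendor in sorted(single.items()):
        print(f"{sample}: single alert, submit to {vendor} for analysis")
```
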
 

Roger Wilco

Robert Moir said:
> Vanguard wrote:
>> [lots of snips]
>> Doubling up, tripling up, or more doesn't help your coverage. If you
>> get a decent AV product that is over 98% for coverage then it already
>> covers what the lesser AV products will cover. Putting a coarse
>> filter after or before the fine filter won't catch any more silt.
>
> This assumes that the set (detected by "lesser" virus scanner) is always
> going to be a full member of the set (detected by "greater" virus scanner)
> and there are no guarantees that this is always going to be true.

Plus it is a bad analogy - unless file size is the filter criterion.

It is possible to gain some positive effect coverage-wise using two or
more scanners like this, but its real value is in being able to get that
second or third opinion scan without having to go to the internet. How
likely is it that a series of three scanners will false positive on the
same file?
 

Robert Moir

Art said:
> Interesting that you point out exactly what those of us actually see
> when we test scanners with a large number of malware samples.
>
> Actually, though, it's extremely rare that the "lesser" scanners alert
> on malware samples the "heavy hitters" don't alert on. It's mostly
> a war between two heavy hitters, as it were. That is, there
> will be a handful that only HH1 _or_ HH2 alert on, and that handful
> is pretty evenly divided between the two heavy hitters, each one
> alerting on its particular half of the handful.

Yep, I'm well aware of how things normally go down in these tests having
been around the place for quite some time myself, as you probably remember.
I'm talking about guaranteed behaviour rather than "probable" behaviour.
 
