Using ClamAV as a general purpose scanner

Julian

There seems to be a renewal of interest in the idea of using ClamAV as a
general purpose virus scanner for Windows. Boguslaw Brandys of Bransoft
(www.bransoft.com) has developed a pure Windows port of ClamAV (one that
doesn't require Cygwin) and has used it to develop a very nice mail
scanning POP3 proxy. He is apparently considering developing this into a
complete anti-virus package.

I have been thinking about converting my Tech-Protect GUI shell for
F-Prot for DOS to use ClamAV, due to the problems that the F-Prot DOS
scanner has with NTFS filenames and its inability to scan .NET
executables, so I thought I'd do a bit of testing to see how well (or
badly) it would work. I've posted the results on my website. Here's the
link: http://www.tech-pro.net/clamav.html .
 
Art

There seems to be a renewal of interest in the idea of using ClamAV as a
general purpose virus scanner for Windows. Boguslaw Brandys of Bransoft
(www.bransoft.com) has developed a pure Windows port of ClamAV (one that
doesn't require Cygwin) and has used it to develop a very nice mail
scanning POP3 proxy. He is apparently considering developing this into a
complete anti-virus package.

I have been thinking about converting my Tech-Protect GUI shell for
F-Prot for DOS to use ClamAV, due to the problems that the F-Prot DOS
scanner has with NTFS filenames and its inability to scan .NET
executables, so I thought I'd do a bit of testing to see how well (or
badly) it would work. I've posted the results on my website. Here's the
link: http://www.tech-pro.net/clamav.html .

Since clamav isn't a "real" antivirus scanner (just a sig scanner) I
suggest that you refer to it appropriately. Call it a "Limited
Capability Signature Based Malware Detector" (LCSBMD) or something
like that to distinguish it from "real" av products that normally do
detect macro viruses and polymorphics ... and that use a balance of
signature recognition and heuristics (at the very least).


http://home.epix.net/~artnpeg
 
Julian

Art said:
Since clamav isn't a "real" antivirus scanner (just a sig scanner) I
suggest that you refer to it appropriately. Call it a "Limited
Capability Signature Based Malware Detector" (LCSBMD) or something
like that to distinguish it from "real" av products that normally do
detect macro viruses and polymorphics ... and that use a balance of
signature recognition and heuristics (at the very least).

Well, its capabilities may be limited in some areas, but if the
developers call it an antivirus (that's what the AV part of the name
stands for after all) then that's clearly what they intend it to be, and
that's what I shall call it. Whether it's a very good antivirus, judged
by current standards, is another matter.

I suspect, in fact, that it does use heuristics to detect certain types
of mail exploits. That's the area where the developers seem to have
focussed most of their effort. Not the detection of DOS viruses that
have largely died out anyway.
 
Art

Well, its capabilities may be limited in some areas, but if the
developers call it an antivirus (that's what the AV part of the name
stands for after all) then that's clearly what they intend it to be, and
that's what I shall call it.

I think it was intended to be an email malware blocker. They can call
it what they want, but in my mind it's far from an antivirus.
Whether it's a very good antivirus, judged
by current standards, is another matter.

It's lousy by either old or new standards of what's expected from
antivirus products.
I suspect, in fact, that it does use heuristics to detect certain types
of mail exploits. That's the area where the developers seem to have
focussed most of their effort. Not the detection of DOS viruses that
have largely died out anyway.

Back when I evaluated it, it was strictly a sig scanner. As an email
malware blocker it may be quite effective. But I think it should be
characterised as to what it really is so that people realize it's a
different kind of animal than the "real" antivirus products. There's
too much confusion and misinformation. Why contribute to it?


http://home.epix.net/~artnpeg
 
Ian Kenefick

I agree with everything you say except for..
"real" av products that normally do[SNIP] ... and that use a balance of
signature recognition and heuristics (at the very least).

IMHO - There are but 3 or 4 products that incorporate balanced
Signature/Heuristics scanning despite ridiculous statistical claims
like for example KAV who say they detect 82% of 'previously unknown'
malware using heuristics. That's a lot of BS if you ask me.

1) NOD32
2) Norman
3) Dr. Web
4) F-Prot

This does not include generic detection which is not to be confused
with heuristics since it is still signature based.


Regards,
Ian Kenefick
http://www.ik-cs.com
 
Ian Kenefick

Since clamav isn't a "real" antivirus scanner (just a sig scanner) I
suggest that you refer to it appropriately. Call it a "Limited
Capability Signature Based Malware Detector" (LCSBMD) or something
like that to distinguish it from "real" av products that normally do
detect macro viruses and polymorphics ... and that use a balance of
signature recognition and heuristics (at the very least).


P.S. - sorry I should have included this in my original post. Sophos
Antivirus is an excellent choice for business and it does not
incorporate heuristic analysis as part of its malware detection
routines.


Regards,
Ian Kenefick
http://www.ik-cs.com
 
Julian

Art said:
Back when I evaluated it, it was strictly a sig scanner. As an email
malware blocker it may be quite effective. But I think it should be
characterised as to what it really is so that people realize it's a
different kind of animal than the "real" antivirus products. There's
too much confusion and misinformation. Why contribute to it?

Well, I don't want to get into an argument over this. People *are*
interested in making ClamAV into a general antivirus package because
there is interest in having one that is free, not just for personal use.
Therefore it should be evaluated as such, and that is all I was trying
to do.

Regardless of what you or I think of it, there is already one package
that uses it as a general purpose scanner, ClamWin (an on-demand scanner
only) and someone else (Bransoft, as mentioned in my article) has stated
an intention of developing what will be presented as a "real" antivirus
package using it.
 
Ian Kenefick

Well, I don't want to get into an argument over this. People *are*
interested in making ClamAV into a general antivirus package because
there is interest in having one that is free, not just for personal use.
Therefore it should be evaluated as such, and that is all I was trying
to do.

Regardless of what you or I think of it, there is already one package
that uses it as a general purpose scanner, ClamWin (an on-demand scanner
only) and someone else (Bransoft, as mentioned in my article) has stated
an intention of developing what will be presented as a "real" antivirus
package using it.

Julian, I gather you are not accustomed to Art's inability to control
his need to be argumentative. Mind you, he was right with the
exception of the Heuristics statement.


Regards,
Ian Kenefick
http://www.ik-cs.com
 
Art

I agree with everything you say except for..
"real" av products that normally do[SNIP] ... and that use a balance of
signature recognition and heuristics (at the very least).

IMHO -

No need to be humble about stating an opinion.
There are but 3 or 4 products that incorporate balanced
Signature/Heuristics scanning despite ridiculous statistical claims
like for example KAV who say they detect 82% of 'previously unknown'
malware using heuristics. That's a lot of BS if you ask me.

That's BS all right but your humble opinion is also BS :) KAV does use
heuristics as do most "real" antivirus products. Some also use a form
of generic detection.


http://home.epix.net/~artnpeg
 
Ian Kenefick

That's BS all right but your humble opinion is also BS :) KAV does use
heuristics as do most "real" antivirus products. Some also use a form
of generic detection.


http://home.epix.net/~artnpeg

Yes I know KAV does use heuristics (I think they were one of the first
to implement heuristic analysis into av engine) - I refer to their use
of an unrealistic figure of detecting 82% of previously unknown
threats. Generic detection is not heuristics.


Regards,
Ian Kenefick
http://www.ik-cs.com
 
Art

Well, I don't want to get into an argument over this.

Stating facts and POVs is arguing? :)
People *are*
interested in making ClamAV into a general antivirus package because
there is interest in having one that is free, not just for personal use.

I know. It is also being used commercially, IIRC.
Therefore it should be evaluated as such, and that is all I was trying
to do.

I don't think standards of high quality should be lowered simply
because something is freeware, do you?
Regardless of what you or I think of it,

I know av experts don't think much of clamav either.
there is already one package
that uses it as a general purpose scanner, ClamWin (an on-demand scanner
only) and someone else (Bransoft, as mentioned in my article) has stated
an intention of developing what will be presented as a "real" antivirus
package using it.

Well, I hope clamav eventually does become a respected and "real"
av.


http://home.epix.net/~artnpeg
 
Roger Wilco

Ian Kenefick said:
Julian, I gather you are not a'customed to Art's inability to control
his need to be arguementative. Mind you, he was right with the
exception of the Heuristics statement.

Right, something like this could become "the best" in some peeps eyes
because it is fast and not resource hungry, and detects all the lame-ass
e-mail worms they are subjected to. Those peeps won't worry about what
it doesn't do. Art is right to caution about how this product is
portrayed.
 
Julian

Ian said:
Yes I know KAV does use heuristics (I think they were one of the first
to implement heuristic analysis into av engine)

I recall F-Prot and Dr. Solomon were starting to use heuristics 10 years
ago when no-one had even heard of Kaspersky outside of Russia.
 
Julian

Art said:
I don't think standards of high quality should be lowered simply
because something is freeware, do you?

Agreed, but I don't think how well a product performs should determine
what it is allowed to be called, either. There have always been good and
bad anti-virus products.
I know av experts don't think much of clamav either.

I'm sure you're right, but I think it's a pity that those with the
skills to do so aren't more supportive of the effort and don't help to
improve it. If there was a completely free anti-virus, new computers
could come with it already installed. It seems to me, most new computer
buyers, who never read magazines or visit technical forums, don't get an
antivirus until *after* the first time they get infected.
Well, I hope clamav eventually does become a respected and "real"
av.

Yes, me too.
 
Ian Kenefick

I recall F-Prot and Dr. Solomon were starting to use heuristics 10 years
ago when no-one had even heard of Kaspersky outside of Russia.

The first Heuristics analysis was used in the F-Prot/Datafellows
co-developed engine. You are semi-correct whereas my initial
statement was not correct at all.


Regards,
Ian Kenefick
http://www.ik-cs.com
 
Julian

Ian said:
The first Heuristics analysis was used in the F-Prot/Datafellows
co-developed engine. You are semi-correct whereas my initial
statement was not correct at all.

That's something. My memory is rarely very accurate when going back that
far...
 
James Egan

I have been thinking about converting my Tech-Protect GUI shell for
F-Prot for DOS to use ClamAV, due to the problems that the F-Prot DOS
scanner has with NTFS filenames and its inability to scan .NET
executables

It's not only a problem with NTFS since the same apparently happens on
WinXP with a FAT32 filesystem.

In this recent thread http://tinyurl.com/4fbpu bassbag and I were
wondering if Tech-Protect overcame F-Prot for DOS's limitations on a
WinXP machine with a FAT32 filesystem. Perhaps you can shed some
light?


Jim.
 
Julian

James said:
It's not only a problem with NTFS since the same apparently happens on
WinXP with a FAT32 filesystem.

In this recent thread http://tinyurl.com/4fbpu bassbag and I were
wondering if Tech-Protect overcame F-Prot for DOS's limitations on a
WinXP machine with a FAT32 filesystem. Perhaps you can shed some
light?

Hi Jim.

Your analysis of what Tech-Protect does is correct. It does overcome
some of the problems, but I have still encountered F-Prot hanging, which
is why there is also a timer for scanning each folder and Tech-Protect
tries to terminate F-Prot if it gets stuck. I have also encountered
F-Prot throwing some DOS Extender exception, in which case it refuses to
be terminated. And it does not even attempt to scan .NET executables
(don't know if there are any .NET viruses yet.)

On the whole, I'm coming to feel that Tech-Protect has gone as far as it
is possible to go to keep F-Prot's DOS scanner usable under NT/NTFS, but
it isn't quite far enough. It would be great if Frisk would make their
32-bit scanner available on the same terms as the DOS one, but since
they probably aren't, it seems time to look around for an alternative.
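The per-folder timer and forced termination that Julian describes for Tech-Protect, sketched as an added Python example (not Tech-Protect's, F-Prot's or ClamAV's code) around a generic command-line scanner invoked once per folder. The exit-status mapping (0 clean, 1 something found, anything else scanner error, which is how clamscan behaves) and the names `scan_folder`, `scan_tree` and `summarize` are assumptions, not anything from the thread.

```python
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Optional, Sequence


@dataclass
class FolderResult:
    folder: str
    status: str                 # clean | infected | error | timeout | unkillable
    returncode: Optional[int]   # scanner exit status, None if it had to be stopped


def scan_folder(scanner_cmd: Sequence[str], folder, timeout_s=60.0, grace_s=2.0):
    """Run one scanner invocation on `folder` under a watchdog timer.
    Exit-status mapping is an assumption (matches clamscan): 0 clean,
    1 something found, anything else a scanner error."""
    proc = subprocess.Popen([*scanner_cmd, str(folder)],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        rc = proc.wait(timeout=timeout_s)
    except subprocess.TimeoutExpired:
        proc.terminate()                        # ask politely first (SIGTERM)
        try:
            proc.wait(timeout=grace_s)
        except subprocess.TimeoutExpired:
            proc.kill()                         # it refused to stop: SIGKILL
            try:
                proc.wait(timeout=grace_s)
            except subprocess.TimeoutExpired:   # still there: report and move on
                return FolderResult(str(folder), "unkillable", None)
        return FolderResult(str(folder), "timeout", None)
    status = {0: "clean", 1: "infected"}.get(rc, "error")
    return FolderResult(str(folder), status, rc)


def scan_tree(scanner_cmd: Sequence[str], root, **watchdog) -> list:
    """Scan root and each subfolder separately so one hang stalls only that folder."""
    root = Path(root)
    folders = [root] + sorted(p for p in root.rglob("*") if p.is_dir())
    return [scan_folder(scanner_cmd, f, **watchdog) for f in folders]


def summarize(results) -> dict:
    """Count outcomes. Folders marked timeout/unkillable were NOT fully scanned
    and need a retry; a shell should surface them rather than imply 'clean'."""
    counts = {"clean": 0, "infected": 0, "error": 0, "timeout": 0, "unkillable": 0}
    for r in results:
        counts[r.status] += 1
    return counts
```

The watchdog stops a hung scanner from stalling the whole run, but a folder that hit the timer has not been scanned, so the summary keeps it distinct from a clean result.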