Clam antivirus for Windows - any good?


Piotr Makley

This page says the free Clam antivirus has just been made available
for Windows.

http://sourceforge.net/forum/forum.php?forum_id=365033

I have never come across Clam before. Seems it is a command line
scanner only but that is the sort of thing I want.

Is Clam reckoned to be as good an AV program as the current free
Windows AV programs like AVG, AntiVir and Avast?
 
Piotr said:
This page says the free Clam antivirus has just been made available
for Windows.

http://sourceforge.net/forum/forum.php?forum_id=365033

I have never come across Clam before. Seems it is a command line
scanner only but that is the sort of thing I want.

Is Clam reckoned to be as good an AV program as the current free
Windows AV programs like AVG, AntiVir and Avast?

I downloaded it and have used it, based on the recommendation of some
techie types in another group that I lurk around. My understanding is
that it was originally developed for Linux-based email servers. It is an
on-demand scanner only -- no background scanning involved. Scanning can
be scheduled. Appears to have daily definitions updates, and can be
configured to download them automatically.

It is quite thorough and quite slow. Overly thorough, perhaps: it has
consistently detected an instance of MyDoom in an .iso file that I know
is in fact virus-free; it also picks up on the Eicar test script in my
F-Prot folder, and flagged a message in a private tech-oriented
newsgroup that would have been identified in a heartbeat by the group
members if it had actually carried a malicious payload.

I would consider it a good backup, but not a replacement for an active
scanner such as AVG. Probably would be a good tool to use when trying to
disinfect a known-compromised system.
 
Button bashing in practice for another round of Daley Thompson's
Decathlon said:
I have never come across Clam before. Seems it is a command line
scanner only but that is the sort of thing I want.

Is Clam reckoned to be as good an AV program as the current free
Windows AV programs like AVG, AntiVir and Avast?

Check/ask in grc.security.software or similar - lots of
info/help there. Personally, f-prot for dos (continually rates
excellent) and AVG6. Seems ok so far..... (also Spybot, AdAware with
plugins) - belt & braces & suspenders & a bit of string through the
loops approach - fine by me. AVG slows startup lots but otherwise no
probs. AFAIR, it's ok but nothing special, but grc will know...There's
about a dozen very helpful longtimers whose opinions would help.
 
I downloaded it and have used it, based on the recommendation of some
techie types in another group that I lurk around. My understanding is
that it was originally developed for Linux-based email servers. It is an
on-demand scanner only -- no background scanning involved. Scanning can
be scheduled. Appears to have daily definitions updates, and can be
configured to download them automatically.

These "techie types" apparently didn't know or point out that Clam is
an extremely deficient scanner. Most decent av products detect four or
five times as many malwares, and they don't have the detection holes
that Clam has, such as an inability to deal with macro and polymorphic
viruses.

It is quite thorough and quite slow.

It's just slow :) Don't bother with it.


Art
http://www.epix.net/~artnpeg
 
These "techie types" apparently didn't know or point out that Clam is
an extremely deficient scanner. Most decent av products detect four or
five times as many malwares, and they don't have the detection holes
that Clam has, such as an inability to deal with macro and polymorphic
viruses.

Just to update you slightly:

ClamAV does detect macro viruses in the current CVS
http://cvs.sourceforge.net/viewcvs.py/clamav/clamav-devel/ChangeLog
and new macro virus data is being entered all the time:
http://news.gmane.org/gmane.comp.security.virus.clamav.virusdb
Look for updates like:
Submission: 3069
Sender: Edmond
Submitted virus name: W97M.Microb
Virus name: W97M.Microb.A
Added: Yes

It's just slow :) Don't bother with it.

Well, there have been speed ups added:
http://cvs.sourceforge.net/viewcvs.py/clamav/clamav-devel/libclamav/scanners.c

For example, I've asked the authors to add "ignore-types" for BMP, PDF's,
PostScript and Real Media files and they added them, to the list they already
had:

Detail:

{0, "\000\000\001\263", 4, "MPEG video stream", CL_DATAFILE},
{0, "\000\000\001\272", 4, "MPEG sys stream", CL_DATAFILE},
{0, "RIFF", 4, "RIFF", CL_DATAFILE},
{0, "GIF", 3, "GIF", CL_DATAFILE},
{0, "\x89PNG", 4, "PNG", CL_DATAFILE},
{0, "\377\330\377", 4, "JPEG", CL_DATAFILE},
{0, "BM", 2, "BMP", CL_DATAFILE},
{0, "OggS", 4, "Ogg Stream", CL_DATAFILE},
{0, "ID3", 3, "MP3", CL_DATAFILE},
{0, "\377\373\220", 3, "MP3", CL_DATAFILE},
{0, "\%PDF-", 5, "PDF document", CL_DATAFILE},
{0, "\%!PS-Adobe-", 11, "PostScript", CL_DATAFILE},
{0, "\060\046\262\165\216\146\317", 7, "WMA/WMV/ASF", CL_DATAFILE},
{0, ".RMF" , 4, "Real Media File", CL_DATAFILE},

So, as a result, it's getting slightly faster.

As far as Windows users, I wouldn't remove AVG or AVAST etc. as my main
scanner, I just use WinClamAV for a backup on-demand scanner. However,
WinClamAV now has a plugin for Outlook and that's a step forward :)

Hope that helps,

Steve
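How a magic-byte "ignore-types" table like the one quoted above can be applied, as an added example in C that is not ClamAV's own code. The struct layout, the `data_file_type` name, the `memcmp`-over-`length` matching rule and the sample bytes are assumptions made for illustration; under that rule the JPEG row as posted (length 4 for a 3-byte literal) also compares the string's terminating NUL, so a JFIF header (FF D8 FF E0) is not matched and gets a full scan.

```c
#include <stdio.h>
#include <string.h>

/* Field order of the posted rows; the type column is dropped (all rows are skip entries). */
struct magic_entry { size_t offset; const char *magic; size_t length; const char *name; };

static const struct magic_entry ignore_types[] = {
    {0, "\000\000\001\263", 4, "MPEG video stream"},
    {0, "\000\000\001\272", 4, "MPEG sys stream"},
    {0, "RIFF", 4, "RIFF"},
    {0, "GIF", 3, "GIF"},
    {0, "\x89PNG", 4, "PNG"},
    {0, "\377\330\377", 4, "JPEG"},      /* length 4 as posted: 3 bytes + NUL */
    {0, "BM", 2, "BMP"},
    {0, "OggS", 4, "Ogg Stream"},
    {0, "ID3", 3, "MP3"},
    {0, "\377\373\220", 3, "MP3"},
    {0, "%PDF-", 5, "PDF document"},     /* posted as "\%PDF-" */
    {0, "%!PS-Adobe-", 11, "PostScript"},
    {0, "\060\046\262\165\216\146\317", 7, "WMA/WMV/ASF"},
    {0, ".RMF", 4, "Real Media File"},
};

/* Constructed sample inputs: the leading bytes of each kind of file. */
const unsigned char sample_pdf[]  = "%PDF-1.4\n";
const unsigned char sample_exe[]  = {0x4D, 0x5A, 0x90, 0x00, 0x03};
const unsigned char sample_mpeg[] = {0x00, 0x00, 0x01, 0xBA, 0x44};
const unsigned char sample_jpeg[] = {0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10};

/* Name of the first matching row, or NULL if the buffer must be scanned.
 * Assumption: a row matches when `length` bytes at `offset` equal `magic`. */
const char *data_file_type(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < sizeof ignore_types / sizeof ignore_types[0]; i++) {
        const struct magic_entry *m = &ignore_types[i];
        if (m->offset + m->length > len)
            continue;                    /* too short to hold this magic */
        if (memcmp(buf + m->offset, m->magic, m->length) == 0)
            return m->name;
    }
    return NULL;
}

int main(void)
{
    const char *t = data_file_type(sample_jpeg, sizeof sample_jpeg);
    printf("JFIF sample: %s\n", t ? t : "no match, gets a full scan");
    return 0;
}
```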
 
On Fri, 07 May 2004 18:32:43 +0100, Steve Basford

As far as Windows users, I wouldn't remove AVG or AVAST etc. as my main
scanner, I just use WinClamAV for a backup on-demand scanner. However,
WinClamAV now has a plugin for Outlook and that's a step forward :)

Hope that helps,

Sorry Steve. I've given Clam a good go, and I've tested it. I can't
recommend it to anyone for any purpose since there are so many far
superior av available, even of the free variety.


Art
http://www.epix.net/~artnpeg
 
Sorry Steve. I've given Clam a good go, and I've tested it. I can't
recommend it to anyone for any purpose since there are so many far
superior av available, even of the free variety.



I want to protect a mailserver with 5000 clients - what free AV do you
recommend?
There is no vendor that offers this. Don't mix ClamWin with ClamAV.
ClamAV was made for the use on *nix-based mailservers. ClamWin is
another project, based on ClamAV.

regards

Christoph
 
These "techie types" apparently didn't know or point out that Clam is
an extremely deficient scanner. Most decent av products detect four or
five times as many malwares, and they don't have the detection holes
that Clam has, such as an inability to deal with macro and polymorphic
viruses.

The most recent stable release of clam is 0.70. Do you have any idea why
it's a 0.xx release? Maybe because it's under development? There are
many things ClamAV can't do at the moment, still many people use it with
great success. ClamAV is able to deal with macro-viruses. If you look at
the viruses/worms that show up on a mail server, you will see that there
is a very small number of polymorphic viruses. Still, the polymorphic
detection is something that will be added sooner or later.
Just a hint: If you replicate some polymorphic viruses (not only the
standards you find on the web) you will see how good or bad the
polymorphic detection of a commercial AV really is. Detecting polymorphic
viruses is a pretty complex task - if you start from scratch. And you
can't tell the quality of a scanner by the number of signatures - you
should know that. But you are right, ClamAV is far away from the
detection rate of a commercial scanner.

It's just slow :) Don't bother with it.

Please make a difference between ClamAV and ClamWin.

regards

Christoph
 
Depends on your criteria for determining "goodness", but in general the
answer is "no".

I downloaded it and have used it, based on the recommendation of some
techie types in another group that I lurk around. My understanding is
that it was originally developed for Linux-based email servers. It is an
on-demand scanner only -- no background scanning involved. Scanning can
be scheduled. Appears to have daily definitions updates, and can be
configured to download them automatically.

It is quite thorough and quite slow. Overly thorough, perhaps: it has
consistently detected an instance of MyDoom in an .iso file that I know
is in fact virus-free; it also picks up on the Eicar test script in my
F-Prot folder, and flagged a message in a private tech-oriented
newsgroup that would have been identified in a heartbeat by the group
members if it had actually carried a malicious payload.

This is because it has a fundamentally broken concept of what viruses
are and how they work, and thus attacks the problem of detecting them
from a technically unfeasible angle. ClamAV is a classic example of
what I call the "glorified binary grep" approach to virus detection.
Further, its developers have done very little of the minimally necessary
"glorifying" yet -- ClamAV is basically a dumb string scanner that is
unable to deal adequately with complex viral forms such as polymorphics
and metamorphics. Due to an accident of history this does not prevent
the scanner from detecting most of the currently widespread malware as
very little of it uses such trickery, but depending on such a scanner
will leave you open to unreliable detection of any new polymorphic or
metamorphic malware.

I would consider it a good backup, but not a replacement for an active
scanner such as AVG. Probably would be a good tool to use when trying to
disinfect a known-compromised system.

I have less confidence in its usefulness than you then...
 