Configuring ClamWin

Open the Configuration Preferences screen

Perform one of the following sequences of actions.

  • Open the ClamWin interface, then choose “Preferences” from the “Tools” menu. Then (use Control-Tab to) select the tab called “Scheduled Scans”.
  • Open the same “ClamWin Preferences” window by accessing the context/shortcut/“right-click” menu of the ClamWin icon in the “system tray”/“message notification area”, and then choosing “Configure ClamWin”. Then (use Control-Tab to) select the tab called “Scheduled Scans”.
  • Access the context/shortcut/“right-click” menu of the ClamWin icon in the “system tray”/“message notification area”, and then choose the “Scheduler” submenu and then choose the “Configure Scheduler” menu option. If following this step, the window that opens will be showing the tab called “Scheduled Scans”.

Opening up the main ClamWin program interface and accessing its menu may be slightly less nice than the other options because the main program interface will take up screen space, although it will not be able to be interacted with until the ClamWin Preferences child window is closed.

Scheduling scans

Configuring ClamWin: Initial view of the tab called Scheduled Scans

The “Scheduled Scans” tab is another absolutely critical tab to make changes with. By default, ClamWin will never scan anything unless a scan is manually started. To fix that, go to the “Scheduled Scans” tab and choose the “Add” button. The default time may be similar to the current time, and that may not be ideal since people often prefer scans to run when the computer isn't being interacted with. For example, choosing a start time a bit earlier than 3:00 A.M. may work well for many people.

Configuring ClamWin: Starting the scheduling for a scan

Also, a value for the “Scan Folder” must be selected. Choose the ellipsis button to choose a folder.

Configuring ClamWin: Choosing a drive for a scheduled scan (initial view)

Select a drive or a drive's sub-folder. It is recommended to pick a hard drive, which will probably be identified with a drive letter of “C:”. After the desired target is selected, choose the OK button.

Configuring ClamWin: Scheduling a scan: Drive is selected

The final task, which is not optional if the scheduled scan is to be saved, is to choose a description. As a recommendation, type a reference to the time the scan is scheduled, and perhaps which target is scanned.

Configuring ClamWin: Describing task

After the folder and Description are selected, ClamWin goes back to the “Scheduled Scans” dialog box. At this point, the window will show all of the scans scheduled so far. It is recommended to have ClamWin scan all drives which are not removable drives, so press the Add button again, and repeat the process (but choose a different drive) if that is the case. The following screen shows the results after multiple drives were added.

Configuring ClamWin: Scans are scheduled

General tab: Response to infections (and scanning options)

Configuring ClamWin: General tab

If this system is not going to be regularly maintained even though it is used, it is highly recommended that problems are dealt with by selecting “Move To Quarantine Folder:”. (The q

The reason to move files is this: the primary issue with “Report Only” is how little it accomplishes if the report isn't read, or if notifications are simply not noticed or are ignored even when they are noticed. A reason why people might consider ignoring an alert is if the system detects problems with files that aren't important or used, such as detecting definitions files (from other software) or detecting issues with the content stored within files that are used for temporary data from web browsing sessions. (For copies of Microsoft Internet Explorer that store files in a Content.IE5 directory, such cache files may be stored rather directly, although some other browsers may embed temporary files into some sort of container, which makes it less likely that the files would be easily, even accidentally, interacted with directly.) However, no substantial amount of real protection occurs if nothing useful happens even when a problem is detected.

Choosing to move files could cause some problems (as could the “Remove (Use Carefully)” option), but if such problems occur, they are likely going to be able to be fixed fairly easily by someone who both understands computers well (enough to know how to boot off of an operating system CD and correct a moved file) and who also has sufficient access/permissions. On the other hand, the consequences of letting malware run rampant are more likely to cause a problem. In most cases, the safest thing for most people to do will be to choose “Move To Quarantine Folder:”. Advanced users may prefer to create a new folder and specify where quarantined items go, and that optional step should be fine to do if desired.

Other changes

The other changes may not be as critical to making ClamWin useful. The following changes are recommended:

Configuring ClamWin: Limits

For the Limits tab, increasing the limit to the maximum value may help prevent problems in large files from being skipped just because the files are too large. The maximum size that is saved after pressing the OK button is 4096 megabytes. The default of 100MB is fairly small by today's standards, where broadband connections and media files are often used, so changing that is recommended. Changing to a value above 4096 may appear to work, although closing and re-entering the “ClamWin Preferences” window will show that it changes to 4096.

Several changes from the default configuration are recommended. Some of these improvements may be less definite. (Opinions may be more likely to vary with some of the below options.)

Unchecking the “Extract Files From Archives” button is recommended only if the general tab is not set to “Report Only” or if the actions of moving or changing archives, due to detected contents (including possible false positives), is permitted. In general, if a person does not typically manage archive files (like “.Zip” files), it may be okay to have this be checked. Those who are careful with archive contents, and do not want unoriginal archives due to automated actions such as what some AntiVirus software products should use, may want to have this be unchecked.

Configuring ClamWin: Adjusted limits

For “Internet Updates”, do check “Update Virus Database On Logon” if there is a good chance that the system will be regularly turned off during the time of the scheduled updates (shown by the “Update Frequency” section), which frequently occurs when people choose updates in the middle of the night but then turn their computer off. Enabling “Update Virus Database On Logon” helps make sure updates happen as regularly as the computer is online or used, either by updating when the update frequency occurs or by updating during a logon. Unfortunately, this adds to startup time, which can be noticeable when people want to use the computer shortly after turning it on.

If the end user is not going to apply program upgrades, then it may make sense to disable the alerts to the end user when the program has an available upgrade. This isn't referring so much to the database updates, which really should be updated regularly (automatically). However, program upgrades may be something that doesn't get handled automatically. These may commonly be released far less often than once per month, but an organization that has many computers used by many employees might not want messages informing all of these employees the day that a new upgrade becomes available. To disable such messages, the “Internet Updates” tab has a checkbox to clear, called “Notify About New ClamWin Releases” (and then, “(No personal information is transmitted during this check)”).

As for the “Update Frequency” section of the “Internet Updates” tab, the best time of the day to update definitions may be before the scheduled scans. If a broadband Internet connection is being used, setting the update to start fifteen minutes before the scanning is likely to leave plenty of time before the scan starts.

Configuring ClamWin: Internet Updates

Under the “Filter” tab, unless the “Remove (Use Carefully)” option is selected on the “General” tab, the safest course of action is to remove all entries under both the “Exclude Matching Filenames:” box and the “Scan Only Matching Filenames:” box. Note that this may cause increased scan times and some additional slowdown that is often viewed as unnecessary, so some people may not find this to be desirable. Also, before removing all the pre-existing filters, it should be noted that some of the default extensions relate to logs that may be very useful to analyze if a problem does occur, so excluding these files may be particularly important if the more aggressive “Remove (Use Carefully)” option was chosen on the general tab. However, it's quite clear that if security is more important than even substantial speed drops, and if the Report option or Quarantine option is selected in the “Infected Files” area of the general tab, the safest option to make ClamWin less likely to overlook problems is generally to remove all exceptions from this list. This is done with the Red X buttons, which can be tabbed to if they aren't greyed out (due to a section already being empty). The recommendation is to remove all pre-existing filters if the “General” tab is not set to “Remove (Use Carefully)”, and re-add the extensions later if scanning causes too much slowdown. If scanning is having too much impact or is taking too long, particularly when opening certain programs that use files in the default exclusion list (including an Outlook program), then re-adding the default extensions may help. (The default list may include a pattern of *.dbx and similar patterns for files with an extension of tbb, pst, dat, log, evt, nsf, ntf, and chm. The list of default filters is also mentioned in the ClamWin\bin\manual_*.pdf file in the Program Files directory that is used for 32-bit programs.)

Configuring ClamWin: Matching Filename Patterns

Having said that, though, there is one exclusion that may make some good sense: Adding the quarantine folder. (Many Anti-Virus software programs may do this by default: see forum post about ClamWin scanning its own quarantine area for a discussion on that.)

If ClamWin is using a Quarantine folder, the location of that folder is visible on the “General” tab.

If this exclusion is desired and a quarantine folder of C:\Quarant was specified, then the recommended filter would be:

<C:\\Quarant\\.*>

If a filter doesn't specify the quarantine folder, the ClamScanLog.txt file may add a couple of entries for anything already in the quarantine. The first entry will say the item was “ FOUND” and the second entry will say the item was “ not moved/copied since already in quarantine”. ClamWin may also alert the user (with a pop-up message notification window) that items have been found. This may be desirable if one wants an end user to have additional notification that the software found something. However, if at least one item is known to remain in the quarantine, such a message is useless (and encourages the end user to ignore such messages), so this should be avoided.
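The following is an added example, not part of ClamWin or of the original guide: a small Python triage script that separates fresh detections from re-reports of items already sitting in the quarantine folder, reusing the filter pattern shown above. It assumes the text inside `<...>` is a regular expression matched against the whole path; the log line layout and the sample lines are constructed for illustration.

```python
import re

# The page's filter with the surrounding <...> removed (assumption: the
# angle brackets mark the enclosed text as a regular expression).
QUARANTINE_FILTER = r"C:\\Quarant\\.*"

# Constructed sample lines; the exact ClamScanLog.txt layout is assumed.
SAMPLE_LOG = r"""
C:\Users\pat\Downloads\setup.exe: Win.Test.EICAR_HDB-1 FOUND
C:\Quarant\invoice.doc.infected: Win.Test.EICAR_HDB-1 FOUND
C:\Quarant\invoice.doc.infected: not moved/copied since already in quarantine
C:\QuarantOld\tool.zip: Win.Test.EICAR_HDB-1 FOUND
C:\Windows\notepad.exe: OK
"""

# "<path>: <signature> FOUND"; the greedy path part keeps the drive colon.
FOUND_LINE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")


def triage(log_text, quarantine_regex=QUARANTINE_FILTER):
    """Return (new_hits, requarantined) as lists of (path, signature)."""
    # Windows paths are case-insensitive, so match the folder that way too.
    in_quarantine = re.compile(quarantine_regex, re.IGNORECASE)
    new_hits, requarantined = [], []
    for line in log_text.splitlines():
        m = FOUND_LINE.match(line.strip())
        if not m:
            continue  # "OK" lines, "not moved/copied" notes, blank lines
        # fullmatch: the pattern must cover the entire path, so a sibling
        # folder such as C:\QuarantOld is NOT treated as the quarantine.
        if in_quarantine.fullmatch(m["path"]):
            requarantined.append((m["path"], m["sig"]))
        else:
            new_hits.append((m["path"], m["sig"]))
    return new_hits, requarantined


if __name__ == "__main__":
    new_hits, requarantined = triage(SAMPLE_LOG)
    for path, sig in new_hits:
        print(f"NEW    {sig}  {path}")
    for path, sig in requarantined:
        print(f"STALE  {sig}  {path}")
```

Only the NEW entries need a response; the STALE entries are the repeat reports that the quarantine exclusion filter would suppress.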

The “Email Alerts” tab is a great idea to use in most cases if there are E-Mail settings, including a destination address, that may be used. For computers that are not regularly maintained by savvy computer users, a wise setup may involve E-Mailing a distribution group/list so that someone helpful may also respond.

On the “Email Scanning” tab, there is a “Display Splash Screen on Startup” option that users may wish to uncheck.

It is recommended that real-time scanning is performed. Continue to the Guide to making ClamWin real-time for details on how to do this.