Using ClamWin

Getting ClamWin
The short guide for Getting ClamWin provides details on where this software may be obtained from.
Installing ClamWin
The lengthier guide for Installing ClamWin shows screenshots of the process of installing the software. This probably isn't needed for most people who have installed a fair to large amount of software on computers using modern (at least 32-bit) versions of Microsoft Windows, but the screenshots may still be useful as a reference.
Opening ClamWin

The Opening ClamWin page provides a small amount of material, essentially duplicated here, about how to open the software.

Enter the ClamWin interface. The fastest way to do that will generally be to double-click on the ClamWin scanner icon in the “system tray”, also known as the “message notification area”, which is where there are several icons next to the clock in the (usually lower-right) corner of the screen. The icon looks like a blue circle and says “ClamWin Free Antivirus” when hovered over. If that icon isn't visible, look for a left arrow that, when hovered over, refers to showing more/hidden icons. A slightly longer way with more options is to right-click on that icon and then choose “Open ClamWin”.

(Screenshots: Classic View; another view; another view with the left arrow highlighted.)

Alternatively, one may find ClamWin under the “Programs” (or “All Programs”) section under the Start Menu, and specifically under the folder called “ClamWin Antivirus”. From this location, the icon to choose is called “Virus Scanner”. This simply runs the file “ClamWin\bin\ClamWin.exe” from the “Program Files” folder that is used. (On a 64-bit operating system, this may be under “C:\Program Files (x86)\”.)

Prepare to be asked to download definitions if that hasn't been done.

(Note, this is not necessarily saying to prepare to download these definitions immediately. You may choose “No” if there is no immediate scanning need, and rely on either the automatic update process or one of the subsequent times that the user may be asked this question. Without meaning to provide advice one way, or the other, about whether to proceed with such a download, this guide is simply advising to be prepared to be asked the question.)

Configuring ClamWin
The guide to Configuring ClamWin provides recommendations on how to cause the software to automatically perform useful scans. This is one of the longest sections of the guide, yet skipping these steps could cause ClamWin to never automatically detect any malware.
Adding Real-Time Scanning

At the time of this writing, real-time scanning is not provided directly by ClamWin. To add that feature, there are multiple solutions, including WinPooch. The “Adding Real-Time Scanning to ClamWin” guide may focus more on using Clam Sentinel, providing information on obtaining/installing, configuring, and testing it.

Updating ClamWin
Information about Updating ClamWin.
Testing ClamWin Software
A guide for safely testing ClamWin software is available with appropriate hyperlink(s) to information about related software.
Reviewing logs
Information about logs used by ClamWin as well as Clam Sentinel are in the page about logs used with ClamWin software.
Responding to threat reports
General process

ClamWin may try to quarantine the file. For details, see the GUI's Tools, Preferences, “General” tab (“Infected Files”) section. ClamWin's behavior may also be affected by the “Filters” tab and the “Limits” tab in the Tools, Preferences section.

Learning more about the malware

One option may be to check the archives of the “mailing list” used for submissions. This may be done by going to the clamav-virusdb web archives on ClamAV's “lurker” server, and using the Search box towards the bottom of the page. The clamav-virusdb web archives are hyperlinked from the ClamAV Virus Database page (which is listed in the “Downloads” section of the website, although the page itself does provide information about downloads).

When searching these archives, remove the “Win.” at the start of the threat name. For example, if a threat is named “Win.Trojan.Agent-######”, then just search for “Trojan.Agent-######”.

Another option might be to use a program called sigtool, distributed by ClamAV.

A forum thread about ClamAV shows an example of how a threat can be checked out a bit further. A group of people used the ClamAV mailing archives to figure out that ClamAV detected software based on information submitted by an organization called VirusTotal. The sigtool software by ClamAV produced a specific string of hexadecimal characters that ClamAV was paying attention to when ClamAV was detecting the threat. People were able to use that string of hexadecimal characters to locate more information from the VirusTotal website.

Submitting malware
If a false positive is found, or a controlled false negative is found, the ClamAV team may be informed by using the ClamAV VirusDB submission page.
Removing the ClamWin software
Because these programs uninstall so easily, the page for information about removing ClamWin and Clam Sentinel provides this simple paragraph:
Removing ClamWin and Clam Sentinel is straightforward. Simply go to the standard location in the operating system, locate the program, and choose to Uninstall it (using a shortcut/context/right-click menu if necessary). The standard location varies between Microsoft Windows operating systems, but generally involves going to the Control Panel and searching for an icon with a description that includes the word “Programs”. (Further assistance may be provided by part of an elaborate software installation guide.)
[#clmwnsig]: Signature Files

When combined with Clam Sentinel and another anti-malware product, the following files were identified by the other anti-malware product:


e.g., an actual filename included: clamav-1b19b78b55fb6cdd4d2a99c7613ed0d0.00001fd4.clamtmp. Other filenames had other sets of 32 hexadecimal characters (but then ended with 00001fd4.clamtmp). An earlier filter had been made for clamav-????????????????????????????????.0000109c.clamtmp, so at least the last three hexadecimal digits are believed to have been changed. It is presumed that the 00001fd4 might be variable/customizable, but that didn't seem to change.

On the system where this was seen and documented, the name of the primary username/account was “User”, so that was probably the user account that installed the software. Also, %LOCALAPPDATA% and %TEMP% and %TMP% all pointed to C:\Users\User\AppData\Local\Temp, so the temporary files went into the directory that was specified by all of those environment variables. Some of that similarity/matching may be (and probably is) non-coincidental.
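As an added example (not code from the original page or from the ClamWin/Clam Sentinel projects), the following Python checks whether a file reported by another anti-malware product really fits the ClamAV temporary-file pattern described above and sits in the temp directory quoted above, and derives an exclusion filter from an observed name. The “one `?` per character” wildcard syntax is assumed to be what the other product's filter accepts.

```python
import fnmatch
import re
from pathlib import PureWindowsPath

# Pattern observed on the page: clamav-<32 hex>.<8 hex>.clamtmp
CLAMTMP_RE = re.compile(r"^clamav-([0-9a-f]{32})\.([0-9a-f]{8})\.clamtmp$", re.IGNORECASE)

def parse_clamtmp_name(name):
    """Return (32-hex part, 8-hex suffix) in lowercase, or None if no match."""
    m = CLAMTMP_RE.match(name)
    return (m.group(1).lower(), m.group(2).lower()) if m else None

def is_clamav_tempfile(path, temp_dir):
    """True only if the name fits the pattern AND the file sits directly in temp_dir
    (the directory that %TEMP%/%TMP%/%LOCALAPPDATA% pointed at on the page's system)."""
    p = PureWindowsPath(path)
    if parse_clamtmp_name(p.name) is None:
        return False
    # Windows paths are case-insensitive, so compare lowercased strings.
    return str(p.parent).lower() == str(PureWindowsPath(temp_dir)).lower()

def exclusion_filter(observed_name, wildcard_suffix=False):
    """Turn an observed clamtmp name into a '?'-wildcard filter (one '?' per char).
    The 32-hex part is always wildcarded; the 8-hex suffix only if wildcard_suffix,
    since the page saw that suffix differ (0000109c versus 00001fd4)."""
    parsed = parse_clamtmp_name(observed_name)
    if parsed is None:
        raise ValueError(f"not a clamtmp name: {observed_name}")
    suffix = "?" * 8 if wildcard_suffix else parsed[1]
    return f"clamav-{'?' * 32}.{suffix}.clamtmp"

def filter_matches(pattern, name):
    """Apply a '?'-wildcard filter to a filename, case-insensitively."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())

if __name__ == "__main__":
    # Constructed usage based on the filename quoted on the page.
    seen = r"C:\Users\User\AppData\Local\Temp\clamav-1b19b78b55fb6cdd4d2a99c7613ed0d0.00001fd4.clamtmp"
    print(is_clamav_tempfile(seen, r"C:\Users\User\AppData\Local\Temp"))
    print(exclusion_filter(PureWindowsPath(seen).name, wildcard_suffix=True))
```

A filter keyed on the old 0000109c suffix will not match a file ending in 00001fd4, which is why the suffix can be wildcarded too.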

Other info/questions
Outdated engine

When performing a Memory Scan in Clam Sentinel, a message like the following may show:

LibClamAV Warning: ***********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***
LibClamAV Warning: *** DON'T PANIC! Read ***
LibClamAV Warning: ***********************************************************
 *** Scanning Programs in Computer Memory ***
---Please login as an Administrator to scan System processes loaded in computer
 *** Memory Scan: using ToolHelp ***

The simple recommendation for most users is to not worry about it. (That is why the phrase “DON'T PANIC!” is shown.) Simply ignore this specific warning. For those who want more details, the following explains why.

Realize that ClamWin has used technology from a separate, independent project called ClamAV. ClamWin was released well before ClamAV produced its own release for Microsoft Windows. This message may occur if the latest release of ClamWin isn't using some updated software code that has been released by the ClamAV team. This does not mean that the virus definitions are out of date.
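The following Python, added here as an example and not code from ClamWin or Clam Sentinel, separates that outdated-engine banner from any other LibClamAV warning, records the administrator notice as a coverage gap (system processes were skipped), and collects detections. It assumes the usual “<path>: <signature> FOUND” detection line and runs over a constructed sample built from the lines shown above.

```python
import re

WARNING_RE = re.compile(r"^LibClamAV Warning:\s*(.*)$")
BANNER_RE = re.compile(r"engine is outdated|DON'T PANIC", re.IGNORECASE)
ADMIN_RE = re.compile(r"login as an Administrator", re.IGNORECASE)
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")  # assumed detection shape

def classify_line(line):
    """Label one line of scan output; returns (kind, payload)."""
    m = WARNING_RE.match(line)
    if m:
        text = m.group(1).strip("* \t")
        # The banner is several lines: asterisk rows, the "outdated" sentence
        # and "DON'T PANIC". All of them are ignorable.
        if not text or BANNER_RE.search(text):
            return "engine_banner", text
        return "warning", text              # any other LibClamAV warning is kept
    if ADMIN_RE.search(line):
        # Not an error, but system processes were not scanned: record the gap.
        return "coverage_note", line.strip("- ").strip()
    m = FOUND_RE.match(line.strip())
    if m:
        return "detection", (m.group("path"), m.group("sig"))
    return "info", line.strip()

def triage_scan_output(lines):
    """Summarise scan output, keeping the harmless banner apart from real findings."""
    summary = {"engine_outdated": False, "warnings": [],
               "detections": [], "coverage_notes": []}
    for line in lines:
        kind, payload = classify_line(line)
        if kind == "engine_banner":
            if "outdated" in payload.lower():
                summary["engine_outdated"] = True
        elif kind != "info":
            summary[kind + "s"].append(payload)
    return summary

# Constructed sample: the page's banner plus one unrelated warning and one detection.
SAMPLE_OUTPUT = [
    "LibClamAV Warning: ***********************************************************",
    "LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***",
    "LibClamAV Warning: *** DON'T PANIC! Read ***",
    "LibClamAV Warning: ***********************************************************",
    " *** Scanning Programs in Computer Memory ***",
    "---Please login as an Administrator to scan System processes loaded in computer",
    " *** Memory Scan: using ToolHelp ***",
    "LibClamAV Warning: constructed example of an unrelated warning",
    r"C:\Users\User\Downloads\sample.exe: Win.Trojan.Agent-###### FOUND",
]

if __name__ == "__main__":
    print(triage_scan_output(SAMPLE_OUTPUT))
```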

To respond, one may wish to check if ClamWin has been updated to use the new code by the ClamAV team. (This code is what LibClamAV is referring to and warning about.) The shortcut/context/“right-click” menu of the icon in the “system tray” (a.k.a. “message notification area”) can be accessed, and then a “Check Latest Version” menu option will open up a web browser to a page that checks for the latest version. In the main program's GUI, the Help menu has a “Check Latest Version” option that goes to the same web page.

If the latest version of the ClamWin software still isn't using the updated code, then there isn't much that can be done in response to the warning. The warning will be removed if and when the ClamWin development team decides to incorporate newer code to make that message go away. Until that is done, if the ClamWin software is configured to allow such warnings to be visible, then that is simply behavior designed (and surely known) by the ClamWin team.