Making ClamWin Be Used In Real-Time

At the time of this writing, real-time scanning is not provided directly by ClamWin. To add that feature, there are multiple solutions, including WinPooch. This guide shows how to do it using Clam Sentinel.

Clam Sentinel
Warnings

This software may potentially be useful, but there are some considerations that should be understood before it is deployed.

Discontinued
Windows 10 not mentioned

Although ClamWin may still receive updates, Clam Sentinel is discontinued. Furthermore, the software says it was designed for (Microsoft) “Windows 98/98SE/ME/2000/XP/Vista, Windows 7 and Windows 8”. So, even after Windows 11's release date of October 5, 2021, the home page still didn't mention working under Windows 10. In fact, it does function under Windows 10, but using such a software solution could be quite challenging to professionally defend if any problems came up.

While the main web page at clamsentinel.sf.net didn't mention the discontinuation, the software remained at version 1.22 for many years (from January 18th, 2014 through at least 2022). The main page didn't mention support for any “Server” operating systems besides a general mention of Win2K, and nothing newer than Windows 8, although http://sf.net/projects/clamsentinel does say “Supports Windows 98 and newer computers”.

A key former developer's recommendation

http://sf.net/p/clamsentinel/wiki/Home/ mentions two members, “Andrea Russo (admin)” and “Robert Scroggins (admin)”.

A 2019-October-13 post by Robert Scroggins discusses the current state: “Clam Sentinel. It is dead! ClamWin is also nearly dead too! It's time to move on to another AV that provides better protection than ClamSentinel/ClamWin.” He notes, “Clam Sentinel was discontinued in 2014, and Andrea Russo has no further desire to work on it. The ClamWin developer has also shown no desire to improve ClamWin--or even maintain it for Clam AV program updates beyond a minimal level. ClamWin does not have a lot of the Clam AV improvements starting with version .95. I think ClamWin developer Alch will abandon it after it is no longer needed by Windows 98 users, which should be pretty soon--it has been 21 years since Win 98 came out!”

In fact, Alch, the creator of ClamWin, appears not to have discontinued ClamWin after version 0.95 (on June 7, 2021, version 0.103.2.1 was added to http://sf.net/projects/clamwin/files/clamwin/, although that then remained the latest version for over 13 months afterward).

Robert went on to say, “For gap protection, good antivirus companies rely upon heuristics and/or behavior blockers,” ... “and a "back-end" that scans files/file details with artificial intelligence/machine learning. The only protection that Clam AV/ClamWin have are signatures. There are no significant heuristics/behavior blocking” ... “Clam AV is not going to devote any significant resources, other than the signatures, to protect users of a free AV.”

He also recommends protection for when someone visits a “malicious website”, and anti-virus software that provides over 50,000 signatures per day (as a modern amount; he cites an example of a reference to 30,000 signatures per day from back in the year 2013).

Robert notes, “It was at my suggestion that” Mister Andrea Russo “added the heuristics to provide some extra protection to ClamWin users. I helped with Sentinel's heuristics, testing, and some of the improvements made after he originally developed it for his personal Win 98 computer in 2012. I helped him with improvements/testing until he quit Clam Sentinel in 2014.” Adding to his knowledge of working with anti-virus software, he notes that he “was a sigmaker at Clam AV from 2009 to 2014.”

Examples

When trying to download its own installer using Google Chrome, the file Downloads\5fee9604-91f7-4ac1-863d-d0d31ee1d0b5.tmp (under the user's profile directory) was flagged with “A obfuscated file was moved to quarantine!” ([sic], doesn't say “An”) and, still from the same download attempt in Google Chrome, “A suspicious file was moved to quarantine!” for “File: f_052012” located under “AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\” (under the main user account's profile directory). While the software could be stopped and the file then recovered or re-downloaded, it is the opinion of the author of this text that this incident shows a certain lack of polish in the experience of trying to use this software.

Maybe such a detection doesn't signify the end of the world for some people, but consider that it seems exceedingly unlikely that Clam Sentinel staff will be offering support for any problems that anyone has. So, you may be rather “on your own”...

Speed warning

The author of this text has tried recommending Clam Sentinel to multiple people, and helped to get it installed. Users who were individually helped have later noted that their system is running very slowly, and similar reports surfaced when this was recommended to groups of people. The severity of the problem was so great that even a proponent of the software felt compelled to place this warning here. In light of how significant the slowdown seemed to commonly be, failing to provide this warning would just seem irresponsible.

When helping demanding users, this solution may be unsuitable unless some modifications are made. The slowness generally seems to come from keeping the disk heavily occupied, but a Clam product (either ClamWin or Clam Sentinel) has been seen to take up a lot of RAM, and scanning can also be CPU intensive. (In theory, RAM consumption could lead to swapping, which takes up both disk and CPU time, so RAM pressure alone could account for all of the observed symptoms.)

The severity probably varies between different systems. One system may be able to run this software pretty fine, while another may be very heavily impacted.

(Note that much/most of this section was written prior to the version that the Wayback Machine @ archive.org captured on 2014-July-1st. It does seem entirely possible that the speed difference may be notably less impacting on much newer computers.)

As this is an Open Source product, a fix could likely be added to the program itself (for example, thresholds that alter behavior based on available system resources). Otherwise, some relief may be found by using other tools to control the system slowness. On one system, various tools for handling a busy CPU were tested; they are discussed further in the section about handling CPU usage. Suffice it to say that there is an Open Source solution (named Battle Encoder Shirase) which may have helped, although Process Tamer did seem to be a bit more useful.

Other than CPU handling, there may be some other approaches to help with system slowness. Further discussions may be seen by checking out some resources pointed to by the section on troubleshooting slow systems; especially handling busy disks.

Despite these warnings, the software is capable of finding some threats through signature-based scanning, in a way that is completely free and typically able to operate in a self-sustained fashion without manual intervention, using only “open source” software. These advantages may still make the project interesting, even if only as a model to build upon.

[#insclmsn]: Installing Clam Sentinel

Obtain the file from http://ClamSentinel.sf.net. Installation is straightforward.

(Screenshots: Clam Sentinel installation screens #1 through #7.)

After installation, some older versions of Clam Sentinel had one item that needed to be configured for the software to really be useful: which fixed drives exist, as described in the Clam Sentinel Configuration section. This might not be needed with newer versions.

[#cfgclmsn]: Configuring Clam Sentinel

(Screenshot: menu option to “Choose fixed disks to monitor”.)

Choose “Advanced settings” and then “Choose fixed disks to monitor”.

(Screenshots: the dialog box allowing the user to choose fixed disks, followed by the same dialog box showing that the user chose all fixed disks.)

With some older versions of Clam Sentinel (this might not be true any more), only “C:\” will initially be checked. This software may be intelligent enough that it only shows the drives that “My Computer” identifies as “Hard Disk Drives”, and does not show the drives identified by “My Computer” as “Devices with Removable Storage”. So, go ahead and check all the boxes before choosing the “Confirm” button.

(Screenshot: menu of settings, including options for handling infected files. The screenshot shows a sub-menu which probably does not need any changes.)

On the other “Settings” menu, the first option, “Run Clam Sentinel on startup”, should be checked if long term protection from Clam Sentinel is desired. This option starts out unchecked, so go ahead and check it.

Also, “Scan the memory when the program starts” should be checked if high security is the goal. This starts a memory scan which may take minutes and will be visible. (The title of the window will reflect the filename cmd.exe.) This window may be minimized. If it is too annoying, this option may be unchecked. (If this is little more than a command line option, a batch file that runs START /MIN /BELOWNORMAL may be nicer.)

Info for old versions

Older versions of Clam Sentinel had some options about using daily signatures. Those options have been removed (possibly with version 1.12). TOOGAM had asked the author, Andrea Russo, “why are the default options to not use daily.csv?” The response given was “I have deleted the use of the daily signature because don't protect from the others viruses.” TOOGAM replied, “I do not understand this section of your statement. Certainly the daily.cld files are meant to provide information that would be useful for scanning. Otherwise, why would the ClamWin team be distributing such files?” The information was forwarded to Robert Scroggins of the ClamWin team. Bob Scroggins replied, “Sentinel normally scans using both the main and daily signature databases from Clam. In an attempt to speed up Sentinel's scans, however, a Sentinel option to only use the daily signatures was included at one time. However, this option was removed because it did not provide adequate protection to the user and, in fact, might give him/her a false sense of security. In addition, this option did not significantly improve Sentinel's scan speed.” The E-Mail went on to say, “The daily signatures are composed of recent submission to Clam, and they are integrated into the main signature database approximately every three months or so. When they are integrated, there will not be many signatures in the new daily database for some time.”

The advice that seemed most likely to increase protection by the largest amount was to enable these options. To do so, with versions of Clam Sentinel that supported the options, access the shortcut/context/“right-click” menu of the Clam Sentinel icon in the “system tray”/“message notification area”; under “Settings” there were three options that were off by default: “Use daily signature for realtime scan”, “Use daily signature for memory scan”, and “Use daily signature for drives scan”.

Another option that may be customized is the “Paths not scanned” list of folders located under “Advanced Settings”. Specifically, add in any quarantine folders of any scanning programs used.

People using a trusted download source might decide not to scan content from that source. Note that doing so would allow malicious software to enter the computer if that software was provided by the source itself. Also, any other malicious party with permission to write to those locations would be able to introduce malicious content there. As an example, malicious people unrelated to the organization behind the source may write to the area of the hard drive intended for that software, precisely because they know or suspect that area of the filesystem is not checked or enforced as rigorously. Do not just assume that the organization representing the official maintainers of some “software distribution” program will be the only entity that tries to write to that program's directory.

Steam-Specific commentary

Some quick off-topic notes: Clam Sentinel does seem to have some history of interfering with the installation, or updating, of some games. Users may find that software works better by adding those exceptions, or by remembering to disable Clam Sentinel when updates occur. (For additional Steam-specific details, including the directories/paths involved, see: Steam-specific details related to anti-malware software.)

For many systems using Steam on a 64-bit operating system, the following may be worth excluding.

<C:\\Program\ Files\ \(x86\)\\Steam\\steamapps\\.*>

(On a 32-bit operating system, just remove the “ (x86)” portion between the word “Files” and the two backslashes before the word “Steam”.)

Another option to consider is the list of file extensions scanned. The guide “Clam Sentinel Program Description And Setup” says Sentinel “comes configured with about 120 Windows file extensions, which is very complete. Users who know what they are doing may want to configure their own custom extensions for Sentinel to scan. Any number of extensions that is less than 120 will speed up Sentinel's scanning time. Most viruses will be found in a group of only about 40-50 extensions.” (The guide does not specify which ones those are.)

Note that Clam Sentinel's Readme.txt states that having Clam Sentinel scan while ClamWin is performing a manual scan, or while another real-time Anti-Virus program is being used, may use up a lot of processor time and slow things down. The text file specifically says “I think you need to caution users not to do that.” Running multiple real-time scanners is generally not recommended, due to stacked slowdowns, possible interference of one of the programs by the other, and possible problems that are more severe to the point that such programs are often considered incompatible with one another. (However, the guide “Clam Sentinel Program Description And Setup” does reference using “Sentinel with another antivirus/antimalware program”.)

There is some information online at a page called Clam Sentinel Program Description And Setup. About the “Detect PUA (Potentially Unwanted Applications)” (or “Select PUA”) option, this page says “You would not normally want to select this option” because of concerns about many false positives. The logic that only new files are likely to cause new false positives is false, because ClamWin signature updates can cause existing files that previously scanned as clean to become detected.

A completely optional step: If one wants to limit the quarantine exclusion to only skip files that Clam Sentinel has renamed to *.infected (or *.infected.*), then something like the following “regular expression” may be used. (Be sure to customize it to whatever quarantine subdirectory is actually being used.)

Sample patterns for ClamWin

<C:\\Quarant\\.*\.infected(\..*)?>

(or, if you did not customize the quarantine directory to an easier-to-access location...)

<C:\\ProgramData\\.clamwin\\quarantine\\.*\.infected(\..*)?>

Exclusions in Clam Sentinel

Choose “Advanced settings”, “Paths or files not scanned”. The defaults are “%APPDATA%\Microsoft\Windows\Recent”, “*.RBF” and “*.RBS”. Make sure to add:

%TEMP%\Temp

(Or, if this works, it would be even better: %TEMP%\clamav-*.tmp\) (Clear documentation of exactly what syntax is supported here has not yet been found.)

(It is unclear whether %TEMP% is what is actually used, or perhaps %TMP% or %LOCALAPPDATA%\Temp.)

Perhaps also: C:\Users\All Users\.clamwin\quarantine

Funnily enough, once something is brought back from quarantine using Clam Sentinel's own “Sentinel Recover” (or using the “Quarantine Browser” which comes with “ClamWin Antivirus”), that doesn't seem to exclude the file from being re-checked and placed there again. (So if you want the file to remain, you might need to add an exclusion that keeps that file out of any future scanning.) Sentinel Recover does show a message, “Stop Clam Sentinel before” [attempting] “to restore the files”.

For anyone interested in customizing the above, here's an explanation: The inequality signs (< and >) specify that what is inside is what many computer programmers refer to as a “regular expression”. Folder names are separated by double backslashes, because a single backslash is the regular expression's escape character, so a literal backslash must be written as two. That should be all one needs to know to simply change folders. The \. refers to a literal period. The other two periods refer to a single character (except for a new line character, although that exception isn't likely to matter here), similar to how many operating systems use ? to refer to a single character. The star means to repeat whatever came before it zero or more times, and since the character before each star is a wildcard for a single character, .* means any run of characters (possibly none). The ? in the above makes the previous item optional, which in this case is the group created by the parentheses. So, anything ending with .infected or .infected.* will not be scanned.

Enable Fuller Checking in Clam Sentinel

OPTIONAL, and actually not usually recommended: Choose Settings, Monitor System for new malware, and choose the top option, “Detect Suspicious Files and warn about system changes” (not the default option, which is the second option and simply says “Detect Suspicious Files”).

If you do this, Clam Sentinel is likely to show messages (in little corner boxes, possibly using Windows Notification messages) whenever there is a “Modified folder” under C:\Users\(your-username)\AppData\Local\. Examples seen include: Temp\clamav-2c7472477e3a04e4377b8c35b8ca1a04.tmp\; DROPBOX\METRICS\STORE.BIN; GOOGLE\CHROME SXS\TEMP\SOURCE27708_523363414\CHROME-BIN\106.0.5227.0\CHROME.DLL: Can't allocate memory ERROR; and folders under Chrome SxS (probably C:\Users\SysOp\AppData\Local\Temp\

[#tstclnsn]: Testing Clam Sentinel

Clam Sentinel does show a visual indicator when it is responsible for causing ClamWin to perform scanning. The icon will change to have a yellow outline. This can be seen by the difference between the following two graphics:

Clam Sentinel inactive: (icon screenshot)

Clam Sentinel active: (icon screenshot)

(Clam Sentinel also has a darker graphic, which is shown if “Stop” is chosen on the program's menu. In this graphic, the blue and purple parts of the shield are black. (This icon with the black is seen in the screenshot showing what happens when a manual ClamWin scan detects a signature.) Selecting “Start” will cause the icon to show the blue and purple colors again.)

Also, when Clam Sentinel is scanning, the tooltip may have “ - Scanning...” added to the end of the regular Tooltip text.

Visit the web page about the EICAR Anti-Malware Test File (http://www.eicar.org/anti_virus_test_file.htm) and locate the downloads section near the bottom of the page.


(In the above example, the user logged in was named “SysOp”, an old term meaning “system operator”.)

To see the renamed file, right click on the Clam Sentinel button and select “Quarantine Folder”. An Explorer interface will show the files that are in the quarantine folder. If a file already exists with a name ending with *.infected, the next file with the same name will be given a double extension of “.infected.000” and the next file will end with “.infected.001”. Note that the file renaming may be impacted by one of the options within the Clam Sentinel software that chooses whether to “Move to quarantine folder” or “Report only”.
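To tie the exclusion patterns from the “Exclusions in Clam Sentinel” section to the quarantine naming described just above, here is an added example (not code from this page or from the Clam Sentinel project). It reads the page's own <...> entries as regular expressions, and it makes three assumptions that the page does not confirm: that a <...> entry must match the whole path, that matching is case-insensitive (as Windows paths are), and that an entry without the inequality signs, such as the default *.RBF, is an ordinary wildcard. The sample paths are constructed for the demonstration and need not exist.

```python
import re
from fnmatch import fnmatchcase

# Entries from the page's "Paths or files not scanned" discussion. The <...>
# entries are the regular expressions shown on the page; *.RBF is one of the
# listed defaults. Treating a non-<...> entry as a plain wildcard is an
# assumption made here, not documented Clam Sentinel behaviour.
EXCLUSIONS = [
    r"<C:\\Quarant\\.*\.infected(\..*)?>",
    r"<C:\\ProgramData\\.clamwin\\quarantine\\.*\.infected(\..*)?>",
    r"<C:\\Program\ Files\ \(x86\)\\Steam\\steamapps\\.*>",
    "*.RBF",
]


def matches_entry(path, entry):
    """Return True if one exclusion entry covers the given path.

    Assumptions: a <...> entry is a regular expression that must match the
    whole path, and matching is case-insensitive (Windows paths are)."""
    if entry.startswith("<") and entry.endswith(">"):
        return re.fullmatch(entry[1:-1], path, re.IGNORECASE) is not None
    return fnmatchcase(path.lower(), entry.lower())


def is_excluded(path, entries=EXCLUSIONS):
    """True if any configured entry would keep Clam Sentinel from scanning path."""
    return any(matches_entry(path, e) for e in entries)


def next_quarantine_name(original, existing):
    """Reproduce the renaming scheme described above: the first copy becomes
    name.infected, later copies of the same name get .infected.000,
    .infected.001, and so on."""
    base = original + ".infected"
    if base not in existing:
        return base
    n = 0
    while f"{base}.{n:03d}" in existing:
        n += 1
    return f"{base}.{n:03d}"


def quarantine_and_check(originals, folder=r"C:\Quarant"):
    """Quarantine each file name in turn (simulated; no files are touched) and
    report whether the exclusion list would stop the quarantined copy from
    being rescanned and quarantined again."""
    existing = set()
    results = []
    for name in originals:
        qname = next_quarantine_name(name, existing)
        existing.add(qname)
        full = folder + "\\" + qname
        results.append((full, is_excluded(full)))
    return results


if __name__ == "__main__":
    # Constructed sample paths; none of these need to exist.
    samples = [
        r"C:\Quarant\eicar.com.infected",
        r"C:\Quarant\eicar.com.infected.000",
        r"C:\Quarant\eicarXinfected",  # no literal ".infected": still scanned
        r"C:\ProgramData\.clamwin\quarantine\x.exe.infected",
        r"C:\Program Files (x86)\Steam\steamapps\common\demo\demo.exe",
        r"C:\Program Files\Steam\steamapps\common\demo\demo.exe",  # 32-bit layout
        r"C:\Users\SysOp\Downloads\eicar.com",
        r"C:\Windows\Installer\abc.RBF",
    ]
    for path in samples:
        label = "excluded" if is_excluded(path) else "scanned"
        print(f"{label:8} {path}")
    # Three files named eicar.com quarantined one after another.
    for full, skipped in quarantine_and_check(["eicar.com"] * 3):
        label = "excluded" if skipped else "scanned"
        print(f"{label:8} {full}")
```

The eicarXinfected line shows why the page escapes the period as \.: with the escape, only a literal “.infected” suffix is excluded, whereas an unescaped period would also let a file such as eicarXinfected slip past scanning. The 32-bit Steam path is listed as scanned because the pattern above is the 64-bit one; as the page notes, the “ (x86)” portion has to be removed for a 32-bit operating system.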

Signature Files

Presumably these are no different than ClamWin's signature files. In other words, presumably Clam Sentinel has no signature files of its own, and so the only signature files that are in use would be ClamWin's.

Misc comments

It appears that Clam Sentinel support requests on SourceForge may be regularly updated. See also: Clam Sentinel Support section on SourceForge (or, see also: alternate URL which redirects to Clam Sentinel Support section on SourceForge).

The main Clam Sentinel home page tends to report the version number of the latest version, while not providing any details about exactly what is new between versions. It is nice to know why effort is spent upgrading software. Perhaps some details can be determined or guessed by reviewing ClamWin CVS Repository, sorted by date.

Note that (at least as of version 1.22), this software does not seem to register itself with Microsoft Windows Security Center. (So, in Windows 10, this won't show up if you ran WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct get displayName,productState,timestamp /value)

On 2019-10-13, at https://sourceforge.net/p/clamsentinel/feature-requests/12/#780c/ecfa/d773/786a/592a/2c4d, Robert Scroggins wrote, “There will be no more changes to Clam Sentinel. It is dead! ClamWin is also nearly dead too!” “Clam Sentinel was discontinued in 2014, and Andrea Russo has no further desire to work on it. The ClamWin developer has also shown no desire to improve ClamWin--or even maintain it for Clam AV program updates beyond a minimal level. ClamWin does not have a lot of the Clam AV improvements starting with version .95. I think ClamWin developer Alch will abandon it after it is no longer needed by Windows 98 users, which should be pretty soon--it has been 21 years since Win 98 came out!”

WHSClamAV

Users of “Windows Home Server” may be pleased to know of a project made specifically for that operating system: WHSClamAV.sf.net.

Other

Tail Ace, a project on sf.net, monitors changes to files, so perhaps it can be used effectively as part of a real-time solution?