Making ClamWin Be Used In Real-Time

At the time of this writing, real-time scanning is not provided directly by ClamWin. There are multiple ways to add that feature, including WinPooch. This guide shows how to do it with Clam Sentinel.

Clam Sentinel

Speed warning

The author of this text has tried recommending Clam Sentinel to multiple people, and helped to get it installed. Users who were individually helped have later noted that their system is running very slowly, and similar reports surfaced when this was recommended to groups of people. The severity of the problem was so great that even a proponent of the software felt compelled to place this warning here. Failing to provide this warning would just seem irresponsible.

When helping demanding users, this solution may be unsuitable unless some modifications are made. The slowness seems to come mainly from keeping the disk heavily occupied, but a Clam product (either ClamWin or Clam Sentinel) has also been seen to take up a lot of RAM, and the scanning itself is believed to be CPU intensive. (In theory, RAM consumption could lead to swapping, which takes up CPU time, so RAM alone might account for all of this.)

The severity probably varies between systems. One system may run this software fine, while another may be very heavily impacted.

As this is an Open Source product, internal solutions could probably be added (for example, thresholds that alter behavior based on available system resources). Otherwise, other tools may help control the system slowness. Various solutions for handling a busy CPU were tested on one system; they are discussed further in the section about handling CPU usage. Suffice it to say that there is an Open Source solution (named Battle Encoder Shirase) which may have helped, although Process Tamer did seem to be a bit more useful.

Other than CPU handling, there may be other approaches to help with system slowness. Further discussion can be found in the resources pointed to by the section on troubleshooting slow systems, especially the part on handling busy disks.

[#insclmsn]: Installing Clam Sentinel

Obtain the file from http://ClamSentinel.sf.net. Installation is straight-forward.

[Screenshots: Clam Sentinel installation screens #1 through #7]

After installation, some older versions of Clam Sentinel had one item that needed to be configured for the software to really be useful: which fixed drives exist, as noted in the Clam Sentinel Configuration section. This might not be needed with newer versions.

[#cfgclmsn]: Configuring Clam Sentinel

[Screenshot: menu option to “Choose fixed disks to monitor”]

Choose “Advanced settings” and then “Choose fixed disks to monitor”.

[Screenshots: dialog box allowing the user to choose fixed disks, followed by the dialog box showing that the user chose all fixed disks]

With some older versions of Clam Sentinel (this might not be true any more), only “C:\” will initially be checked. The software may be intelligent enough to show only the drives that “My Computer” identifies as “Hard Disk Drives”, and not the drives “My Computer” identifies as “Devices with Removable Storage”. So, go ahead and check all the boxes before choosing the “Confirm” button.

[Screenshot: menu of settings, including options for handling infected files]

(The above screenshot shows a sub-menu which probably does not need any changes.)

On the other “Settings” menu, the first option, “Run Clam Sentinel on startup”, should be checked if long term protection from Clam Sentinel is desired. This option starts out unchecked, so go ahead and check it.

Also, “Scan the memory when the program starts” is recommended if high security is the goal. This starts a memory scan which may take minutes and will be visible (the title of the window will reflect the filename cmd.exe). This window may be minimized. If it is too annoying, the option may be unchecked. (If this is little more than a command line, a batch file that runs START /MIN /BELOWNORMAL may be nicer.)

Info for old versions

Older versions of Clam Sentinel had some options about using daily signatures. Those options have been removed (possibly with version 1.12). TOOGAM had asked the author, Andrea Russo, “why are the default options to not use daily.csv?” The response given was “I have deleted the use of the daily signature because it doesn't protect from the other viruses.” TOOGAM replied, “I do not understand this section of your statement. Certainly the daily.cld files are meant to provide information that would be useful for scanning. Otherwise, why would the ClamWin team be distributing such files?” The information was forwarded to Robert Scroggins of the ClamWin team. Bob Scroggins replied, “Sentinel normally scans using both the main and daily signature databases from Clam. In an attempt to speed up Sentinel's scans, however, a Sentinel option to only use the daily signatures was included at one time. However, this option was removed because it did not provide adequate protection to the user and, in fact, might give him/her a false sense of security. In addition, this option did not significantly improve Sentinel's scan speed.” The E-Mail went on to say, “The daily signatures are composed of recent submissions to Clam, and they are integrated into the main signature database approximately every three months or so. When they are integrated, there will not be many signatures in the new daily database for some time.”

The recommendation that seemed most reasonable for increasing protection by the largest amount was to enable these options. To do so, with versions of Clam Sentinel that supported them, open the shortcut/context/“right-click” menu of the Clam Sentinel icon in the “system tray”/“message notification area”; under “Settings” there are three options which were off by default: “Use daily signature for realtime scan”, “Use daily signature for memory scan”, and “Use daily signature for drives scan”.

Another option that may be customized is the “Paths not scanned” list of folders located under “Advanced Settings”. Specifically, add in any quarantine folders of any scanning programs used.

People using a trusted download source might decide not to scan content from that download source. Note that doing so would allow malicious software to enter the computer system if that software was provided by that download source. Also, anyone else with permission to write to those locations would be able to introduce malicious content there. As an example, malicious people who are unrelated to the organization behind the Steam software may write to Steam's area of the hard drive if they know that Steam's area of the filesystem is not checked as rigorously. Do not just assume that Valve is the only organization that would try to write to Steam's directory.

Steam-Specific commentary

Some quick off-topic notes: Clam Sentinel does seem to have some history of interfering with the installation, or updating, of some games. Users may find that such software works better after adding those exceptions, or by remembering to disable Clam Sentinel when updates occur. (For additional Steam-specific details, including the directories/paths involved, see: Steam-specific details related to anti-malware software.)

Another option to consider is the list of file extensions scanned. The guide “Clam Sentinel Program Description And Setup” says Sentinel “comes configured with about 120 Windows file extensions, which is very complete. Users who know what they are doing may want to configure their own custom extensions for Sentinel to scan. Any number of extensions that is less than 120 will speed up Sentinel's scanning time. Most viruses will be found in a group of only about 40-50 extensions.” (The guide does not specify which ones those are.)

Note that Clam Sentinel's Readme.txt states that having Clam Sentinel scan while ClamWin is performing a manual scan, or while another real-time Anti-Virus program is being used, may use up a lot of processor time and slow things down. The text file specifically says “I think you need to caution users not to do that.” Running multiple real-time scanners is generally not recommended, due to stacked slowdowns, possible interference of one of the programs by the other, and possible problems that are more severe to the point that such programs are often considered incompatible with one another. (However, the guide “Clam Sentinel Program Description And Setup” does reference using “Sentinel with another antivirus/antimalware program”.)

There is some information online at a page called Clam Sentinel Program Description And Setup. About the “Detect PUA (Potentially Unwanted Applications)” (or “Select PUA”) option, this page says “You would not normally want to select this option” because of concerns about many false positives. The logic that only new files are likely to cause new false positives is flawed, because ClamWin signature updates can cause existing files, previously scanned as clean, to become detected.

A completely optional step: to limit the quarantine exclusion so that it only skips files that Clam Sentinel has renamed to *.infected (or *.infected.*), something like the following “regular expression” may be used. (Be sure to customize it to whatever quarantine subdirectory is actually being used.)

<C:\\Quarant\\.*\.infected(\..*)?>

For anyone interested in customizing the above, here's an explanation: The inequality signs (< and >) specify that what is inside is what many computer programmers refer to as a “regular expression”. Folder names are separated by double backslashes. That should be all one needs to know to simply change folders. The \. refers to a literal period. The other two periods each refer to a single character (except for a new line character, although that exception isn't likely to matter here), similar to how many operating systems use ? to refer to a single character. The star means to repeat whatever came before it zero or more times, and since the character before it is a wildcard for a single character, .* means any run of characters, including an empty one. The ? in the above makes the previous item optional, which in this case is the group created by the parentheses. So, anything ending with .infected or .infected.* will not be scanned, while a file in the quarantine folder that has not been renamed is still scanned.
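As an added example (not code from Clam Sentinel or from this guide), the following Python evaluates a small “Paths not scanned” list the way the text describes it, so that the effect of the narrow regular-expression exclusion above can be compared with a plain folder exclusion of the kind discussed for Steam. The matching rules are assumptions: an entry wrapped in < and > is treated as a regular expression matched case-insensitively against the whole path, and a plain entry excludes everything beneath that folder. The Steam entry and all sample paths are constructed.

```python
import re

# Constructed "Paths not scanned" list. The first entry is the pattern
# from the text; the second is a broad folder exclusion for comparison.
EXCLUSIONS = [
    r"<C:\\Quarant\\.*\.infected(\..*)?>",   # regex: only renamed quarantine files
    r"C:\Program Files\Steam",               # folder: everything beneath it (constructed)
]


def parse_entry(entry):
    """Classify one list entry as a regex (wrapped in < >) or a plain folder.

    Assumption: Clam Sentinel applies a regex to the whole path; this
    mimics that with re.fullmatch and ignores letter case, as Windows does.
    """
    if len(entry) >= 2 and entry[0] == "<" and entry[-1] == ">":
        return ("regex", re.compile(entry[1:-1], re.IGNORECASE))
    # Normalize the folder so "C:\Steam" and "C:\Steam\" behave the same.
    return ("folder", entry.rstrip("\\").lower() + "\\")


def is_excluded(path, exclusions=EXCLUSIONS):
    """True if any exclusion entry would stop Clam Sentinel scanning `path`."""
    for entry in exclusions:
        kind, value = parse_entry(entry)
        if kind == "regex":
            if value.fullmatch(path):
                return True
        elif path.lower().startswith(value):
            return True
    return False


# Constructed sample paths, with the outcome a defender should expect.
SAMPLE_PATHS = [
    r"C:\Quarant\report.doc.infected",       # renamed by Clam Sentinel: skipped
    r"C:\Quarant\report.doc.infected.000",   # second copy of the same name: skipped
    r"C:\Quarant\dropper.exe",               # not renamed: still scanned
    r"C:\Quarantine\other.infected",         # different folder: still scanned
    r"C:\Program Files\Steam\steam.exe",     # inside the excluded folder: skipped
    r"C:\Program Files\Steam\dropped.exe",   # anything written there is also skipped
]


def classify(paths=SAMPLE_PATHS):
    """Map each path to whether the exclusion list would skip it."""
    return {p: is_excluded(p) for p in paths}


if __name__ == "__main__":
    for path, skipped in classify().items():
        print(f"{'skip' if skipped else 'SCAN'}  {path}")
```

The regex entry skips only files Clam Sentinel itself has renamed, so a fresh executable dropped into the quarantine folder is still scanned; the folder entry skips whatever anyone writes beneath it, which is the trade-off the Steam paragraph warns about.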

[#tstclnsn]: Testing Clam Sentinel

Clam Sentinel does show a visual indicator when it is responsible for causing ClamWin to perform scanning. The icon will change to have a yellow outline. This can be seen by the difference between the following two graphics:

[Icons: Clam Sentinel inactive; Clam Sentinel active (with yellow outline)]

(Clam Sentinel also has a darker graphic, which is shown if “Stop” is chosen on the program's menu; in it, the blue and purple parts of the shield are black. This black icon is seen in the screenshot showing what happens when a manual ClamWin scan detects a signature. Selecting “Start” will cause the icon to show the blue and purple colors again.)

Also, when Clam Sentinel is scanning, the tooltip may have “ - Scanning...” added to the end of the regular Tooltip text.

Visit the web page about the EICAR Anti-Malware Test File, http://www.eicar.org/anti_virus_test_file.htm, and locate the downloads section near the bottom.


(In the above example, the user logged in was named “SysOp”, an old term meaning “system operator”.)

To see the renamed file, right-click on the Clam Sentinel button and select “Quarantine Folder”. An Explorer window will show the files that are in the quarantine folder. If a file already exists with a name ending in .infected, the next file with the same name will be given a double extension of “.infected.000”, and the one after that will end with “.infected.001”. Note that whether the file is renamed at all depends on the Clam Sentinel option that chooses between “Move to quarantine folder” and “Report only”.
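The naming sequence just described, reproduced as an added example in Python (this is not Clam Sentinel's own code). It follows the scheme in the text: the first copy gets “.infected”, later copies “.infected.000”, “.infected.001”, and so on, and “Report only” leaves the file where it is. The three-digit, zero-padded counter starting at 000 and its upper bound are assumptions.

```python
def quarantine_name(original_name, existing_names):
    """Return the name a detected file would receive in the quarantine folder.

    First copy: <name>.infected. If that name is taken, append a numbered
    suffix: <name>.infected.000, .001, ... (assumed three digits, assumed
    1000-copy limit).
    """
    taken = set(existing_names)
    candidate = original_name + ".infected"
    if candidate not in taken:
        return candidate
    for n in range(1000):
        candidate = f"{original_name}.infected.{n:03d}"
        if candidate not in taken:
            return candidate
    raise RuntimeError("no free quarantine name for " + original_name)


def handle_detection(original_name, quarantine_contents,
                     mode="Move to quarantine folder"):
    """Apply the infected-file setting to one detection.

    Returns the new quarantine name, or None under "Report only", where the
    file is left in place and only reported. `quarantine_contents` is the
    list of names already in the folder and is updated in place.
    """
    if mode == "Report only":
        return None
    name = quarantine_name(original_name, quarantine_contents)
    quarantine_contents.append(name)
    return name


def simulate(original_name, copies):
    """Quarantine the same file name `copies` times; return the names given."""
    contents = []  # constructed: the quarantine folder starts out empty
    return [handle_detection(original_name, contents) for _ in range(copies)]


if __name__ == "__main__":
    # Three downloads of the EICAR test file, each caught in turn.
    for name in simulate("eicar.com", 3):
        print(name)
```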

Signature Files

Presumably these are no different from ClamWin's signature files. In other words, Clam Sentinel presumably has no signature files of its own, so the only signature files in use would be ClamWin's.

Misc comments

It appears that Clam Sentinel support requests on SourceForge may be regularly updated. See also: Clam Sentinel Support section on SourceForge (or, see also: alternate URL which redirects to Clam Sentinel Support section on SourceForge).

The main Clam Sentinel home page tends to report the version number of the latest release without providing any details about exactly what is new between versions. It is nice to know why effort is spent upgrading software. Perhaps some details can be determined or guessed by reviewing the ClamWin CVS Repository, sorted by date.

WHSClamAV

Users of “Windows Home Server” may be pleased to know of a project made specifically for that operating system: WHSClamAV.sf.net.

Other

Tail Ace, a project on sf.net, monitors changes to files, so perhaps it can be used effectively as part of a real-time solution?