ClamWin or something else? (alternatives)

Discussion in 'other anti-virus software' started by Seer, Feb 8, 2008.

Thread Status:
Not open for further replies.
  1. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello.

    I rarely post in the AV forum as my experience with AVs is rather modest. Except for NOD, which I ran for the last 2 years (yes, past tense, NOD is gone for good), I had a short adventure with Kaspersky and that pretty much sums it all up. So I could use a little help in choosing an AV :)
    What I actually need is a dedicated on-demand AV with a command-line scanner. A CL scanner is essential, as I want to integrate it in SSM. (SSM will then give the option to manually scan every triggered file directly from the popup.)
    ClamWin first came to my mind and I thought it would fit perfectly in the equation. It does not run in any way until requested and has a command-line executable. No service, no driver, no unnecessary bloat whatsoever. Just a scanner. I actually like it very much (yes, the GUI too, lol), but ClamWin is somewhat out of focus on Wilders, to say the least, so that makes me a bit wary. IIRC when I last looked its detection rates were not stellar; is this getting better? If Clam's generally not recommended, are there similar alternatives? I don't need an AV with a 99% detection rate, but I wouldn't mind using one as long as it satisfies all my needs - 0 resources, 0 drivers/services, CL scanner. How about Avira or AVG? Avira has a driver loaded even if the guard is not installed, right? I may be wrong though...
    Being free is not a requirement, but on-demand AVs usually are.
    All suggestions are welcome,
    thanks,
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  3. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    over the last year, Clam has scored really poorly at Shadowserver.

    however, recently they always score high.

    improvements/improved?....... maybe

    only time will tell, I suppose.


    personally, I'd use something else. ;)
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    ClamAV isn't that bad as an on-demand scanner; it has one of the fastest response times. AFAIK, Dr.Web offers an up-to-date CLI scanner (paid IIRC)
     
  5. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    ClamAV, though much maligned here, does have some amazing response times due to its open-source nature. I often see 10 updates per day (vs. <1 per day for my current paid AV).
    Detection rates, however, still remain mediocre at best when compared to the "big boys". Updates are tedious.
    The Dr.'s Console Scanner may be your best bet, though it's not priced much lower than their AV for Windows.
    Much depends on your "risk profile" with regard to the detection efficacy required.
     
    Last edited: Feb 8, 2008
  6. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    They all have drivers loaded, otherwise they could not access the file system fast enough. You must be up in arms about BitDefender and its multiple services. Clam can be unloaded; what I am not sure of is whether it stays loaded after it is run. Perhaps there is a command-line option to unload it.

    Please explain what happens with SSM. Is it when there is some event that causes SSM to give a warning the file is scanned?
     
  7. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Interesting. Yearly stats unimpressive, but weekly, monthly very impressive.
    That is IF you put credence in Shadowserver's ratings (but that's a whole other thread :) ).
     
  8. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    regardless of whether you trust the testers or not, the results are from the same tester.

    and recent ones are quite impressive, although over the year ... poor.

    so maybe it's improving quite well, Bob.
     
  9. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I suspect there has been a real improvement. Every few days the yearly number for Clam moves up a bit, reflecting more of the newer good performance and less of the old. You might notice some similar statistics for Avast.
     
  10. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Obviously. Now I'm not qualified to judge Shadowserver's ratings...
    But do you believe that Clam is right on the heels of NOD32 & AntiVir?
    Or that its detection (based on monthly, weekly stats) is superior to (dare I say it) DrWeb, or Kaspersky, BitDefender and others?
     
  11. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    these are zero-day tests,

    and if you look over the year, Clam has performed poorly.

    but very, very recently, they score better than most.

    they have to keep it up though, to improve their detection rates.

    NOD32, Kaspersky and BitDefender don't seem to do very well at all.
     
  12. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Even the suggestion of the above will evoke flaming responses from NOD & KAV devotees, and the subsequent "Shadowserver's ratings are worthless" response!
    They may be right? Dunno. We'll all keep an eye on the Clam though.

    Cheers
     
  13. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    of course it will, I know that Bob.

    doesn't matter,

    that's what makes this place fun sometimes :D
     
  14. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Thank you all for your responses so far.

    I have had ClamWin running for a few days and I noticed the same; it looked pretty much active and 'alive'. So I thought to ask here.

    Thanks, I will try these to see how they run with SSM. Ewido looks appealing. It will take a few days though.

    Yes, what I meant is - not loaded all the time.

    Every triggered event. You need to enter the CL scanner path here -

    [attached screenshot: ssm1.jpg]

    and then -

    [attached screenshot: ssm2.jpg]

    Cheers,
     
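The setup described above, a HIPS prompt that hands the triggered file to a command-line scanner, needs a small wrapper that runs the scanner and turns its result into a verdict the user (or a log) can act on. The following is an added example and not code from this thread, from ClamWin or from SSM. It assumes a scanner that follows ClamAV's clamscan conventions (exit code 0 = clean, 1 = threat found, 2 = error, and one `<path>: <signature> FOUND` line per detection on stdout); the `fake_scanner` stand-in, the `Win.Test.Constructed-1` name and the sample file are constructed so the module runs offline.

```python
"""Wrapper around a clamscan-style command-line scanner, for use as the
"Scan..." action a HIPS such as SSM fires on a triggered file.

Added example, not code from the thread, ClamWin or SSM.  Assumes the
scanner follows ClamAV's clamscan conventions: exit code 0 = clean,
1 = threat found, 2 = error, and one "<path>: <signature> FOUND" line
per detection on stdout.  The fake scanner and sample file below are
constructed so the module runs offline.
"""
import hashlib
import subprocess
import sys
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

EXIT_CLEAN, EXIT_INFECTED, EXIT_ERROR = 0, 1, 2
VERDICTS = {EXIT_CLEAN: "clean", EXIT_INFECTED: "infected", EXIT_ERROR: "error"}


@dataclass
class ScanResult:
    path: str
    sha256: str              # empty if the file could not be read
    verdict: str             # "clean", "infected", "error" or "timeout"
    detections: list = field(default_factory=list)
    raw_output: str = ""


def sha256_of(path):
    """Hash the file so the log entry identifies exactly what was scanned."""
    try:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()
    except OSError:
        return ""


def parse_found_lines(output):
    """Pull signature names out of clamscan's '<path>: <name> FOUND' lines."""
    names = []
    for line in output.splitlines():
        line = line.rstrip()
        if line.endswith(" FOUND"):
            body = line[: -len(" FOUND")]
            names.append(body.rsplit(": ", 1)[-1])
    return names


def scan_file(scanner_cmd, path, timeout=60):
    """Run scanner_cmd (an argv list, e.g. ["clamscan.exe", "--no-summary"])
    on one file and map its exit status to a verdict.  The path is appended
    as its own argv element, so a file name containing spaces or shell
    metacharacters is passed through literally rather than interpreted."""
    argv = [*scanner_cmd, str(path)]
    digest = sha256_of(path)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        # A hung scanner must not block the HIPS prompt forever; report it
        # as its own verdict instead of silently treating the file as clean.
        return ScanResult(str(path), digest, "timeout")
    except OSError as exc:  # scanner binary missing or not executable
        return ScanResult(str(path), digest, "error", raw_output=str(exc))
    output = proc.stdout + proc.stderr
    # Unknown exit codes are reported as errors, never as "clean".
    verdict = VERDICTS.get(proc.returncode, "error")
    return ScanResult(str(path), digest, verdict, parse_found_lines(output), output)


def fake_scanner(exit_code, detection=None, delay=0):
    """Constructed stand-in for clamscan.exe so the wrapper can be exercised
    offline: prints clamscan's FOUND line when asked, then exits with the
    requested code."""
    code = f"import sys, time\ntime.sleep({delay})\n"
    if detection:
        code += f"print(sys.argv[1] + ': {detection} FOUND')\n"
    code += f"sys.exit({exit_code})\n"
    return [sys.executable, "-c", code]


def demo():
    """Scan one constructed sample file with fake scanners for each outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "triggered file.exe"   # space in the name on purpose
        sample.write_bytes(b"MZ constructed sample, not real malware")
        return {
            "clean": scan_file(fake_scanner(EXIT_CLEAN), sample),
            "infected": scan_file(fake_scanner(EXIT_INFECTED, "Win.Test.Constructed-1"), sample),
            "error": scan_file(fake_scanner(EXIT_ERROR), sample),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} verdict={result.verdict} detections={result.detections} "
              f"sha256={result.sha256[:12]}...")
```

To point it at a real scanner, replace `fake_scanner(...)` with the scanner's argv list, e.g. `["C:\\Program Files\\ClamWin\\bin\\clamscan.exe", "--no-summary"]` (an assumed install path), and keep the triggered file as the final argument. The two design points worth keeping in any rewrite are that the scanner is invoked with an argument list rather than a shell string, and that a timeout or an unrecognised exit status is surfaced as its own verdict rather than falling through to "clean".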
  15. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    @nick

    That's an interesting concept. Sort of a hybrid on-access scanner that only works when something else is happening.

    I suppose if you are really careful about what you put on your machine, use HIPS or LUA/SRP or Anti-Executable and run full scans fairly regularly, then on-access scanning just might not accomplish that much. The frequent full scans are necessary because even an installer scanned several times before its use might turn out to be bad later. The reality is I have never had a file go positive that did not have certain easily identifiable characteristics as to source and purpose. Those get to run in Sandboxie or a VM.

    However, the real-time scanner does pick up stuff that is packed and gets scanned while unpacking and attempting to run.

    You may have noticed another one of my threads which alludes to the fact that when working with non-mainstream files such as grayware, game cheats etc., the detection characteristics of different AVs vary so much as to make it difficult to evaluate positives.
     
  16. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Sorry to destroy the image of Clam yet again, but it is bad. Really bad. Its technology is very, very basic, and it cannot do anything against complex threats. It has detection routines for only 4 or 5 polymorphic threats; the rest of the detections are purely signature-based. No emulation at all, runtime unpacking that doesn't even deserve the name as it does not properly rebuild the binaries for the very limited number of supported packers. No heuristics whatsoever (heuristics IMHO are doomed to fail in an open-source project).

    They are relatively fast at adding non-complex widespread threats, if those are simple to add (signature), but anything else is very likely to never get added at all.

    And no, shadowserver stats don't show that part of an AV as the number of different threats in their stats is really low.

    If you want it as a second opinion scanner, ok, but don't rely on it being even close to equal in terms of raw detection power to the top scanners around.
     
  17. DjMaligno

    DjMaligno Hispasec/VirusTotal

    Joined:
    Feb 22, 2005
    Posts:
    63
    Location:
    Spain
    That's because they've recently added a 'PUA' feature that, for instance, tends to show as positive executables with certain packers.
     
  18. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    BitDefender Free does that as well, and I believe it cannot be turned off as with Avira. The problem with this technique is lots of false positives.

    As for Clam lacking heuristics, the same could be said of several popular AVs, including Avast and AVG.

    One approach to this problem would be to install something like Avast or Avira without on-access scanning, accept that a service or two will be running, and see which one has the least effect on overall performance.
     
  19. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello

    @all - please bear in mind that I am not really an AV type. Blacklists, packers/unpackers, heuristics and such mean very little to me. I could as well have gone with no AV at all, but I thought since SSM is staying, why not make use of its features and integrate a CL scanner. I guess "Scan..." on the popup will be very rarely used, but I like to have it there just for the peace of mind (or for the heck of it), as I am still a recent NOD user. So Clam could've done it as well, but as it is -
    a-squared fits perfectly (for now). There's a2update.dll, so I made a click-to-update icon. I have always updated NOD manually and I kinda miss having something to update every day :)

    I haven't, but I don't mind a FP here or there, especially with those you mention. With such software (game cheats, toolbars, e.g.) FPs are quite expected. They can be (and are) annoying, but it's certainly not something I'd lose sleep over.

    I knew this was one of the options, and I was even considering it (accepting a running service for an occasional scan), but I tend to be very strict about what is running and, more importantly, why. So I was kinda hoping to avoid this solution.

    Again thank you all, I shall consider this matter settled. As I said - for now. More research pending...

    Cheers,
     
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'm curious to know why you think so. Is it a technical matter, or just a practical one? (the whole cat and mouse AV's play)
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    An open source heuristic/unpacking/emulation engine would be very easy to bypass.
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Sure, but then your signatures would be more effective. You can only gain from it, no?
    I could even imagine a user-selectable level of aggressiveness. If it is for a gateway, there could be a demand (for some people) to flag anything suspicious (FPs, let them come).
    Signatures alone don't give you any choice. It is or it isn't a known virus/trojan/etc.
     
  23. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Your argument, apparently, is that if the crooks know what the heuristics are, they could work around them. As far as unpacking an executable, or running it in a sandbox to unpack it and scan it against a signature, there is no way that having the source code known would give the bad guys a better chance. As for the remaining heuristics, the present method of trial-and-error checking seems to work well enough for the bad guys.
     
  24. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    You may want to try "Clam on a stick" (sounds good, huh?).
    ClamAV on a portable USB stick with a convenient GUI.
    Runs entirely from the USB memory stick. Updates (not automatic) have to be invoked.
     
  25. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    F-PROT has a good one.
     