Tuesday, June 22, 2010

ClamAV for Windows

Recently, we released the only official Windows-specific version of ClamAV, appropriately called ClamAV for Windows (http://www.clamav.net/lang/en/about/win32/). It is designed to use little memory and processing power because it relies on an advanced cloud-based protection mechanism, and best of all it's free (as in free beer. Ummm...beeeeer). If you haven't tried it yet, I really encourage you to.

You can download ClamAV for Windows from here: http://www.clamav.net/lang/en/about/win32/ or by going to a site like download.com and typing "clamav" in the search box. There are 2 installers available: a 32-bit version and a 64-bit version. If you don't know which one to choose for your Windows operating system, you can check this page http://support.microsoft.com/kb/827218. It will tell you whether you are running a 32-bit or a 64-bit version of Windows. If that's too complicated, just start by downloading the 64-bit version. If you have a 64-bit operating system, you will get a speed boost from running the 64-bit version of ClamAV for Windows. If it turns out that you are running a 32-bit version of Windows, don't worry, executing the 64-bit installer will generate this warning:
Pic.1: Wrong installer version (64-bit warning)
That will be your cue to grab the 32-bit installer instead :-)
In the last step of the installation process, you can opt to perform a recommended initial FlashScan. A FlashScan is not as comprehensive as a full scan but is designed to be a quick check for your system to see if you have any malware running in memory. The last screen in the installation process will also ask whether you want to share that you installed ClamAV for Windows with your Facebook friends or your Twitter followers. The more people that run ClamAV for Windows, the better the protection. Every time a ClamAV for Windows user encounters a new threat, all other users are protected from that same threat in real-time.

So, now that you've installed ClamAV for Windows and run a FlashScan, you are looking at the Scan tab. The results of the scan you just performed are displayed on the left hand side, and on the right hand side you have Scan Options. Leave them set to "on" so that future scans look at running processes and at the autostart locations where malware can hide in order to be run every time you turn your computer on.
Pic.2: FlashScan
Under the "Settings" tab, you can choose to turn off some of the layers of protection that the software provides. Unless you have a good reason to do that, I recommend you keep everything set to "on".
Pic.3: Settings tab
Under the "History" tab, you can review the different scans that were performed on the computer.
Pic.4: History tab
Finally, the "Summary" tab gives you an overview of how many people are using the product as well as how many threats the ClamAV for Windows community is protected from thanks to the power of the cloud.
Pic.5: Summary tab
The video below shows you the kind of nasty things you might encounter. On a completely clean computer, I visited a link that prompted me to download an executable called gb5339.exe. While you will hopefully not purposely visit a known bad URL, keep in mind that your computer could have automatically downloaded and executed this file via a drive-by download (that's when a bad guy takes advantage of a vulnerability in your browser to force actions on your computer simply because you visited an infected web page), or through social engineering (e.g. you get a spoofed email that appears to come from a known person who asks you to download the attached executable and run it....and you do). You can see in the video that shortly after running gb5339.exe, the background image changes to show "You are infected" in big red letters. Furthermore, a fake/rogue/bogus piece of antivirus software is loaded and reports that I have infected files on my computer. Again, I had a fresh installation of Windows XP. There are no infected files on my computer. The fake antivirus program's goal is to scare me into believing that I am infected so that I purchase a license for the software that will supposedly fix my problems. Good thing I didn't fall for that, and neither should you.

Ransomware in action on a PC

Repeating the experiment with a clean computer and a fresh installation of Windows XP, but now with ClamAV for Windows installed, gb5339.exe is blocked as soon as I try to copy it to my hard drive (this is called blocking the file "on-access").

Ransomware being detected and its actions blocked by ClamAV for Windows


  1. "ClamAV for Windows sends information about the files it's scanning back to the cloud. This information is in the form of SHA hashes and file heuristics"

    "Additionally, in some situations the entire PE file will be uploaded to the Cloud to determine if it is malicious. "

    hmmm :/ What other information is passed to the cloud with this? (MAC, IP, Owner/System/Domain name ?)

    will there be an option to manually share or disallow sharing of particular files selected for information upload to the cloud?

  2. For performance and privacy reasons your files are not uploaded to servers, unless necessary. What is uploaded are SHA hashes and heuristics of Windows PE files. Your personal documents (Word, Excel, PDF, etc...) aren't scanned so absolutely nothing about them is collected. And when it comes to how fast an accessed executable can be declared "clean" or malicious, we try to keep the round trip of any cloud lookup under 400 ms. That is a very small price to pay in terms of additional lookup time (compared to lookup time against a local database) for the added benefit, which is to leverage a network of users to increase the detection rate of malware, as well as to identify new threats in real-time. Is there a case where more than just the hash of a PE and the necessary heuristics would be sent to our server (a case where the file itself would be sent to the ClamAV cloud)? Yes. There is no opt-out and we describe this during the installation (EULA). If you do not agree, the installation process does not complete. In ClamAV for Windows 2.0 due in a few weeks, you will have the option not to participate in uploading more than the SHA/heuristics of PE files, when needed. Information such as MAC address, IP address, owner, system information, domain name is never sent to the ClamAV cloud.
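To make the lookup flow described in the reply above concrete, here is an added illustration (not ClamAV's code): an on-access check that hashes only files carrying a PE header, skips everything else without collecting anything, and returns "unknown" rather than guessing when the reputation lookup overruns the 400 ms budget. The verdict table, the latency model and the sample bytes are all constructed for this example.

```python
import hashlib
import struct
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutTimeout
import time

# Constructed sample inputs. The PE bytes follow the documented header layout
# (DOS "MZ" stub, e_lfanew at offset 0x3C, "PE\0\0" signature) but are padding,
# not a real program.
def build_fake_pe() -> bytes:
    header = bytearray(b"MZ" + b"\x00" * 0x3A)    # DOS header up to offset 0x3C
    header += struct.pack("<I", 0x40)              # e_lfanew: PE header sits at 0x40
    header += b"PE\x00\x00" + b"\x00" * 20         # PE signature + empty COFF header
    return bytes(header)

SAMPLE_PE = build_fake_pe()
SAMPLE_DOC = b"%PDF-1.4 constructed sample document, never hashed or uploaded"

def is_pe_file(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# Stand-in for the cloud reputation service: SHA-256 -> verdict (constructed).
CLOUD_VERDICTS = {hashlib.sha256(SAMPLE_PE).hexdigest(): "malicious"}
LOOKUP_BUDGET_S = 0.400   # the 400 ms round-trip budget quoted in the reply

def cloud_lookup(sha256_hex: str, delay_s: float = 0.0) -> str:
    """Simulated remote lookup; delay_s models network latency (constructed)."""
    time.sleep(delay_s)
    return CLOUD_VERDICTS.get(sha256_hex, "clean")

def on_access_verdict(data: bytes, delay_s: float = 0.0) -> str:
    """Decide what to do with a file about to be written to disk.

    Non-PE content is 'skipped' and never hashed. PE content is hashed and
    looked up; if the answer does not arrive within budget we report
    'unknown' instead of inventing a verdict.
    """
    if not is_pe_file(data):
        return "skipped"
    digest = hashlib.sha256(data).hexdigest()
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(cloud_lookup, digest, delay_s)
    try:
        return future.result(timeout=LOOKUP_BUDGET_S)
    except FutTimeout:
        return "unknown"
    finally:
        pool.shutdown(wait=False)
```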

