Slashdot Mirror


ClamAV For Windows Open Beta Begins

An anonymous reader writes "The public beta for ClamAV for Windows 3.0, which includes full integration of the ClamAV engine into the Immunet Protect product, is now open. If you are interested in playing with ClamAV for Windows 3.0, please see these forums. 32-bit and 64-bit versions are available for download. ClamAV for Windows should not be confused with ClamWin, a separate project."

127 comments

  1. Huh... by amnesiacopera · · Score: 5, Funny

    Will it run on Windows 3.1 as well?

    1. Re:Huh... by Anonymous Coward · · Score: 0

      Wait, let me tweak my config.sys so that I have extra space in my 640kb space to load himem.sys. If that's not enough I can probably squeeze a few more kb from the I/O address space....

    2. Re:Huh... by Anonymous Coward · · Score: 0

      Only in 386 Enhanced mode.

    3. Re:Huh... by Anonymous Coward · · Score: 2, Informative

      himem.sys is what allows you to load stuff into extended memory, thereby providing more free conventional memory. You would never need to make extra space for it.

    4. Re:Huh... by xactuary · · Score: 0

      Will it run on Windows 3.1 as well?

      That's exactly how I read it. lol.

      --
      Say hello to my little sig.
    5. Re:Huh... by Anonymous Coward · · Score: 0

      Sheesh, you people. Why would you switch from something that works? Windows 3.0 runs just fine and uses less resources. Not only that, but I question the need for a virus checker. It's been a long time since I've seen viruses and worms written for Windows 3.0. It's pretty safe these days.

    6. Re:Huh... by black6host · · Score: 1

      Not only that but you can peek and poke to get just the perfect color scheme :)

    7. Re:Huh... by BatGnat · · Score: 1

      If you want the most space use QEMM.

      But seriously, upgrade to OS/2 Warp will you....

    8. Re:Huh... by Anonymous Coward · · Score: 0

      Huh? Sure you could. himem.sys has a portion that loads in conventional memory. I mean, you should be able to trade a bunch of conventional memory for that part of himem.sys by loadhighing other programs. But you can definitely be in a situation where you've filled up so much of the first 640K that you can no longer load himem.

    9. Re:Huh... by Anonymous Coward · · Score: 1

      himem.sys is the first driver to be loaded if you are planning to use XMS at all. Only a fool would load a bunch of drivers into conventional memory before loading himem. A typical config.sys using XMS would look something like this.

      device=C:\himem.sys
      dos=high,umb
      devicehigh=c:\bin\d011v109.sys /D:MSCD001 /M:1
      devicehigh=c:\zansi.sys
      files=20
      buffers=40
      lastdrive=e

      Nobody who knew anything about DOS would ever try to load those other drivers (in this case, CD-ROM and ANSI drivers) before loading himem.

    10. Re:Huh... by antdude · · Score: 1

      Nah, Windows for Workgroups v3.11 and Windows 3.2. ;)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    11. Re:Huh... by Anonymous Coward · · Score: 0

      Will it run on Windows 3.1 as well?

      DOS version too? ;-}

    12. Re:Huh... by atisss · · Score: 1

      I guess, it says it supports 32bit, so that should be pretty obvious. I wonder about 16bit version however.. As Windows 3.0 binaries should be compiled in 16 bit, and it's not released (only 32bit and 64bit huh), how it's going to run?

    13. Re:Huh... by Anonymous Coward · · Score: 0

      Yeah, and we all know that fools don't use computers. Believe me, I worked on enough DOS machines that I've seen people load every driver they needed, then load himem at the end. Furthermore, there were drivers that weren't compatible with himem, and you could definitely find yourself in a situation where all of your weird, kludgy drivers were loaded and you didn't have room for himem anymore. Those people would have two different boot disks, one for using their crazy hardware and one for using the computer properly.

    14. Re:Huh... by Anonymous Coward · · Score: 0

      Uhh, just no. You haven't a clue.

  2. Editing mistake? by froggymana · · Score: 5, Informative

    From TFA "ClamAV 3.0 for Windows Open Beta", not "ClamAV for Windows 3.0" as the summary states.

    --
    "To prevent this day from getting any worse, I'll just read ERROR as GOOD THING" 1GJU8xLuDKDxEs4KLf8fAGyptoDsqvEsBT
    1. Re:Editing mistake? by Shikaku · · Score: 2

      It's not incorrect to say ClamAV for Windows 3.0, but it's much less confusing to say ClamAV 3.0 for Windows.

    2. Re:Editing mistake? by froggymana · · Score: 1

      ClamAV for Windows 3.0 would be correct if it were for that specific version of Windows, but it is referring to the version of ClamAV which runs on an unspecified version of Windows.

      --
      "To prevent this day from getting any worse, I'll just read ERROR as GOOD THING" 1GJU8xLuDKDxEs4KLf8fAGyptoDsqvEsBT
    3. Re:Editing mistake? by mehrotra.akash · · Score: 1

      It gets confusing ..
      is it
      (ClamAV for Windows) 3.0
      OR
      ClamAV for (Windows 3.0)

    4. Re:Editing mistake? by froggymana · · Score: 1

      Oh that makes more sense... People need to learn to use grouping parentheses more often in their writing/typing :)

      --
      "To prevent this day from getting any worse, I'll just read ERROR as GOOD THING" 1GJU8xLuDKDxEs4KLf8fAGyptoDsqvEsBT
    5. Re:Editing mistake? by noidentity · · Score: 1

      If the name of the product were "ClamAV for Windows", then it would be correct, though confusing, to call it ClamAV for Windows 3.0.

    6. Re:Editing mistake? by Anonymous Coward · · Score: 0

      The main page says Download ClamAV for Windows 2.0 or try the new beta!

  3. when product branding goes wrong by Anonymous Coward · · Score: 0

    Shouldn't it be titled ClamAV 3.0 for Windows? I doubt it's for Windows 3.0.

    1. Re:when product branding goes wrong by Atti+K. · · Score: 1

      Yeah, cause it would make so much sense to make an antivirus for Windows 3.0... In 2010, that is.

      --
      .sig: No such file or directory
    2. Re:when product branding goes wrong by BlueScreenO'Life · · Score: 1

      Yeah, cause it would make so much sense to make an antivirus for Windows 3.0...

      Yeah that's right. Just run it under DOS 6.22, which comes with its own antivirus msav.exe.

  4. What is the Immunet product and why should we risk by Anonymous Coward · · Score: 4, Funny

    Could someone enlighten us what the Immunet product is? Their web page is so full of cloud computing and other buzzwords that I can't see what's different from other vendors' tools.

  5. Clam. What's that? by Anonymous Coward · · Score: 0

    And what is this ClamAV thing? One word or two maybe?

    1. Re:Clam. What's that? by KugelKurt · · Score: 5, Funny

      An anti virus application for Windows 3.0

    2. Re:Clam. What's that? by Anonymous Coward · · Score: 0

      Then I guess it's a little outdated. Who runs Windows 3.0 these days? Some ATM maybe.

    3. Re:Clam. What's that? by KugelKurt · · Score: 1

      No, they run Windows 3.11 because they require that "for Workgroups" feature.

    4. Re:Clam. What's that? by Anonymous Coward · · Score: 0

      I think it is an anti-viral medication for chlamydia. Although since chlamydia is bacterial I don't know why they need an anti-viral.

    5. Re:Clam. What's that? by Atti+K. · · Score: 2

      Yeah, some mod could mod this funny, but it's actually sad but true... for some older ATMs at least. Nowadays I see quite a few running XP (you can see that on the back screen, if the ATM is in a place where you can see its back). But a few years ago I saw a crashed ATM and it had plain MS-DOS. Then I remembered that I had once used an ATM of that particular bank, and that it seemed to me that the fonts looked just like the BGI fonts (Borland Graphics Interface - those who used Borland Pascal/C++ during the '90s know what I'm talking about), so I'm pretty sure that ATM was running plain DOS with some graphical app coded in Borland Pascal or C++ on it.

      --
      .sig: No such file or directory
    6. Re:Clam. What's that? by neumayr · · Score: 1

      I think it's sadder when an ATM runs XP. Those things handle sensitive data and should be kept as simple as possible, as more code always implies more bugs, no matter whose code it is.

      An ATM running DOS would generally feel more trustworthy to me than one running XP.

      --
      Truth arises more readily from error than from confusion. -Francis Bacon
    7. Re:Clam. What's that? by Anonymous Coward · · Score: 0

      Thereby giving the ATM application direct access to the hardware, that's a great idea! :/

    8. Re:Clam. What's that? by neumayr · · Score: 1

      Why wouldn't it be? The application takes only very well defined input and the hardware is known. I don't see any problems.

      --
      Truth arises more readily from error than from confusion. -Francis Bacon
    9. Re:Clam. What's that? by AmiMoJo · · Score: 1

      Cost is what drives it. ATMs need network support and the banks want a flashy graphical/animated interface that advertises their shit. You could implement all that on an embedded system but it would take longer and cost more money to do, so the developers just throw XP on and figure that since the system is physically secured with a key and only ever connects to the ATM network and not the wider internet any security concerns are nullified.

      In reality that isn't the case, of course.

      I have a similar problem in my job. I write software for controlling building fire suppression systems. There are buttons for the Fire Fighters to override the actions of the system if needs be and they are secured with a key. Unfortunately the key tends to get given to the building manager or security grunt who then uses it to open a few vents when it gets hot in the summer. A fire starts and the buttons are already set to override the system that could easily cause the fire suppression to fail (e.g. there is an extract fan that can clear one floor, but someone opened a vent on a different floor so its flow rate is now 50% on each floor).

      I fixed that by resetting all the buttons when there is a fire. You have to assume your security measures will be bypassed if at all possible.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:Clam. What's that? by kc0re · · Score: 1

      ClamAV is an opensource Antivirus program.

  6. On Slashdot? Really? by neumayr · · Score: 1

    Sure, it's something to make fun of, Windows 3.0 and all that. But advertising an anti virus product beta on Slashdot's main page? C'mon.

    --
    Truth arises more readily from error than from confusion. -Francis Bacon
    1. Re:On Slashdot? Really? by bcmm · · Score: 1

      ClamAV is an open-source AV system. The reason a Windows version is news is that it's usually run on Linux systems, especially mail servers.

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
  7. Will it run on ReactOS? by Anonymous Coward · · Score: 1

    People waiting to follow the only worthy upgrade from XP want to know ;)

    1. Re:Will it run on ReactOS? by AndGodSed · · Score: 4, Funny

      Well, first you have to get ReactOS to run...

  8. ClamAV is a big deal by iYk6 · · Score: 4, Informative

    ClamAV is an open source anti-virus. That's a pretty big deal, considering it is the only one. Or at least, the only one that is complete and still maintained.

    Were you being sarcastic, or did I miss a joke?

    1. Re:ClamAV is a big deal by neumayr · · Score: 1

      It's an open source product? Okay, then I guess I see the relevance. Sorry, my bad.

      They could have mentioned that in the summary though..

      --
      Truth arises more readily from error than from confusion. -Francis Bacon
    2. Re:ClamAV is a big deal by Anonymous Coward · · Score: 0

      They also forgot to mention in the summary that Windows is proprietary software.

    3. Re:ClamAV is a big deal by rubycodez · · Score: 4, Informative

      ClamAV's main use is the Unix/Linux/BSD version for running on mail servers, but it also has the cool mode of scanning directory trees on Samba file servers for Windows clients. The virus definition databases it uses are updated multiple times a day and are automatically downloaded. I have several customers that have been using it for years, it does catch the bad wares and moves bad files to a holding directory. It understands the common archival and compression, executable, and document formats.

      http://www.clamav.net/lang/en/about/

    4. Re:ClamAV is a big deal by ziggyzaggy · · Score: 1

      oh no! and here I thought redmond was just being slow making my source printout request as per GPL 2. You really know how to pop someone's bubble. Now what am I going to do about my nifty custom .bat file with included Windows 2008 Server R2 that's been so popular on megaupload?

    5. Re:ClamAV is a big deal by tgd · · Score: 1

      And? MS Security Essentials is a zero-cost option as long as the OS isn't pirated.

      If you're not in a free-as-in-whatever-the-OSS-people-are-calling-free-like-beer-or-whatever OS, why do you need AV that is?

      Not sure I get it. I can totally buy an OSS virus scanner for an OSS OS, or an OSS virus scanner for a non-OSS OS that has no free options, but Windows has a free option that comes from the people who wrote the OS.

    6. Re:ClamAV is a big deal by beardz · · Score: 1

      And? MS Security Essentials is a zero-cost option as long as the OS isn't pirated.

      It's a zero cost option even if the OS is pirated.

    7. Re:ClamAV is a big deal by black6host · · Score: 1

      I assume you're using it to scan files on a predetermined schedule? If so, obviously you would not be able to comment on real time protection (upon file access.) I take it you're satisfied though with the scanning and detection abilities. Please correct me if I'm wrong. This (CLAMAV for Windows) piques my curiosity though as currently I use, and some of my clients as well, MS Security Essentials. This is ok in a business environment with 10 or fewer computers but some of my clients, who can't afford at the moment anything else, need something free they can run on their workstations. A server/client based solution is not an option. No Exchange or web server in-house and the server is never used for web access or anything else on-line other than MS updates and our firewall is pretty good. It will be interesting to see how this pans out. I really need a free solution for workstations only in a corporate setting.

    8. Re:ClamAV is a big deal by melstav · · Score: 1

      Microsoft pushes "Critical" security updates for their software so frequently it isn't funny. And that's not even taking into account vulnerabilities they go out of their way to actively keep quiet. Do you REALLY want to trust *THEM* to provide you with the software that's supposed to keep the *rest* of their library secure?

    9. Re:ClamAV is a big deal by QuoteMstr · · Score: 1

      Oh, for fuck's sake, have you seen LWN's "security" page? Every week, there's some remote code execution vulnerability or another. At least distributions regularly push updates --- Apple usually waits for its next minor release. I'm sick and tired of this puerile and reflexive Microsoft-bashing.

    10. Re:ClamAV is a big deal by Anonymous Coward · · Score: 0, Interesting

      Files should be scanned on creation, not access. Why let a bad file get downloaded, written to disk and sit around, just so you can scan EVERY GODDAMNED FILE on access?

    11. Re:ClamAV is a big deal by black6host · · Score: 2

      First, I think you took my part about access a bit too literally. Of course files should be scanned upon first encounter. Second, if files get on a system with a new exploit that hasn't hit the virus def file yet, I'd rather it get caught at some point, and in the real time protection scenario it will be picked up on access if it's not caught sooner (provided the virus defs have been updated to pick it up.)

      Lastly, no need for swearing and all those caps. One can make a point without doing so and polite discourse is my preferred mode of communication. Of course, it takes all types and the net certainly makes it easy to do as you please. One does not stay a member of most forums on the net without a thick skin though so have your say :)

    12. Re:ClamAV is a big deal by asdfghjklqwertyuiop · · Score: 1

      The joke is that virus scanners in general tend to be jokes.

    13. Re:ClamAV is a big deal by rubycodez · · Score: 1

      correct that file scans are scheduled, but that fits with the clients use of batch reception of scanned and pdf medical documentation.

      They use a multi-tiered approach to security that also includes Fortigate and the free AVG windows client.

    14. Re:ClamAV is a big deal by black6host · · Score: 1

      The Fortigate looks good at first blush (haven't used one personally.) I've become rather not fond of AVG, I got more support calls from family who I used to recommend AVG to, related to AVG, than anything else. Mostly, the update nagging and seemingly absolutely immediately required upgrades to the latest, greatest version. That plus every time I used to instruct them on how to download it they were always tripped up by all the BS that came along with the download page. Really unobtrusive free download off to the side or the much larger, screaming in your face button which of course was either the non-free version or some other unneeded security product. That plus very recently AVG missed something on a family member's system and I had to do the clean up. It was MS Security Essentials from then on. Still, doesn't work from a licensing perspective in a business with greater than 10 systems. Still looking.....

    15. Re:ClamAV is a big deal by hairyfeet · · Score: 2

      If you need a good free AV for a place with over 10 (or hell anyplace for that matter) might I suggest Comodo AV or Internet Security? As you can see from this chart they will have all the major features and will only be lacking in having the live tech support, which frankly if they just stick to the defaults (or have you or someone knowledgeable do the tweaking if they want it customized) they will be just fine.

      I have given both Comodo IS and MSFT SE to clients and the only real differences I've found are these: Comodo will take about a week to learn their apps, whereas MSE will "just launch" without question. Comodo by default uses a sandbox on all apps (unless told otherwise) which means if they use one or two heavy resources apps you'll want to tell Comodo not to sandbox those, whereas MSE doesn't sandbox anything.

      So in conclusion Comodo IMHO has a little better security, while MSE never asks questions of the user. But considering most questions will be asked by Comodo in the first week, and consist of "did you just launch (name of app)?" it doesn't put undue strain upon the user and if you know what software they run frequently even that can be taken care of by you beforehand. And since it doesn't have a business user limit for poor companies it can be a lifesaver. They do have services that even a poor business might want to look into though, such as their server AV or the SSL certs for websites. Overall I've been using this for a couple of years now and have had no complaints and so far not a single PC I've installed Comodo on has come back infected, nor has there been any of those "oops we blocked schost" kinds of screwups like we've seen from certain other vendors. Try it, it's free, and I bet you'll like it.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    16. Re:ClamAV is a big deal by Anonymous Coward · · Score: 0

      Thanks for the suggestion, I'll take a look at it.

    17. Re:ClamAV is a big deal by ancientt · · Score: 1

      The article is not about ClamWin but it is a related product. It is mentioned in the summary, but I have some experience with it and can at least tentatively recommend it. ClamWin uses ClamAV resources but was designed to run on Windows and is somewhat mature. It can work with centralized updates, email notices upon virus detection and runs on any likely version of Windows. It has a plug-in for Outlook and is integrated into Explorer, though I'm not sure it does on-access scanning. (It didn't in the past, but it might now.) We most appreciate it on servers where we have little exposure to viruses but need something that can report if a potential virus is found. MS Security Essentials isn't for servers, so ClamWin comes in handy where we don't want to spend the money for other AV products. The reporting feature is handy for these machines because many of them don't have someone logging into them through the GUI more than once a month. Be wary of the option to remove viruses from the system rather than just from memory though, in the past it had a pretty high false positive rate. (They seem to have fixed that now, your mileage may vary.)

      --
      B) Eliminate all the stupid users. This is frowned upon by society.
  9. Summary is incorrect by Anonymous Coward · · Score: 0

    This software will not run on Windows 3.0

    1. Re:Summary is incorrect by KugelKurt · · Score: 1

      Oh no, I was just about to insert the first of my Win3.0 720Kb setup floppies to give ClamAV a spin.

  10. Mmmmm Clams by Anonymous Coward · · Score: 0

    "ClamAV for Windows should not be confused with ClamWin, a separate project." and to those of us that know nothing of either it should not be confused with regular clams that taste great with a little melted butter.

    Seriously I know that submissions aren't edited but telling us what ClamAV does/is would be helpful.

    1. Re:Mmmmm Clams by ffreeloader · · Score: 1

      Yeah, having to use Google to figure out something you don't know is so hateful and discriminatory.... ;)

      --
      "while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
    2. Re:Mmmmm Clams by ziggyzaggy · · Score: 1

      you're a bit ambiguous yourself, are your "regular clams" the underwater or bearded variety, i.e. are you buttering and tasting marine bivalves or vulvas?

    3. Re:Mmmmm Clams by Teun · · Score: 1

      What's this google?

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    4. Re:Mmmmm Clams by Anonymous Coward · · Score: 0

      Actually, it's neither. "Clams" are a common slang word for scientologists. May xenu live forever..

    5. Re:Mmmmm Clams by grcumb · · Score: 1

      What's this google?

      Same as that Google, only closer.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  11. ClamAV engine poor at general malware detection by throwaway18 · · Score: 4, Informative

    The ClamAV engine is designed for scanning incoming email. These days any sensibly configured email system deletes all email with any form of executable attachment before it gets anywhere near the end users so email scanning is a bit of a niche market.

    The ClamAV engine may be good at email scanning but that does not mean it is good for general malware scanning. Clamwin, which uses the clamAV engine in a general windows malware/virus scanner has very poor detection compared to the top few antivirus packages (Eset Nod32, AVG, kaspersky, avira paid version, panda).

    Malware delivered via the web is the main source of the epidemic of crap on the windows platform these days. In geek circles I feel like a suspected plague carrier because I carry a windows laptop instead of running ubuntu or carrying an apple.

    I do nearly all my browsing in windows virtual machines. The basic firefox only VM is little trouble. A vm with flash player, Sun java, acrobat reader, dotnet addon etc results in the "whats all this network traffic, shit the VM is sending spam" or "popups WTF?" every few months, followed by going back to a known good copy of the VM and redownloading lots of updates.

    Over the last year I've uploaded a couple of dozen malware .exe's from the web to virustotal, (mostly attempts to exploit user ignorance that didn't get running on my machine eg desirable-file.pdf.exe). I keep the exe's and check how long it takes for AV companies to add detection. Kaspersky and AVG usually add detections within 36 hours, avira is usually "next day" provided next day is monday-friday.
    Half the time Clamwin does not detect the malware and typically takes a couple of weeks to start detecting my sample if they get it at all.
    I have little confidence in another package using the clamAV engine doing any better.

    Also the only real cleanup response for malware arriving by email is 'delete', removing malware that has installed itself into windows takes much more work. A lot of people rely on antivirus software to clean up messy infections instead of being organised enough to have current backups and known-good images of every machine.

    1. Re:ClamAV engine poor at general malware detection by Frosty+Piss · · Score: 4, Insightful

      The ClamAV engine is designed for scanning incoming email. These days any sensibly configured email system deletes all email with any form of executable attachment before it gets anywhere near the end users so email scanning is a bit of a niche market.

      Maybe end users WANT the freedom to be able to attach executables? Who says all email users (or even most) are like you?

      Now, of course, I'm not talking about the rubes that clicky on any linky or attachment in their email, but you know, *I* want the ability to send *any* type of file I choose to a recipient that might be expecting said file...

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:ClamAV engine poor at general malware detection by Anonymous Coward · · Score: 2, Insightful

      I work for a manufacturing software company and we deliver products by email every day. We rarely have a problem because very few email systems mindlessly delete all executable attachments.

    3. Re:ClamAV engine poor at general malware detection by Anonymous Coward · · Score: 0

      Quote
        Bollocks.
        Pretty well any half arsed corporate email system will automatically delete attachments that use a .exe extension and even any combination of the letters e,x & e. Don't be smart and use .sex either....

      Pah.
      These trolls get everywhere...
      I'm posting AC cause I work for a large three lettered software company.

    4. Re:ClamAV engine poor at general malware detection by mspohr · · Score: 4, Insightful

      And unfortunately, the range of attachments which can be considered "executable" (on Windows) is very large. I recently encountered a company that would not accept a PDF file email attachment because of the perceived danger. No doubt the danger is real on Windows but this should prompt some more intelligent countermeasures (such as better pdf readers, virus detection, or getting rid of Windows).

      --
      I don't read your sig. Why are you reading mine?
    5. Re:ClamAV engine poor at general malware detection by bcmm · · Score: 3, Insightful

      These days any sensibly configured email system deletes all email with any form of executable attachment before it gets anywhere near the end users so email scanning is a bit of a niche market.

      Where did you get that from? Remember that .doc is, potentially, an executable format (a Word macro can make arbitrary win32 API calls), not to mention the many exploits that rely on overflows in parsers of non-executable formats.

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
    6. Re:ClamAV engine poor at general malware detection by neumayr · · Score: 1

      Wow. You sure are a malware magnet. Luckily it seems to fit your hobby.

      Please be aware not everyone gets attacked as much as you do and the kind of organization you wield to protect yourself would be overkill for most people.

      --
      Truth arises more readily from error than from confusion. -Francis Bacon
    7. Re:ClamAV engine poor at general malware detection by Lennie · · Score: 1

      Judging by a recent 27c3-presentation, I have some doubts a good PDF reader actually exists. The format is such a mess I can't believe it:

      http://www.youtube.com/watch?v=54XYqsf4JEY

      --
      New things are always on the horizon
    8. Re:ClamAV engine poor at general malware detection by aztracker1 · · Score: 2

      The holes are in the Adobe Acrobat Reader, and exist on linux as well when using Adobe's reader, which many on linux don't, just the same, the security hole isn't only in windows.. also, you can run a botnet node in user space on linux too.

      --
      Michael J. Ryan - tracker1.info
    9. Re:ClamAV engine poor at general malware detection by Sulphur · · Score: 1

      I'm posting AC cause I work for a large three lettered software company.

      FUD Inc?

    10. Re:ClamAV engine poor at general malware detection by Anonymous Coward · · Score: 0

      Do they instead insist sending them documents in word format? (rolls eyes)

    11. Re:ClamAV engine poor at general malware detection by nurb432 · · Score: 1

      In geek circles I feel like a suspected plague carrier because I carry a windows laptop instead of running ubuntu or carrying an apple.

      So YOU are that guy..

      --
      ---- Booth was a patriot ----
    12. Re:ClamAV engine poor at general malware detection by snowgirl · · Score: 1

      Where did you get that from? Remember that .doc is, potentially, an executable format (a Word macro can make arbitrary win32 API calls), not to mention the many exploits that rely on overflows in parsers of non-executable formats.

      So, now here comes the interesting tidbit of pedantry. A .doc file cannot, I repeat cannot, contain a macro.

      What can contain macros are .dot files, or document templates. The problem is that .dots are virtually identical to .docs, and if you take a .dot and rename it with a .doc extension it will be indistinguishable from a proper .doc file, thus all these macro viruses spread by parading document templates as simple documents. If Word were just smart enough to recognize that it is opening a document template with the extension of ".doc" and throw up an error/warning message, macro viruses would hardly be a problem.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    13. Re:ClamAV engine poor at general malware detection by mspohr · · Score: 1

      Yeah, it is theoretically possible to run a botnet in userspace in Linux and there was even an actual botnet that attacked some Linux based modems a few years ago using their default passwords. However, perhaps because it requires exceptional stupidity on the part of users (and their lack of access to root), there aren't any actual botnets in the wild running on Linux. Just happy that I run Linux and Mac and don't have to worry about malware. I'm happy to leave the malware battles to the Windows users.

      Just last week I was diving and shared some photos with another diver. He was running Windows and my memory card came back with a virus. Of course it wouldn't run on Linux and I just deleted it but it's an ugly world of Windows out there.

      --
      I don't read your sig. Why are you reading mine?
    14. Re:ClamAV engine poor at general malwre detection by Anonymous Coward · · Score: 0

      ClamWin isn't developed by the ClamAV Team, so comparing ClamWin stats on detection and assuming they are the same as ClamAV is misleading.

      If you look at ShadowServer stats ClamAV is always in the top 10 on 0-Day detections.

      Additionally, the ClamAV 3.0 for Windows has multiple detection engines for detecting threats, not just the ClamAV engine.

    15. Re:ClamAV engine poor at general malwre detection by fishexe · · Score: 2

      Where did you get that from? Remember that .doc is, potentially, an executable format (a Word macro can make arbitrary win32 API calls), not to mention the many exploits that rely on overflows in parsers of non-executable formats.

      So, now here comes the interesting tidbit of pedantry. A .doc file cannot, I repeat cannot, contain a macro.

      Are you sure?

      What can contain macros are .dot files, or document templates. The problem is that .dots are virtually identical to .docs, and if you take a .dot and rename it with a .doc extension it will be indistinguishable from a proper .doc file, thus all these macro viruses spread by parading document templates as simple documents. If Word were just smart enough to recognize that it is opening a document template with the extension of ".doc" and throw up an error/warning message, macro viruses would hardly be a problem.

      So how come when I add a macro and hit save, it directly produces a doc that contains a macro? I admit it's been a lot of years since I've done this, but I've never renamed a .dot to .doc or anything like that, yet I've opened up documents to which I've added macros and, lo and behold, the macros were still in there.

      --
      "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
    16. Re:ClamAV engine poor at general malwre detection by bcmm · · Score: 1

      OK, so a genuine Microsoft Word document might not hold macros, but a .doc file most certainly can.

      I know it's not the intended use, but as you say, a file ending .doc can contain any format recognised by Word and work as expected. This is in semi-common use for communicating with idiots who accept only Word documents, since Word will accept plain-text or RTF, which are both much easier to work with.

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
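Added example (not part of the thread or any commenter's code): the comments above turn on the fact that a `.doc` extension says nothing about a file's contents, so this sketch classifies a file by its leading bytes and, for OLE2 compound files, walks the directory for the `_VBA_PROJECT` stream that marks a VBA project. The function names and the sample file are constructed for illustration; files needing more than 109 FAT sectors and pre-VBA WordBasic macros are not handled.

```python
import io, struct, zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # compound-file signature
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD

def ole_entry_names(data):
    """Follow the FAT chain of directory sectors and return every entry name."""
    size = 1 << struct.unpack_from("<H", data, 0x1E)[0]        # sector size
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    sect = lambda n: data[(n + 1) * size:(n + 2) * size]       # header fills sector "-1"
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C)[:min(n_fat, 109)]:
        raw = sect(s)
        fat += struct.unpack("<%dI" % (len(raw) // 4), raw[:len(raw) // 4 * 4])
    names, seen, s = [], set(), first_dir
    while s < len(fat) and s not in seen:                      # stops on ENDOFCHAIN or a loop
        seen.add(s)
        d = sect(s)
        for off in range(0, len(d) - 127, 128):                # 128-byte directory entries
            nlen, etype = struct.unpack_from("<HB", d, off + 0x40)
            if etype and 2 <= nlen <= 64:
                names.append(d[off:off + nlen - 2].decode("utf-16-le", "replace"))
        s = fat[s]
    return names

def classify(data):
    """Return (real_format, has_vba_project), judged from content only."""
    if data.startswith(OLE_MAGIC):
        try:
            names = ole_entry_names(data)
        except struct.error:                                   # truncated header
            return "ole2-malformed", False
        return "ole2", "_VBA_PROJECT" in names
    if data.startswith(b"{\\rtf"):
        return "rtf", False
    if data.startswith(b"PK\x03\x04"):                         # OOXML is a ZIP container
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip-malformed", False
        return "zip", any(n.lower().endswith("vbaproject.bin") for n in names)
    return "text-or-unknown", False

def dir_entry(name, etype):
    """Build one 128-byte directory entry for the constructed sample."""
    raw = (name + "\0").encode("utf-16-le")
    return raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), etype) + b"\0" * 61

def sample_ole(with_macros):
    """Constructed minimal compound file: sector 0 holds the FAT, sector 1 the directory."""
    hdr = bytearray(OLE_MAGIC.ljust(512, b"\0"))
    struct.pack_into("<H", hdr, 0x1E, 9)                       # 512-byte sectors
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                   # 1 FAT sector, directory at 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    ents = [("Root Entry", 5), ("WordDocument", 2)]
    if with_macros:
        ents += [("Macros", 1), ("_VBA_PROJECT", 2)]
    return bytes(hdr) + fat + b"".join(dir_entry(n, t) for n, t in ents).ljust(512, b"\0")
```

Calling `classify(open(path, "rb").read())` on an attachment named `.doc` reports what the file actually is, whatever the extension claims.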
    17. Re:ClamAV engine poor at general malwre detection by fishexe · · Score: 1

      A of people rely on antivirus software to clean up messy infections instead of being organised enough to have current backups and known-good images of every machine.

      But what about B of people? We can't all be A-listers, you know.

      --
      "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
    18. Re:ClamAV engine poor at general malwre detection by snowgirl · · Score: 1

      Are you sure?

      Hm... not entirely sure, I don't do anything with MS Word anymore really. Although, this most certainly was the case back in 1995~98. (I wrote a concept Word macro virus and had to figure this out to make it work.)

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    19. Re:ClamAV engine poor at general malwre detection by snowgirl · · Score: 1

      This is in semi-common use for communicating with idiots who accept only Word documents, since Word will accept plain-text or RTF...

      OMG, that is just an incredible idea, lol!

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    20. Re:ClamAV engine poor at general malwre detection by bigstrat2003 · · Score: 1

      a Word macro can make arbitrary win32 API calls

      What the hell? I'm no security expert, but even I recognize what a terrible idea that is. Has Microsoft ever offered any justification for this one?

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    21. Re:ClamAV engine poor at general malwre detection by Anonymous Coward · · Score: 0

      more intelligent countermeasures ( ... , or getting rid of Windows).

      Getting rid of the only OS that actually allows you to work isn't very intelligent. In fact, it's fucking retarded.

    22. Re:ClamAV engine poor at general malwre detection by bcmm · · Score: 1

      Personally I think it's great. Back when I was in 6th form, they had computers with cheap CRT monitors, all set, out of laziness, at Windows's default mode, which was 1024x786 at 50Hz - OK for some, but a quick way to get a migraine for me. They'd locked them down in various ridiculous ways, including no display settings or running executables from anywhere you can write to, so I used a Microsoft Word macro to change the resolution and refresh rate. Insanity, I know...

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
    23. Re:ClamAV engine poor at general malwre detection by SheeEttin · · Score: 1

      A vm with flash player, Sun java, acrobat reader, dotnet addon etc results in the "whats all this network traffic, shit the VM is sending spam" or "popups WTF?" every few months, followed by going back to a known good copy of the VM and redownloading lots of updates.

      Why not just make one known-good VM, then use whatever that feature is that discards any changes on shutdown? (I know VirtualBox has one, dunno about others.)

    24. Re:ClamAV engine poor at general malwre detection by aztracker1 · · Score: 1

      Well, the several million macs out there running as bot nodes would disagree with at least a portion of that statement. I'm not disagreeing that windows has a lot more virus issues... and has a history of poor security... However, I would say that the largest reason behind this is the compatibility of windows versions and market share that has been the leading driver behind this... As mac usage has risen a bit, so it too has become a malware target...

      Though most mac malware comes from pirate software packages for mac... If you run an adobe product that's been downloaded illicitly, odds are you are running as a bot in userspace.

      --
      Michael J. Ryan - tracker1.info
  12. Wrong way around. by BrokenHalo · · Score: 2

    A way cooler project might be to backport all those nice new viruses to run on Windows 3.x. Just think of all those people who are missing out.

  13. Not getting it. by Khyber · · Score: 1

    Just repaired a computer that had ClamAV installed.

    It missed multiple trojans that Microsoft Security Essentials found.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Not getting it. by mick232 · · Score: 2

      It's not enough to install it. You actually have to use it and keep it up-to-date!

    2. Re:Not getting it. by Anonymous Coward · · Score: 0

      Last I heard, it wasn't one of these bloated always running in the background type of scanners. It's one of those old school scanners that you have to actually update and run.

      Also, I have seen Microsoft Security Essentials as well as a number of other tools find remnants of files and registry settings dropped by Trojans and viruses that other security tools supposedly already cleaned the infections from. This doesn't mean the computer is currently infected or compromised in any way, it means it found crap that was put there by something deemed bad.

      I'm not sure if you are experienced enough to ever come across this, but it's pretty common when running malware tools too. Judging from your post, I suggest you stick with it a while and you will see the obvious too.

    3. Re:Not getting it. by Anonymous Coward · · Score: 0

      I've submitted 100+ viruses from the wild to ClamAV using the online form. One year later, clamAV still can't detect the very samples I sent in. They are not keeping up.

    4. Re:Not getting it. by Anonymous Coward · · Score: 0

      [citation needed]

    5. Re:Not getting it. by Khyber · · Score: 1

      It was fully updated and was run before installing and running MSE, I did that myself to confirm viability of the installed anti-virus software.

      It still missed simple shit from a year or more ago.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    6. Re:Not getting it. by Anonymous Coward · · Score: 0

      I suppose there is no citation I could give you that would make you believe. I suggest you submit samples yourself using virustotal and observe how long it takes until clamAV detects that sample.

    7. Re:Not getting it. by anomaly256 · · Score: 1

      It has been my experience as well that clamAV and variants of it are in practice useless. Like, totally useless. I've never, ever, seen clam* successfully detect anything at all, even when up to date and used often. Even when pointed *directly at a known infected file with incredibly common malware/virii/whatever* it'll still say it's clean. When packages like that awful and bloated Nortons do a better job, I'm tempted to call clam* an outright hoax. Fire up avast!, detects it. McAfee, detects it. Nortons, detects it. Even an outdated version of CA's AV from 2001 detected it. Clam couldn't. :( This article is un-news.

  14. Sloooooowwwww..... by ArchieBunker · · Score: 0

    Scanning files with ClamWin is about as fast as reading them yourself with a hex editor. I use Avast.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Sloooooowwwww..... by Anonymous Coward · · Score: 0

      ClamAV for Windows != ClamWin

      ClamAV for Windows is a full-fledged AV product. ClamWin is not.

  15. Windows 3.0 - 64bit by Anonymous Coward · · Score: 0

    I bet that's actually really fast.

    1. Re:Windows 3.0 - 64bit by TheRaven64 · · Score: 3, Funny

      I ran Windows NT 4 on a P166, dual-booting with DOS for games. I installed Windows 3.11 in DOS and it was amazingly fast, although running something designed for a 640x480 (16 colour!) display on a 1024x768 screen made it look a bit strange. Running on a modern system would probably be so fast that you'd barely have time to see the UI before you got the first general protection fault...

      --
      I am TheRaven on Soylent News
    2. Re:Windows 3.0 - 64bit by Khyber · · Score: 1

      I think it more likely you hit a divide overflow before you see a GPF.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    3. Re:Windows 3.0 - 64bit by snowgirl · · Score: 2

      I ran Windows NT 4 on a P166, dual-booting with DOS for games. I installed Windows 3.11 in DOS and it was amazingly fast, although running something designed for a 640x480 (16 colour!) display on a 1024x768 screen made it look a bit strange. Running on a modern system would probably be so fast that you'd barely have time to see the UI before you got the first general protection fault...

      I've been stuck with an interesting dilemma a few times, where I installed a new hard drive into my netbook. Problem is, how do you install the OS? Well, the best option I had available at the time was to boot over the network with a virtual floppy and install DOS 7.0 on the machine. With that, I was actually able to at one point install Win 3.11, but the problem was that none of the drivers worked for the newer hardware, and the hardware had lost enough backwards compatibility to make the drivers that did exist not work. So, I was stuck with a vastly overspecced computer that couldn't even set the resolution above 640x480... :(

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    4. Re:Windows 3.0 - 64bit by TheRaven64 · · Score: 1

      Are you sure? You probably have a setting for SoundBlaster emulation in the BIOS (I think it's not enabled by default now, because most stuff expects an AC97 interface, but it's possible to enable). Windows 3.1 also supported SVGA via VESA, which I think all modern graphics cards still support, although it didn't select that driver automatically. You won't get any hardware acceleration, but given that software drawing was fast enough on a 16MHz 386, that's probably not a problem...

      --
      I am TheRaven on Soylent News
    5. Re:Windows 3.0 - 64bit by snowgirl · · Score: 1

      Well, it's a netbook... so the BIOS has hardly any options at all.

      As for the SVGA via VESA, the problem is that Windows 3.1 uses VESA 1, or at least before VESA 2, which really just put up a standard that people can write drivers to support... I don't remember the details, but suffice it to say, things were horribly ill supported.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
  16. I had no idea by Beelzebud · · Score: 2

    that there was a 64 bit version of Windows 3.0!

    1. Re:I had no idea by Teun · · Score: 1

      That's why we come here, to learn.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    2. Re:I had no idea by Sulphur · · Score: 1

      that there was a 64 bit version of Windows 3.0!

      It failed because of 64 bit viruses.

  17. Re:What is the Immunet product and why should we r by Spad · · Score: 2

    The Immunet Community has over 0 members protected from 0 threats.

    Whatever it is they do, the Immunet Community appears to rely too much on Javascript.

  18. How is this different from ClamWin? by Andrioid · · Score: 2

    I've been using ClamWin (http://www.clamwin.com) for years without any problems. Does anyone know the difference?

    1. Re:How is this different from ClamWin? by Nocturna81 · · Score: 1

      As far as I can tell, ClamAV is the "engine" and ClamWin is the frontend

    2. Re:How is this different from ClamWin? by Anonymous Coward · · Score: 0

      ClamWin is an OnDemand scanner only. ClamAV for Windows is both OnDemand and OnAccess.

  19. For Windows? by Anonymous Coward · · Score: 0

    For Windows, aye? What else would an antivirus program be for???

  20. ClamWin? by scurvyj · · Score: 0

    Where does this leave/put ClamWin then? I stopped using ClamWin because of the rising False Positives count, but then discovered all anti-virus manufacturers were suffering the same thing: the shitness of Windows.

    Nowadays I just cautiously install and re-image from a backup every now and again.

    A good free scanner would be good if the reliability is there (again).

  21. WTF? by Anonymous Coward · · Score: 0

    So, now here comes the interesting tidbit of pedantry. A .doc file cannot, I repeat cannot, contain a macro.

    What?!? You have no idea what you are talking about! Please don't spread silly misinformation like this.

  22. On-access scanning? by OneAhead · · Score: 1

    Wake me up when they have on-access scanning working. And preferably fast enough not to bring the system to a grinding halt when starting up a moderately large binary (admittedly, a lot of commercial vendors would fail that test too).

    1. Re:On-access scanning? by Anonymous Coward · · Score: 0

      On access scanning is exactly what this Windows version is about, see http://www.clamav.net/lang/en/about/win32/
      With the 2.0 version you needed connection to the cloud for it to work, with 3.0 you also have the local AV engine for on-access scanning.

    2. Re:On-access scanning? by kc0re · · Score: 1

      It IS in this product.

  23. Re:What is the Immunet product and why should we r by godefroi · · Score: 1

    All I could find is that it gives you "the advanced protection of the cloud". That sounds really awesome, and I think I must need it desperately. Probably you too.

    --
    Karma: Poor (Mostly affected by lame karma-joke sigs)
  24. Re:What is the Immunet product and why should we r by kc0re · · Score: 1

    Immunet is a lightweight client that runs on the Desktop, the AV is done "in the cloud" as opposed to running a gigantic fat client and downloading daily updates. As a result, it's faster, adapts faster, and allows for worldwide correlation.

  25. Re:What is the Immunet product and why should we r by badkarmadayaccount · · Score: 1

    Sounds like the perfect datamining operation... I wonder if they are gonna go Google and make it a free service, and sell analytics data. That would be a great business model, if they have a decent privacy policy. Hell, I think you could try the same trick and OEM Ubuntu machines, and have click-through EULA during the configuration phase (not too convoluted, we want to be fair now - the lusers won't even glance at it anyway). Send tracking data for a limited period (and make tracking removal reasonably easy enough - those who bother to remove it are not gonna rack up too many support calls anyway), in return, you get to license legitimate codecs, and free support.

    --
    I know tobacco is bad for you, so I smoke weed with crack.