ClamAV - the free anti-virus

For the last few years I've been keeping an eye on ClamAV. For those who don't know it, ClamAV is a community developed, open source virus scanner. It has been developed with the principal aim of providing a free virus scanner that can be used by mail servers to scan incoming mail: commercial anti-virus products usually demand a license per user account, which makes them too expensive for ISPs and many businesses.

ClamAV has been developed for Unix/Linux, but as it has been developed using GNU tools it has been ported to other platforms, including Windows. However, it is purely a command line tool. There is no graphical user interface. The main tools are a command line virus scanner clamscan, and a virus scanning daemon clamd which runs in the background and can be called from other software using sockets, plus freshclam which is used to update the virus signatures.

ClamAV for Windows

For those wishing to use ClamAV under Windows, there are several versions to choose from. In chronological order of appearance (as far as I am aware) they are:

Summit Open Source Development Group [SOSDG] Cygwin port. This is the first and most long established Windows port. It relies on the Cygwin compatibility layer to translate Unix system calls to Windows. This makes it a larger download than native Windows ports, and requires Cygwin to be installed in the root directory. Performance appears to be less good than with the native Windows ports. Support from the SOSDG website is very good. There is an on-demand scanner GUI called ClamWin that makes use of this port.

Bransoft's native Windows port. Boguslaw Brandys of Bransoft has developed a native port of the core ClamAV software. This development has focussed on creating Windows DLLs that can be called directly from a Windows application and run on any Windows platform including Windows 95. These DLLs are used in a mail scanning proxy ClamMail, and an on-demand scanner ClamLite, both also developed by BranSoft. Unfortunately, because of a dogmatic interpretation of the GNU GPL by the ClamAV developers, it is not permitted to use these DLLs in software that is not also released under the GNU GPL. This port has not been incorporated into the ClamAV source tree. Development seems to be sporadic, and lags several versions behind the current "official" version.

Gianluigi Tiesi's native Windows port. Gianluigi Tiesi has produced a native Windows port of ClamAV using the Microsoft Visual Studio compiler. There are several binary packages including ones for AMD 64-bit processors. Apart from the command line scanner the port includes a DLL that can be called by other GNU GPL software to scan individual folders, but there is no implementation of clamd, so use by non-GPL software is not possible. A very simple on-demand scanner GUI is also available.

Official native Windows port. Nigel Horne of NJH Software has developed a Windows port of ClamAV, including an implementation of clamd, targeted at Windows XP and above, using Microsoft Visual Studio. This port is part of the official ClamAV source distribution. Because of the architectural differences between Unix daemons and their Windows equivalent, services, clamd has not been implemented as a Windows service. However, it can be used as a service by the traditional workaround of writing a Windows service application that controls clamd. NJH Software is developing a set of Power Tools that can be used to integrate ClamAV into the Windows environment.

Test results

To get an idea of how well ClamAV performs as a general purpose scanner, I carried out some tests. My qualitative summary of its current performance is as follows.


ClamAV still has a fair way to go before it can approach the performance of industry-leading anti-virus products such as Kaspersky AntiVirus, but it has become quite an effective tool, comparing not too badly with some commercial products. The main area in which it performs well is in detecting email-borne viruses (worms) and phishing exploits, which is the main target application for the product.