ClamAV - the free anti-virus
For the last few years I've been keeping an eye on ClamAV. For those who don't know it, ClamAV is a community developed, open source virus scanner. It has been developed with the principal aim of providing a free virus scanner that can be used by mail servers to scan incoming mail: commercial anti-virus products usually demand a license per user account, which makes them too expensive for ISPs and many businesses.
ClamAV has been developed for Unix/Linux, but as it has been developed using GNU tools it has been ported to other platforms, including Windows. However, it is purely a command line tool. There is no graphical user interface. The main tools are a command line virus scanner clamscan, and a virus scanning daemon clamd which runs in the background and can be called from other software using sockets, plus freshclam which is used to update the virus signatures.
ClamAV for Windows
For those wishing to use ClamAV under Windows, there are several versions to choose from. In chronological order of appearance (as far as I am aware) they are:
Summit Open Source Development Group [SOSDG] Cygwin port. This is the first and longest-established Windows port. It relies on the Cygwin compatibility layer to translate Unix system calls to Windows. This makes it a larger download than the native Windows ports, and requires Cygwin to be installed in the root directory. Performance appears to be poorer than with the native Windows ports. Support from the SOSDG website is very good. There is an on-demand scanner GUI called ClamWin that makes use of this port.
Bransoft's native Windows port. Boguslaw Brandys of Bransoft has developed a native port of the core ClamAV software. This development has focussed on creating Windows DLLs that can be called directly from a Windows application and run on any Windows platform including Windows 95. These DLLs are used in a mail scanning proxy ClamMail, and an on-demand scanner ClamLite, both also developed by BranSoft. Unfortunately, because of a dogmatic interpretation of the GNU GPL by the ClamAV developers, it is not permitted to use these DLLs in software that is not also released under the GNU GPL. This port has not been incorporated into the ClamAV source tree. Development seems to be sporadic, and lags several versions behind the current "official" version.
Gianluigi Tiesi's native Windows port. Gianluigi Tiesi has produced a native Windows port of ClamAV using the Microsoft Visual Studio compiler. There are several binary packages including ones for AMD 64-bit processors. Apart from the command line scanner the port includes a DLL that can be called by other GNU GPL software to scan individual folders, but there is no implementation of clamd, so use by non-GPL software is not possible. A very simple on-demand scanner GUI is also available.
Official native Windows port. Nigel Horne of NJH Software has developed a Windows port of ClamAV, including an implementation of clamd, targeted at Windows XP and above, using Microsoft Visual Studio. This port is part of the official ClamAV source distribution. Because of the architectural differences between Unix daemons and their Windows equivalent, services, clamd has not been implemented as a Windows service. However, it can be used as a service by the traditional workaround of writing a Windows service application that controls clamd. NJH Software is developing a set of Power Tools that can be used to integrate ClamAV into the Windows environment.
Test results
To get an idea of how well ClamAV performs as a general purpose scanner, I carried out some tests. My qualitative summary of its current performance is as follows.
- Worm detection: ClamAV is excellent at detecting email worms, phishing emails and other email exploits.
- In the wild viruses: ClamAV is about average at detecting "in the wild" COM, EXE and macro viruses.
- Other viruses: ClamAV has an average detection rate for viruses that are not found "in the wild."
- Polymorphic viruses: ClamAV is fairly poor at detecting polymorphic viruses (viruses that employ variable encryption methods so as to avoid detection by simple signature matching.) It detects some polymorphic families reliably, only a proportion of the samples of others, and some not at all.
- Boot sector viruses: I was unable to test the detection of boot sector viruses.
- False alarms: ClamAV sometimes produces false alarms, though there are well-known commercial products that are just as bad or worse in this respect.
- Cleaning: ClamAV is unable to clean files (in other words, remove viruses from infected files.) This is really not a disadvantage as in most cases it is better to delete the infected file and replace it with a new copy, but for use as a general purpose anti-virus solution it would be useful to have a tool that could remove macros from documents so that users don't lose the contents.
- Speed: ClamAV is slow, especially at scanning large executable files and compressed files. Scan times can be considerably reduced by using external software to drive the scanner and perform a "smart scan", checking only certain file types that are likely to be infected.
- Resource usage: ClamAV has moderate memory usage, but does use quite a bit of CPU when checking compressed executables and archives.
- Updates: Updates to the virus database are fast and frequent. A network of mirrors provides a local update source for users in most countries. Updates are easy and quick to obtain even when using a dial-up connection.
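To make the two points above concrete, here is an added example (not code from ClamAV or from this article) of external software driving clamd over its socket, as described for clamd in the introduction, and performing the "smart scan" of the Speed item: only files whose magic bytes mark them as executables, OLE2 documents or ZIP archives are streamed to the scanner with clamd's INSTREAM command. The list of risky magic bytes, the "DEMO-MARKER" string and the fake_clamd stand-in are constructed for the example; the TCP port 3310 is clamd's default TCPSocket.

```python
import socket
import struct

# Constructed list of "likely to be infected" types by magic bytes: PE and ELF
# executables, OLE2 Office documents, ZIP-based archives. Anything else is skipped.
RISKY_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"\xd0\xcf\x11\xe0": "ole2", b"PK\x03\x04": "zip"}

def classify(header):
    """Return the risky type for a file header, or None if the file can be skipped."""
    return next((kind for magic, kind in RISKY_MAGIC.items() if header.startswith(magic)), None)

def instream_frames(data, chunk_size=8192):
    """clamd INSTREAM framing: 'zINSTREAM\\0', 4-byte big-endian length + chunk, zero-length end."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)

def parse_reply(reply):
    """Map 'stream: OK' / 'stream: <Name> FOUND' / '... ERROR' to (status, detail)."""
    verdict = reply.rstrip(b"\0\n").decode("ascii", "replace").split(": ", 1)[-1]
    if verdict.endswith(" FOUND"):
        return ("infected", verdict[:-len(" FOUND")])
    return ("clean", None) if verdict == "OK" else ("error", verdict)

def send_to_clamd(frames, host="127.0.0.1", port=3310):
    """Send the frames to a running clamd over TCP (default port) and return its reply."""
    with socket.create_connection((host, port)) as s:
        for frame in frames:
            s.sendall(frame)
        return s.recv(4096)

def smart_scan(files, send=send_to_clamd):
    """files: iterable of (name, bytes). Only risky types are streamed to the scanner."""
    results = {}
    for name, data in files:
        if classify(data[:8]) is None:
            results[name] = ("skipped", None)
        else:
            results[name] = parse_reply(send(instream_frames(data)))
    return results

def fake_clamd(frames):
    """Constructed stand-in for clamd (runs offline): unframe INSTREAM, flag a marker string."""
    frames = list(frames)
    assert frames[0] == b"zINSTREAM\0", "not an INSTREAM request"
    payload = b"".join(f[4:] for f in frames[1:])
    return b"stream: Demo.Marker FOUND\0" if b"DEMO-MARKER" in payload else b"stream: OK\0"
```

Calling smart_scan(files) with the default sender scans against a real clamd; passing send=fake_clamd exercises the framing and reply parsing without one.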
Conclusion
ClamAV still has a fair way to go before it can approach the performance of industry-leading anti-virus products such as Kaspersky AntiVirus, but it has become quite an effective tool, comparing not too badly with some commercial products. The main area in which it performs well is in detecting email-borne viruses (worms) and phishing exploits, which is the main target application for the product.