ClamAV

Last updated
ClamAV
Original author(s) Tomasz Kojm
Developer(s) Cisco Talos
Initial releaseMay 8, 2002;22 years ago (2002-05-08)
Stable release
1.4.1 [1]   OOjs UI icon edit-ltr-progressive.svg / 4 September 2024
Repository
Written in C, C++
Operating system Unix, AIX, BSD, HP-UX, Linux, macOS, OpenVMS, Tru64 UNIX, Windows, Haiku
Type Antivirus software
License GPL-2.0-only
Website www.clamav.net

ClamAV (antivirus) is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses. It was developed for Unix and has third party versions available for AIX, BSD, HP-UX, Linux, macOS, OpenVMS, OSF (Tru64), Solaris and Haiku. As of version 0.97.5, ClamAV builds and runs on Microsoft Windows. [2] [3] Both ClamAV and its updates are made available free of charge. One of its main uses is on mail servers as a server-side email virus scanner.

Contents

History

ClamAV was initially released with version 0.10 on May 8, 2002, by Polish university student Tomasz Kojm. [4] In 2007, it was acquired by Sourcefire, [5] which in turn was acquired by Cisco in 2013 [6] and now operates under its Talos cybersecurity division.

Patent lawsuit

In 2008, Barracuda Networks was sued by Trend Micro for its distribution of ClamAV as part of a security package. [7] Trend Micro claimed that Barracuda's utilization of ClamAV infringes on a software patent for filtering viruses on an Internet gateway. The free software community responded in part by calling for a boycott against Trend Micro. The boycott was also endorsed by the Free Software Foundation. [8] Barracuda Networks counter-sued with IBM-obtained patents in July 2008. [9] On May 19, 2011, the U.S. Patent and Trademark Office issued a Final Rejection [10] in the reexamination of Trend Micro's U.S. patent 5,623,600. [11]

Features

ClamAV includes a command-line scanner, automatic database updater, and a scalable multi-threaded daemon running on an anti-virus engine from a shared library. [2] The application features a Milter interface for sent mail and on-demand scanning. It recognizes:

The ClamAV virus database is updated at least every four hours and as of 10 February 2017 contained over 5,760,000 virus signatures [12] with the daily update Virus DB number at 23040. [13] [14]

Real-time file scanning

In older Linux application versions, ClamAV did support real-time protection via the Fanotify add-on for the Linux kernel (version 3.8 and later.) [15] Alternatively, one could use ClamFS (for any Unix-like operating system supporting FUSE).

Nowadays, the Real-Time Protection in Linux Systems, is provided through ClamAV's ClamOnAcc application (under the name of "On-Access Scanning") – which uses Clamd to provide real-time protection by scanning files when they are accessed. [16]

In other words, the On-Access Scanner can detect and prevent access to malicious files based on the verdict received from Clamd. [16] By default, it operates in "notify-only mode", alerting users of any threats detected without actively blocking file access. [16]

Enabling "prevention mode" can considerably impact performance, especially in commonly accessed directories, so it is advised to use it judiciously. [16]

In order to use ClamOnAcc, users need to first run clamd and then start the On-Access Scanner as root (to leverage its kernel event detection and intervention capabilities). [16]

Configuration for On-Access Scanning is primarily done through clamd.conf, with additional options available in the On-Access Scanning User Guide. [16]

Users can run multiple instances of ClamOnAcc simultaneously with different configurations, allowing for customized protection settings for various directories. [16]

ClamOnAcc (v0.102+) is a client application that operates alongside clamd (the ClamAV daemon), to perform On-Access Scanning. [16]

Regarding previous versions that were meant for Microsoft Windows, a free, open-source app called Clam Sentinel did use to detect file changes and scanned modified files using ClamWin. [17] It did work with Windows 98 and later. In addition to on-access scanning, it used to feature optional system change messages and proactive heuristic protection. [18]

Effectiveness

In the 2008 AV-TEST comparison of antivirus tools, ClamAV scored poorly in on-demand detection, avoiding false positives, and rootkit detection. [19]

In a Shadowserver six-month test between June and December 2011, ClamAV detected over 75.45% of all viruses tested, putting it in fifth place behind AhnLab, Avira, BitDefender and Avast. AhnLab, the top antivirus, detected 80.28%. [20]

In 2022 Splunk conducted an efficacy study involving 416,561 malware samples sourced from MalwareBazaar, bucketed as follows: 106135 Banking Trojans (trojans targeted towards stealing financial information); 26875 Botnets (malware for making the victim a part of a botnet); 190371 Information Stealers (programs designed to steal client information. E.g. Keyloggers); 52422 Loaders (program that loads one or more other malicious programs – that is, a stager that fetches harmful things directly into memory); 1321 Miners (crypto currency miners); 30251 RATs (Remote access tools. E.g. Backdoors); and 8273 Trojans (a generic multipurpose malware that harms the user in different ways – generally disguises itself and delivered by tricking the user). Splunk's study concluded ClamAV was 59.94% effective overall at detecting commodity malware – being able to detect 249,696/416,561 samples. [21]

In that same study, ClamAV performed relatively well at detecting certain types of malware in certain types of files (E.g. DOCX files, DIL files, ELF files, DOC files and EXE files), but was less effective in detecting malware in JAR files, JS files, VBS files, Z files, RAR files, and XLSB files. In addition, ClamAV performed well to detect a few top level categories of malware like Trojans & Botnets but performed poorly on other malware types like Crypto Miners, RATs and Info Stealers. [22]

Unofficial databases

The ClamAV engine can be reliably used to detect several kinds of files. In particular, some phishing emails can be detected using antivirus techniques. However, false positive rates are inherently higher than those of traditional malware detection. [23]

There are several unofficial databases for ClamAV:

ClamAV Unofficial Signatures are mainly used by system administrators to filter email messages. [26] Detections of these groups should be scored, rather than causing an outright block of the "infected" message. [24]

Platforms

Linux, BSD

ClamAV is available for Linux and BSD-based operating systems. [2] In most cases it is available through the distribution's repositories for installation.

On Linux servers ClamAV can be run in daemon mode, servicing requests to scan files sent from other processes. These can include mail exchange programs, files on Samba shares, or packets of data passing through a proxy server.

On Linux and BSD desktops ClamAV provides on-demand scanning of individual files, directories or the whole PC. [2]

macOS

macOS Server has included ClamAV since version 10.4. It is used within the operating system's email service. A paid-for graphical user interface is available from Canimaan Software Ltd [27] in the form of ClamXav. [28] Additionally, Fink, Homebrew and MacPorts have ported ClamAV.

Another program which uses the ClamAV engine on macOS, is Counteragent. Working alongside the Eudora Internet Mail Server program, Counteragent scans emails for viruses using ClamAV and also optionally provides spam filtering through SpamAssassin.

OpenVMS

ClamAV for OpenVMS is available for DEC Alpha and Itanium platforms. The build process is simple and provides basic functionality, including library, the clamscan utility, the clamd daemon, and freshclam for update. [29]

Windows

There are IA-32 and x64 variants of ClamAV available for Windows; additionally, Cisco's Immunet uses ClamAV as its engine. [30]

OS/2

A port of ClamAV is available for OS/2 (including eComStation and ArcaOS) with a native UI written in REXX. [31] [32]

Graphical interfaces

Since ClamAV does not include a graphical user interface (GUI) but instead is run from the command line, a number of third-party developers have written GUIs for the application for various platforms and uses.

These include:

ClamTk 5.27 running on Lubuntu 19.04 ClamTk 5.27.png
ClamTk 5.27 running on Lubuntu 19.04

ClamWin

ClamWin running on Windows XP ClamWin on Windows XP.png
ClamWin running on Windows XP

ClamWin is a graphical user interface front-end ClamWin Pty Ltd. developed for ClamAV on Microsoft Windows. Features include on-demand (user-started) scanning, automatic updates, scheduled scanning, and integration with File Explorer and Microsoft Outlook. ClamWin does not provide on-access scanning. A Firefox add-on enables ClamWin to scan downloaded files. [40] [41] Several other extensions allow users to process downloaded files with any software and scan the files with ClamWin. [42] [43] [44] [45]

See also

Related Research Articles

<span class="mw-page-title-main">Antivirus software</span> Computer software to defend against malicious computer viruses

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

<span class="mw-page-title-main">Spybot – Search & Destroy</span> Spyware removal software

Spybot – Search & Destroy (S&D) is a spyware and adware removal computer program compatible with Microsoft Windows. Dating back to the first Adwares in 2000, Spybot scans the computer hard disk and/or RAM for malicious software.

<span class="mw-page-title-main">ESET NOD32</span> Computer protection software

ESET NOD32 Antivirus, commonly known as NOD32, is an antivirus software package made by the Slovak company ESET. ESET NOD32 Antivirus is sold in two editions, Home Edition and Business Edition. The Business Edition packages add ESET Remote Administrator allowing for server deployment and management, mirroring of threat signature database updates and the ability to install on Microsoft Windows Server operating systems.

Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.

<span class="mw-page-title-main">ClamWin Free Antivirus</span>

ClamWin Free Antivirus is a free and open-source antivirus tool for Windows. It provides a graphical user interface to the Clam AntiVirus engine.

<span class="mw-page-title-main">Microsoft Defender Antivirus</span> Anti-malware software

Microsoft Defender Antivirus is an antivirus software component of Microsoft Windows. It was first released as a downloadable free anti-spyware program for Windows XP and was shipped with Windows Vista and Windows 7. It has evolved into a full antivirus program, replacing Microsoft Security Essentials in Windows 8 or later versions.

Norton Internet Security, developed by Symantec Corporation, is a discontinued computer program that provides malware protection and removal during a subscription period. It uses signatures and heuristics to identify viruses. Other features include a personal firewall, email spam filtering, and phishing protection. With the release of the 2015 line in summer 2014, Symantec officially retired Norton Internet Security after 14 years as the chief Norton product. It was superseded by Norton Security, a rechristened adaptation of the original Norton 360 security suite. The suite was once again rebranded to Norton 360 in 2019.

<span class="mw-page-title-main">Windows Live OneCare</span> Discontinued Microsoft security software

Windows Live OneCare was a computer security and performance enhancement service developed by Microsoft for Windows. A core technology of OneCare was the multi-platform RAV, which Microsoft purchased from GeCAD Software Srl in 2003, but subsequently discontinued. The software was available as an annual paid subscription, which could be used on up to three computers.

<span class="mw-page-title-main">ClamTk</span> Computer antivirus software for Linux

ClamTk is a free and open-source graphical interface for the ClamAV command-line antivirus software program for Linux desktop users. It provides both on-demand and scheduled scanning. The project was started by Dave Mauroni in February 2004. As of April 2024, the program is no longer maintained.

<span class="mw-page-title-main">Kaspersky Anti-Virus</span> Antivirus solution

Kaspersky Anti-Virus is a proprietary antivirus program developed by Kaspersky Lab. It is designed to protect users from malware and is primarily designed for computers running Microsoft Windows and macOS, although a version for Linux is available for business consumers.

<span class="mw-page-title-main">Kaspersky Internet Security</span> Internet security suite developed by Kaspersky Lab

Kaspersky Internet Security is a internet security suite developed by Kaspersky Lab compatible with Microsoft Windows and Mac OS X. Kaspersky Internet Security offers protection from malware, as well as email spam, phishing and hacking attempts, and data leaks. Kaspersky Lab Diagnostics results are distributed to relevant developers through the MIT License.

<span class="mw-page-title-main">VirusTotal</span> Cybersecurity website owned by Chronicle

VirusTotal is a website created by the Spanish security company Hispasec Sistemas. Launched in June 2004, it was acquired by Google in September 2012. The company's ownership switched in January 2018 to Chronicle, a subsidiary of Google.

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

<span class="mw-page-title-main">Microsoft Security Essentials</span> Discontinued antivirus product for Microsoft Windows

Microsoft Security Essentials (MSE) is a discontinued antivirus software (AV) product that provides protection against different types of malicious software, such as computer viruses, spyware, rootkits, and Trojan horses. Prior to version 4.5, MSE ran on Windows XP, Windows Vista, and Windows 7, but not on Windows 8 and later versions, which have built-in AV components known as Windows Defender. MSE 4.5 and later versions do not run on Windows XP. The license agreement allows home users and small businesses to install and use the product free of charge.

<span class="mw-page-title-main">Dr.Web</span> Antivirus software suite

Dr.Web is a software suite developed by Russian anti-malware company Doctor Web. First released in 1992, it became the first anti-virus service in Russia.

<span class="mw-page-title-main">Trend Micro Internet Security</span> Antivirus and online security software

Trend Micro Internet Security is an antivirus and online security program developed by Trend Micro for the consumer market. According to NSS Lab comparative analysis of software products for this market in 2014, Trend Micro Internet Security was fastest in responding to new internet threats, but as of June 2024 based on the chat support there is no known mechanism as with Microsoft Defender Antivirus to submit false positives like "Incorrectly detected as malware/malicious" or "Incorrectly detected as PUA " which may point to cutting corners and be the cause of application mislabeling e.g. as ransomware, while the mechanism for detecting real threats is not specified.

Avira Operations GmbH & Co. KG is a German multinational computer security software company mainly known for its Avira Free Security antivirus software. Although founded in 2006, the Avira antivirus application has been under active development since 1986 through its predecessor company H+BEDV Datentechnik GmbH. Since 2021, Avira has been owned by American software company NortonLifeLock, which also operates Norton, Avast and AVG. It was previously owned by investment firm Investcorp.

<span class="mw-page-title-main">FreeFileSync</span> Freeware file synchronization program

FreeFileSync is a program used for file synchronization. It is available on Windows, Linux and macOS. The project is backed by donations. Donors get access to a Donation Edition that contains a few additional features such as an auto-updater, parallel sync, portable version, and silent installation. FreeFileSync has received positive reviews.

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites through the means of altering the DNS settings of a victim's computer. The malware strain was first discovered by Microsoft Malware Protection Center on December 7, 2006 and later detected by McAfee Labs on April 19, 2009.

References

  1. Micah Snyder (4 September 2024). "ClamAV 1.4.1, 1.3.2, 1.0.7, and 0.103.12 security patch versions published" . Retrieved 4 September 2024.
  2. 1 2 3 4 5 ClamAV (2007). "About ClamAV" . Retrieved 2008-12-25.
  3. ClamAV (2007). "ClamAV Packages and Ports". Archived from the original on 2008-07-20. Retrieved 2008-12-31.
  4. Celebrating 20 years of ClamAV
  5. Sourcefire acquires ClamAV
  6. Cisco Acquires Cybersecurity Company Sourcefire For $2.7B
  7. "Trend Micro patent claim provokes FOSS community, leads to boycott". Linux.com. 2008-02-11. Retrieved 2008-02-12.
  8. "Boycott Trend Micro". Free Software Foundation. 2008-02-11. Retrieved 2008-02-12.
  9. Paul, Ryan (2008-07-02). "Barracuda bites back at Trend Micro in ClamAV patent lawsuit". Arstechnica.com. Retrieved 2012-02-14.
  10. "Ex Parte Reexamination" (PDF). U.S. Patent and Trademark Office. 2011-05-19. Retrieved 2015-10-04.
  11. "Anatomy of a Dying Patent – The Reexamination of Trend Micro's '600 Patent". Groklaw.net. 2011-06-13. Retrieved 2015-10-04.
  12. "Introduction – ClamAV Documentation". docs.clamav.net. Retrieved 2024-03-09.
  13. "About ClamAV". Archived from the original on 2008-11-20. Retrieved 2008-12-25.
  14. "Latest Stable Release". Archived from the original on 2010-09-18. Retrieved 2010-08-21.
  15. Sola, Mickey. "Configuring On-Access Scanning in ClamAV".
  16. 1 2 3 4 5 6 7 8 "Scanning – ClamAV Documentation". docs.clamav.net. Retrieved 2024-05-02.
  17. Cyber Pillar. "Clam Sentinel – Making ClamWin Be Used In Real-Time". Archived from the original on 2014-08-19. Retrieved 2014-09-01.
  18. "Clam Sentinel" . Retrieved 2014-06-19.
  19. "Anti-virus comparison test of current anti-malware products, Q1/2008". AV-Test GmbH. 22 January 2008. Archived from the original on 15 July 2011. Retrieved 12 February 2008.
  20. "ShadowServer 180 Day Stats". shadowserver.org. 2011-08-16. Archived from the original on 2011-11-27. Retrieved 2011-12-16.
  21. "How Good is ClamAV at Detecting Commodity Malware?". Splunk-Blogs.
  22. "How Good is ClamAV at Detecting Commodity Malware?". Splunk-Blogs.
  23. Brad Wardman; Tommy Stallings; Gary Warner; Anthony Skjellum (5 August 2011). "High-Performance Content-Based Phishing Attack Detection" (PDF). uab.edu. Retrieved 19 March 2018.
  24. 1 2 Sanesecurity Phishing, Scam and Malware signatures for ClamAV Archived 2015-09-10 at the Wayback Machine
  25. SecuriteInfo.com Add 4.000.000 signatures to ClamAV Antivirus
  26. "ClamAV Unofficial Signatures Updater". sourceforge.net. 24 May 2009. Retrieved 2 September 2014.
  27. 1 2 "About us". ClamXAV. Retrieved 2017-07-15.
  28. ClamXav.com (n.d.). "ClamXAV.com" . Retrieved 2009-01-24.{{cite web}}: CS1 maint: year (link)
  29. Chupahin, Alexey (December 2008). "Clam AntiVirus OpenVMS Project News". Archived from the original on 2011-10-06. Retrieved 2008-12-25.
  30. "Alternate Versions of ClamAV". clamav.net. Cisco Systems. Archived from the original on 22 November 2021. Retrieved 26 November 2021. Immunet, powered by ClamAV, is a [...] Windows desktop anti-virus (AV) solution
  31. 1 2 "My graphical user interface for "ClamAV"" . Retrieved 2020-09-03.
  32. "Clamav, ClamAV-GUI (Rexx & QT4) & eCSClamav" . Retrieved 2020-09-03.
  33. Mauroni, Dave (December 2008). "ClamTk Virus Scanner" . Retrieved 2008-12-25.
  34. "use clamav with nodejs". manjeet.info. Retrieved 2024-07-01.
  35. Mauroni, Dave (October 2008). "ClamTk README". Archived from the original on 2011-09-14. Retrieved 2008-12-26.
  36. KlamAV F. (May 2006). "KlamAV – Main Page" . Retrieved 2013-03-04.
  37. Saracco, Emmanuel. "wbmclamav – The Webmin ClamAV Antivirus manager". wbmclamav.esaracco.fr.
  38. ClamXav.com (November 2008). "ClamXav.com" . Retrieved 2008-12-25.
  39. 1 2 "CS Anti-Virus description". Softpedia.com. 2009-03-23. Retrieved 2010-11-09.
  40. "FireClam: Use ClamAV to scan Firefox downloads for viruses". Firefox Addons. Retrieved 2009-11-02.
  41. "ClamWin Antivirus Glue for Firefox". Firefox Addons. Archived from the original on 2012-12-20. Retrieved 2008-04-15.
  42. "Download Scan". Downloadstatusbar.mozdev.org. 2005-08-19. Retrieved 2010-11-09.
  43. "Download Statusbar".
  44. "Safe Download". Extensions.geckozone.org. Retrieved 2010-11-09.
  45. ClamWin Pty Ltd (2009). "About ClamWin Free Antivirus". Archived from the original on 2010-01-25. Retrieved 2009-03-13.

Further reading