Clam AntiVirus — a GPL Virus Scanner

by Thomas Hedden

In a previous issue of Open Source Update I wrote about Cygwin, a Linux-like environment for Windows®. Readers of that article will be interested to learn about Clam AntiVirus, which will run on Cygwin, as well as on Linux and other platforms.

The only things certain in life are death and taxes, so the saying goes. And antivirus software too, of course, in the age of computers. As the number of mouths to feed in the family grows, the number of computers grows along with it, and it would be nice to be able to use the old computers in the closet that were paid for long ago. But no! It is not safe to do so without additional subscriptions to antivirus software! And commercial antivirus packages get expensive as the number of users increases.

Enter Clam AntiVirus. You can use it free, as long as you are running an operating system such as Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, or Mac OS X on a hardware platform such as Intel, Alpha, Sparc, Cobalt MIPS boxes, PowerPC, or RISC 6000. Or if you are running Windows and you have installed Cygwin. Clam AntiVirus is a standard part of the Cygwin distribution. It is not part of the "base" package, but it is freely available if requested during installation or an update.

If you run Windows and do not yet have Cygwin, see my article about Cygwin for information about getting it. When installing it, make sure to ask for Clam AntiVirus. If you have already installed Cygwin, run the Cygwin Setup program again to get it. Clam AntiVirus can be found under the "Utils" category, as shown in the following screen shot:

Screen shot of "Select Packages" window of Cygwin Setup program showing the Util packages tree expanded and the binaries selected for the package clamav.

As explained in the previous article, the plus and minus signs in the "Category" column expand and collapse the "tree" to show or hide detail, respectively. The boxes in the middle columns labeled "Bin?" and "Src?" (which may be abbreviated as "B..." and "S...", respectively), indicate whether or not a package is selected (an "x" indicates that it is selected). To toggle the selection, that is whether or not the package is selected, click on the little circles with the two arrows pointing around the circle in the clockwise direction. So, to get Clam AntiVirus, click on the plus sign next to the "Utils" category to show the details, and then click on the circle with two arrows on the line for "clamav" to select this package. After that, click on the "Next" button and proceed with the Setup program as described in the previous article.

Clam AntiVirus is used as follows. First, open the Cygwin window. Then, to scan for viruses, type the command "clamscan". If you type the command without any arguments, it will scan only the current directory. If you want it to scan a particular directory, type the command "clamscan directory_name". To scan that directory and all subdirectories of it, type the command "clamscan -r directory_name" (where the option "-r" stands for "recursive"). Remember that Cygwin establishes its own home directory, which is within the Cygwin directory. If you want to scan your "My Documents" directory, you should issue the following command:

$ clamscan -r '/cygdrive/c/My Documents'

Remember that the Cygwin shell is case-sensitive and also that folders containing spaces must be enclosed in single or double quotation marks. Also note that the shell uses forward slashes, as in the Unix world, rather than backslashes, as in DOS or Windows, even though you are working on a Windows computer. So, for example, if you want to scan a subdirectory called "Translations" within your "My Documents" directory, you should issue the following command:

$ clamscan -r '/cygdrive/c/My Documents/Translations'

To test Clam, I followed the instructions on the Symantec website for creating an EICAR test file, and put it in the "My Documents" folder:

Screen shot of Windows 2000 desktop showing Cygwin window containing the Clam command to scan the "My Documents" folder, along with the output of this command indicating that it discovered the EICAR test file in this folder; screen shot also shows the "My Documents" folder open and containing the EICAR test file.

Antivirus software is no better than its virus definitions, so they have to be kept current. To update Clam's virus definitions, type "freshclam". If you ever forget how to use Clam, type the command "clamscan -h" or "clamscan --help". To interrupt a scan that is taking too long, type "Ctrl-C". When you are done, type "exit" to close the Cygwin window.

If you want to use Clam in an environment other than Cygwin for Windows, you can get it on the Clam AntiVirus website. (If you forget the exact URL, click on "binary packages and ports" under the "Download" bullet item.)

For dyed-in-the-wool Windows users who do not want to use a command-line program, there is also ClamWin. ClamWin is a free antivirus program for Microsoft Windows 98/Me/2000/XP/2003. It provides a graphical user interface to the Clam AntiVirus engine. It is installed in the same way as any other Windows program, by launching a Setup program. The options and questions asked during installation are very straightforward. Here is the ClamWin application window after it has been installed and launched:

Screen shot showing ClamWin application window on a Windows 2000 desktop showing the A:, C:, D: and E: drives represented by icons.

The menu commands and the icons under the menu bar are very intuitive. The only thing that I did not find entirely intuitive was that when the program first opens, the screen it displays represents the various Windows "drives" (C:, etc.) by icons rather than by the customary little squares with plus signs in them. It is necessary to double-click on these drive icons to show the detail beneath them. After that, the customary little squares are used to show or hide detail.

I tested ClamWin the same way that I tested Clam AntiVirus, this time putting the test file on a diskette. Here is the report it produced:

Screen shot of ClamWin's Scan Status window reporting discovery of EICAR test file.

Some of the better commercial antivirus packages are quite good, and include features such as Auto-Protect, automatic LiveUpdate, etc., and Clam does not have all these bells and whistles. For example, there is no Auto-Protect feature: To detect a virus it is necessary to scan a file or directory explicitly. However, this scanning need not be done manually; that is, ClamWin can be configured to do this automatically on a regular schedule. Furthermore, not all commercial packages do a very good job of automatic protection: The EICAR test file has been sitting on my laptop the entire time I have been writing this article, but McAfee still has not found it. (On the computer I used to write this article, Norton AntiVirus did find it, and did this so quickly that I had to turn off NAV to run the tests with Clam.) Another thing to consider is that features such as Auto-Protect degrade performance all the time, whereas scanning at regular intervals does not. As usual, there is a tradeoff between security and convenience.

Clam's virus definitions tend to be quite up-to-date (if you remember to update them, that is), and it is extremely fast. For this reason, some systems administrators use Clam on servers and write scripts to run it automatically at regular intervals to accomplish the same thing as the "Auto-Protect" function of some commercial products.
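A scheduled scan of the kind described above could look like the following sketch, which is an added example and not a script from this article or from the Clam AntiVirus project. It updates the definitions with freshclam, scans each directory with "clamscan -r", and acts on clamscan's exit status (0 = nothing found, 1 = virus found, anything else = error); the function names, the CLAM_LOG variable and the log path are assumptions.

```shell
#!/bin/sh
# Scheduled Clam AntiVirus scan (added example; names and log path are assumed).
# Usage: clam-nightly.sh DIRECTORY [DIRECTORY ...]

LOG="${CLAM_LOG:-$HOME/clamscan.log}"   # assumed log location

# Translate clamscan's exit status into a one-word verdict.
verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan every directory given as an argument and print "verdict<TAB>directory".
# Returns the highest status seen, so any non-zero result can raise an alert.
scan_dirs() {
    worst=0
    for dir in "$@"; do
        status=0
        if [ ! -d "$dir" ]; then
            status=2                     # a missing directory counts as an error
        else
            # -r: recurse, -i: list only infected files, --log: keep a report
            clamscan -r -i --log="$LOG" "$dir" >/dev/null 2>&1 || status=$?
        fi
        printf '%s\t%s\n' "$(verdict "$status")" "$dir"
        if [ "$status" -gt "$worst" ]; then
            worst=$status
        fi
    done
    return "$worst"
}

# Only act when directories were named on the command line.
if [ "$#" -gt 0 ]; then
    # Stale definitions weaken the scan, so update first but scan regardless.
    freshclam >/dev/null 2>&1 || echo "warning: freshclam update failed" >&2
    rc=0
    scan_dirs "$@" || rc=$?
    exit "$rc"
fi
```

Run from cron (also available under Cygwin), a non-zero exit status is the signal to look at the log; the script name clam-nightly.sh is a placeholder.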

Copyright © 2006-2010 Thomas Hedden