Two questions?

goldencut
2014-05-29
2014-06-04
  • goldencut (2014-05-29)

    Been using CS for about a month and I'm getting used to it.
    It easily hogs a whopping 50% on my oldish x61s, so it made me wonder whether using the console-based, and therefore maybe somewhat 'lighter', clamav would be a better choice than clamwin, since the ClamWin GUI is not needed anyway?
    The other question/request would be: why wouldn't CS have an option to update the clamwin sig database? Running ClamTray just for it to run db updates seems somewhat redundant; could CS take up this task, or provide a menu 'shortcut' to it, since it's always running anyway, and save some system resources?
    Anyway, thanks for CS.

    • Hello:

      Thank you for using Clam Sentinel. I am sure that developer Andrea Russo
      will answer your question, but I want to take a crack at it first.

      A strictly console application based on Clam AV would probably save
      memory/code, but I think there would have to be some changes to the code
      due to Clam AV being developed for Linux email scanners. The code would
      have to accommodate the various versions of Windows, which would entail some
      precious time/effort, and it would have to be continuing as new features
      are developed by the Clam AV team. ClamWin was originally selected for the
      Clam Sentinel scanner because it is widely used and already supported
      various Windows versions. Memory usage is not such a big problem on the
      newer Windows machines. Also, we hope that ClamWin will at some point
      update to a modern version. There is not much that can be done, as Clam
      Sentinel is a separate project written in Delphi, and ClamWin is written in
      Python/C++.

      There is no option to update the ClamWin (Clam AV) database in Clam
      Sentinel because it would duplicate the ClamWin update code. Just set
      ClamWin to update hourly, and that should be fine. Clam Sentinel is a very
      lean program since it uses the ClamWin scan code. Clam Sentinel was
      originally set up to use only the ClamWin scanner, but it now has its own
      heuristic scanner (system monitor) that is not dependent upon ClamWin and
      the Clam AV signatures for identifying malware. The Clam
      Sentinel heuristics will spot most Windows PE malware before signatures are
      even developed by the Clam AV sigmakers, which can take a week or longer.
      It appears that ClamWin is becoming a backup to Clam Sentinel!

      Regards,


  • Andrea Russo (2014-05-31)

    ClamSentinel doesn't use ClamWin; it uses only ClamScan.exe, which differs very little from the same program that is released with ClamAV.
    If you want to have a menu entry to update the ClamWin signatures, add this line to the ClamSentinel.ini file:

    UpdateClamDB=1

    With this option you can update the signatures manually (but not automatically).

    Andrea Russo

  • goldencut (2014-06-03)

    Wow, thanks for all the information. The .ini update key works really nicely.
    In the .ini there was a key UseLocalIniFile=0. Is that the same as "use .ini in program folder"?

    PS. Something I noticed - does CS tag all UPX-packed executables as 'very suspicious'?

    • The UseLocalIniFile setting tells Clam Sentinel where its .ini
      (configuration) file is located. Zero means it is located in the %appdata%
      roaming folder. If it is set to 1, that means it is located in the local
      (Clam Sentinel program) folder.

      Clam Sentinel only detects a file as suspicious if it has a virus
      profile--the packer/compressor used does not matter. Unfortunately, some
      "good" files have such a profile. Clam Sentinel tries to allow for this by
      looking for more than one profile in certain situations, but some "good"
      files will still meet more than one virus profile.

      Regards,
