I have started a project which right now supports on-creation scanning for all logical drives; it's written in vb.net: https://sourceforge.net/projects/csav/
I want to thank you for this very beautiful application!
However, on-access scan is so important; without it it's not a useful scanner for a Win workstation.
I know how to handle unknown files, you know it, but does a regular user know this?
The answer is no...
I'll hope there is an OAS functionality very soon, keep up the good work!
Gerard
I'm currently reading up on file system filter drivers. Once I get a skeleton driver created, I'll try to hook in ClamAV. If anyone is working on this already, let me know.
I already have a file system filter. What needs to be done is a user-mode service that incorporates ClamAV scanning. I am waiting for ClamAV to include the mingw build in the source tree.
I'm glad to hear progress is being made in this area. I can't wait to try it out. Any ETA for the beta of this?
I have a working kernel filter driver for use on Windows 2k/XP/2003 that uses ClamAV as the scanning engine. Controlled by a user-mode GUI, specific filesystems can be hooked and scanned on access.
To balance performance with reliability the kernel keeps a running list of recent scans of files. If the file remains unchanged since the last scan, the GUI can configure the driver to allow access to the file without another scan.
The project is almost ready for public beta testing and the website will be up soon (www.clamrt.com).
-Adam
Yippee! Can't wait.
Hi Adam,
Thanks for the info and your earlier emails. I'd be very interested to take a look at your driver. As I already mentioned in some of the mailing list posts and bug reports, I have a version of a filter driver ready too (but nothing to say that it is better than yours, and I will consider all options).
However, the main problem at the moment is with porting ClamAV to native Windows code to eliminate the cygwin layer, which is very slow. There is a port by Boguslaw Brandys (www.bransoft.com); however, it has not yet been merged with the ClamAV source tree. We are currently trying to get this done and hopefully there will be results very soon.
I also have a question: how do you determine if the file is unchanged?
Regards,
Alex
The instructions at Boguslaw Brandys' website are what I used to port ClamAV to Windows and compile the necessary LIB and DLL files for v0.83. The cygwin layer adds a huge overhead which I wanted to avoid in the real-time scanner, and so far the native version is working out well.
What I do to determine if the file is unmodified is to keep a hash of recent files in memory, and when a file is modified (through calls such as IRP_MJ_WRITE or via IoQueryFileInformation) it is flagged for a re-scan.
If you would like, maybe we can try out my driver with ClamWin and see how much of a difference the cygwin layer makes as opposed to not having it? I'm not really familiar with Python or I'd be tempted to give it a shot :)
-Adam
That is great,
I haven't realised how close you are. Would you like to be added to the list of developers and send me the beta code so we can join forces?
Cheers,
Alex
Hi,
Alch: Windows port patches updated to the current ClamAV CVS are on my WWW page: http://www.bransoft.com/clamav.html :-)
You should have no problem with those patches; lastly I stuck to an old revision number and that was all the problems I didn't realize for a long time, sorry :-(
Regards
Boguslaw Brandys
Thanks Boguslaw, I will check it out.
Just out of curiosity: anything going on with on-access scanning? This thread seems to have been dead for almost two months...
Hi,
"On Access" should be difficult ...
What about "After Access"? This should be simpler to implement and it's good enough.
If I have a "scanned system", I must only scan the added files. To execute a virus, it must first be written to disk (download / installation) and it takes some time until it is executed (starting the app). During this time the file can be scanned.
The system performance is not slowed down too much.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fs/findfirstchangenotification.asp
http://cvs.sourceforge.net/viewcvs.py/syn/syn/uFileWatch.pas?rev=1.8.2.5
http://www.koders.com/delphi/fid5C70E0924B589CFBB2E0D899CD5E0444623221FE.aspx
Regards
Uwe
It is being developed and will be released, but I am sorry to say I don't know when. It's more complicated than originally thought and I have very little spare time to work on it.
I think it would be great if a donation option was posted on the main page and in the form for people to donate specifically toward hiring a programmer (maybe at www.rentacoder.com or something) to implement this.
Hello, I am the above anonymous poster, and I would like to contribute an idea (although it wasn't mine, I found it in an open source antivirus written in VB, found at http://pscode.com/vb/scripts/ShowCode.asp?txtCodeId=53497&lngWId=1 ). That idea is, instead of pure on-access scanning, automatically scanning the directory currently being browsed in Windows Explorer. I think this would be a great temporary fix.
I strongly oppose such a temporary solution. Scanning a file or folder being opened in Windows Explorer would only give users a false sense of security.
There are a lot of ways to execute a program without opening it in Windows Explorer. One simple example: a batch file that executes a program in a different folder.
The proposed solution would potentially do more harm.
Could it be an option that is defaulted to off then? That way, only people that knew what they were doing could use it?
Re proposal: automatically scanning the directory currently being browsed in Windows Explorer as an option in ClamWin turned off by default.
It wouldn't make sense, because a lot of users that aren't security conscious will turn it on. And those who are, and usually scan suspicious files before opening, can right-click on a folder and scan it.
What you suggest is very dangerous and easily exploitable. Even users who know what they are doing would miss a virus much more easily with such a feature.
Greetings
A thought about an approach to On-Access scanning. Python in Windows (with pywin) is able to list the current running processes by name and by executable path (have a rough working script if anyone is interested).
The list of Executable Paths (and name of process) can then be scanned by the engine to see if it matches the virus database (have checked and can use the command line version of ClamWin to do this with the Executable Path list).
This could easily be integrated into ClamWin by allowing the user to set a preference to check running processes every so often (once a day, every 10 minutes, etc) or on request even.
Whilst this is not real On Access scanning it can pick up running viruses eventually (more quickly than scanning physical folders).
If any of this is useful post a reply and I'll forward any material that I have, else thanks for a wonderful piece of software ;-).
Well, this solution does not enhance the system security.
It will detect a virus when it's already too late. And how often should it scan running processes, every X seconds? What if a virus only needs milliseconds to do its job and exit?
Hi alch,
I see that you are changing to native Windows; I hope that the wasting of memory that ClamWin makes now will stop. I am looking at Task Manager (process window) and see the following:
ClamWin.exe 11,826 KB;
clamscan.exe 8,916 KB;
ClamTray.exe 2,756 KB;
OlAddin.exe 4,967 KB despite MS Outlook.exe 3,228 KB
regards
danny
> Is there any way to avoid scanning those files for which the modification time hasn't changed since the recent Clam-Win/access scan on it? This would stop those files again and again if I re-schedule the scan every day ;)
No, such a feature is not available.
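As an added illustration (not ClamWin's or clamrt's code) of the "recent scans" cache Adam describes above, and of the skip-unchanged-files feature asked about in the last question: a user-mode scan cache in Python that fingerprints each file by size, mtime and content hash and hands only new or changed files to a toy engine that stands in for clamscan. The file names, the marker string and the engine are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Added illustration, not ClamWin's or clamrt's code. Size and mtime are the
# cheap check; the content hash catches a write that leaves the timestamp alone.
MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a signature hit

def fingerprint(path):
    """Return (size, mtime_ns, sha256 hex); the hash is chunked for large files."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return st.st_size, st.st_mtime_ns, digest.hexdigest()

def demo_engine(path):
    """Toy scanner standing in for clamscan: flags files containing MARKER."""
    return "FOUND" if MARKER in path.read_bytes() else "OK"

class ScanCache:
    def __init__(self, engine):
        self.engine = engine
        self.seen = {}  # path -> (fingerprint, verdict)
        self.engine_calls = 0

    def scan(self, path):
        """Return (verdict, rescanned); an unchanged file reuses its verdict."""
        fp = fingerprint(path)
        entry = self.seen.get(path)
        if entry is not None and entry[0] == fp:
            return entry[1], False
        self.engine_calls += 1
        verdict = self.engine(path)
        self.seen[path] = (fp, verdict)
        return verdict, True

def run_demo():
    """Scan two constructed files, repeat, rewrite one; return what happened."""
    cache = ScanCache(demo_engine)
    with tempfile.TemporaryDirectory() as tmp:
        paths = [Path(tmp) / n for n in ("clean.txt", "dropped.exe")]
        for p in paths:
            p.write_bytes(b"constructed sample")
        first = [cache.scan(p) for p in paths]   # both new: engine runs twice
        repeat = [cache.scan(p) for p in paths]  # unchanged: served from cache
        paths[1].write_bytes(MARKER)             # file rewritten on disk
        changed = cache.scan(paths[1])           # changed: engine runs again
        return first, repeat, changed, cache.engine_calls
```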