Hey, ClamSentinel is awesome, but it would be even more useful if you would ask the user what to do with the suspicious file (ignore forever / ignore once / quarantine / delete) ...and mention the file and its path as well as the category (virus or PUA or Trojan horse) and the name as mentioned in the definitions.
Eg.:
"Virus XYZ is found by Clam Sentinel.
C:/Virus/virus.exe
Execution of the file has been stopped so far.
What would you like to do with the suspicious file?
[ignore forever] [ignore once] [quarantine (recommended)] [delete from system (not recommended)] "
If the user presses [ignore once], Clam Sentinel will ask the same question again next time. If the user selects [ignore forever], Clam Sentinel will remember the file and will not ask again unless the file is changed.
Clam Sentinel does not stop the execution of a file. There is already a setting for what to do when an infected file is found.
Yet I think blocking files is essential for proper functionality of an AV. I just ran the EICAR test string and it was displayed, so in the real world I'm fubar; the only difference is that I know it.
EICAR is harmless. It is merely a test. It is not executable and therefore can not harm a computer. Behaviour blockers and similar AV/security software do not detect EICAR. Clam Sentinel is designed to initially detect a malicious executable file when it is added to, copied to, or modified on your computer. It does this with the built-in system monitor, and it will detect a malicious executable in a very short time (it has been tested to detect/quarantine 30 executables in about 10/12 seconds). If the executable file is not detected as malicious, then Clam Sentinel will scan it with ClamWin to see if it matches a ClamWin signature. Sentinel also relies entirely on the ClamWin signatures to detect files that are not executable--like documents, PDF, html, etc. Unfortunately, ClamWin scans very slowly, and the ClamWin signatures are mediocre, so we can only hope that a malicious file is not active before ClamWin scans it. That is why we recommend at least 1 daily scan with Malwarebytes Free or Microsoft Security Essentials as extra protection.
Regards,
On Mon, Feb 24, 2014 at 2:26 AM, ctrl ctrlbru@users.sf.net wrote:
I beg to differ: the EICAR test string is of course executable and that's exactly its peculiarity. It has been designed to be easy to copy and paste because it's a sequence of ASCII chars, but it's a "regular" COM file using int21 to write to stdout. It doesn't run anymore on the x64 architecture just because NTVDM is missing there, but it still runs on 32-bit and displays a text string in the console.
It is not harmful, right, but all AV software detects it as a regular threat because it's a test, otherwise it wouldn't be useful at all, and so does clamav, of course:
dario@sandy:~$ clamscan /tmp/vtest.com
/tmp/vtest.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 3233585
Engine version: 0.97.8
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 4.688 sec (0 m 4 s)
So I don't know if clamsentinel has some specific logic on the EICAR test, but I don't see why it should. I thought this program was there to fill the gap between clamav and a windows native antivirus, since clamav lacks a realtime scanner. So as a consequence I imagined it would lock access to files waiting for clamav clearance, but since it doesn't with EICAR (I was able to save the file on my pc with clamsentinel active and then run it), I guess I misunderstood and it's not the way it's meant to be, my bad.
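As an added example, not part of this thread and not Clam Sentinel's or ClamAV's own code: a small Python scanner that applies the published EICAR file rules dario's clamscan run relies on (the 68-byte string at offset 0, nothing but whitespace after it, file no longer than 128 bytes), combined with a hash-keyed "ignore forever" list of the kind ctrl's feature request describes, so an ignored file is flagged again as soon as its contents change. The test string is assembled from two halves only so that this source file is not itself quarantined by an on-access scanner; the sample files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Official 68-byte EICAR test string, split in two so on-access scanners
# do not flag this source file; it is joined at runtime.
_EICAR_PARTS = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
                b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR = b"".join(_EICAR_PARTS)

def is_eicar(data: bytes) -> bool:
    """EICAR rules: string first, only whitespace after it, <= 128 bytes total."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip(b" \t\r\n") == b""

def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

class IgnoreList:
    """'Ignore forever' keyed by content hash: a modified file is re-flagged."""
    def __init__(self) -> None:
        self._hashes: dict[str, str] = {}
    def ignore_forever(self, path: str) -> None:
        self._hashes[path] = sha256_of(path)
    def is_ignored(self, path: str) -> bool:
        return self._hashes.get(path) == sha256_of(path)

def scan_dir(root: str, ignore: IgnoreList) -> list[str]:
    """Return sorted paths of EICAR files under root that are not ignored."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            with open(p, "rb") as f:
                data = f.read(129)  # 129 so an over-long file is rejected
            if is_eicar(data) and not ignore.is_ignored(p):
                hits.append(p)
    return sorted(hits)

def demo() -> tuple[int, int, int]:
    """Constructed sample: hits before ignoring, after ignoring, after a change."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "vtest.com")
        with open(p, "wb") as f:
            f.write(EICAR + b"\r\n")                  # valid test file
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"Hello " + EICAR)               # not at offset 0: no hit
        ignore = IgnoreList()
        before = len(scan_dir(d, ignore))
        ignore.ignore_forever(p)
        after = len(scan_dir(d, ignore))
        with open(p, "ab") as f:
            f.write(b" ")                            # still EICAR, hash changed
        return before, after, len(scan_dir(d, ignore))
```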