ClamAV
ClamAV is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses. It was developed for Unix and has third party versions available for AIX, BSD, HP-UX, Linux, macOS, OpenVMS, OSF, Solaris and Haiku. As of version 0.97.5, ClamAV builds and runs on Microsoft Windows. Both ClamAV and its updates are made available free of charge. One of its main uses is on mail servers as a server-side email virus scanner.
History
ClamAV was initially released with version 0.10 on 8 May 2002, by Polish university student Tomasz Kojm. In 2007, it was acquired by Sourcefire, which in turn was acquired by Cisco in 2013 and now operates under its Talos cybersecurity division.Patent lawsuit
In 2008, Barracuda Networks was sued by Trend Micro for its distribution of ClamAV as part of a security package. Trend Micro claimed that Barracuda's utilization of ClamAV infringes on a software patent for filtering viruses on an Internet gateway. The free software community responded in part by calling for a boycott against Trend Micro. The boycott was also endorsed by the Free Software Foundation. Barracuda Networks counter-sued with IBM-obtained patents in July 2008. On 19 May 2011, the U.S. Patent and Trademark Office issued a Final Rejection in the reexamination of Trend Micro's U.S. patent 5623600.Features
ClamAV includes a command-line scanner, automatic database updater, and a scalable multi-threaded daemon running on an anti-virus engine from a shared library. The application features a Milter interface for sent mail and on-demand scanning. It recognizes:- ZIP, RAR, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, and SIS formats
- Most mail file formats
- ELF and Portable Executable files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, and Upack, or obfuscated with SUE, Y0da Cryptor.
- Office Open XML file formats, HTML, Rich Text Format and Portable Document Format.
Real-time file scanning
In older Linux application versions, ClamAV did support real-time protection via the Fanotify add-on for the Linux kernel Alternatively, one could use ClamFS.Nowadays, the Real-Time Protection in Linux Systems, is provided through ClamAV's ClamOnAcc application – which uses Clamd to provide real-time protection by scanning files when they are accessed.
In other words, the On-Access Scanner can detect and prevent access to malicious files based on the verdict received from Clamd. By default, it operates in "notify-only mode", alerting users of any threats detected without actively blocking file access.
Enabling "prevention mode" can considerably impact performance, especially in commonly accessed directories, so it is advised to use it judiciously.
In order to use ClamOnAcc, users need to first run clamd and then start the On-Access Scanner as root.
Configuration for On-Access Scanning is primarily done through clamd.conf, with additional options available in the On-Access Scanning User Guide.
Users can run multiple instances of ClamOnAcc simultaneously with different configurations, allowing for customized protection settings for various directories.
ClamOnAcc is a client application that operates alongside clamd, to perform On-Access Scanning.
Regarding previous versions that were meant for Microsoft Windows, a free, open-source app called Clam Sentinel did use to detect file changes and scanned modified files using ClamWin. It did work with Windows 98 and later. In addition to on-access scanning, it used to feature optional system change messages and proactive heuristic protection.
Effectiveness
In the 2008 AV-TEST comparison of antivirus tools, ClamAV scored poorly in on-demand detection, avoiding false positives, and rootkit detection.In a Shadowserver six-month test between June and December 2011, ClamAV detected over 75.45% of all viruses tested, putting it in fifth place behind AhnLab, Avira, BitDefender and Avast. AhnLab, the top antivirus, detected 80.28%.
In 2022 Splunk conducted an efficacy study involving 416,561 malware samples sourced from MalwareBazaar, bucketed as follows: 106135 Banking Trojans ; 26875 Botnets ; 190371 Information Stealers ; 52422 Loaders ; 1321 Miners ; 30251 RATs ; and 8273 Trojans. Splunk's study concluded ClamAV was 59.94% effective overall at detecting commodity malware – being able to detect 249,696/416,561 samples.
In that same study, ClamAV performed relatively well at detecting certain types of malware in certain types of files, but was less effective in detecting malware in JAR files, JS files, VBS files, Z files, RAR files, and XLSB files. In addition, ClamAV performed well in detecting a few top level categories of malware like Trojans & Botnets but performed poorly on other malware types like Crypto Miners, RATs and Info Stealers.
Unofficial databases
The ClamAV engine can be reliably used to detect several kinds of malicious files. In particular, some phishing emails can be detected using antivirus techniques. However, false positive rates are inherently higher than those of traditional malware detection.There are several unofficial databases for ClamAV:
- Sanesecurity is an organization that maintains a number of such databases; in addition, they distribute and classify a number of similar databases from other parties, such as Porcupine, Julian Field, MalwarePatrol.
- SecuriteInfo.com also provides additional signatures for ClamAV.
Platforms
Linux, BSD
ClamAV is available for Linux and BSD-based operating systems. In most cases it is available through the distribution's repositories for installation.On Linux servers ClamAV can be run in daemon mode, servicing requests to scan files sent from other processes. These can include mail exchange programs, files on Samba shares, or packets of data passing through a proxy server.
On Linux and BSD desktops ClamAV provides on-demand scanning of individual files, directories or the whole PC.
macOS
has included ClamAV since version 10.4. It is used within the operating system's email service. A paid-for graphical user interface is available from Canimaan Software Ltd in the form of ClamXav. Additionally, Fink, Homebrew and MacPorts have ported ClamAV.Another program which uses the ClamAV engine on macOS is Counteragent. Working alongside the Eudora Internet Mail Server program, Counteragent scans emails for viruses using ClamAV and also optionally provides spam filtering through SpamAssassin.
OpenVMS
ClamAV for OpenVMS is available for DEC Alpha and Itanium platforms. The build process is simple and provides basic functionality, including library, theclamscan utility, the clamd daemon, and freshclam for update.Windows
There are IA-32 and x64 variants of ClamAV available for Windows; additionally, Cisco's Immunet uses ClamAV as its engine.OS/2
A port of ClamAV is available for OS/2 with a native UI written in REXX.Graphical interfaces
Since ClamAV does not include a graphical user interface but instead is run from the command line, a number of third-party developers have written GUIs for the application for various platforms and uses.These include:
File:ClamTk 6.18.1 screenshot.webp|thumb|ClamTk 6.18 running on openSUSE
- Linux
- * ClamTk using gtk3-perl; project is named for the Tk libraries that were used when it began
- * KlamAV for TDE
- * wbmclamav is a webmin module to manage Clam AntiVirus
- macOS
- * ClamXav is a port which includes a graphical user interfaces and has a "sentry" service which can watch for changes or new files in many cases. There is also an update and scanning scheduler through a cron job facilitated by the graphical interface. ClamXav can detect malware specific to macOS, Unix, or Windows. The ClamXav application and the ClamAV engine are updated regularly. ClamXav is written and sold by Canimaan Software Ltd.
- * Tiger Cache Cleaner is shareware software which installs and presents a graphic interface for using ClamAV to scan for viruses, and provides other unrelated functions.
- Microsoft Windows
- * Immunet
- * ClamWin
- * CS Antivirus
- * Graugon AntiVirus
- * Clam Sentinel
- OS/2
- * ClamAV-GUI
ClamWin