The Clam anti-virus or ClamAV is often an overlooked anti-virus solution. This free anti-virus was designed as an open source anti-virus for the Linux servers, especially for a protection of the e-mail services. Today it can be used on the different platforms, including Microsoft Windows, Apple OS X or the FreeBSD.
Although Cisco acquired ClamAV in 2013, it’s still a free open-source product. Cisco based their own (an Immunet project) on this solution. Moreover, there are few ports and independent projects based on the ClamAV base.
Today we can use ClamAV to protect the perimeter of our network. We can use it on the e-mail servers or on the proxy servers. Many Internet solutions, especially those based on the Linux, including the ClamAV packet inside. Although Linux servers can hardly be infected, they are serving other clients that can be easily infected by different viruses, Trojans and other malwares.
Even if you’re a Windows user you can use the ClamAV in the same roles. On top of that, you can protect the desktops or the servers with special version named ClamWin. Although ClamWin doesn’t have the real-time module, there is an independent project that will fill the gap. You can use the Clam Sentinel for the real-time scans.
The desktop or service version
ClamAV can be used either in the service (daemon) mode or as desktop (on-demand) application. Every aspect has it’s own advantages. The server mode is more interesting for the real-time usage on an e-mail or proxy server.
This real-time mode means that service is in memory and waiting for the client application to send a file for analysis. The service application will not scan the disks or network traffic.
For purpose of the disk scanning or traffic interception, we need some application. That application is known as the real-time module. We can have the real-time modules for different purposes. However, every real-time module will slow down the computer. Sometimes that will be minor and we will be not aware of it. Unfortunately, many times we will feel that performance is seriously degraded. That’s the eternal chase for the best balance between security and the performances.
Protecting the e-mail servers
Many e-mail solutions, either free (and an open-source) or commercial, have integrated the interface for the ClamAV. You can use ClamAV with hMail server, Mercury/32 e-mail server, XMail server or SmarterMail, just to mention some of the servers on the Microsoft Windows platform.
Virtually all Linux e-mail servers can be integrated with the ClamAV. Moreover, we can integrate the Squid proxy server with ClamAV and protect also the Web channel.
Very popular hMail server can be easily integrated with the ClamAV instead of the ClamWin in the newer versions. That will improve performance of the server. The ClamAV service will stay in the memory continuously, opposite to ClamWin which needs to load the signatures database on every scan request.
The Windows port – ClamWin
On the Windows platform you can use special version named ClamWin. This version is built on the ClamAV core and includes a graphical interface. That interface will alleviate administration and usage of the ClamWin anti-virus.
The ClamWin using the same anti-virus signatures as ClamAV, that will be downloaded from same update source.
The ClamWin can be also integrated with the Microsoft Outlook as the e-mail filter extension. That can increase e-mail security on the customer side, especially if we don’t have other anti-virus solution or we need to use public e-mail services.
The ClamWin is pure desktop application. It can scan your disk on request or by schedule. It doesn’t contain real-time disk scanning module. Bear that in mind.
Although ClamWin doesn’t contain real-time module, we can use it on low risk workstations or servers. This can be very useful when we have some isolated servers with a heavy load (like the database servers or some real-time acquisition servers) where we must have server available almost 24 hours per day. Then we can just scan some parts of the disk during some low traffic or low usage hours.
We can speed up scanning even in that time if we choose only critical and mostly possible spaces where the viruses are expected. That will include the System32 folder, the Program Files and Program Data folders and optionally, the Users folder.
On top of that, we can filter file types that we need to scan to those that can be infected or carry virus (like exe, com, dll, jar, js, cab, zip…). As most of the viruses are small, we can also target smaller files, like those under 10 megabytes.
All this will make a good balance between security and performances on our server. That means that we still accept the risk that some viruses can pass our scan. However, we will cover most of expected situations and still maintain good security.
Clam Sentinel – the real-time module for ClamWin
For most users, the ClamWin anti-virus without real-time module will be fine. However, if we need more security we need to have real-time disk scanning. That was the goal of the independent project – the Clam Sentinel.
This application needs to be installed separately. It will use ClamWin’s virus signatures for it to work. We can configure the Clam Sentinel to monitor the disk activity or the system changes.
We can include or exclude disks and folders from the scanning process. When we want to speed up operations we can just limit file types to those that are most critical to be infected.
The portable protection
When you need the portable protection, there are portable (USB based) versions of both ClamWin and the Clam Sentinel. You can put both applications on your USB drive and then use them to check any Windows based machine.
Even if you don’t have newest anti-virus database on your USB, you can upgrade it in the same way as the installed version. Moreover, you can simply copy content of the database folder from one disk to the other or from one machine to another. When you next time run the ClamWin (or the ClamAV) it will use those newer database files.
Portable version can be made easily from regular installation. Alternative version is packet from portableapps.com.
The local distribution point
When you have more than one computer using the ClamAV or the ClamWin, you will want to preserve bandwidth and make a single update point for all computers on the network. That’s possible with a simple configuration tweak.
You can download newer databases on one machine and then you can point all other computers to that one. All you need is to setup small Web server and to publish database files over it.
After that, you need to change the update server name to the local mirror and all computers in the network will use this new server as their update server. They will not try to access the Internet and to check databases on the Web.
This is especially useful if we need to protect isolated servers with the limited network access. They can safely access that one update point without needing to be exposed to the Internet, even like the update clients.
Every anti-virus is good as much as its anti-virus database. If we are looking only at the main ClamAV database, we can’t be very satisfied. Although updated on daily level, it still can miss the signatures for newer viruses. That means that we’re not protected in case of zero hour attacks.
Actually, ClamAV is open-source platform and therefore opened for the world. That bring to us opportunity to have third-party databases included in our solution. There are few producers in the world. The quality of their databases (virus signatures) varies. Some of those databases can lead to larger number of false positives.
The ClamWin will load all that databases on startup. The ClamAV service will find new databases and restart itself to load new databases in memory and it will continue to work.
How good is the ClamAV?
Honestly, there is no perfect solution. However, according to site Shadowserver, ClamAV was very good on their yearly test of the anti-virus solutions.
Using more than one anti-virus solution in the network can significantly increase the security of the network. When we are using one anti-virus, like the ClamAV, on the public servers and other anti-virus on the internal servers and workstations, we have a better chance to stop the virus outbreak in the network. Different vendors will react in different times to the new treats.
My general advice is that you should always have layered protection. And ClamAV can be used as a good first line defense.