January 24, 2005

Clam AntiVirus: Open source vs. the bad guys

Author: Daniel Rubio

Protecting against viruses has become an inherent part of using a computer, thanks to the pervasiveness of email, a favorite delivery platform for malicious code. Open source software, in the form of Clam AntiVirus, can help you detect these rogue programs before they hit your inbox, whether you run Linux or Windows.

In fact, you can install ClamAV on a wide range of operating systems, either through pre-compiled binaries or by a source code build. This flexibility gives ClamAV a distinct advantage over competing products in the virus detection arena, which often ignore users with older or non-mainstream operating environments.

How does ClamAV manage to recognize new viruses? With the help of the community that uses ClamAV. If you detect a malicious executable within your network, you may submit your suspicious file to the ClamAV database for the benefit of the whole community, a process which accelerates the response and detection time for newly spreading viruses. Because the users pitch in, ClamAV doesn't have to charge for subscription updates, as most commercial vendors do.

Another factor that gives ClamAV added versatility is its capability of operating in a variety of settings, either as a standalone program on your workstation or as a server-side application that detects viruses before they hit your inbox. Research from antivirus vendor Trend Micro estimates that 87% of all viruses enter the enterprise via email, so ClamAV's ability to directly inspect email on the server side is a big plus.

Putting ClamAV to work is easy. Your first step should be deciding where you want to install ClamAV -- workstation or server. Obviously the latter is more broadly effective, since you nip any malicious executable before it propagates to your mail client. Workstation installations, however, are faster and easier, since you don't have to meddle with server configurations, and can serve as a last resort for detecting possible viruses and malicious code that come in via non-networked means -- CDs or diskettes -- so you may want to install a copy in both places.

Once you have installed ClamAV in either location, download the latest virus signatures from a ClamAV mirror with the freshclam command. You can set advanced parameters for this lookup, such as proxies, log generation, and specific mirrors, in the freshclam.conf file located under ClamAV's installation directory. One of the more useful features is the ability to configure time-based lookups, which let ClamAV fetch updates periodically without manual intervention.

The basic ClamAV tool for inspecting a file and determining whether it matches a known virus is the command-line clamscan utility. By default it inspects every file in the working directory against the local ClamAV signature database. You can pass flags to this command to enable recursive inspection, removal of infected files, and even an alarm when something is found.
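Putting the two preceding steps (fetching signatures, then scanning) into one place, the following is an added example written for this article, not a script from the article or from the ClamAV project. It writes a freshclam.conf that covers the proxy, logging, mirror and time-based lookup settings just described, then wraps clamscan so an unattended run gets a clear verdict from clamscan's exit status. Every configuration directive and command-line flag it uses is a real one; the mirror name, proxy host and port, and the demo directories under /tmp (CLAM_ETC, CLAM_LOG) are placeholder assumptions to be replaced with your own values.

```shell
#!/bin/sh
# Added example, not from the article or the ClamAV project: a minimal
# workstation setup script for a POSIX system. It (1) writes a freshclam.conf
# covering proxy, logging, mirror and time-based lookup settings and (2) wraps
# clamscan so an unattended run (cron, a mail-server hook) gets a clear verdict
# from clamscan's exit status.
# CLAM_ETC / CLAM_LOG default to a demo directory under /tmp; point them at
# your real install (e.g. /etc/clamav, /var/log/clamav) for production use.

CLAM_ETC="${CLAM_ETC:-${TMPDIR:-/tmp}/clamav-demo/etc}"
CLAM_LOG="${CLAM_LOG:-${TMPDIR:-/tmp}/clamav-demo/log}"

# Write a freshclam.conf to $1. Each key is a real freshclam directive; the
# mirror, proxy host and port are placeholder values to replace.
write_freshclam_conf() {
    conf="$1"
    mkdir -p "$(dirname "$conf")" "$CLAM_LOG"
    cat > "$conf" <<EOF
# Directory holding the signature database files
DatabaseDirectory /var/lib/clamav
# Log each update run, with timestamps
UpdateLogFile $CLAM_LOG/freshclam.log
LogTime yes
# Unprivileged user freshclam switches to when started as root
DatabaseOwner clamav
# Signature mirror (placeholder; pick a mirror close to you)
DatabaseMirror database.clamav.net
# Outbound HTTP proxy (placeholder values)
HTTPProxyServer proxy.example.internal
HTTPProxyPort 3128
# Time-based lookups: when freshclam runs as a daemon ("freshclam -d") this
# is how many times per day it polls the mirror; 24 means hourly
Checks 24
EOF
    chmod 0644 "$conf"
}

# Translate clamscan's documented exit status into a one-word verdict:
# 0 = no virus found, 1 = virus(es) found, 2 = an error occurred.
verdict_from_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Scan directory $1 recursively, move anything detected into quarantine
# directory $2, and append results to a log. --remove would delete instead
# of quarantining, and --bell rings the terminal bell on each detection.
# Prints the verdict and returns clamscan's own exit status.
scan_dir() {
    dir="$1"
    quarantine="$2"
    mkdir -p "$quarantine" "$CLAM_LOG"
    if clamscan --recursive --infected --move="$quarantine" \
                --log="$CLAM_LOG/clamscan.log" "$dir"; then
        status=0
    else
        status=$?
    fi
    verdict_from_status "$status"
    return "$status"
}

# Usage: sh clamav-setup.sh <dir-to-scan> <quarantine-dir>
# Runs only when both arguments are given, so the functions above can also
# be sourced from another script.
if [ "$#" -eq 2 ]; then
    write_freshclam_conf "$CLAM_ETC/freshclam.conf"
    freshclam --config-file="$CLAM_ETC/freshclam.conf"
    scan_dir "$1" "$2"
fi
```

The freshclam step needs write access to the configured DatabaseDirectory, so it is normally run as root or as the DatabaseOwner user; for the periodic lookups, either start freshclam with -d so it honours the Checks directive itself, or leave Checks out and invoke freshclam from cron. Quarantining with --move rather than --remove keeps the detected file for later inspection while still taking it out of circulation.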

Some may consider clamscan and freshclam somewhat clumsy, since both are command-line tools and require extracting suspicious files into specific directories for manual inspection. For those wanting a more comprehensive interface, there are also graphical front ends: ClamWin for Windows, ClamXav for Mac OS X, and an OS-agnostic GUI utility written in Java named ClamShell.

On the server side, ClamAV can operate in daemon mode, granting on-the-fly access to inspect files from remote locations as well as streamlined operation with suites like Sendmail through clamav-milter or qmail-scanner for qmail.

ClamAV even has provisions for integrating its virus detection facilities into your own products through a wealth of libraries such as php-clamav for PHP, Mail::ClamAV for Perl, and pyClamAV for Python, among others. With these toolkits you can shield your own GPLed software against viruses.

ClamAV's community-driven virus detection process, along with the flexibility to tweak its parameters either through source code modifications or third-party modules, makes it a compelling replacement for any commercial antivirus product, or a great addition to your arsenal in the fight against rogue executables.

Daniel Rubio is the principal consultant at Osmosis Latina, a firm specializing in enterprise software development, training, and consulting based in Mexico.
