What Is ClamXav (and do Mac users really need antivirus)
Setting up the ClamXav Sentry
While the ClamXav Sentry looks like just another tab in a preferences sheet, it's actually an amazing part of this application. Indeed, the Sentry brings background scanning capabilities to ClamAV on Mac OS X, but does so while staying remarkably lightweight and transparent--something most background-scanning competitors cannot do.
To start using the Sentry, simply add folders to its watch list by dropping them onto the window. Be careful not to add folders containing heavily nested folders, as this can eventually lead to slowdowns. It's better instead to create a long list of single entities--good candidates are your Public folder, Mail downloads, and the computer's Shared folder. Once the Sentry is activated, it will wake up and silently scan any file created in these locations.
Setting the Sentry to automatically start when you log into your Mac is obviously something you want--not doing so would negate the whole point of background scanning. Scanning removable media, on the other hand, can lead to serious slowdowns if you decide to mount a slow server or insert a DVD in your optical drive.
To save the Sentry settings, use the special "Save Settings and Launch ClamXav Sentry" button that will take care of all the file writing and daemon restarting involved in the operation for you.
Notice the new menu that appeared in your menu bar? This is the ClamXav Sentry menu, which will discreetly flash every time ClamAV is at work behind the scenes. If the application detects a virus, it will immediately pop up an alert window informing you of the fact.
Testing ClamXav and the Sentry
The best way to test ClamXav and its Sentry feature is to simply download a file called the EICAR test file. This file, actually a harmless text file, is an industry-standard test designed to activate antivirus applications. If your antivirus protection reacts to it, chances are that it is configured properly and working as expected.
To get it, go to this page and download the files listed at the bottom, from left to right. They are essentially the same file, each increasingly disguised and zipped to make it harder for your antivirus to detect. ClamAV should detect all of them in a flash and warn you about each one.
Once you confirm that ClamXav passed the test, you can safely delete the file and go back to work.
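As an added example (not code from the article or from ClamXav), the following script builds an EICAR test corpus from the standard test string and scans it with clamscan, the command-line engine that ClamXav wraps; it goes slightly beyond the article by placing one copy in a nested folder, which is exactly the case the Sentry is reported not to cover in the talkback below. It assumes clamscan is on the PATH (ClamXav's bundled copy lives under /usr/local/clamXav/bin on the systems described here) and that zip is available for the archived variant; without clamscan the scan step is skipped rather than failing.

```shell
#!/bin/sh
# Added example: EICAR self-test for a ClamAV/ClamXav installation.
# Assumes clamscan is on PATH; adjust if you want ClamXav's bundled copy.

# The EICAR standard test string: 68 printable bytes, harmless, and detected by
# every compliant scanner. Single quotes keep the $ and \ characters literal.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Write the test string to $1 with no trailing newline.
make_eicar_file() {
    printf '%s' "$EICAR" > "$1"
}

# Return 0 when $1 is a well-formed EICAR file: exactly 68 bytes matching the string.
eicar_file_ok() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 68 ] || return 1
    [ "$(cat "$1")" = "$EICAR" ]
}

# Lay out the corpus under $1: one file at the top level, one in a nested folder
# (the Sentry was reported not to scan subfolders, so that copy is the interesting
# one), plus a zipped copy when zip is available, mirroring the article's
# "increasingly disguised" downloads.
make_eicar_corpus() {
    mkdir -p "$1/nested"
    make_eicar_file "$1/eicar.com"
    make_eicar_file "$1/nested/eicar.com"
    if command -v zip >/dev/null 2>&1; then
        (cd "$1" && zip -q eicar_com.zip eicar.com)
    fi
}

# Run clamscan recursively over $1 and translate its exit status into a word:
# clamscan exits 0 when nothing matched, 1 when a signature matched, 2 on error
# (for example a missing virus database). Prints "skipped" if clamscan is absent.
scan_corpus() {
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "skipped"; return 0
    fi
    if clamscan -r -i "$1" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case "$rc" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        *) echo "error" ;;
    esac
}

# Count the EICAR files beneath $1: what a recursive scan is expected to flag.
count_eicar_files() {
    find "$1" -name 'eicar.com' -type f | wc -l | tr -d ' '
}

# Stand-alone run: build the corpus in a temporary folder, scan it, clean up.
dir=$(mktemp -d)
make_eicar_corpus "$dir"
echo "$(count_eicar_files "$dir") test files written; clamscan result: $(scan_corpus "$dir")"
rm -rf "$dir"
```

To check the Sentry itself rather than clamscan, point the corpus at a watched folder (e.g. `make_eicar_corpus ~/Public/eicar-test`) and watch which copies trigger the alert.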
An Interview with Mark Allan, ClamXav Developer
By now, you should be up and running with ClamXav and enjoying a new layer of protection on your Mac. As usual, I encourage you to read the ClamXav manual and website to get a complete idea of what that application can do for you. The ClamXav website also contains great community-powered forums that should assist you if you encounter any problems with the application.
For now, however, let's kick back and relax with a brief conversation with Mark Allan, ClamXav developer.
FJ: ClamXav has recently reached version 1--1.0.1 at time of writing--which seems to indicate it has reached a level of maturity. How long did it take you to get it to this point?
MA: ClamXav was a project I started during the summer of last year [2004]. At the start, it was incredibly basic consisting of a window with only three elements: a text input field to type the path of a directory to be scanned, a button to initiate the scan, and a large text box where the output of the scan would appear. As you can see from its appearance and functionality today, we've come quite a long way in the space of a year!
FJ: Indeed. I must say ClamXav is one of the most elegant Aqua-conforming antivirus applications I have seen since I started using Mac OS X. Did you get any special input from users while you were designing it?
MA: Well, to be honest, that's about the first positive comment I've had regarding the interface. Thanks! As for the rest, "special" would certainly be one word you could use to describe the feedback I've had. They range from the mildly constructive "horrible flagrant use of brushed metal" to the just plain rude.
FJ: Whoops… You followed your heart, then!
MA: I've been a Mac user for 13 years, and I have a pretty good idea of what feels "right" and "Mac-like" to me, so that's how I designed ClamXav. It looks very wrong in the non-brushed-metal theme, so I've stuck with it. If any designers out there would like to take a shot at redesigning the interface, please drop me a line.
FJ: Were you already familiar with ClamAV before starting your work?
MA: Yes I was, but not for long. I was looking for a low cost or free antivirus program for my computer, as I had just forwarded an infected Word document to a friend of mine who used Windows at the time. He's now been converted but that's another story. I came across ClamAV which was an open-source virus scanner for UNIX and its variants. When I downloaded, built and ran it, I was amazed that not only did it work, but that it also picked up the infected file I had sent to my friend.
I used it for about two weeks before getting fed up with the command line interface as is common in open-source tools. I still wanted to use the software, but needed to make it easier to use. As a result, ClamXav was born.
FJ: That sounds like one of the success stories you see on the ADC website. As the father of ClamXav, what would you say are its strong points?
MA: I think the main advantages of ClamXav are that it's free, the scanning engine is supported and maintained by a large international community of excellent programmers and, with ClamXav being written by only one person, when people have problems, questions or suggestions for new features, they get to speak directly to the programmer--me. I try my best to answer emails as soon as I can and will always endeavor to add requested features.
FJ: Excellent points. And, ClamXav being a security application, I'm sure you get plenty of e-mails! Since we're talking about requested features, the ClamXav Sentry brings elegant background scanning back to antivirus applications on the Mac. I assume this was a heavily requested addition. Was developing it particularly challenging?
MA: The ClamXav Sentry feature was the single most difficult feature I've added to ClamXav to date. Not only did it involve months investigating how to monitor folders properly for changes (i.e., not just crudely comparing the contents at specific intervals), I had to go back to my grass roots and brush up my C programming skills--a language I've not used in about 5 years.
On top of that, procedures in C/C++ cannot be used in Java, which is what ClamXav is written in. The only option was then to learn an entirely new language, Objective-C, and to program ClamXav Sentry as a completely separate entity. That, in turn, brought its own issues of how to keep ClamXav and Sentry separate but make it appear as one in the same package. I've still got some distance to go in that regard, but I think it's getting there.
FJ: You touch on the topic of security on your website. Do you feel the Mac community at large has become lenient with regard to viruses?
MA: In a way, yes, but I'm not convinced complacency when it comes to viruses is a trait unique to Mac users. If it were, then that implies that all those people on the non-Mac side of the fence have up-to-date antivirus software and are adequately protected. I very much doubt that is the case and in my opinion, the greater issue which needs to be addressed is a lack of knowledge about computer security in all computer users.
Antivirus software and other security tools (firewall, rootkit scanners etc) need to ship with all computers and come pre-configured to update themselves automatically. Until that happens, viruses and security issues will continue to crop up time and time again.
FJ: That's a great point to close with. Thanks so much for your time, Mark.
FJ de Kermadec is an author, stylist and entrepreneur in Paris, France.
-
Sentry does not appear to recurse sub-directories
2005-12-24 08:26:33 chinarut
-
Sentry does not appear to recurse sub-directories
2005-12-28 10:45:24 FJ de Kermadec
Hi!
First of all, thank you very much for your kind words, I really do appreciate them!
I tested the sentry on my machines by using the procedure you describe and it indeed appears the current OS/application/engine/definitions combo does not make for recursive analysis. That is definitely not consistent with the results of my initial lookups so I will be sure to bring it up to the attention of the author.
Thanks for letting us know!
FJ
-
ClamX has no Mac virus database
2005-10-04 17:22:26 ncmphoto
ClamX or ClamAV is surely very useful on servers or mixed platform networks, but I'm curious as to what use it has on a Mac-only network or single user configuration.
There was a recent thread on this in the Mac-L elist and Randy Singer (Co-Author of: The Macintosh Bible (4th, 5th and 6th editions)), who claims to have discussed this with the developer of ClamX on a MacIntouch thread says that there is no Mac-specific virus definition database that ClamX refers to:
>>He admitted that there were no definitions for Mac-specific malware in the ClamAV database, and that he himself didn't know how to write definitions for Mac malware to include in the ClamAV database, nor did he have access to Mac malware to
use as a basis for creating such definitions.<<
So if an OSX virus or worm appears in the wild, just how would a user of ClamX be protected?
cheers,
ncm
-
ClamX has no Mac virus database
2005-10-05 07:35:11 FJ de Kermadec
Hi!
First of all, thank you very much for taking the time to post!
ClamAV indeed does not contain definitions for Mac OS 9 (or earlier) viruses, which would not affect a Mac OS X only installation. It does however contain definitions for viruses of other platforms (preventing a Mac user from passing a virus along onto a network or allowing him to detect potential outbreaks) as well as cross-platform viruses or malicious applications that, while not specifically targeted at the Mac, could affect it — think some Java applets, for example.
As Mac OS X is essentially a UNIX-like operating system, the ClamAV project has recently pledged improved support for it, which includes the adding of any potential Mac OS X malware to the definitions list. Of course, this implies that the community reports such programs to the ClamAV authors and that they in return judge the threat of significance so that they act upon it.
ClamXav provides a GUI on top of ClamAV and, as such, wouldn't provide more protection than mastering ClamAV from the command line (with the notable exception of the real-time scanning it now features).
If a Mac OS X virus or worm appears in the wild, it would need to be added by the ClamAV developers to the database. While there cannot be any guarantee that it will be (much like with any other anti-virus application) everything seems to indicate it will.
FJ
-
Then what?
2005-08-23 04:02:50 miked378
I've just installed ClamXav, and all seems fine. I set up the Sentry to monitor my desktop, and then went to the test site to try out downloading the test files to the desktop -- and of course, Clamav found them.
In doing this, however, I wondered what I should do with files that Clam finds. In the article, you suggest AGAINST quarantining files, since that "can lead to unexpected movements of data." The documentation at the ClamXav site says, "What you do with them after [clam finds them] is entirely up to you!"
Should I simply trash it? In theory, in the case of an actual infected file, is there a chance that it would do some malicious act before I deleted it?
(And yes, I understand there are currently no OS X viruses, etc...)
-
Then what?
2005-08-23 05:50:27 FJ de Kermadec
Hi!
The reason the ClamXav documentation tells you what you do with the files is up to you is that ClamXav does not attempt to repair files -- an unreliable and risky process.
In this light, trashing these files is the best course of action. Provided you have never opened them and they cannot infect your Mac -- a Windows .exe virus, for example --, you should be safe. Should you have inadvertently opened a Microsoft Office file, for example, containing a malicious macro, you might want to further investigate the matter and ensure that your installation was not compromised.
In any case, you can run a system-wide scan with an updated ClamXav as well, to be on the safe side.
Let me know if this helps!
FJ
-
an elegant solution
2005-08-22 12:04:50 Outis
As one who has used clamXav for a little less than a year, I have to say that I am thoroughly impressed with it.
I had read the book "Mac OS X, Maximum Security". And it had a list of open source virus scanners. Clamav came highly recommended. So I headed over to the Clamav site and was pleasantly surprised to find a Mac client.
I had used Virex before through my .mac account. I dumped my .mac account because I needed more storage. But in so doing, I also gave up the virus scanner. But even then, Virex was horribly slow and painful to use.
I installed ClamXav and now have it scanning three times a week over night according to the crontab.
This is the shell script I use:
#!/bin/bash
# Timestamp used in the report file name, e.g. 08-22-05_1204AM
newtime=$(date +%m-%d-%y_%I%M%p)
# Verbose, recursive scan of the home folder (mailboxes included), logging only infected files
/usr/local/clamXav/bin/clamscan -v -r --mbox -i --log=/Users/stevebauer/Library/Logs/clamXav-scan.log /Users/stevebauer/
# Render the log as HTML on the Desktop so the result cannot be overlooked
groff -Thtml /Users/stevebauer/Library/Logs/clamXav-scan.log > ~/Desktop/"ClamScan__$newtime.html"
This script runs the scan, but also puts an html file on my desktop so that I am forced to look at it.
I don't know much about the command line or coding at all. So, to me this is the best of what a Mac has to offer: the power of a robust Unix virus scanner in an easy to use GUI.
My thanks and appreciation to the clamav people and Mark Allan,
Rev. Steve Bauer
http://danbauer.org/~belisarivs/index.php
-
Sentry + Smart folder
2005-08-22 07:21:59 Sam Kuper
It would be great if Sentry could work with Smart folders; I could scan only .xls files, or only those in the browser cache...
-
Sentry + Smart folder
2005-08-22 07:27:43 FJ de Kermadec
Hi!
First of all, thank you for taking the time to post!
It would be great indeed! The problem with smart folders, though, is that they are not, technically speaking, folders. They are merely shortcuts to Spotlight queries, in a disguised text file.
I believe Mark Allan has posted on the ClamXav website that he would investigate the matter and consider that feature for inclusion in future releases. You might want to scan the ClamXav support forums for some more up-to-date information on the issue.
Truly yours,
FJ
-
A little reminder
2005-08-22 06:24:42 FJ de Kermadec
Hi all!
This is just a little reminder to keep your ClamXav and underlying scanning engines up-to-date. A new version has been released a few days ago!
As mentioned in the article, it is also a good idea to scan security-related sites to be kept current on potential Clamav issues and updates. The Clamav project maintains its own excellent mailing lists and security tracking sites such as the ones often referenced on the O'Reilly Network do offer RSS feeds as well. Keeping both in check is usually best.
Thanks again for all your kind comments and positive feedback!
FJ
-
No, they don't
2005-08-21 12:24:10 michael98
What Is ClamXav and do Mac users really need antivirus?
Short answer: No.
Longer answer: As the number of viruses for OS X is none, no, they don't. What part of "none" don't these people understand?
There are some 55 viruses for the Mac OS (now called "Classic" by Apple "Dark Age" would be more appropriate) if that worries you and you haven't removed it yet, follow the directions in the NSA's guide:
http://www.nsa.gov/snac/
Oh, and turn off macros in MS Office, if you're running that.
Now, you have NO malware to guard against. So why run a, hence useless, AV program? In order to slow the system down, possibly screw it up (yes, it's happened) and line the pockets of the likes of Symantec. Give me a break.
-
No, they don't
2005-08-21 12:31:38 FJ de Kermadec
Hi!
First of all, thank you for sharing your feelings with us! :^)
As you can see, this article discusses ClamXav, an open-source-based anti-virus application. While its author encourages donations, the application can be used free of charge. Also, it does not install kernel extensions and has optional background scanning capabilities.
Any application can, of course, under some circumstances, encounter (or cause) issues. Nevertheless, I feel Clamav and ClamXav address both negative points you mention above.
FJ
-
No, they don't
2005-08-21 20:08:35 pmccann
And more to the point, ruling that "there are no mac viruses, so no one needs AV software" is all well and good if you work in an all Mac environment. But for lots of people there's a little thing called "Windows" that lives on the same networks, and while we can work to lower the number of such beasts it's going to take a while to reduce it to zero. When sending files to Windows users it's certainly polite to not be pushing viruses, so many Mac users would like a way to ensure that that doesn't happen (**). ClamXAV is great for that: run it on-demand if you like, or just check Mail. It's low key, doesn't force itself on the user, and allows you to play nicely with others.
What more could you ask?
(**) Yes, the Windows machines should all have up to date AV software and definitions, but I'd still rather not be one of the users in the network who's passing on infected files. Management double-speak can easily turn that on its head in order to blame the Mac users for spreading the thing.
-
Virex 7.2?
2005-08-19 18:31:41 rbannon@mac.com
I'm using Virex 7.2 and it seems that Network Associates updates their definition files often. Now I am wondering if I should dump Virex for ClamAV.
Some may remember the mysterious clamav account when they upgraded to Tiger, and I'm also wondering if that's still an issue.
-
Virex 7.2?
2005-09-02 11:25:20 josephcarter
ClamAV managed to pretty much beat the competition hands down in recent comparisons of Windows AV programs. I can't imagine that Virex is many times better than any of those.
I'm considering installing this just to assist in spam filtering my email. ;)
-
Virex 7.2?
2005-09-03 03:04:55 FJ de Kermadec
Hi!
ClamXav is indeed a good companion to analyze e-mail. For example, you can add the Mail Downloads folder to the ClamXav Sentry watchlist for additional protection — but be sure to give the Sentry enough time to analyze files before you open them!
FJ
-
Virex 7.2?
2005-08-20 02:57:27 FJ de Kermadec
Hi!
First of all, thank you very much for taking the time to post, I really do appreciate it!
While it is difficult to assess which of ClamXav or Virex will work best for you, I do not think that both applications would interact with each other in a damaging fashion as long as any automatic or background scanning feature is turned off.
Regarding the Clamav user account, I do not think that it should be the cause of any concern either as it will, unless used, dutifully sleep on your machine. Mark Allan is aware of the existence of the account and there was talk on the ClamXav forums to re-use it as part of the installation process of the application.
I hope this answers your question and, needless to say, remain at your entire disposition to provide you with any additional information you may deem useful.
Truly yours,
FJ
-
Virex 7.2?
2005-11-28 04:12:12 Heteronymous
This is an old thread, but what's the "hubbub" about there being a clamav account in Tiger Client ? There's been a "www" account in probably all past OS X client iterations.
The system accounts have a password of: *
As most here should know, this means you can't log in to a machine using said account.
I installed Sentry and after downloading each of the eicar test files, it worked great.
"Be careful not to add folders containing heavily nested folders, as this can eventually lead to slowdowns."
I want to note that the behaviour of the Sentry doesn't appear to recurse subdirectories.
I tested this a few ways:
1) I created a subdirectory called "eicar AV test files" and downloaded all 4 files -> no detection. I dragged the file to the parent directory and it gets immediately detected.
2) I tried to reconfigure and relaunch the Sentry thinking it might recurse on reconfiguration but nope - same behaviour.
This is just a heads up - because of the active menu bar icon, it's really easy to tell whether a directory is being monitored!