Tuesday, June 22, 2010

ClamAV for Windows

Recently, we released the only official Windows-specific version of ClamAV, appropriately called ClamAV for Windows (http://www.clamav.net/lang/en/about/win32/). It is designed to use little memory and processing power because it relies on an advanced cloud-based protection mechanism; best of all, it's free (as in free beer. Ummm...beeeeer). If you haven't tried it yet, I really encourage you to.

You can download ClamAV for Windows from here: http://www.clamav.net/lang/en/about/win32/ or by going to a site like download.com and typing "clamav" in the search box. There are two installers available: a 32-bit version and a 64-bit version. If you don't know which one to choose for your Windows operating system, you can check this page: http://support.microsoft.com/kb/827218. It will tell you whether you are running a 32-bit or a 64-bit version of Windows. If that's too complicated, just start by downloading the 64-bit version. If you have a 64-bit operating system, you will get a speed boost from running the 64-bit version of ClamAV for Windows. If it turns out that you are running a 32-bit version of Windows, don't worry; executing the 64-bit installer will generate this warning:
Pic.1: Wrong installer version (64-bit warning)
That will be your cue to grab the 32-bit installer instead :-)
In the last step of the installation process, you can opt to perform a recommended initial FlashScan. A FlashScan is not as comprehensive as a full scan, but it is designed to be a quick check of your system to see if you have any malware running in memory. The last screen of the installation process will also ask whether you want to share that you installed ClamAV for Windows with your Facebook friends or your Twitter followers. The more people that run ClamAV for Windows, the better the protection: every time a ClamAV for Windows user encounters a new threat, all other users are protected from that same threat in real time.

So, now that you've installed ClamAV for Windows and run a FlashScan, you are looking at the Scan tab. The results of the scan you just performed are displayed on the left-hand side, and on the right-hand side you have the Scan Options. Leave them set to "on" so that future scans look at running processes and at the locations where malware can hide in order to be run every time you turn your computer on.
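To show what "running processes" and "locations that run every time you turn your computer on" mean in practice, here is an added PowerShell example (not part of the original post and not ClamAV code) that lists the common auto-start registry keys and Startup folders together with the processes currently running. It assumes Windows PowerShell 3.0 or later; the list of registry keys is a constructed selection of the most common ones, not an exhaustive catalogue of persistence locations. Run it from an elevated prompt if you want the path of every process.

```powershell
# Added example, not from the ClamAV project: a quick defender's view of the
# same kinds of places the Scan Options cover. Assumes PowerShell 3.0+.

# Which installer to pick: reports whether the OS is 64-bit.
$is64 = [Environment]::Is64BitOperatingSystem
Write-Host ("Operating system is {0}-bit" -f $(if ($is64) { 64 } else { 32 }))

# Common auto-start registry keys (constructed list; entries here run at logon).
$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutoStartEntries {
  foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
      # Skip PowerShell's own metadata properties (PSPath, PSParentPath, ...).
      if ($p.Name -like 'PS*') { continue }
      [PSCustomObject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
    }
  }
  # Per-user and all-users Startup folders: anything here runs at logon too.
  $folders = @([Environment]::GetFolderPath('Startup'),
               [Environment]::GetFolderPath('CommonStartup'))
  foreach ($folder in $folders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File | ForEach-Object {
      [PSCustomObject]@{ Location = $folder; Name = $_.Name; Command = $_.FullName }
    }
  }
}

function Get-RunningProcessPaths {
  # Path is empty for processes we are not allowed to inspect; those are dropped.
  Get-Process | Where-Object { $_.Path } |
    Select-Object Name, Id, Path | Sort-Object Path -Unique
}

"--- Auto-start entries ---"
Get-AutoStartEntries | Format-Table -AutoSize
"--- Running processes with known image paths ---"
Get-RunningProcessPaths | Format-Table -AutoSize
```

The point of the listing is the same one the Scan Options make: an unexpected name in one of these keys or folders, or a running executable in an odd location such as a temp directory, is worth a closer look, because that is exactly where malware puts itself to survive a reboot.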
Pic.2: FlashScan
Under the "Settings" tab, you can choose to turn off some of the layers of protection that the software provides. Unless you have a good reason to do that, I recommend you keep everything set to "on".
Pic.3: Settings tab
Under the "History" tab, you can review the different scans that were performed on the computer.
Pic.4: History tab
Finally, the "Summary" tab gives you an overview of how many people are using the product, as well as how many threats the ClamAV for Windows community is protected from thanks to the power of the cloud.
Pic.5: Summary tab
The video below shows you the kind of nasty things you might encounter. On a completely clean computer, I visited a link that prompted me to download an executable called gb5339.exe. While you will hopefully not purposely visit a known bad URL, keep in mind that your computer could have automatically downloaded and executed this file via a drive-by download (that's when a bad guy takes advantage of a vulnerability in your browser to force actions on your computer simply by visiting an infected web page), or through social engineering (e.g. you get a spoofed email that appears to come from a known person who asks you to download the attached executable and run it....and you do). You can see in the video that shortly after running gb5339.exe, the background image changes to show "You are infected" in big red letters. Furthermore, a fake/rogue/bogus piece of antivirus software is loaded and reports that I have infected files on my computer. Again, I had a fresh installation of Windows XP. There are no infected files on my computer. The fake antivirus program's goal is to scare me into believing that I am infected in order to purchase a license for the software that will supposedly help fix my problems. Good thing I didn't fall for that, and neither should you.

Video: Ransomware in action on a PC

Repeating the experiment with a clean computer and a fresh installation of Windows XP, but now with ClamAV for Windows installed, gb5339.exe is blocked as soon as I try to copy it to my hard drive (this is called blocking the file "on-access").

Video: Ransomware being detected and its actions blocked by ClamAV for Windows
