ClamAV – An Open Source Anti-Virus for Servers

ClamAV is an open-source antivirus toolkit designed to detect a wide range of malware, including viruses, on various platforms. Initially developed for Unix, it is now available on a multitude of operating systems including AIX, BSD, HP-UX, Linux, macOS, OpenVMS, OSF (Tru64), Solaris, Haiku, and Microsoft Windows. ClamAV is particularly popular for its application on mail servers, where it functions as a server-side email virus scanner.

History of ClamAV

ClamAV was first released on May 8, 2002, by Tomasz Kojm, a Polish university student, with version 0.10. Over the years, it has grown significantly and was acquired by Sourcefire in 2007. Sourcefire was then acquired by Cisco in 2013, and ClamAV is now managed under Cisco’s Talos cybersecurity division.

In 2008, Barracuda Networks faced a lawsuit from Trend Micro due to its distribution of ClamAV within its security package. Trend Micro claimed that this distribution violated a software patent related to virus filtering on Internet gateways. The free software community rallied in support of Barracuda Networks, calling for a boycott against Trend Micro. The Free Software Foundation also endorsed this boycott. Ultimately, the U.S. Patent and Trademark Office rejected Trend Micro’s patent claims in 2011.

Features of ClamAV

ClamAV includes a command-line scanner, an automatic database updater, and a multi-threaded daemon built on an anti-virus engine that is provided as a shared library. It supports scanning of various file formats such as ZIP, RAR, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS, mail file formats, ELF, and PE files. It can also recognize and scan files obfuscated by various packers and cryptors.

ClamAV now provides real-time protection through its ClamOnAcc application, which uses clamd to scan files as they are accessed. By default, it operates in “notify-only mode,” alerting users to threats without blocking access. Enabling “prevention mode” can significantly impact system performance, so it’s recommended to use this feature cautiously. Configuration is primarily done through clamd.conf, with the remaining options documented in the On-Access Scanning User Guide. Multiple instances of ClamOnAcc can run simultaneously with different configurations for customized protection.
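As an added illustration (not configuration from the page or from the ClamAV project), the following is an on-access section of the kind that goes into clamd.conf, with the default notify-only setting shown beside the prevention-mode line left commented out. The directory paths are assumptions chosen for the example.

```conf
# Added example of an on-access section for /etc/clamav/clamd.conf;
# not the page's own configuration. Paths are assumptions for illustration.

# Directories that clamonacc watches (recursively). Prefer a small, high-value
# set such as upload and mail-spool directories over watching "/".
OnAccessIncludePath /srv/uploads
OnAccessIncludePath /var/spool/mail

# Do not watch the quarantine directory itself.
OnAccessExcludePath /srv/uploads/quarantine

# Do not re-scan clamd's own file accesses (avoids a feedback loop).
OnAccessExcludeUname clamav

# Skip files above this size; large files are what make on-access expensive.
OnAccessMaxFileSize 5M

# Default: notify-only. Access is never blocked; detections are only logged.
OnAccessPrevention no

# Prevention mode: each open() is held until clamd answers. Enable only after
# measuring the added latency on the watched paths.
#OnAccessPrevention yes
```

clamonacc is started separately from clamd (for example `clamonacc --fdpass --log=/var/log/clamav/clamonacc.log`, the log path again being an assumption); pointing a second instance at a different file with `--config-file` is how the per-directory policies mentioned above are obtained.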

Effectiveness

ClamAV’s effectiveness has varied over the years. In a 2008 AV-TEST comparison, it scored poorly in on-demand detection and rootkit detection. However, a 2011 Shadowserver test showed ClamAV detecting over 75% of viruses, placing it fifth among tested antivirus tools. A more recent study by Splunk in 2022 found ClamAV to be 59.94% effective at detecting malware, performing well against certain types like Trojans and Botnets but less effectively against others like Crypto Miners and Remote Access Trojans (RATs).

To improve detection rates, several unofficial databases for ClamAV are maintained by organizations like Sanesecurity, which also distributes databases from other parties like Porcupine and MalwarePatrol. SecuriteInfo.com provides additional signatures, and these unofficial signatures are particularly useful for system administrators to filter email messages.
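To make concrete what an additional signature database actually contains, here is an added example (not code from the page or from ClamAV) that writes and matches entries in the two simplest formats ClamAV documents: `.hdb` lines (`md5:size:name`, the same shape `sigtool --md5` prints) and `.ndb` lines (`name:target:offset:hex`). The sample bytes and signature names are constructed for the example; the matcher supports only target type 0, offset `*`, and a plain hex body, not ClamAV's full wildcard grammar.

```python
import hashlib


def make_hdb_entry(data: bytes, name: str) -> str:
    """Produce one .hdb (MD5 hash signature) line: <md5>:<size>:<name>.

    This is the same form that `sigtool --md5 FILE` prints for a file.
    """
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def load_hdb(text: str) -> dict:
    """Parse .hdb text into {(md5, size_or_'*'): name}."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)  # name may itself contain ':'
        db[(md5.lower(), size)] = name
    return db


def match_hdb(data: bytes, db: dict):
    """Hash lookup: exact size first, then the '*' (any size) form."""
    md5 = hashlib.md5(data).hexdigest()
    return db.get((md5, str(len(data)))) or db.get((md5, "*"))


def load_ndb(text: str) -> list:
    """Parse .ndb lines: <name>:<target>:<offset>:<hex>.

    Only TargetType 0 (any file) with offset '*' (anywhere) and a plain hex
    body is supported in this example; real ndb signatures also allow
    wildcards and anchored offsets.
    """
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, target, offset, hexsig = line.split(":", 3)
        if target != "0" or offset != "*":
            raise ValueError(f"unsupported ndb signature form: {line}")
        sigs.append((name, bytes.fromhex(hexsig)))
    return sigs


def match_ndb(data: bytes, sigs: list):
    """Body search: first signature whose byte pattern occurs anywhere."""
    for name, pattern in sigs:
        if pattern in data:
            return name
    return None


def scan(data: bytes, hdb: dict, ndb: list):
    """Return the matching signature name, or None if the data is clean."""
    return match_hdb(data, hdb) or match_ndb(data, ndb)


if __name__ == "__main__":
    # Constructed sample content; hypothetical signature names.
    sample = b"constructed sample file contents 001\n"
    hdb_text = make_hdb_entry(sample, "Constructed.Test.Sample-1")
    ndb_text = "Constructed.Test.Marker-1:0:*:" + b"MARKER-XYZ".hex()
    hdb, ndb = load_hdb(hdb_text), load_ndb(ndb_text)
    print(hdb_text)
    print(scan(sample, hdb, ndb))                    # hash hit
    print(scan(sample + b"!", hdb, ndb))             # one byte changed: hash misses
    print(scan(b"...MARKER-XYZ...", hdb, ndb))       # body pattern hit
```

The one-byte change in the last lines shows why hash-only databases miss trivially repacked samples and why the third-party sets lean on body and logical signatures as well; it is also why every new database should be trialled in a logging-only configuration before it is allowed to reject mail, since a loose body pattern produces false positives on the same scale it adds coverage.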

Platforms

ClamAV is available on Linux, BSD, macOS, OpenVMS, and Windows platforms. On Linux and BSD servers, it can run as a daemon, servicing scan requests from other processes such as mail servers. On desktops, it provides on-demand scanning. macOS Server has included ClamAV since version 10.4, and there are GUI options like ClamXav available for purchase. For OpenVMS, ClamAV is available for DEC Alpha and Itanium platforms. Windows variants include IA-32 and x64 versions.
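The daemon mode described above is what a mail filter talks to. As an added example (not code from the page or from the ClamAV project), the following Python client frames data for clamd's `INSTREAM` command, parses the `OK` / `FOUND` / `ERROR` replies, and maps them to a delivery decision. The socket path is an assumption (it is the Debian packaging default; check `LocalSocket` in clamd.conf), the sample attachment bytes are constructed, and the signature names in the replies are hypothetical.

```python
import re
import socket
import struct

# Assumed clamd socket path; check LocalSocket in clamd.conf on your host.
DEFAULT_SOCKET = "/var/run/clamav/clamd.ctl"
CHUNK_SIZE = 4096


def build_instream(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Frame bytes for clamd's INSTREAM command.

    Wire format: the command 'zINSTREAM' terminated by NUL, then chunks of
    <uint32 big-endian length><bytes>, ended by a zero-length chunk. The 'z'
    prefix asks clamd for NUL-terminated replies instead of newline ones.
    """
    frame = bytearray(b"zINSTREAM\x00")
    for start in range(0, len(data), chunk_size):
        chunk = data[start:start + chunk_size]
        frame += struct.pack(">I", len(chunk)) + chunk
    frame += struct.pack(">I", 0)  # end-of-stream marker
    return bytes(frame)


# 'stream: OK', 'stream: <name> FOUND', 'stream: <message> ERROR'
_REPLY = re.compile(r"^(?P<target>.*?): (?:(?P<sig>.+) FOUND|OK|(?P<err>.+) ERROR)$")


def parse_reply(raw: bytes) -> dict:
    """Parse one clamd reply line into {'target', 'status', 'detail'}."""
    text = raw.rstrip(b"\x00\r\n").decode("utf-8", errors="replace")
    m = _REPLY.match(text)
    if m is None:
        raise ValueError(f"unrecognised clamd reply: {text!r}")
    if m.group("sig"):
        return {"target": m.group("target"), "status": "FOUND", "detail": m.group("sig")}
    if m.group("err"):
        return {"target": m.group("target"), "status": "ERROR", "detail": m.group("err")}
    return {"target": m.group("target"), "status": "OK", "detail": None}


def delivery_decision(reply: dict) -> str:
    """Map a verdict to a mail-filter action.

    Scanner errors (size limit exceeded, engine failure) must not be treated as
    'clean': defer (tempfail) so the message is retried, never delivered unscanned.
    """
    return {"OK": "deliver", "FOUND": "reject"}.get(reply["status"], "defer")


def scan_bytes(data: bytes, socket_path: str = DEFAULT_SOCKET, timeout: float = 30.0) -> dict:
    """Send bytes to a running clamd over its Unix socket and parse the verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(socket_path)
        sock.sendall(build_instream(data))
        buf = b""
        while not buf.endswith(b"\x00"):  # 'z' replies end with NUL
            part = sock.recv(4096)
            if not part:
                break
            buf += part
    return parse_reply(buf)


if __name__ == "__main__":
    # Constructed attachment bytes; a real filter passes the decoded MIME part.
    sample = b"constructed attachment body, harmless text\n"
    try:
        verdict = scan_bytes(sample)
        print(verdict, "->", delivery_decision(verdict))
    except (OSError, ValueError) as exc:
        # No verdict at all (daemon down, timeout, garbled reply): still defer.
        print("no verdict, deferring:", exc)
```

The point a filter author most often gets wrong is in `delivery_decision`: clamd's `StreamMaxLength` limit and any engine failure come back as `ERROR`, and a filter that only checks for `FOUND` will deliver those messages as if they were clean.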

Graphical Interfaces

Given that ClamAV does not inherently include a graphical user interface (GUI), third-party developers have created GUIs for various platforms. On Linux, ClamTk and KlamAV are popular options. For macOS, ClamXav offers a comprehensive GUI with additional features like a “sentry” service and integration with cron for scheduled updates and scans. On Windows, ClamWin is a widely used front-end that includes features like on-demand scanning, automatic updates, and integration with File Explorer and Microsoft Outlook.

ClamAV remains a significant tool for cybersecurity, especially for server-side email scanning and for users looking for a free, open-source antivirus solution. Its cross-platform capabilities and the active community support through unofficial databases and graphical interfaces extend its utility and make it a flexible choice for many IT environments.