Hi,
1. http://www.clamwin.com is essentially a GUI/desktop build. It's kept
current - but doesn't have ClamD. So no good!
2. http://hideout.ath.cx/clamav/ needs CHP
(http://www.commandline.co.uk/chp/) to run in the "background", but was
unable to run this ClamD as a "service".
3. http://w32.clamav.net/ (the "official" build) does have ClamD and can use
the current signature files - BUT the build is 10 month old (whatever the
consequence of that might be). It can be made to work with Declude, using a
little Jscript that I'm attaching.
a) Declude Configuration:
#ClamAV
SCANFILE1 c:\Windows\system32\cscript.exe //nologo
D:\CMDfiles\runClamAV.JS
VIRUSCODE1 1
REPORT1 FOUND
b) Schedule this hourly to get fetch signature updates:
freshclam --daemon-notify
The Jscript file trims off the trailing "\" that Declude uses (otherwise
ClamDScan exits with code "2", file/path not found) and generates a
Report.txt file that matches Declude's expected format.
It would be helpful if someone were to either take over the "official
builds" and bring the version up to date (and teaches ClamDScan to accept
paths with trailing backslashes).
Best Regards,
Andy
-----Original Message-----
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Sunday, January 04, 2009 6:39 PM
Hi,
The official Win32 build seems to work just fine, ClamD service and all?
a) I downloaded and installed the MSI file
b) I downloaded the pthread DLL that it required
c) I confirmed that clamscan (the command line scanner) was working - it
was.
d) I confirmed that I could run clamd from the command line. The I used
clamdscan from a second command window to scan for eicar.com, but this time
using the clamd instance - and it detected it instantly.
e) I installed clamd as a Window service:
"C:\Program Files\Windows Resource Kits\Tools\Instsrv.exe" "ClamAV ClamD"
"C:\Program Files\Windows Resource Kits\Tools\Srvany.exe"
Then added the necessary registry entry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClamAV
ClamD\Parameters]
"Application"="C:\\Program Files\\clamAV\\clamd.exe"
f) started the ClamAV ClamD service - and again confirmed with clamdscan
that it detected eicar beautifully.
Not sure if that helps anyone?
Best Regards,
Andy
// Application Constants
var strClamAV = "C:\\Program Files\\clamAV\\ClamDScan.exe";
// Get Command Line Parameter
if ( WScript.Arguments.Count() == 0 )
// nothing to scan
WScript.Quit();
var strPath = WScript.Arguments(0);
// Trim last backslash
if ( strPath.substr( strPath.length - 1 ) == "\\" )
strPath = strPath.substr( 0, strPath.length - 1 );
// Run ClamAV
var objShell = new ActiveXObject("WScript.Shell");
WScript.Echo( "Launching: " + strClamAV + " " + strPath );
var objExec = objShell.Exec( strClamAV + " " + strPath );
var strLine;
var nSeperator, nFound;
var bHaveFound = false;
while ( !objExec.StdOut.AtEndOfStream )
{
// Process ClamAV Output
strLine = objExec.StdOut.ReadLine();
if ( bHaveFound )
continue;
nFound = strLine.indexOf( " FOUND" );
if ( nFound > 0 )
{
nSeperator = strLine.indexOf( ": " );
if ( nSeperator < 1 )
continue;
// Appears to be a possible virus report
bHaveFound = true;
WScript.Echo( "Reporting: " + strLine.substring( 0, nSeperator
) + " FOUND " + strLine.substring( nSeperator + 2, nFound ) );
var objFS = new ActiveXObject("Scripting.FileSystemObject");
objTS = objFS.CreateTextFile( "Report.txt" ); //
Create Declude Report File
objTS.WriteLine( strLine.substring( 0, nSeperator ) + " FOUND "
+ strLine.substring( nSeperator + 2, nFound ) );
objTS.Close();
}
}
// Wait for completion to be able to obtain exit code
while ( objExec.Status != 1 )
WScript.Sleep(100);
WScript.Echo( strClamAV + " returned: " + objExec.ExitCode );
WScript.Quit( objExec.ExitCode );
#############################################################
This message is sent to you because you are subscribed to
the mailing list <sniffer@sortmonster.com>.
To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
Send administrative queries to <sniffer-requ...@sortmonster.com>
