Before we get started, here are some links that may be useful:

ClamAV Home Page - This is the official home page for ClamAV.
The Summit Open Source Development Group - They host a direct port of ClamAV to Windows.
ClamWin - A Windows port of ClamAV that includes a pretty slick GUI.

For this article, I have used the sosdg.org Windows port of ClamAV. Setup using ClamWin should be almost exactly the same, except that you will use different paths in the INI files.

First, download and install the desired version of ClamAV. I used the sosdg.org Windows port, and installed to the default location of C:\clamav-devel\. Once you have installed ClamAV, update the virus definitions by running the freshclam.exe program, located in the C:\clamav-devel\bin\ directory. It will automatically download and install the latest virus definitions.

Several people have reported that ClamAV does not run properly until they add the virus database path to the ClamAV commandline, like this:

--database="C:\Documents and Settings\All Users\WINNT\clamwin\db"

If this is the case, then you can do one of two things. You can either live with it (it won't hurt anything) or you can fix it. You can fix it by editing your CLAMAV.CONF file and specifying the correct location to the database files. The correct path in the clamav.conf should be something like this for ClamAV users:

DatabaseDirectory /cygdrive/c/clamav-devel/share/clamav

The exact path will change based on your OS, version of ClamAV, and the phase of the moon during the installation. Or something like that.

Apparently the installers don't do a very good job of noting the correct database location, especially on WindowsXP systems. I have not had this problem under Win98SE, NT4 Server, or 2K Pro.

Next, get a copy of VirProt. This handy little free program, created by Martin Ireland, aids in the integration of a command line AV scanner into a Mercury/32 policy. You can get a copy by sending an e-mail to Martin Ireland with a subject of send_virprot.

Once you have ClamAV installed, unzip VirProt and place the following two files in your C:\MERCURY directory: virprot.exe, virprot.ini.

Open virprot.ini in a text editor. Comment out any existing CmdLine= entries by placing a semicolon in front of them. At the bottom of the file, add this line:

CmdLine=C:\clamav-devel\bin\clamscan.exe "%f" --log=~R

Note that if you installed ClamAV to a path other than the default, or if you used ClamWin, you will need to adjust the path to the clamscan.exe file.

Now create the Mercury/32 policy:

If you did everything right, your new policy would look like this:

ClamAVPolicy.png

That's it. You're done. To test it, download the EICAR AV test file and mail it to yourself. Almost every AV program will detect this harmless test string as a virus.
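The EICAR test described above can also be scripted. The following is an added example, not part of the original article or of VirProt: it sends a clean control message followed by a message carrying the EICAR test file. The SMTP host, port 25 and the address postmaster@example.test are assumptions to replace with your own values.

```python
import smtplib
import sys
from email.message import EmailMessage

# Standard 68-byte EICAR test string, kept in two pieces so that this script
# is not itself quarantined by an on-access scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def build_message(sender, recipient, infected):
    """Return a test mail; with infected=True it carries EICAR as eicar.com."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "AV policy test: " + (
        "EICAR attached" if infected else "clean control")
    msg.set_content("Test message for the virus-scanning policy.\n")
    if infected:
        msg.add_attachment(EICAR, maintype="application",
                           subtype="octet-stream", filename="eicar.com")
    return msg


def send_pair(host, port, sender, recipient):
    """Send the clean control first, then the EICAR message, over SMTP."""
    with smtplib.SMTP(host, port, timeout=60) as smtp:
        for infected in (False, True):
            smtp.send_message(build_message(sender, recipient, infected))


if __name__ == "__main__":
    # Assumed values: replace with your own server and mailbox.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    rcpt = sys.argv[2] if len(sys.argv) > 2 else "postmaster@example.test"
    send_pair(host, 25, rcpt, rcpt)
    print("Sent control + EICAR to", rcpt)
```

If the control message arrives and the EICAR message is handled by the policy, the scanner is wired in correctly. If both arrive untouched, the policy is not firing; if neither arrives, look at mail delivery before suspecting the scanner.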

More Info and Notes

Martin Ireland's VirProt utility is a great tool. Check the virprot.txt file that comes with it for more information on available options, such as automatically blocking or passing specific file extensions. It can also automatically block or pass encrypted ZIP files that are used with some viruses. Martin Ireland also includes sample command lines for other virus scanners, such as F-Prot DOS, AVG, McAfee, Norton, etc.

The ClamAV commandline scanner is a very capable and safe scanner. It has the following defaults:

All of these defaults can be changed using commandline options. Refer to the ClamAV docs for more information.

The only downfall I have seen of using clamscan.exe is that it takes approximately 5 seconds to open and scan an e-mail. This could be due to the speed of my testing system. Here are the specs, so you can judge for yourself:
PIII 500MHz
256MB RAM
Win98SE

If you have a Windows NT-based system (NT, 2K, XP) then you should run clamd.exe and use clamdscan.exe in your policy instead of clamscan.exe. For more information, take a look at the ClamAV pages.

