Sunday, April 06 2014, 09:29 AM
Introduction
TBClamAV is an open source antivirus plugin for The Bat! email client that uses the open source tool ClamAV as its scanning backend.
The main difference between TBClamAV and other antivirus plugins for The Bat! is that it loads the whole engine when the first incoming message needs to be analyzed, and keeps it in memory until The Bat! is closed. This means that scanning speed is quite fast.
Once that happens, TBClamAV scans a typical email message in less than a second. Compared with the 5 seconds needed by TBClamWin, which also uses the ClamAV engine, or the 9 seconds that AVP Manager needs using Avira Antivir ScanCL, this is an exceptional saving of time and computer resources.
Because TBClamAV is fully integrated with The Bat!, you are protected both when sending and when receiving emails. If you try to send an email with malware content, it will be detected and reported to you.
When a risky email is received, it is automatically reported to The Bat!, which will handle it properly in the Quarantine.
With user experience in mind, all time-consuming processes that run behind TBClamAV give proper user feedback.
TBClamAV is probably the most powerful and feature-complete ClamAV antivirus plugin for The Bat! you will find.
- Compatible with any The Bat! version since 1.6 (2003) up to 5.0 (2011).
- Works on any x86 and x64 Windows version, for both workstation and server (including 95, 98, ME, NT 4, 2000, XP, 2003, Vista, 7 and 2008).
- Supports most of the ClamAV distributions, such as ClamAV and ClamWin, in 32 and 64 bits.
- No third party dependencies such as .NET, Java, MFC, ...
- Preconfigured to work in most cases.
- Uses the clamd daemon to increase scanning speed.
- Integrated with freshclam to automatically take care of signature database updates.
- Coded in C++ to achieve good performance with low resource usage.
TBClamAV is totally free, for both commercial and private usage.
- Operating System: Windows 95, 98, ME, NT 4.0, 2000, XP, 2003, Vista, 7 or 2008 (x64 compatible).
- 100 Mb of free memory (most part used by ClamAV).
- 80 Mb of disk space available.
Even if its user interface is minimal, TBClamAV is currently only localized in English.
The TBClamAV package is pre-configured out of the box, so the process of configuration and installation is quite straightforward.
1) Decompress the TBClamAV package contents inside a folder called ClamAV where your The Bat! installation is, such as C:\Program Files (x86)\The Bat!\ClamAV
2) Add the TBClamAV.BAV plugin as your antivirus plugin in The Bat!. This is usually done by accessing Options -> Preferences -> Virus/Trojan Alert -> Anti-Virus -> Add
3) Select the TBClamAV plugin and click on Configure to adjust its settings.
The Configuration window is composed of several tabs that are described below. Click on OK to save and apply the changes; on Cancel to discard any configuration changes you may have made (applied or not); on Apply to apply the changes made so far; or on Help if you need further assistance.
Configuration / Options
The Options tab allows you to set up the basic TBClamAV settings:
- ClamAV binary folder: Choose the path where your current ClamAV installation's binary files are located. This is typically C:\Program Files (x86)\The Bat!\ClamAV\bin and is where clamscan.exe, clamd.exe, clamdscan.exe, freshclam.exe, sigtool.exe and libclamav.dll are.
- ClamAV database folder: Choose the path where your current ClamAV signature database files are located. This is typically C:\Program Files (x86)\The Bat!\ClamAV\db and contains main.cvd, daily.cvd and optionally bytecode.cvd and safebrowsing.cvd.
- Use Freshclam to update database: If enabled, TBClamAV will make sure to invoke Freshclam once an hour to keep your ClamAV signatures updated.
- Use Clamd: If checked, and clamd.exe exists, TBClamAV will keep it loaded as a daemon/service in order to perform scans with clamscan.exe when needed. This mechanism provides the fastest scan speeds, but also has the highest memory usage.
- Use LibclamAV: If this option is enabled, TBClamAV will use libclamav.dll to perform the scans. With this option, memory usage is a bit lower than with clamd, and scan speeds are comparable. It is important to know that if neither Use Clamd nor Use LibclamAV is checked, or the corresponding executables cannot be found, it will default to on-demand scanning using clamscan.exe, which is the slowest solution but also the one with the lowest resource consumption.
- Show status: When checked, time-consuming processes will show a status window indicating their progress. The status window will only appear if The Bat! is visible, and will automatically disappear when no relevant progress information exists.
- Automatically check for updates: When enabled, after checking for database signature updates with Freshclam, the plugin will check for updated versions of itself.
- Reset options: Click to reset the TBClamAV options to their factory defaults.
Once you are familiar with TBClamAV, you will be able to replace the ClamAV binaries with the ones most suitable for you. I can recommend:
- Official ClamAV Visual C++ 2010 x64 binaries for Windows: sourceforge.net/projects/clamav/files/clamav/.
- Gianluigi Tiesi's ClamAV MingW and Visual C++ 2005 x86 and x64 binaries for Windows: oss.netfarm.it/clamav/
- Official ClamWin Visual C++ 2008 x86 binaries for Windows: www.clamwin.com
- My x86 and x64 Visual C++ 2010 ClamAV optimized builds: nikkhokkho.sourceforge.net/static.php?page=ClamAVOpt
Configuration / Information
- Settings stored at: Shows the location of the configuration file for TBClamAV. Please, if you edit it manually, be careful.
- ClamAV backend: Displays the ClamAV backend currently in use. It can be DLL when LibclamAV.dll is used; Daemon/Service when Clamd.exe is used; or Program when only Clamscan.exe is used.
- ClamAV version: Presents the ClamAV version in use by the plugin.
- Signature version: Enumerates all the signature database files, showing their versions and other information.
- Last Freshclam: Indicates the last time Freshclam was run to update signatures from inside the plugin, whether by the scheduled hourly launch or on demand.
- Invoke Freshclam: Will run Freshclam to update signatures.
- Submit samples: Guides you through the process of submitting new samples and false positives to the ClamAV analysis laboratory.
Configuration / Statistics
This tab contains statistical information about the TBClamAV plugin runs.
The Global Statistics section contains historical information since the beginning of time, or since the last time the statistics were reset by clicking on Reset statistics. The information is also displayed graphically as a colored pie chart. Green represents clean emails, red represents infected emails, and yellow represents error emails. The total number of analyzed KB (Kilobytes), as well as the total number of sessions, is also displayed.
The Session Statistics section contains information restricted to the current session, that is, since the time you opened The Bat!.
Configuration / About
The About tab contains a more detailed version information of the plugin (including revision and build date), as well as the End User License Agreement (EULA).
You can click on Check for updates to find out whether new TBClamAV versions have been published.
Configuration / Debug
This tab contains special options and tools for the debugging of problems, and is normally not visible.
- Full package (3.0 Mb. in ZIP format). It includes the plugin bundled with x86 ClamAV binaries for Windows.
- Only the plugin (680 Kb. in ZIP format). Get it if you are familiar with TBClamAV and already have a working setup for ClamAV.
- Source code (648 Kb. in ZIP format). Download the full C++ Builder 2010 sources if you want to compile or rebuild it on your own.
- 2011/09/04. Version 3.00: Support for processing and analyzing URLs in email contents; caching of already scanned URLs and files during the session, to reduce scanning times; ability to specify further freshclam, clamd, clamdscan and clamscan switches; integrated sending of detection statistics to clamav.net in Freshclam; fixes on configuration changes to enable the Apply button; using ASMLib 2.21 by Agner Fog (http://www.agner.org/optimize/) to get a slight speed increase and memory usage reduction; minor speedup on file handling; other minor improvements and optimizations.
- 2011/08/18. Version 2.50: Enabled phishing URL detection (cloaked URL, and invalid SSL); enabled spyware detection (PUA Spy); autodetect registry keys from ClamAV and ClamWin to automatically configure paths; added Windows Vista/2008/7 styled message boxes if available; status window indicating ClamAV processes; implemented automatic check for updates; loading of signatures for Libclamav is done in a separate thread to improve responsiveness; simplified thread synchronization handling; fixed multi-threading problem when using Libclamav.dll; usability and keyboard layout improvements; better multimonitor support; updated internal ClamAV API to 0.97.2 level; other minor improvements and optimizations.
- 2011/08/04. Version 2.10: Enabled libclamav.dll / libclamav32.dll integration after lots of testing, stabilization and fine-tuning; bundled with my x86 ClamAV 0.97.2 optimized build; other minor improvements and optimizations.
- 2011/07/30. Version 2.00: Implemented settings dialog for ease of customization; added scanning statistics display with graphical chart; implemented information window; nicer about window; using Windows memory mapped files when available for even better performance; read console output to give the user more detailed information about the viruses found; decreased CPU usage because of optimizations on the procedure to wait for process execution; about 100 Kb. of generated code reduction; added support for BAV_CheckMemory; brand new CHM help file with integrated help button; if enabled, Freshclam is only invoked at most once an hour; major code refactoring; other minor improvements and optimizations.
- 2011/07/04. Version 1.20: Support for reading plugin preferences from TBClamAV.ini in both USERPROFILE as well as the directory where TBClamAV.BAV is; implemented BAV_GetNameAndVersionEx to be called by Unicode-capable The Bat! versions 2.1 or later; implemented BAV_CheckStream and CheckStreamEx to increase scanning performance with newer The Bat! versions; ability to run in "classic mode" when clamd does not exist; ability to omit updating when freshclam does not exist; storing global statistics in TBClamAV.ini; other minor improvements and optimizations.
- 2011/07/03. Version 1.10: Make sure clamdscan does not quit because clamd is not ready yet; removed VCL linked code (not yet necessary) to save about 250 Kb of code; we first need to launch freshclam and then clamd to avoid a missing-database error the first time the plugin is launched; improved detection of clamd.exe already running; make sure we terminate clamd.exe, freshclam.exe and clamdscan.exe if running before exiting; cleaned up ClamAV binaries by removing unnecessary modules; compressed with MPRESS 2.18 (about 8 Kb. of savings as compared with UPX 3.07); other minor improvements and optimizations.
- 2011/06/31. Version 1.00: First public release; moved initialization code from BAV_Initialize to BAV_CheckFile in order to speed up The Bat! loading; other minor improvements and optimizations.
- 2011/06/27. Version 0.90: Initial feature complete private beta.
Frequently Asked Questions (FAQ)
It is not working at all!
In case of problems, please read this documentation again from the beginning. If TBClamAV is still not working, double check the settings in the Configuration / Options section. After that, check that the current ClamAV installation is working. This can be done by opening a Windows console, changing to the directory where the ClamAV binaries are, and executing freshclam.exe, sigtool.exe, clamscan.exe, clamd.exe and clamdscan.exe. Also consult the tooltips shown on the different controls of the dialogs for more detailed information.
It is not working when libclamav.dll is used
First of all, since The Bat! is currently 32 bit only, make sure that libclamav.dll version is compiled for 32 bits. It will not work with the x64 version.
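One way to check this before selecting a DLL, as an added example that is not part of TBClamAV or its documentation: the script reads the Machine field of the PE header, which is 0x014C for 32-bit x86 images and 0x8664 for x64 images. The function names and the sample headers are constructed for the illustration.

```python
import struct
import sys

MACHINE_I386 = 0x014C   # 32-bit x86 image
MACHINE_AMD64 = 0x8664  # x64 image
MACHINE_NAMES = {MACHINE_I386: "x86 (32-bit)", MACHINE_AMD64: "x64 (64-bit)"}


def pe_machine(data: bytes) -> int:
    """Return the COFF Machine field of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if pe_offset + 6 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # Machine is the first 16-bit field of the COFF header after the signature.
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    return machine


def loadable_by_32bit_host(data: bytes) -> bool:
    """True only if the image is a 32-bit x86 build, as a 32-bit The Bat! needs."""
    return pe_machine(data) == MACHINE_I386


def sample_pe(machine: int) -> bytes:
    """Constructed minimal DOS + PE/COFF header, used only for the demo below."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to libclamav.dll given on the command line
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:                  # no path: fall back to a constructed x64 header
        image = sample_pe(MACHINE_AMD64)
    m = pe_machine(image)
    print("Machine:", MACHINE_NAMES.get(m, hex(m)))
    print("Usable from a 32-bit process:", loadable_by_32bit_host(image))
```
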
Information tab always says I am running Program ClamAV backend
TBClamAV uses a mechanism of lazy ClamAV initialization: to make startup faster, ClamAV resources are not loaded until the first time they are used. If you have not yet analyzed any content when the Configuration / Information tab is displayed, neither Daemon nor Libclamav will have been loaded, so it will display Program as the in-use backend.
Why do the statistics show more emails than I have received?
The Bat! usually calls the antivirus plugin for each part of the email. This means that a typical email with HTML part, text part, and a couple of attachments, will perform four different scans, and this is what TBClamAV will track on the statistics.
The Bat! crashes after enabling the plugin
Even if I cannot guarantee TBClamAV is bug free, I have tried to do my best to make it safe and to solve all detected issues. Some users have reported exceptions being raised when running The Bat! together with TBClamAV and Libclamav. In this situation, when a problem occurs in Libclamav, it gets propagated to TBClamAV, and later to The Bat!. The scenarios are a combination of different configurations together with different builds/versions of Libclamav. Try other Libclamav versions, and if the problem still happens, send me the error report so I can review it. In the meantime, try using Clamd or Clamscan modes.
- Official TBClamAV's website: nikkhokkho.sourceforge.net/static.php?page=TBClamAV.
- Official author's website: www.javiergutierrezchamorro.com.