Clam Sentinel lets users scan files for malware with ClamWin Antivirus in real time as they are added, modified, or copied to their computer. It scans permanent hard drives and USB/removable drives with ClamWin, and it also has its own system monitor that scans for unknown malware that does not yet have a ClamWin signature. Sentinel is designed especially for older computers running Windows 98, ME, 2000, or XP, but it has been tested on Windows Vista and Windows 7 machines and works fine on them too.
Both Clam Sentinel and ClamWin are free, open source programs.
Clam Sentinel can be downloaded from http://sourceforge.net/projects/clamsentinel/ on the web.
ClamWin can be downloaded from http://www.clamwin.com/content/view/18/46/ on the web.
INSTALLATION
ClamWin must be installed/configured on the computer before Clam Sentinel can be installed. The Sentinel installation setup will remind you to stop and exit an existing version of Sentinel during installation. New versions will keep your old configuration settings and add any new settings needed during installation.
You should use C:\Program Files\ClamSentinel for the Sentinel installation directory. If your Sentinel download file is the ClamSentinel.exe file, download or copy the .exe file to this directory and click on it to install. If your Sentinel download file is a zipped file, unzip it to this same directory, and click on the ClamSentinel.exe file to install. If your unzip program tells you that a file is already in the directory, tell it to replace the old file and all files. During installation, select Run on startup if it is offered, so that Sentinel will start in real-time mode with your computer. Select to use Sentinel for all users if asked during the install.
Stop and exit Sentinel before installing a new version of ClamWin and start (via the Sentinel desktop icon or via clicking on the ClamSentinel.exe file in the Sentinel directory) when finished.
Language Support
Sentinel automatically supports the default language on the computer if it is English, French, Italian, Japanese, German, Spanish, Polish, Russian, Portuguese, or Bulgarian. English is used if the default is not one of these languages. You can force Sentinel to use any of these languages by adding a row to the Sentinel .ini configuration file like this: Language = French. Do not use a period. Lines in the .ini file without a semicolon at the start are active.
If you would like to help the Sentinel project by translating Sentinel into a new language, download this file: http://clamsentinel.cvs.sourceforge.net/viewvc/clamsentinel/ClamSentinel/Languages.txt from the web and then do the translation and send the translation file to: dynclient@users.sourceforge.net
Uninstalling
You can uninstall Sentinel from the Windows Start menu by selecting Start, All Programs, Clam Sentinel. You can also uninstall via the Windows Control Panel or via the Uninstall program in the Sentinel directory.
A SUMMARY OF CLAM SENTINEL CONFIGURATION AND OPERATION
It is best to use the default settings with which Sentinel is already configured. Under Settings, choose to write scan activity to logs, detect and monitor new drives, and ask to scan new drives. Do not choose to detect PUA. Choose to quarantine infected files, and to detect suspicious files only. Under Advanced Settings, choose to monitor C drive and any other hard disks and removable drives (USBs are usually F and G). Download files only from trusted web sites, do not visit porn sites or torrent sites, and do not put personal information on social networking sites. Infected file detections are ClamWin detections. You must send false positive detected files to Clam AV for signature correction. Detected suspicious files are Sentinel system monitor detections. You must whitelist suspicious files that are falsely detected by Sentinel—Clam AV can do nothing about them. Whitelist files in Advanced Settings, Paths Or Files Not Scanned.
To minimize Sentinel false positive detections that are not really viruses, set up a download directory, and whitelist it in Sentinel. Download all files to that directory before you run/install them. Scan each file with Jotti or VirusTotal before you install/run it. If the file is okay, then install/run it. If Sentinel ever quarantines an installed file as suspicious, check it with Jotti/VirusTotal. If it is okay, disable the system monitor, whitelist the file, restore the file via the Sentinel Recover program, and turn the system monitor back on. Read the rest of this guide for more information.
SETTINGS OPTIONS
Run Sentinel On Startup
You should choose this option when you first install Sentinel. Sentinel will not scan in real-time until this option is activated. Sentinel supports multiple users with the ClamSentinel.ini file created in %APPDATA%\ClamSentinel\, and PowerUsers or Administrators will be asked if they want to start Clam Sentinel for all users during the setup.
Memory Scan
The next option is Scan the memory when the program starts. This is the same as ClamWin's memory scan. You will probably not want to activate this option. You can always scan memory whenever you want, or during a ClamWin scheduled scan.
Write scan activity to the log
The next option is to Write scan activity to the log. Sentinel has 5 scan logs for real-time, memory, USB/removable drive, messages about new malware or suspicious changes, and quarantine. All logs are activated by this one selection. For most users, the message log and quarantine logs are probably the most important logs. The real-time log is very “busy” when the user is on the world wide web.
New Drive Detection & Scanning Configuration
This option is for detection on removable drives (USB, etc.). There are two options: Detect new drives and Ask to scan new drives. You should choose to detect new drives, but scanning takes some time, so you would probably not want to scan new drives unless you are using a USB drive for the first time. You can scan a USB manually with ClamWin.
PUA Detection Option
The next option is Select PUA. This option is for expert users. You will not normally want to select this option because it does not identify actual viruses--it only identifies Potentially Unwanted Applications that could be virus tools or files that were created with such tools--such as packers, scripts, and remote communication/control programs. If you surf the internet with PUA enabled, you will get too many PUA false positives in the temporary internet folder from “good” scripts and packed scripts used by web sites.
Infected File Option
The next option is What to do when an infected file is found. There are two choices: Move to quarantine or Report Only. Choosing quarantine is best. ClamWin and Sentinel have protection from false positive detections on Windows system files, and you can restore false positives from quarantine via the Sentinel Recover program. Use the Report Only option if you are not sure what to choose, but you will have to manually handle infected file quarantine or removal.
Monitor System For New Malware Option
The next option is Monitor system for new malware. There are three System Monitor options: Detect suspicious files and warn about system changes, Detect suspicious files only, and Disable. When Sentinel detects a suspicious file, it is put in quarantine (if you choose one of the detection options) with the type of detection included in the filename. Suspicious files that are quarantined should be sent to Clam AV at http://www.clamav.net/lang/en/sendvirus/ so they can prepare a normal signature for all users.
Do not select the option to Detect suspicious files and warn about system changes unless you are an experienced user who wants to know about all changes to your computer system. Users who select this option will see lots of popup messages about system changes (files put on the computer). Most system changes are okay and should not be a concern.
The option to “Detect suspicious files only” is the default option and is recommended for most users. When this option is chosen, the System Monitor will give popup warning messages only when new suspicious files have been detected. There will be no popup warnings of other system changes, but an entry will still be made in the Message Log for a record. Send quarantined suspicious files to Clam AV for normal signature preparation. Whitelist Sentinel suspicious files that are false positive detections as explained below.
The option to Disable the System Monitor turns off detection of suspicious files. You can also Disable the system monitor while you “whitelist” a file to prevent it from being falsely recognized as suspicious and quarantined, but re-enable the system monitor after you whitelist the file and restore it from quarantine via the Sentinel Recover program. If you have problems using the System Monitor, choose the Disable option, contact the Sentinel developer, and keep System Monitor turned off until the developer answers you. Learn to use the System Monitor because it provides important extra protection to Sentinel users.
Even if you do not download files from porn sites, pirated software sites, or from people you do not know, the System Monitor may give an occasional false positive warning when downloading “good” files. Read the section in this guide titled A SUMMARY OF CLAM SENTINEL CONFIGURATION AND OPERATION.
System Monitor warnings are okay if you have used the program before, or if you have already scanned the file with ClamWin or Jotti/VirusTotal. With the system monitor set to notify you of all suspicious files, when you install Windows patches each month, you may get lots of suspicious file warnings (mostly for C:\Windows\System32\catroot files). These patch warnings are okay. There are just too many files to whitelist, and the file names may change every month. Sentinel/ClamWin also protect users against quarantine of important Windows system files. Only whitelist files that you use regularly--because whitelisting removes files from both the System Monitor and from the real-time scanner. You can whitelist either the filename and extension (such as Filename.exe) or the entire file listing from your computer's directory (such as C:\Program Directory\Program\Filename.exe). I recommend that you whitelist the entire directory listing, to prevent whitelisting malware with the same name and extension that may be somewhere else on your computer.
Upload quarantined suspicious files to Clam AV at http://www.clamav.net/lang/en/sendvirus/ on the web for normal virus signature preparation. If you check files with Jotti or Virus Total on the web, a suspicious file that is not detected by more than 3 AV programs is probably a “false positive”, which you can whitelist in Sentinel.
If you get a suspicious warning when you are not installing a new program, malware may be trying to install itself on your computer. If you are not installing/running a new program and you get a warning about a suspicious file or a warning about a registry change, or several warnings close together, you most certainly have malware on your computer. Run a complete ClamWin scan and then do a scan with a cleanup scanner, such as Malwarebytes, House Call, Dr. Web Cureit, or Norman Malware Cleaner.
Notify Of New Versions
The last Settings option is Notify of new versions. If you choose this option, Sentinel will give you a pop up message several minutes after turning on your computer if a new version is available for downloading at the Sentinel web site. Turn off the notification if it annoys you and just visit the Sentinel web site once a month to see if there is a new version.
ADVANCED SETTINGS OPTIONS
The five advanced settings options are for expert users who want to “tweak” Sentinel. The defaults are okay for most users.
Fixed Disks To Monitor
The first Advanced option is Choose fixed disks to monitor. This is selected when you install Sentinel, but you can change it at any time. Sentinel can monitor hard drives, CD drives and USB drives. Sentinel will normally automatically choose to monitor the C drive. You should monitor all other hard drives and any removable drives you use regularly. USB drives are often named drive F or G by the Windows operating system. The CD drive is often called drive D or E.
Extensions To Scan
The next option is Choose what extensions Sentinel will scan. Most users should use the Sentinel default option of about 120 Windows file extensions. Experienced users can configure their own custom scan extensions here, but they will miss any future changes made to the default extensions.
Paths Or Files Not Scanned (Whitelist)
Operation: Disable System Monitor or Stop Sentinel, Verify Files, Whitelist “Good” Files, Re-Start/Enable
The next option is Paths or Files not scanned. Sentinel comes configured so that the path on your computer for the most recent Windows activity is not scanned so that it will not be unnecessarily busy. You can add other paths, or even individual files, that you do not want to be scanned because they will trigger an unwanted Sentinel suspicious detection. You can also whitelist infected file false positive detections until Clam AV corrects their signature. Sentinel has wild card support (? and *) for filenames or paths not scanned. Files not scanned are excluded from both the System monitor and real-time monitor, so be careful what you whitelist. Make sure it is not really infected.
Examples: c:\temp will exclude the temp folder from scans; c:\temp\test.bat will exclude the test.bat program in the temp folder from scans; test.bat will exclude the test.bat file anywhere on your computer from scans. You can browse files/folders on your computer by selecting the little icon on the configuration page. If you use Sentinel with another antivirus/antimalware program, you should exclude the other AV's program folder, data folder, quarantine folder and database folder (if separate from the data folder) from Sentinel to prevent the other AV from triggering a false detection on a ClamWin virus signature. Also exclude the Sentinel and ClamWin program and data folders from the other scanner. This option is also used to exclude files from Sentinel's System Monitor warnings about suspicious files. If “good” programs that you use trigger a System Monitor warning, you can exclude these files from System Monitor so that future warnings will be for “real” suspicious files. If possible, only exclude individual files within a folder. Example: C:\Foldername\Filename.Extension. Excluding entire folders will mean less protection from both Sentinel's Real Time Monitor and the System Monitor.
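To see what each kind of whitelist entry really excludes before you add it, here is an added example (not Clam Sentinel's own code) that models the three entry forms and the ? and * wildcards described above, and flags entries wider than the single-file form the guide recommends. Sentinel's real matching code may differ in details the guide does not mention; the sample whitelist and paths are constructed.

```python
import fnmatch
import ntpath

# Added example, not Clam Sentinel's own code: a model of the "Paths or
# Files not scanned" rules as the guide describes them.
#   c:\temp           excludes everything under that folder
#   c:\temp\test.bat  excludes that one file
#   test.bat          excludes a file with that name in ANY folder
#   ? and *           single- and multi-character wildcards


def _norm(p):
    """Windows paths: case-insensitive, backslash separators, no trailing slash."""
    return p.replace("/", "\\").lower().rstrip("\\")


def is_excluded(path, whitelist):
    """Return the whitelist entry that excludes `path`, or None if it is scanned."""
    path = _norm(path)
    name = ntpath.basename(path)
    for entry in whitelist:
        pat = _norm(entry)
        if "\\" in pat:
            # Entry carries a path: match the file itself or anything below it.
            if fnmatch.fnmatchcase(path, pat) or fnmatch.fnmatchcase(path, pat + "\\*"):
                return entry
        elif fnmatch.fnmatchcase(name, pat):
            # Bare name: matches wherever a file of that name appears.
            return entry
    return None


def audit_whitelist(whitelist):
    """Flag entries wider than the single-file form (C:\\Folder\\File.ext)
    the guide recommends. An entry whose last component has no dot is
    treated as a folder (an assumption of this example)."""
    findings = []
    for entry in whitelist:
        pat = _norm(entry)
        if "\\" not in pat:
            findings.append((entry, "bare name: excluded in every folder, so "
                                    "malware with the same name is never scanned"))
        elif "*" in pat or "?" in pat:
            findings.append((entry, "wildcard: may exclude files you did not intend"))
        elif "." not in ntpath.basename(pat):
            findings.append((entry, "folder: everything below it leaves both the "
                                    "real-time scanner and the System Monitor"))
    return findings


if __name__ == "__main__":
    # Constructed sample whitelist and paths.
    wl = ["c:\\temp", "C:\\Downloads\\setup.exe", "test.bat"]
    for p in ["C:\\Temp\\sub\\a.exe", "C:\\Downloads\\setup.exe",
              "C:\\Users\\bob\\test.bat", "C:\\Windows\\svchost.exe"]:
        print(p, "->", is_excluded(p, wl))
    for entry, why in audit_whitelist(wl):
        print("review:", entry, "-", why)
```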
Paths Where All Files Will Be Scanned
The next option is Paths where all files will be scanned. This is for selecting paths or directories, where all files are to be scanned—regardless of the extensions. You can browse paths or folders on your computer by selecting the little icon on the Sentinel configuration page. You will generally not need this option.
Maximum No. Of Simultaneous Scans
The next option is Maximum number of simultaneously active scans. Sentinel comes configured with a 1 for this option, and most people should leave it at that. You might set it to 2 if you have a very large hard drive or if your computer has a powerful dual processor. Do not make Sentinel work too hard.
Maximum Sentinel Log Size
The last advanced settings option is Maximum Sentinel log file size. Sentinel comes configured with a large 5 megabyte size, but 1 or 2 megabytes is enough for most users. Sentinel has 5 logs: realtime, memory, drives, messages, and quarantine. Each log has this same size.
Logs
There are logs for the real-time monitor, quarantined files, messages (System Monitor) with some registry changes (if you used the full system monitor option), memory scan, and drive scan. After “whitelisting” your “good” files/folders that are detected as suspicious, you will normally not get many system monitor messages, so each message can be important. Check the Message log occasionally to see if you have missed anything. Recent messages are shown at the end of each log.
You can locate any file warned about by looking at the System Monitor Message Log (the most recent files are shown at the end of the log). You can look at the Quarantine log to learn about suspicious files put in the ClamWin Quarantine folder.
Sentinel Recover (Restore From Quarantine) Browser—A Separate Program (Included)
Operation: Stop Sentinel, Start Recover, See Files, Select Files, Whitelist Files, Restore Files, Start Sentinel
Sentinel comes with a separate program, SentinelRecover.exe, which is similar to ClamWin's Quarantine Browser program to restore files from quarantine. Sentinel Recover works on all computers, and it can restore files quarantined by both Sentinel and ClamWin. Operation is simple, and the options are mostly self explanatory. To restore files, you should follow the operation steps above. Before restoring an infected file (not a System Monitor suspicious file), you should visit the Clam AV Submit A File page on the web to upload it and tell them it is a false positive detection so they can correct their signature. Then you can whitelist it for Sentinel until it is corrected. If you intend to scan a detected file with a ClamWin on-demand scan, you should also whitelist it via the ClamWin filters tab. Remove the whitelisted file from both Sentinel and ClamWin whitelists when Clam AV has corrected the signature in a few days. Never submit a file detected by the System Monitor to Clam AV--Clam AV can do nothing about false positive System Monitor detections. All you need to do is whitelist them for Sentinel.
Using Clam Sentinel On A USB Stick/Drive/Key
To run Sentinel on a USB stick, the user can manually configure Sentinel to use the .ini configuration file that is in the same USB folder from where Sentinel is run. The configuration item is UseLocalIniFile (1=yes; 0=no, which is the default). The local option is enabled by manually changing it to 1. ClamWin must be installed on the computer before you use Sentinel on USB, but you do not have to install ClamWin on the USB if it is already installed on the computer. See below for an explanation of how to use both Sentinel and ClamWin Portable on USB.
Using Both Clam Sentinel And ClamWin Portable On USB
First, you must install ClamWin Portable on a USB drive/key and start it (run ClamWinPortable.exe from the ClamWinPortable directory). Configure ClamWin the way you want—just like you would if it is installed on a hard drive (not all ClamWin options are available in the Portable version).
Then you must download the Clam Sentinel Zip file (or Sentinel.exe file) from the Clam Sentinel site to the desktop on your computer. Extract the zipped Sentinel files to the desktop of your computer. You must copy the Sentinel.exe file, the .ini file, and the Sentinel Recover file to the USB in the ClamWinPortable\App\clamwin\bin folder.
Next, as mentioned above, you will have to configure Sentinel to use the .ini configuration file that is in the same folder from where Sentinel is run (in the ClamWin\bin directory on the USB). The configuration item is UseLocalIniFile (1=yes; 0=no, which is the default). This option is enabled by manually changing it to 1. Open the Sentinel.ini file in Notepad or similar text editor and make the manual change and save the .ini file.
Then you must also configure Sentinel to use the local ClamWin configuration file on the USB stick. To do this, make the PathClamWin=..\..\..\data\settings line active. Do this by removing the semicolon (;) from the beginning of that line in the .ini file and putting a semicolon (;) at the beginning of the line for any other “PathClamWin=” statements in the .ini file. This configuration always works best for me if I put PathClamWin=f:\ClamWinPortable\App\DefaultData\settings. The USB drive is usually f or g, so change it as needed.
Do not run Sentinel before you make the two manual configuration changes mentioned above. Then click on the Sentinel.exe file in the ClamWin bin folder to run Sentinel. You can do any other configuration via the Sentinel badge in the system tray after starting. You can then delete the Sentinel files on your desktop.
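The .ini conventions used in the Language Support section (a line is active unless it starts with a semicolon) and in the two manual USB edits above, applied by script as an added example that is not the project's own code. Only the keys the guide names (Language, UseLocalIniFile, PathClamWin) are used; the sample file content is constructed.

```python
# Added example, not Clam Sentinel's code: edit a ClamSentinel.ini the way
# the guide describes. A line is active unless it starts with ';', so
# "Language = French" is active and ";Language = French" is not. For the USB
# setup, UseLocalIniFile becomes 1 and exactly one PathClamWin= line stays
# active. The sample below is constructed, not a real configuration file.

SAMPLE_INI = """\
; constructed ClamSentinel.ini sample (not a real file)
Language = French
UseLocalIniFile=0
PathClamWin=C:\\constructed\\local\\clamwin\\settings
;PathClamWin=..\\..\\..\\data\\settings
"""


def _parse(line):
    """Return (active, key, value) for a key=value line, else None."""
    s = line.strip()
    body = s.lstrip(";").strip()
    if "=" not in body:
        return None
    key, value = body.split("=", 1)
    return (not s.startswith(";"), key.strip(), value.strip())


def active_settings(text):
    """Settings Sentinel would actually read: the uncommented key=value lines."""
    cfg = {}
    for line in text.splitlines():
        p = _parse(line)
        if p and p[0]:
            cfg[p[1]] = p[2]
    return cfg


def set_value(text, key, value):
    """Change the first active key= line to key=value in place (append if absent)."""
    out, done = [], False
    for line in text.splitlines():
        p = _parse(line)
        if not done and p and p[0] and p[1].lower() == key.lower():
            out.append(f"{p[1]}={value}")
            done = True
        else:
            out.append(line)
    if not done:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def activate_only(text, key, value):
    """Uncomment the key=value line and put ';' in front of every other key= line."""
    out, found = [], False
    for line in text.splitlines():
        p = _parse(line)
        if p is None or p[1].lower() != key.lower():
            out.append(line)
        elif p[2].lower() == value.lower():
            out.append(f"{p[1]}={p[2]}")      # activate
            found = True
        else:
            out.append(f";{p[1]}={p[2]}")     # deactivate
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def configure_for_usb(text):
    """The two manual edits the guide requires before running Sentinel from USB."""
    text = set_value(text, "UseLocalIniFile", "1")
    return activate_only(text, "PathClamWin", r"..\..\..\data\settings")


if __name__ == "__main__":
    print(configure_for_usb(SAMPLE_INI))
```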
From now on, you can start Clam Sentinel on the USB by clicking on the ClamSentinel.exe file in the ClamWin\bin folder on the USB, and Sentinel will start protecting you. I suggest that you do not configure Sentinel on the USB to run on startup—start it manually like this each time you insert the USB. When you start Sentinel, it drops an icon in the system tray—just like it does for the regular hard drive version. You can configure Sentinel by clicking on the icon—just like the regular version. Be sure to enable the System Monitor to detect suspicious files only. System Monitor does not detect USB changes, but the real-time monitor is active on the USB.
After Sentinel is installed on the USB, you do not have to start ClamWin Portable any more—Sentinel will find the ClamWin Portable files it needs on the USB key. You do not need ClamWin Portable running in order to use Sentinel, but you should have both programs configured on USB as mentioned. You will need to start ClamWin Portable, however, in order to update the ClamWin signature database. Do this at least daily, but more often if you use the internet for long periods of time.
You can make a shortcut to Sentinel on the USB key and put it in the ClamWinPortable folder/directory with the ClamWinPortable.exe file. You could also make a shortcut to ClamWinPortable.exe and ClamSentinel.exe on your desktop so that you can start them from your desktop. CAUTION: before setting up or using ClamWinPortable and ClamSentinel from the USB key, you will need to STOP them from running if they are already installed on your hard drive. In fact, if you want to run ClamWin and Sentinel from USB, it is best if you do not have them installed locally on your computer.
You can stop both programs from running locally on the computer by right clicking on their icons in the system tray and then selecting Exit or Stop. When you want to remove the USB key from the computer, you will have to stop Sentinel on the USB (and ClamWinPortable if it is running), and then click on the USB icon in the system tray and stop the USB from running before you can remove it without doing any USB damage.
Be sure to keep your old Sentinel .exe and .ini and Sentinel Recover file from the USB when you update to a new version of ClamWin Portable. When future updates to Sentinel are available, just copy the new Sentinel.exe file to the USB like you first did. Your old Sentinel .ini file and Sentinel Recover file on the USB will still be good, and Sentinel will update them during installation if needed.
Thank You
Thank you for using Clam Sentinel. If you like it, please tell other people about it, and give the author, Andrea Russo, your comments and suggestions. Visit the Sentinel web site monthly for news and updates.
by Robert Scroggins