Clam Sentinel

The Clam Sentinel Program Description And Setup

(Please Read The Quick Start Section Below)

Clam Sentinel lets you scan files for malware with ClamWin Antivirus in real-time as they are added, modified, or copied to the computer. It scans permanent hard drives and USB/removable drives with ClamWin, but Clam Sentinel also uses its own system monitor to detect unknown malware that does not have a ClamWin signature. Clam Sentinel is designed especially for older computers, such as Windows 98, ME, 2000, and XP, but it has been tested on Windows Vista/Windows 7 systems and works fine on them also.

Both Clam Sentinel and ClamWin are free, open source programs.
Clam Sentinel can be downloaded from http://sourceforge.net/projects/clamsentinel/ on the web.
ClamWin can be downloaded from http://www.clamwin.com/content/view/18/46/ on the web.

INSTALLATION

ClamWin must be installed/configured on the computer before Clam Sentinel can be installed. If you have an old version of Clam Sentinel, the installation setup will remind you to stop and exit that version before continuing. The new installation will keep your old configuration settings.

You should use C:\Program Files\ClamSentinel for the installation folder. If your download file is a ClamSentinel.exe file, download or copy the .exe file to this folder and click on it to install. If your download file is a zipped file, unzip it to this same folder, and click on the ClamSentinel.exe file to install. If your unzip program tells you that a file is already in the folder, tell it to replace the old file and all files. During installation, select Run on startup if it is offered, so that Clam Sentinel will start in real-time mode on your computer. Select to use the program for all users if asked during the install.

You must stop and exit Clam Sentinel before installing a new version of ClamWin. Be sure to re-start after ClamWin is installed.

Language Support

Clam Sentinel automatically supports the default language on the computer if it is English, French, Italian, Japanese, German, Spanish, Polish, Russian, Portuguese, Bulgarian, Dutch or Azeri. English is the default for all other languages. You can force Clam Sentinel to use any of the default languages by adding a row to the Sentinel .ini configuration file like this: Language = French. Do not use a period. Lines in the .ini file without a semicolon at the start are active configurations. All other lines are just explanations.

If you would like to help the Clam Sentinel project by translating it into a new language, download this file: http://clamsentinel.cvs.sourceforge.net/viewvc/clamsentinel/ClamSentinel/Languages.txt from the web and then do the translation and send the translation file to: dynclient@users.sourceforge.net

Uninstalling

You can uninstall Clam Sentinel from the Windows Start menu by selecting Start, All Programs, Clam Sentinel, Uninstall. You can also uninstall via the Windows Control Panel or via the Uninstall program in the Clam Sentinel directory.

**QUICK START SECTION**

It is best to use the Clam Sentinel default settings that are already configured. Make sure Settings are set to choose to write scan activity to logs, detect and monitor new drives, ask to scan new drives, quarantine infected files, and detect suspicious files only. Under Advanced Settings, monitor C drive and any other hard disks/removable drives (USBs are usually F and G).

Download files only from trusted web sites, do not visit porn sites or torrent sites, and do not put personal information on social networking sites.

Infected File detections are ClamWin detections. You must upload files that are falsely detected as infected files to Clam AV for signature correction. Suspicious File detections are Sentinel System Monitor detections—Clam AV can not fix them. You must Whitelist falsely detected suspicious files in Clam Sentinel. Whitelisting adds files to a list of files that are not to be scanned by Clam Sentinel. You can whitelist files in Advanced Settings, Paths Or Files Not Scanned. Read the Simple Guide section below on Paths Or Files Not Scanned for more information about whitelisting.

To minimize Clam Sentinel false positive detections during file downloads, disable the Clam Sentinel system monitor before downloading (Settings, Monitor System For New Malware, Disabled). Scan all downloaded files with the Jotti or Virus Total scanning services before you install/run them. If the file is okay, install/run it and then re-enable the system monitor.

If a file contains a real virus per Jotti/Virus Total and is not detected by Clam AV or ClamWin, upload the file to Clam AV so they can prepare an official signature. You can leave the virus file in quarantine or manually delete it from quarantine. If the file is not infected, whitelist it in Clam Sentinel per the whitelist advice above. Read the rest of this guide for more detailed information about Clam Sentinel operation.

SETTINGS OPTIONS

Memory Scan

The first settings option is Scan the memory when the program starts. This is the same as ClamWin's memory scan. You will probably not want to activate this option. You can always scan memory with ClamWin manually or during a ClamWin scheduled scan.

Write scan activity to the log

The next option is Write scan activity to the log. Clam Sentinel has 5 scan logs for real-time, memory, USB/removable drives, messages about new suspicious changes to the computer, and quarantine. All logs are activated by this one selection.

Detect And Monitor New Drives

This option is for detection on removable drives (USB, etc.). You should choose to detect new drives, but a full scan takes some time, so you will probably not want to scan an entire drive with Sentinel very often. You can scan it manually with ClamWin or schedule a scan with it.

Ask To Scan New Drives Option

You should choose this option so Clam Sentinel will ask you if you want to scan a USB (or another) removable drive when it is inserted. Scan all new USB drives.

Infected File Option

The next option is What to do when an infected file is found. There are two choices: Move to quarantine or Report Only. Choosing quarantine is best. ClamWin and Clam Sentinel have protection from false positive detections on Windows system files, and you can restore false positives from quarantine via the Sentinel Recover program. Use the Move to quarantine default because you will have to manually handle infected file quarantine and removal otherwise.

Monitor System For New Malware Option

The next option is Monitor system for new malware. There are several System Monitor options: Detect suspicious files and warn about system changes, Detect suspicious files only, and Disable. There is also an option to Skip files with a valid digital signature. When Clam Sentinel detects a suspicious file, it uses this option to know what to do. Suspicious files that are quarantined should be sent to Clam AV at http://www.clamav.net/lang/en/sendvirus/ so it can prepare a normal ClamWin signature for all users.

Do not select the option to Detect suspicious files and warn about system changes unless you are an experienced user who wants to know about all changes to your computer. Users who select this option will see lots of popup messages about system changes (files put on the computer). Most system changes are okay and should not be a concern.

The default option to “Detect suspicious files only” is recommended for users. When this option is chosen, the System Monitor will give popup warning messages only when new suspicious files have been detected. There will be no popup warnings of other system changes, but an entry will still be made in the Message Log for a record. Send quarantined suspicious files to Clam AV for normal signature preparation. Whitelist Sentinel suspicious files that are falsely detected as explained below.

The option to Disable the System Monitor turns off detection of suspicious files. You should Disable the system monitor while you “whitelist” a file, but re-enable the system monitor after you have whitelisted the file and restored it from quarantine via the Sentinel Recover program. If you have problems using the System Monitor, choose the Disable option, contact the Sentinel developer, and keep the System Monitor turned off until the developer answers you. You should know how to use the system monitor because it provides important extra protection to Sentinel users that ClamWin does not have.

Even if you do not download files from porn sites, torrent sites, pirated software sites, or from people you do not know, the System Monitor may give an occasional false detection warning (a false positive) when downloading “good” files. The Quick Start section above tells how to handle this.

Upload quarantined suspicious files to Clam AV at http://www.clamav.net/lang/en/sendvirus/ on the web for normal virus signature preparation. If you check files with Jotti or Virus Total on the web, a suspicious file that is not detected by more than 3 AV programs is probably a “false positive” if the file is older than a week or two, and you can whitelist it in Sentinel. If the file is older than a week or two, there should be many AV programs that detect it if it is really infected. Whitelisting will exclude the file from scanning by Clam Sentinel.

If you get a suspicious warning when you are not installing a new program, malware may be trying to install itself on your computer. If you are not installing/running a new program and you get a warning about a suspicious file or a warning about a registry change, or several warnings close together, you most certainly have malware on your computer. Run a complete ClamWin scan and then do a scan with a cleanup scanner, such as Malwarebytes or Microsoft Safety Scanner (msert.exe). Kaspersky's TDSSKiller is very good at finding hidden malware—use it if nothing is found.

There is also an option to Skip Files With A Valid Digital Signature. It is not selected by default, but it is probably safe to select this option. Malware does not often have a valid digital signature.

Notify Of New Versions

The last Settings option is Notify of new versions. If you choose this option, Sentinel will give you a pop-up message several minutes after turning on your computer if a new version is available for downloading. I suggest you keep this option turned off and just visit the Sentinel web site once a month to see if there is a new version.

ADVANCED SETTINGS OPTIONS

The advanced settings options are for expert users who want to “tweak” Sentinel. The Clam Sentinel default configurations are best for most users.

Fixed Disks To Monitor

The first Advanced option is Choose fixed disks to monitor. This is selected when you install Clam Sentinel, but you can change it at any time. Clam Sentinel can monitor hard drives, CD drives and USB/removable drives. Clam Sentinel will normally automatically choose to monitor the C drive. You should monitor all other hard drives and removable drives that you use regularly. USB drives are often named drive F or G by the Windows operating system. The CD drive is often named drive D or E.

Extensions To Scan

The next option is Choose what extensions Clam Sentinel will scan. The Sentinel default option has about 130 Windows file extensions. Experienced users can configure their own scan extensions here, but they will miss any future changes made to the default extensions.

Paths Or Files Not Scanned (Whitelisting)

Operation: Disable System Monitor or Stop Verify Files, Whitelist “Good” Files, Re-Enable or Re-Start

The next option is Paths or Files not scanned. Clam Sentinel is configured so that the path on your computer with the most recent Windows activity is not scanned (whitelisted). You can add other paths, or even individual files, that you do not want to be scanned if they will trigger a false suspicious detection. You should also whitelist infected file false positive detections until Clam AV corrects their signature. Clam Sentinel has wild card support (? and *) for filenames or paths not scanned. Files not scanned are excluded from both the System monitor and the real-time monitor, so be careful what you whitelist. Verify with Jotti or Virus Total that each file you whitelist is really “clean” and not infected.

Examples: c:\temp will exclude the temp folder from scans; c:\temp\test.bat will exclude the test.bat program in the temp folder from scans; test.bat will exclude the test.bat file anywhere on your computer from scans. You can browse files/folders on your computer by selecting the little icon on the whitelist configuration page. If you use Clam Sentinel with another antivirus/antimalware program, you should whitelist the other AV's program folder, data folder, and quarantine and database folders (if separate from the data folder) from Clam Sentinel to prevent the other AV from triggering a false detection on a ClamWin virus signature. Also exclude the Clam Sentinel and ClamWin program folders and the ClamWin data folder from the other scanner. This option is also used to exclude files from Sentinel's System Monitor warnings about suspicious files. If “good” programs that you use trigger a System Monitor warning, you can whitelist these files from the System Monitor so that future warnings will be only for “real” suspicious files. If possible, exclude individual files within a folder. Example: C:\Foldername\Filename.Extension. Excluding entire folders will mean less protection from both Sentinel's Real Time Monitor and the System Monitor.
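As an added example (not code from Clam Sentinel or this guide), the Python checker below models the three whitelist entry forms described above (a folder, a full file path, a bare filename) together with the ? and * wildcards, so you can see which sample paths an entry would silence before you add it. The entries and paths are constructed; the matching rules are an assumption drawn from the examples in the text, not the program's own implementation.

```python
import fnmatch
import ntpath
from typing import Optional

# Constructed whitelist, one entry per form the guide describes:
#   a folder path excludes everything under it,
#   a full file path excludes that one file,
#   a bare filename excludes that name in any folder,
#   ? and * are wildcards (assumed to work as in the guide's description).
WHITELIST = [
    r"c:\temp",             # whole folder
    r"c:\tools\test.bat",   # one specific file
    "test.bat",             # this filename anywhere on the computer
    r"c:\other-av\*",       # hypothetical other AV's program folder, wildcard form
    "setup?.exe",           # wildcard in a bare filename
]


def _norm(p: str) -> str:
    """Normalise a Windows-style path and fold case (Windows paths are case-insensitive)."""
    return ntpath.normpath(p).lower()


def is_whitelisted(path: str, entries=WHITELIST) -> Optional[str]:
    """Return the first whitelist entry that would exclude `path` from scanning, or None."""
    path_n = _norm(path)
    name = ntpath.basename(path_n)
    for entry in entries:
        e = _norm(entry)
        if "\\" not in e:
            # Bare filename: compare against the file name only, in any folder.
            if fnmatch.fnmatchcase(name, e):
                return entry
        else:
            # Full path: exact (wildcard) match, or a folder entry that covers the file.
            if fnmatch.fnmatchcase(path_n, e) or path_n.startswith(e.rstrip("\\") + "\\"):
                return entry
    return None


def coverage_report(sample_paths, entries=WHITELIST) -> dict:
    """Map each sample path to the entry that silences it (None = still scanned).

    Run this over a few representative paths before adding a broad entry: a folder
    entry such as c:\\temp hides every file dropped there from both monitors.
    """
    return {p: is_whitelisted(p, entries) for p in sample_paths}


if __name__ == "__main__":
    samples = [
        r"C:\Temp\download\evil.exe",
        r"c:\tools\test.bat",
        r"d:\anywhere\TEST.BAT",
        r"c:\other-av\quarantine\sig.dat",
        r"c:\downloads\setup1.exe",
        r"c:\downloads\setup10.exe",
        r"c:\temporary\x.exe",
    ]
    for p, hit in coverage_report(samples).items():
        print(f"{p:40} -> {'NOT SCANNED (' + hit + ')' if hit else 'scanned'}")
```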

Paths Where All Files Will Be Scanned

The next option is Paths where all files will be scanned. This is for selecting folders where all files are to be scanned—regardless of the extensions. You can browse folders on your computer by selecting the little icon on the configuration page. You will generally not need this option.

Maximum No. Of Simultaneous Scans

The next option is Maximum number of simultaneously active scans. Clam Sentinel comes configured with a 1 for this option, and most users should keep it. You might set it to 2 if you have a very large hard drive or if your computer has a powerful dual processor.

Maximum Log Size

The last advanced settings option is Maximum size for log files. The default is 5 megabytes, but 1 or 2 megabytes should be enough—especially if you have a small hard drive. Sentinel has 5 logs, and this same maximum size applies to each of them.

Quarantine

There are two options under the quarantine menu. You can access the quarantine folder or restore quarantined files. Access the quarantine folder to see what files have been quarantined.

You can also run the Clam Sentinel Quarantine Recover program to restore files from quarantine back to their original location. Sentinel comes with a separate program, SentinelRecover.exe, which is similar to ClamWin's Quarantine Browser program, to restore files from quarantine. Sentinel Recover works on all computers, and it can restore files quarantined by both Clam Sentinel and ClamWin. Operation is simple, and the options are mostly self explanatory. Before restoring an infected file (not a System Monitor suspicious file), you should visit the Clam AV Submit A File page on the web to upload it and tell them it is a false positive detection so they can correct their signature. Then you can whitelist this file for Sentinel until it is corrected by Clam. If you intend to scan a detected file with a ClamWin on-demand scan, you should also whitelist the file for ClamWin via the ClamWin filters tab. Remove the whitelisted file from both the Sentinel and ClamWin whitelists when Clam AV has corrected the signature in a few days. Never submit a file detected by the System Monitor as “suspicious” because Clam AV can do nothing about false positive System Monitor detections. You can whitelist suspicious files for Clam Sentinel only.

Logs

There are logs for the real-time monitor, quarantined files, messages (if you used the system monitor option to detect suspicious files and warn about system changes), memory scan, and drive scan. After “whitelisting” your “good” files/folders that are detected as suspicious, you will normally not get many system monitor messages, so each message can be important. Check the Message log occasionally to see if you have missed anything. Recent entries are shown at the end of each log.

Using Clam Sentinel On A USB Drive With ClamWin On The Hard Drive

ClamWin must be installed on the computer the USB is plugged into, but it does not have to be on the USB drive. Put the Clam Sentinel program folder on the USB and put the .ini configuration file in the program folder. Manually change the UseLocalIniFile setting in the Sentinel .ini configuration file to UseLocalIniFile 1=yes. The 0 default puts the Clam Sentinel configuration file in C:\Users\Bob\AppData\Roaming\ClamSentinel (Bob being the Windows user name) for Windows Vista/7 computers or in Documents and Settings for Windows XP computers. Changing it to 1 will put the configuration file in the Clam Sentinel program folder on the USB. The UseLocalIniFile setting is the first item in the Clam Sentinel .ini configuration file.

Using Both Clam Sentinel And ClamWin Portable On A USB Drive

First, you must install ClamWin Portable on a USB drive/key and start it (run ClamWinPortable.exe from the ClamWinPortable directory). Configure ClamWin the way you want. Not all ClamWin options are available in the Portable version.

Then you must download the Clam Sentinel Zip file (or Sentinel.exe file) from the Clam Sentinel site to the desktop on your computer. Extract the zipped Sentinel files to the desktop of your computer. You must copy the Sentinel.exe file, the .ini file, and the Sentinel Recover file to the USB drive in the ClamWinPortable\App\clamwin\bin folder.

Next, as mentioned above, you will have to configure Clam Sentinel to use the .ini configuration file that is in the local folder from where Clam Sentinel is run (the ClamWin\bin directory on the USB). The configuration item is UseLocalIniFile 1=yes. Do not use the zero default. You can change the Clam Sentinel.ini file in Notepad or a similar text editor. Save the .ini file after making this change. The UseLocalIniFile setting is the first item in the Clam Sentinel .ini configuration file.

You must also configure Clam Sentinel to use the local ClamWin configuration file on the USB stick. To do this, make the PathClamWin=..\..\..\data\settings line active by removing the semicolon (;) from the beginning of that line in the .ini file and putting a semicolon (;) at the beginning of the line for any other “PathClamWin=” statements in the .ini file. This configuration always works best for me if I put PathClamWin=f:\ClamWinPortable\App\DefaultData\settings. The USB drive is usually f or g, so change it as needed.

Do not run Clam Sentinel before you make the two manual configuration changes mentioned above. Then click on the Sentinel.exe file in the ClamWin bin folder to run Clam Sentinel. You can do any other configuration via the Clam Sentinel badge in the system tray after starting. You can then delete the Clam Sentinel files on your desktop.

From now on, you can start Clam Sentinel on the USB by clicking on the ClamSentinel.exe file in the ClamWin\bin folder on the USB, and Clam Sentinel will start protecting you. I suggest that you do not configure Clam Sentinel on the USB to run on startup—start it manually each time you insert the USB. When you start Clam Sentinel, it drops an icon in the system tray—just like it does for the regular hard drive version. You can configure Clam Sentinel by clicking on the icon—just like on the hard drive version. I also suggest that you enable the System Monitor to detect suspicious files only.

After Clam Sentinel is installed on the USB, you do not have to start ClamWin Portable any more—Clam Sentinel will find the ClamWin Portable files it needs on the USB key if you configure as suggested. You do not need ClamWin Portable running in order to use Clam Sentinel, but you should have both programs configured on USB as mentioned. You will need to start ClamWin Portable, however, in order to update the ClamWin signature database. Do this at least daily, but more often if you use the internet for long periods of time.

You can make a shortcut to Clam Sentinel on the USB key and put it in the ClamWinPortable folder/directory with the ClamWinPortable.exe file. You could also make a shortcut to ClamWinPortable.exe and ClamSentinel.exe on your desktop so that you can start them from your desktop. CAUTION: before setting up or using ClamWinPortable and ClamSentinel from the USB key, you will need to STOP them from running if they are already installed on your hard drive. In fact, if you want to run ClamWin and Sentinel from USB, it is best that you do not have them installed locally on your hard drive.

You can stop both programs from running on the computer by right clicking on their icons in the system tray and then selecting Exit or Stop. When you want to remove the USB key from the computer, you will have to stop Clam Sentinel on the USB (and ClamWinPortable if it is running), and then click on the USB icon in the system tray and stop the USB from running before you can remove it without doing any USB damage.

Keep your old Clam Sentinel .exe and .ini and Sentinel Recover file from the USB when you update to a new version of ClamWin Portable and put them back in the ClamWin Portable bin folder. When future updates to Clam Sentinel are available, just copy the new Sentinel.exe file to the USB like you first did. Your old Clam Sentinel .ini file and Sentinel Recover file on the USB will still be good, and Clam Sentinel will update them during installation if needed.

Thank You

Thank you for using Clam Sentinel. If you like it, please tell other people about it, and give the author, Andrea Russo, your comments and suggestions. Visit the web site monthly for news and updates.

by Robert Scroggins