Welcome to Peterborough Linux User Group (Canada) Forum.
 

ClamTK anti virus program

Started by ssfc72, September 15, 2020, 05:06:26 AM



ssfc72

So I was thinking I should just do a one time run, of an antivirus program for Linux, just to see if anything was caught.

I did a search on Google and found this: https://www.safetydetectives.com/blog/best-really-free-antivirus-for-linux/
It showed a command line program, the Clam antivirus program, which was named ClamAV. A GUI program, ClamTK, is also available.
I went to Synaptic in my Mint 19 and found ClamTK. I installed this.

Anyway, the GUI was pretty easy to navigate to set up the ClamTK settings. I did find some annoying faults.
First, I found that you had to double click on all the settings, to start that setting.
Next I found that when I changed or adjusted a setting, it usually did not take effect. When I went back into the setting, the setting hadn't changed.  I somehow managed to figure out how to make a setting change and to take effect.
I also struggled to figure out how to get the virus signatures to update.  Initially, when I tried to update the virus signatures, the update would not happen.

So once I got the virus signatures to update and I set up the scanning parameters, I did a scan of the computer's Home directory and it did not find any threats but it did report 3 errors. I could not find out what those errors were. :-(

So ClamTK seemed to do the virus scan for my Linux computer and it was good to know that it found no threats.

Mint 20.3 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MXLinux)
Cellphone Samsung A50, Koodo pre paid service

fox

The fact that it didn't find any viruses is encouraging! However, it seems like you had several problems getting this to work, so presumably someone else would have the same problems. It would be helpful if you can recall how you solved those problems.
Ubuntu 24.10 on 2019 5k iMac
Ubuntu 24.04 on Dell XPS 13

Jason

Thanks for letting you know of your experience, Bill. It sounds like it was frustrating and I'd love to know what those errors were, too. Perhaps they were related to a permissions issue? If you can figure out how to launch the GUI from a terminal prompt, do that and it should show up any errors in the program itself that it spits out. It may show up a lot of other stuff like warnings and such that you can ignore. You're just looking for anything that has "error" with it.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

Jason

#3
Note that ClamTk is the GUI front-end to ClamAV. Since ClamAV is a dependency, it will be automatically installed with ClamAV. Curious if synaptic let you know about this.

Like you, I had to double-click options although, strangely, this wasn't consistent. After having done it at first, suddenly single-clicking worked, at least on some buttons. ??? I thought needing to double-click options was because it was built using the Tk graphic libraries but evidently that hasn't been the case since 2005.

I installed it using Discover. It was the only antivirus listed when I did a search for one.

I haven't, at least so far, had the issue you had with settings not sticking. I turned on all the options except for scanning files larger than 20 MB. One of them was PUA, which is the same thing as PUP (Potentially Unwanted Programs), which is referred to in some other antivirus programs. I found this out by checking the online README for ClamTK that has a section of guides for usage.

I had a similar problem with updating. But it noted that automatic updating was on when I clicked on Update. And there was an option for manually updating which I picked. It didn't seem to do anything at first and then using the Back button to the main interface and choosing Update again, it did. Is that what happened to you, Bill? I should have left it for a while to see if the auto-update function worked. Just discovered in their usage section in their online README file on the project page that auto-update is what should happen.

So I'll see how the scan goes. I have a lot more files in my home directory to scan since I still have files going back as far as the early 2000s. So far in the last 15 minutes, it's checked over 44 thousand files. That's not bad considering the files are on an older Hard Disk Drive (HDD) and not a Solid State Drive (SSD). It says it's found 33 threats but I think that's because the PUA option is enabled. So they're probably just programs it doesn't recognize. I'll let you guys know how it goes if you'd like.

Jason

Some screenshots - the main interface followed by the scan progress window.

Jason

The usage doesn't say, but I'm thinking that executables should be scanned, which means the entire filesystem or at least the parts of the filesystem that have executables (/usr/bin, /bin, etc.). I would expect that most files that are infected are those, not user-created files. However, I seem to recall that Microsoft formats (DOC, DOCX, etc.) can be infected, too. I really don't know much about Linux viruses. The vast majority of Linux malware is aimed at Linux servers, not desktops.

Jason

Just found this. Apparently, the update notification could be referring to the program itself, not new signatures.

Jason

#7
The scan finished a while ago. I think it took about 30 minutes for 70 or 80 thousand files. But I'm not sure what to do with the results. Most of them are PUAs but they're files, not programs, so I'm not sure what's going on there. I'd like to save the results so I could check them later but I don't see a way to do that. I guess the only way is to do screenshots. They don't all fit on the screen even maximized (which doesn't have a button, you have to drag it out). Screenshot below.

ssfc72

From your screenshot, ClamTK seems to think a lot of files in your game are Trojans. That is somewhat concerning.
I think you should try and run another Linux AntiVirus program and see what results it comes up with.

Jason

#9
Quote from: ssfc72 on September 16, 2020, 12:30:41 AM
From your screenshot, ClamTK seems to think a lot of files in your game are Trojans. That is somewhat concerning.
I think you should try and run another Linux AntiVirus program and see what results it comes up with.

They're not game files in the way most would think of them. They're books in PDF format. While I could see links in PDF files leading to external links that might have bad JavaScript code, I can't see trojans embedded in the documents themselves. So I think it's very likely they're false positives but I was thinking of giving Sophos a try anyway so I'll do that.

Btw, while there is a submit option in ClamTk to check individual results, it doesn't seem to do anything other than hold up the program function for a bit. I think it's supposed to open a browser to do it, maybe to VirusTotal. You can submit actual files to that website and it will scan them using the signature files for multiple antivirus programs. I may try that for a few, too.

ssfc72

The annoyance of having to double click an icon/setting to open it is the default setting for ClamTK. In the Settings menu you can unselect this action so that only a single click is needed to open a setting.

The first issue I had was with the Scheduler setup. I initially tried to set up a scheduled scan and antivirus signatures Update.

With the Scan time setup, it was initially set for 0 hours and 0 minutes. I changed that to a certain hour and minute and then clicked on the Close icon to get back to the main menu, thinking that the changes I made would now be set. Instead, when I went back into the Scan Scheduler, I found the Scan time was back to 0 hours and 0 minutes. I found I had to click on the + icon, in the Scan menu, to lock in my Scan time settings.
To adjust the Scan time, after having previously set up the Scan hour and minute, I found that just changing the hour and minute had no effect. I had to click on the "minus" icon to change the values to zero. Then I could adjust the hour and minute to a new value. This seems to me to be a very clumsy way of setting the Scan time.

For the virus signatures, I found that I had to go to the Updates menu, in the Main menu. In the Updates menu there are 2 sub menus, Update and Update Assistant. The Update Assistant, I believe, defaults to automatically receiving virus signature Updates. So I think I was unable to do a Manual signature update until I went into the Update Assistant and changed the setting to Manual Signature updates. This seemed to me to be a quite clumsy way of doing this Signatures setup.



Jason

Quote from: ssfc72 on September 16, 2020, 01:16:41 AM
The annoyance of having to double click an icon/setting to open it is the default setting for ClamTK. In the Settings menu you can unselect this action so that only a single click is needed to open a setting.

I agree that it's the default setting but it changed to single-click at some point without me having changed anything. I don't have an option in the Settings window to change this behaviour. Perhaps we're using different versions? I'm using 6.02 - which do you have? You can click on the 'i' inside the circle in the upper right to check, assuming you have it in your version.

I agree that the scheduler setup is awkward. At least once you set up a time for the scan, it would show it afterward. For the signatures update, it may have been set up but it didn't give me any feedback to let me know as the time never changed. However, I changed a line in the preferences file regarding automatic updates so maybe it just happens at a certain time after that and that's why it won't stick, because it won't let me change it.


Quote from: ssfc72
For the virus signatures, I found that I had to go to the Updates menu, in the Main menu. In the Updates menu there are 2 sub menus, Update and Update Assistant. The Update Assistant, I believe, defaults to automatically receiving virus signature Updates. So I think I was unable to do a Manual signature update until I went into the Update Assistant and changed the setting to Manual Signature updates. This seemed to me to be a quite clumsy way of doing this Signatures setup.

I discovered something by checking the timestamps on the signature files in their home directory. When you change it to manual update, it fetches the updated signatures right then (if there are any). Thereafter, you'd need to do it manually every time since you've chosen not to receive automatic signature updates. Btw, if you want to check yourself, the directory is ~/.clamtk/db . There is also a log in that directory that is a text file so you can view it and see what it did most recently, but it doesn't appear the logging shows when it checks for new signatures, just when it updates them.

I think that the first time you start it, it automatically checks for signature updates so you don't need to do this. It'd be nice if it told you it was doing this though. It does note that it does this in the online readme file, which is why I mentioned you should take a look at it. It also explains, sort of, why the Update Assistant is necessary to change how signatures are fetched.

Question: I noticed that you keep referring to menus. Do you have a different interface than me? As you can see by the screenshot, I have a box with icons in it. When I click on an icon, it opens up a window with other options. Just wanted to clarify that you're seeing the same thing I am.

All in all, it was most definitely an awkward program to use. At least Clamtk is. Clamav itself may be wonderful, but it is command-line.

Jason

I just found something else interesting. I wanted to do a clean install just to see if clamtk does update signatures on startup. So to have a fresh start, I removed the clamtk and anything associated with it using the purge option. I also deleted the ~/.clamtk directory which wasn't purged (I thought it would be) as it had virus signatures in it and other preferences.

I reinstalled clamtk again. The ~/.clamtk directory wasn't there. When I ran clamtk, it created it. Good.

So I wanted to see if the signatures were automatically updated when I ran the program the first time. Then I went to look in this newly created directory to check the timestamp on the signature files and, lo and behold, there was nothing in the db directory below where they normally reside. I found out through the README file that clam keeps signatures in /var/lib/clam, at least initially. And they have the same timestamp as when I run the program.

So rather than go through all this change to manual update, then run manual update, only to have to go back to automatic setting nonsense, it was already ready to go just by starting it. It would be nice if it showed this but rather than mess around, we could have just checked the Usage section of the online README file first and it's there in the very first line. :) Sometimes, when we're building a cabinet, it's good to look at the instructions so we don't wonder later why we have 3 'extra' screws. :)

I noticed that, by default, it had the option to check for program updates in settings. Unless you plan on going to the website and downloading the new version every single time, you should turn that off. That's what it's likely meaning when it says 'An Update is Available'. Your package manager will handle the updates for the program. That message won't go away after you change the setting until you quit clam and restart it.

Jason

I found out after a bit of searching that the "threats" I was getting was just saying the PDF files in question had JavaScript code in them. That's the "Potentially" part of "Potentially Unwanted Applications". JavaScript can be used to write applications, in a sense, so it's just warning me that the PDFs have JavaScript code in them and could contain dangerous code, not that they do. Since many of these files have come directly from the publisher, I believe they're just used for links within the documents.

Here's the webpage where I discovered this. That makes a lot of sense as I submitted one of the files to VirusTotal and none of the virus engines showed a problem with the file.
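The thread hits three things ClamTK's window does not make easy: saving a scan report, telling the PUA hits (a PDF that merely contains JavaScript) apart from real signature matches, and seeing which files are behind the "N errors" count. This added example is not ClamTK's or ClamAV's own code; it triages a plain-text clamscan report (the sample report, paths and signature names are constructed for the example, and /var/lib/clamav is assumed to be the system signature directory, the Debian/Ubuntu default).

```shell
#!/bin/sh
# Added example: triage a saved clamscan report.
# ClamTK drives clamscan under the hood; a plain-text report can be produced
# directly with, for example:
#   clamscan -r --detect-pua=yes --log="$HOME/clamscan.log" "$HOME"
# Report lines look like "<path>: <signature> FOUND", "<path>: OK",
# "<path>: Empty file" or "<path>: <message> ERROR".
# The report below is constructed for this example; nothing was scanned.

SAMPLE_REPORT="$(mktemp)"
cat > "$SAMPLE_REPORT" <<'EOF'
/home/bill/books/guide.pdf: PUA.Pdf.Trojan.EmbeddedJavaScript-1 FOUND
/home/bill/books/notes.pdf: PUA.Pdf.Trojan.EmbeddedJavaScript-1 FOUND
/home/bill/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/bill/Downloads/setup.sh: OK
/home/bill/.cache/locked.zip: Can't open file or directory ERROR
/home/bill/.cache/empty.txt: Empty file
EOF

# count_hits REPORT KIND -> number of FOUND lines; KIND is "pua" or "real".
# PUA.* signatures are advisory (the file has a feature that *could* be
# abused, such as JavaScript inside a PDF); any other signature is a genuine
# match against the malware database and deserves a closer look.
count_hits() {
    awk -v kind="$2" '
        $NF == "FOUND" {
            is_pua = ($(NF-1) ~ /^PUA\./)
            if ((kind == "pua") == is_pua) n++
        }
        END { print n + 0 }' "$1"
}

# count_errors REPORT -> files clamscan could not read; ClamTK only shows
# this total, not the file names behind it.
count_errors() { awk '$NF == "ERROR" { n++ } END { print n + 0 }' "$1"; }

# list_errors REPORT -> the paths behind that error count, one per line
# (strips the trailing ": <message> ERROR" so paths with spaces survive).
list_errors() { awk '$NF == "ERROR" { sub(/: [^:]*$/, ""); print }' "$1"; }

# Signature freshness, the check done by hand in the thread: ClamTK keeps its
# own copy in ~/.clamtk/db once it has fetched one, otherwise the system copy
# in /var/lib/clamav (assumed Debian/Ubuntu default) is used.
sig_status() { ls -l "$HOME/.clamtk/db" /var/lib/clamav 2>/dev/null; }

echo "PUA (advisory) hits : $(count_hits "$SAMPLE_REPORT" pua)"
echo "Other detections    : $(count_hits "$SAMPLE_REPORT" real)"
echo "Scan errors         : $(count_errors "$SAMPLE_REPORT")"
list_errors "$SAMPLE_REPORT"
```

Point the functions at the --log file from a real run instead of the sample to get the same breakdown for your own home directory.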

ssfc72

#14
The ClamTK that I installed from the Mint 19 repositories is version 5.25.
For Update signatures, if I go in to the Update Assistant menu, it says at the bottom of the menu that a virus signature update is available. After doing a manual signature update, the Update Assistant no longer shows that a virus signature update is needed.

