{"id":1175,"date":"2008-08-31T04:21:55","date_gmt":"2008-08-31T12:21:55","guid":{"rendered":"https:\/\/blog.mhvt.net\/?p=1175"},"modified":"2008-12-18T22:17:33","modified_gmt":"2008-12-19T06:17:33","slug":"mac-software-review-clamxav-111","status":"publish","type":"post","link":"https:\/\/blog.mhvt.net\/?p=1175","title":{"rendered":"Mac Software Review: ClamXav 1.1.1"},"content":{"rendered":"

\"ClamXav<\/a>
\n\"Mac<\/a>
\n
<\/br>
\n
<\/br>
\n15 years ago, Many Mac users had a free virus program called Disinfectant<\/strong> installed inside their system folders. It was one of the first programs that I downloaded with a dial-up modem back in November, 1992. Disinfectant was developed by a Northwestern University professor. These day, ‘free anti-virus software’ sends a totally different message. Free is a word that cyber criminals widely use to lure naive Internet users, right? If you are a Windows OS user, would you like to try executing a file titled AntiMalwareGuard_Free.exe<\/strong> that is distributed at http://antimalwareguard.com? (See Screenshot 01.) The website says the file is free. (See Screenshot 02.) Even the file name implies it’s free. And if I use Sophos Anti-Virus<\/strong> to scan this file… Ahh… The file contains malicious codes driven by a Trojan Horse<\/strong> derivative. (See Screenshot 03.) Not surprisingly, you will get something undesirable in the name of getting freeware or saving money.
\n
<\/br>
\n
<\/br><\/p>\n\n\n
\"ClamXav<\/a>
\nScreenshot 01<\/td>\n		\"ClamXav<\/a>
\nScreenshot 02<\/td>\n		\"ClamXav<\/a>
\nScreenshot 03<\/td>\n<\/tr>\n<\/table>\n

<\/br>
\n
<\/br>
\nHow about ClamXav<\/strong>? According to its website (http:// www.clamxav.com),
\n
<\/br>
\n
<\/br>
\nClamXav is a free virus checker for Mac OS X. It uses the tried, tested and very popular ClamAV open source antivirus engine as a back end<\/i>.
\n
<\/br>
\n
<\/br>
\nWe don’t believe this freeware title contains malicious codes like AntiMalwareGuard<\/strong>. In fact, we just want to find out how good ClamXav is. So let’s see what ClamAV does for Mac users. 
\n
<\/br>
\n
<\/br><\/p>\n\n\n
\"ClamXav<\/a>
\nScreenshot 04<\/td>\n		\"ClamXav<\/a>
\nScreenshot 05<\/td>\n		\"ClamXav<\/a>
\nScreenshot 06<\/td>\n<\/tr>\n<\/table>\n

<\/br>
\n
<\/br>
\nFirst, let me install ClamXav on my iMac. I’m going to drag and drop the application file found inside the downloaded disk image into the Applications folder, ironically just below the folder containing Norton AntiVirus. (See Screenshot 04.) If I launch ClamXav for the first time, a window will pop up. It says that the Clam Anti-virus engine has to be installed. (See Screenshot 05.) Then I’m prompted to enter system administrator’s password. (See Screenshot 06.) Okay, that’s no problem. But wait a second. How do I remove it if I decide that I no longer need ClamXav? According to software developer’s FAQ page, I need to download Engine Remover<\/strong>. (See Screenshot 07.) Furthermore, f I double-click on the file titled clamavEngineREMOVER.command<\/strong>, the Terminal<\/strong> launches itself, and it looks like removal will be performed after entering system administrator’s password. (See Screenshot 08.)
\n
<\/br>
\n
<\/br><\/p>\n\n\n
\"ClamXav<\/a>
\nScreenshot 07 – Source: clamxav.com<\/td>\n		\"ClamXav<\/a>
\nScreenshot 08<\/td>\n		\"ClamXav<\/a>
\nScreenshot 09<\/td>\n<\/tr>\n<\/table>\n

<\/br>
\n
<\/br>
\nAll right. What I want to do next is to scan a file containing malicious codes with ClamXav. Hmm… Where can I possibly get one? Ahh… How about AntiMalwareGuard_Free.exe? Hold on. Let me click on Update virus definitions<\/strong> to render ClamXav up-to-date. (See Screenshot 09.) Then I’m going to click on Choose what to scan…<\/strong> to designate the virus-containing file. (See Screenshot 10.) And if I click on open<\/strong>… ClamXav says no infected files were found. (See Screenshot 11.) Ohh… Scanning a Windows file with Mac anti-virus software is not a good idea, is it? Silly me.
\n
<\/br>
\n
<\/br><\/p>\n\n\n
\"ClamXav<\/a>
\nScreenshot 10<\/td>\n		\"ClamXav<\/a>
\nScreenshot 11<\/td>\n		\"ClamXav<\/a>
\nScreenshot 12<\/td>\n<\/tr>\n<\/table>\n

<\/br>
\n
<\/br>
\nSo I should scan a Mac file with ClamXav. I’m going to stop playing dumb. We know a ton of websites distributing files that contain Mac-targeting computer viruses. About 7 weeks ago, we introduced several websites with Chinese top-level domains at our SEO\/Internet security website. One of the domains mentioned in our report of July 10 is mnhor8.cn<\/strong>. If I access this domain, I will be forced to download a file titled wotcodec.v.4.221.dmg<\/strong> against my will. (See Screenshot 12.) This file is hosted by a notorious California-based company called Cernel, Inc<\/strong>. Anyway, if I open the disk image, I find a file titled install.pkg<\/strong>. (See Screenshot 13.)
\n
<\/br>
\n
<\/br><\/p>\n\n\n
\"ClamXav<\/a>
\nScreenshot 13<\/td>\n		\"ClamXav<\/a>
\nScreenshot 14<\/td>\n		\"ClamXav<\/a>
\nScreenshot 15<\/td>\n<\/tr>\n<\/table>\n

<\/br>
\n
<\/br>
\nLet me scan install.pkg with the Mac version of Norton AntiVirus<\/strong> quickly. After launch the anti-virus software program, I’m going to click on Choose Files<\/strong> and choose install.pkg. (See Screenshot 14.) And Norton AntiVirus says the file contains OSX.RSPlug.A<\/strong>. (See Screenshot 15.) <\/p>\n

Okay. Let’s see what ClamXav has to say about this virus-containing file. Once again, I’m going to select install.pkg inside the disk image and then press Open. (See Screenshot 16.) Ohh… ClamXav says no infected files were found. (See Screenshot 17.)
\n
<\/br>
\n
<\/br><\/p>\n\n\n
\"ClamXav<\/a>
\nScreenshot 16<\/td>\n		\"ClamXav<\/a>
\nScreenshot 17<\/td>\n		\"ClamXav<\/a>
\nScreenshot 18<\/td>\n<\/tr>\n<\/table>\n

<\/br>
\n
<\/br>
\nLet’s give ClamXav another try. 2 months ago, we reported at our SEO\/Internet security website that a spam message targeting Colonial Bank<\/strong> customers went around. Clicking on the URL in the message sent one to a website distributing a file that contained a collection of Trojan Horse derivatives for Windows OS. (Symantec calls this collection Backdoor.Trojan<\/strong>.) The file was titled ColonialBankECERTv04510.exe<\/strong>. We keep a copy. So let’s scan it with ClamXav. (See Screenshot 18.) It’s a Windows file. So we can’t expect that ClamXav finds anything suspicious. Actually, it says it has found Trojan.Dropper-10268<\/strong>. (See Screenshot 19.) Whoa… Good job!
\n
<\/br>
\n
<\/br><\/p>\n\n\n
\"ClamXav<\/a>
\nScreenshot 19<\/td>\n		\"ClamXav<\/a>
\nScreenshot 20<\/td>\n		\"ClamXav<\/a>
\nScreenshot 21<\/td>\n<\/tr>\n<\/table>\n

<\/br>
\n
<\/br>
\nOkay. One more, one more file! Celebrity Spammers<\/strong> has been circulating a number of spam messages implicating Paris Hilton<\/strong> for the past 10 days or so. They want Internet users to download files titled video_1.exe<\/strong>, video_2.exe<\/strong>, video_3.exe<\/strong> and others. Let’s scan video_1.exe with ClamXav. We know that this file contains malware driven by a Trojan Horse derivative. Anyway, if I scan it… ClamXav says no infected files were found. (See Screenshot 20-1.)<\/p>\n

We used ClamXav to scan 4 files that all contains malicious codes. ClamXav did not find anything on a Mac disk image that contains a computer virus. 3 other files that we scanned are intended for Windows OS users. ClamXav successfully found Trojan.Dropper-10268 in one of them. In the end, that’s the only file where ClamXav found malicious codes.
\n
<\/br>
\n
<\/br><\/p>\n

  • Developer: Unknown (http://www.clamxav.com)<\/li>\n
  • Developer’s location: Unknown<\/li>\n
  • Latest version: ClamXav 1.1.1 (Compatible with PPC, Intel Mac, Compatibility with Leopard)\n
  • Prices: Free<\/li>\n
  • MacHouse recommendation<\/strong>: As we cannot confirm the identity of the organization distributing this freeware title, we avoid recommending fellow Mac users to use ClamXav. If you really need an anti-virus software program for Mac OS, you are strongly advised to get one from a respectful vendor like Intego, McAfee, Sophos, Symantec and others. Saving money will only put you in more trouble.
    \n
    <\/br>
    \n
    <\/br>
    \nClamXav is a product of an unknown organization.
    \n
    <\/br>
    \n
    <\/br><\/p>\n\n\n
    Click for<\/td>\n\"Mac<\/a><\/td>\n<\/tr>\n<\/table>\n

    <\/br>
    \n
    <\/br>
    \nReferences: <\/p>\n

    Celebrity Spammers Circulate More Spam Messages With Paris Hilton to Distribute Malware<\/a>
    \n    Sick of Paris Hilton Spam Messages?<\/a>
    \n    Beware of ENDCODEC.NET with Disk Image Containing Mac-Targeting Computer Virus<\/a>
    \n    Active Scam Website Found Targeting Colonial Bank Customers with Backdoor.Trojan (2)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

    15 years ago, Many Mac users had a free virus program called Disinfectant installed inside their system folders. It was one of the first programs that I downloaded with a dial-up modem back in November, 1992. Disinfectant was developed by … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":342,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[204,205],"class_list":["post-1175","post","type-post","status-publish","format-standard","hentry","category-apple-mac","tag-clamxav","tag-mac-free-anti-virus-software"],"_links":{"self":[{"href":"https:\/\/blog.mhvt.net\/index.php?rest_route=\/wp\/v2\/posts\/1175","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.mhvt.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mhvt.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mhvt.net\/index.php?rest_route=\/wp\/v2\/users\/342"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mhvt.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1175"}],"version-history":[{"count":0,"href":"https:\/\/blog.mhvt.net\/index.php?rest_route=\/wp\/v2\/posts\/1175\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mhvt.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1175"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mhvt.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1175"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mhvt.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1175"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}