How to set up ClamAV as a Windows Service to scan file streams on demand

by Peter Tyrrell Thursday, October 15, 2009 9:44 PM


Clam Antivirus, or ClamAV for short, is an open-source antivirus solution for UNIX. It's also the ONLY open-source antivirus solution. Naturally it would nice to have it for Windows, too, and it's absolutely possible; the hard part is finding out how to go about it.

Documentation on installing ClamAV for Windows and running its daemon clamd as a Windows Service is as scarce as hen's teeth, and the best information I could find was scattered across various unrelated forums and articles and none of it was fully up to date. So here it is, laid out as best as I can tell it, in one place: where to find a current native Win32 port of ClamAV, how to install it, how to set up clamd to run as a service, and the settings relevant to scanning file streams sent from an external client.

To give some context: I am using ClamAV to scan user-uploaded files for viruses in an ASP.NET web application, before writing them to disk. Each upload is sent as a stream from the webserver to another Windows 2003 server running the clamd service, which scans them and replies with some basic info on the outcome of the scan.

UPDATE Feb 19 2010: Extra info for installing on Windows Server 2008 x64.

Get the current version of ClamAV for Windows

Get ClamAV for Windows 0.95.2 at

I am writing on October 15, 2009 and the current version of Clam AntiVirus is 0.95.2. The best 0.95.2 native Windows port available, in my opinion - because it has an installer - is at

Another 0.95.2 alternative is at, but does not have an installer and requires you grab an additional assembly from Microsoft. On the other hand, it offers a 64 bit build.

You don't want ClamWin, which is a GUI aimed at the desktop crowd, and doesn't include clamd. Or it doesn't appear to right now. It might later. Maybe. It's hard to tell. See hen's teeth, above. Nor do you want the former native Win32 port at which is dead, dead, dead at version 0.92.1. Nor the Cygwin version, nor the Interix version. No.

UPDATE Dec 14 2010: Commenter J. Moore reports that MS Security Essentials reckons the version contains a hacking tool Hideproc.c within chp.exe. The distribution from does not contain chp.exe and doesn't throw any virus alerts.

Install ClamAV for Windows

Run the installer, ClamAV-095-2.exe. It is best to let the installer deploy to the default location, which is c:\clamav\, or you'll have to manually modify a bunch of clamav settings files afterwards.

Install clamd as a service

  1. Open a command prompt.
  2. Change directory to c:\clamav\ or wherever you installed clamav.
  3. Run clamd.exe --install
  4. Open services.msc and edit the newly installed "ClamWin Free Antivirus Scanner Service" to start Automatically and/or use credentials other than the local system account, etc.


Um, yes, that was easy.

The astute will note that the service names itself "ClamWin yada yada." Again, clamd is NOT included with ClamWin, so your guess is as good as mine as to the connection here, but there clearly *is* some connection, the true nature of which I have been unable to fathom.

You may find, if you Google for "clamd windows service", various helpful threads or articles describing how to forcibly set up clamd as a service with instsrv.exe and srvany.exe from the Windows 2003 Resource Kit Tools. And that works - but it's not necessary. I can only assume that the ClamAV Windows ports came out with a built-in "install as service" feature at some point fairly recently, but the word just hasn't got around.

I'll get to the settings for clamd next, but you need an up-to-date antivirus library first.

Schedule freshclam to update frequently

Freshclam fetches antivirus library updates. You need to run it right away to get the initial database up and going - just double-click freshclam.exe. After that, you can install it as a service in the same manner as clamd above. Or create a batch file that runs freshclam.exe on a schedule with Windows Task Scheduler. It has its own settings file: freshclam.conf.

Settings for on-demand stream scanning

Settings for clamd are in clamd.conf, and there are quite a few, but the ones most relevant for on-demand stream scanning are:

  • TCPAddr - server IP address
  • TCPSocket - port clamd will listen on, default 3310
  • StreamMaxLength - maximum size of stream to be scanned, in megabytes

Create a Windows firewall exception

The lazy way out here is to add clamd.exe as an exception to Windows firewall. Read on if you like.

You can exception just the port clamd listens on (default 3310), but a call to its STREAM method generates a reply on a random port with a range you can set in clamd.conf, which would mean you would have to add exceptions for the entire range. To problematize still further, STREAM has been deprecated in favour of INSTREAM, which sticks to the port you called it on in the first place. For now I'm just going to exception clamd.exe, though I did restrict its scope to the local subnet.

Call clamd from ASP.NET

I've found just one available .NET library that will call a clamd service, called WRAVLib: Unfortunately, it's somewhat out of date and written for .NET 1.1, but happily the source code is freely available, so you can compile for .NET 3.5 if you like. Direct link to source code is here:

It does target the deprecated STREAM method instead of INSTREAM, which I touched on above, but it's still the fastest way to get up and running. Here's a bit of pseudocode to give an idea:

// create scan agent
IVirusScanAgent agent = new ClamdStreamAgent("", 3310, false);
// create unique scan id
string scanId = Guid.NewGuid().ToString();
agent.VirusFound += ((sender, args) => {
   // do something
agent.ItemScanCompleted += ((sender, args) =>  {
   // do something
// scan filestream
agent.Scan(scanId, file.InputStream);


I wish I had more time to fill in the gaps and provide more detail, but I just don't. Even this amount of information took way too long to gather in the first place! It should provide a good foundation nevertheless.


  • This how-to on setting up ClamAV for Kerio MailServer on Windows convinced me I could run clamd as a service in the first place.
  • This forum thread on installing ClamAV Win32 with hMailserver was instrumental, guiding me with sample settings files and good pointers.

Tags: ClamAV

blog comments powered by Disqus

Month List