[Clamav-devel] Basics of ClamAV: developing for Win8 and dist thru app store
smorgan at sourcefire.com
Tue Feb 18 15:20:44 EST 2014
Some comments inline:
On Mon, Feb 17, 2014 at 9:13 PM, Northern Technical
<northtech.au at gmail.com>wrote:
> From what I can see so far, ClamAV provides a shared library which does the
> scanning and provides tools, e.g. unpacking archives for scanning, updating
> the malware databases. So perhaps providing a ClamAV app is not much more
> than a UI which calls the library to scan and update.
Pretty much. clamscan and clamd link to libclamav. clamdscan uses clamd
through tcp or unix socket. Other apps can use the clamd protocols as well,
or link to libclamav and use its api. Then there are also several utilities
such as freshclam and sigtool,
> Is that an oversimplification? I'm a little lost since I'm still learning
> how AV programs work generally. I've got the idea with virus signatures
> which AV programs look for, and they probably go through the entire FS
> looking inside files for those signatures. I don't know about how
> heuristics work, and what might be done for specific platforms, e.g.
> scanning the Windows registry for entries like login notify and other areas
> malware might hook into. Same for browser malware, e.g. scanning JS or
> whatever is done there.
> I'm thinking about a free ClamAV Suite for Windows 8/8.1 which can be
> fetched from the Windows App Store. If it's "simple" like providing a good
> UI and using the shared library, would it make sense to fork the ClamAV
> sources and, since it's originally written for UNIX-like platforms, provide
> a Windows-specific AV engine? I know Windows can support POSIX programs,
> but would a Windows AV engine using native Windows calls, threading, etc.,
> be a good idea if there's the time and patience to develop it?
Sounds good. There is windows support currently, see clamav/win32 and also
http://sourceforge.net/projects/clamav/files/clamav/win32/. There are some
other third party windows projects, and also our Immunet.
> Is there any documentation which gives me a good overall picture of how it
> works, linking to the shared library, launching scans, updating, what it
> does (if anything; would a user of the library do it?) with malware that it
> finds? On Windows, would a user of the ClamAV library do anything such as
> keep a list of hashes of known Windows system DLLs and check those, if
> that's a good idea? What about scanning the boot area?
clamav/docs. Also google around to find some presentations and papers on
> Thanks for any guidance or tips.
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
More information about the clamav-devel