[Clamav-devel] On write close scan with Fanotify

David Collins davetha at gmail.com
Fri Jan 25 16:52:09 EST 2019


Hi Micah,
I really appreciate the feedback, and letting me know the future
direction of on-access scan.  There are industries out there that
don't enable access scanning due to the resource issues.  Having the
on write close with periodic full FS scans would put some systems in a
better security posture.

We'll continue using and testing the patch internally.  I look forward
to seeing what the sandboxing looks like.

Thanks!

On Fri, Jan 25, 2019 at 3:24 PM Micah Snyder (micasnyd)
<micasnyd at cisco.com> wrote:
>
> Hi David,
>
> Interesting idea. I can appreciate the use case to only scan files that are new or modified.  Anyone who uses it though should be aware that ClamAV's on-access scanning would have to be enabled 100% of the time.  In addition, they wouldn't be protected unless a signature for the malware has been deployed before infection.  I would recommend also configuring a regularly scheduled scan to double check existing files.
>
> On the topic of on-access scanning:
>     Mickey is actively working on separating the on-access scan feature into a separate utility.  At present, clamd must be run as root to enable on-access scanning.  Making a separate tool that interfaces with clamd, similar to clamdscan and clamav-milter, is a small step towards sandboxing the scanning engine in an unprivileged process.  I've attached the link you provided for review to our on-access scanner development task.
>
> You may want to hold off on putting in a pull request or adding any documentation until the new on-access tool is complete and has been merged into dev/0.102.
>
> -Micah
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Jan 24, 2019, at 4:13 PM, David Collins <davetha at gmail.com> wrote:
>
> Hi,
> I work with a large environment that is extremely file open heavy.
> Over the years, we have either avoided access scanning altogether,
> or had clam hook into file upload events in specific daemons (mail,
> ftp etc..).
>
> Many proprietary AV solutions support scan-on-close, which works well in
> environments similar to mine.
>
> I've written a fully usable PoC, including an OnWriteClose option to
> toggle it on and off.  Before I start writing documentation for the
> option, I'd like to see if this is a feature that ClamAV would value.
>
> Link to clamav-devel fork&commit
> https://github.com/davetha/clamav-devel/commit/432e63dcb5559b43532abbc83adcaf9e780901e5
> Thanks in advance!
> _______________________________________________
> clamav-devel mailing list
> clamav-devel at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-devel
>
> Please submit your patches to our Bugzilla: http://bugzilla.clamav.net
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

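The thread discusses scan-on-write-close via fanotify without showing any code (the actual patch lives only behind the GitHub link above). Below is an added, stand-alone illustration of the mechanism: it is not David's patch and not ClamAV code. It marks a whole mount for FAN_CLOSE_WRITE only, so an open-heavy workload generates no events at all until a writer closes a file, and it hands each closed path to a running clamd over the zSCAN socket command. The socket path /var/run/clamav/clamd.ctl, the function names, and the 8 KiB event buffer are assumptions for the example; LocalSocket in clamd.conf decides the real socket path.

```c
/* Added example (not the thread's patch, not ClamAV code): a minimal
 * scan-on-write-close daemon. fanotify raises one event per file after a
 * writer closes it; each such file is handed to a running clamd via zSCAN.
 * Assumption: clamd listens on CLAMD_SOCKET below (LocalSocket in clamd.conf). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
#include <sys/socket.h>
#include <sys/un.h>

#define CLAMD_SOCKET "/var/run/clamav/clamd.ctl"

/* Only a close of a descriptor that was open for writing (FAN_CLOSE_WRITE)
 * can have changed content; read-only closes and directory events are skipped. */
int owc_should_scan(uint64_t mask)
{
    if (mask & FAN_ONDIR)
        return 0;
    return (mask & FAN_CLOSE_WRITE) ? 1 : 0;
}

/* Classify clamd's reply to "zSCAN <path>": 1 infected, 0 clean, -1 error. */
int clamd_verdict(const char *reply)
{
    size_t n = strlen(reply);
    if (n >= 6 && strcmp(reply + n - 6, " FOUND") == 0)
        return 1;
    if (n >= 3 && strcmp(reply + n - 3, " OK") == 0)
        return 0;
    return -1; /* "... ERROR" or anything unexpected */
}

/* Ask clamd to scan `path`; its reply text is copied into `reply`. */
int clamd_scan_path(const char *path, char *reply, size_t len)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    char cmd[PATH_MAX + 8];
    int clen = snprintf(cmd, sizeof(cmd), "zSCAN %s", path);
    if (clen < 0 || (size_t)clen >= sizeof(cmd))
        return -1;
    int s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (s < 0)
        return -1;
    strncpy(sa.sun_path, CLAMD_SOCKET, sizeof(sa.sun_path) - 1);
    /* 'z' commands are NUL-terminated, hence clen + 1 bytes on the wire. */
    if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        write(s, cmd, clen + 1) != clen + 1) {
        close(s);
        return -1;
    }
    ssize_t r = read(s, reply, len - 1); /* the reply is NUL-terminated as well */
    close(s);
    if (r <= 0)
        return -1;
    reply[r] = '\0';
    return clamd_verdict(reply);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <mount point>\n", argv[0]); return 2; }
    /* FAN_CLASS_NOTIF: observe only. Nothing waits for our verdict, so a slow
     * scan never stalls the writer; the price is that the bytes are already on
     * disk when we look (detection, not prevention). */
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY | O_CLOEXEC);
    if (fan < 0) { perror("fanotify_init (needs CAP_SYS_ADMIN)"); return 1; }
    /* One mark on the whole mount for FAN_CLOSE_WRITE only: no open/access
     * events at all, which is the point on an open-heavy file server. */
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_CLOSE_WRITE,
                      AT_FDCWD, argv[1]) < 0) { perror("fanotify_mark"); return 1; }
    char buf[8192] __attribute__((aligned(8)));
    for (;;) {
        ssize_t len = read(fan, buf, sizeof(buf));
        if (len < 0) { if (errno == EINTR) continue; perror("read"); return 1; }
        struct fanotify_event_metadata *m = (struct fanotify_event_metadata *)buf;
        for (; FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
            if (m->vers != FANOTIFY_METADATA_VERSION) { fprintf(stderr, "fanotify ABI mismatch\n"); return 1; }
            if (m->fd < 0) continue; /* overflow notification: no descriptor */
            if (owc_should_scan(m->mask)) {
                char link[64], path[PATH_MAX], reply[512];
                snprintf(link, sizeof(link), "/proc/self/fd/%d", m->fd);
                ssize_t n = readlink(link, path, sizeof(path) - 1);
                if (n >= 0) {
                    path[n] = '\0';
                    int v = clamd_scan_path(path, reply, sizeof(reply));
                    printf("%s: %s\n", path, v == 1 ? reply : v == 0 ? "clean" : "scan error");
                }
            }
            close(m->fd); /* every event fd must be closed or descriptors leak */
        }
    }
}
```

Build with `cc -O2 -o owc owc.c` and run it as root against a mount point, e.g. `./owc /srv/upload`. Things to keep in mind when using this shape for real: clamd scans by path here, so the clamd user needs read access to the closed file (streaming the already-open event fd with INSTREAM avoids that); FAN_CLOSE_WRITE fires for every close of a writable descriptor, even one that wrote nothing; the file can be rewritten between the event and the scan; and, as Micah's reply says, a close-time scan only catches what the loaded signatures already know, which is why a scheduled full scan still belongs next to it.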

