[clamav-users] Streaming support in ClamD

David Raynor draynor at sourcefire.com
Thu Jul 2 17:55:13 UTC 2015


Henrik's right. The simple answer is that ClamAV does not do any "status
for each segment". It scans files, including support for some filetypes
that have to be read back-to-front and using some virus signatures that are
full-file hashes. For that and more, it has to know where EOF is. So even
though clamd can be fed the data as a stream, there are no partial-file
results for streams.

Dave R.

On Thu, Jul 2, 2015 at 5:55 AM, Henrik K <hege at hege.li> wrote:

>
> Let's say you have a zip file. How do you expect ClamAV to scan it packet by
> packet?  Or any other data really.  I think there are very few wild
> signatures in the database that are allowed to match any position anywhere in a
> "file".  The only reliable way is to scan a complete file, so it knows the
> length and can decode it properly etc.
>
> The now abandoned HAVP proxy scanner does many tricks (filesystem mandatory
> locking to "pseudo-stream" files into clamav, zip header prefetch etc) to
> achieve near realtime scanning for large files and reduce "user hanging" to
> a minimum.  I guess this is what you are after, but ICAP can't achieve such
> trickery.
>
>
> On Thu, Jul 02, 2015 at 12:57:00PM +0530, P K wrote:
> > Hi guys,
> >
> > Waiting for your reply. It should be a simpler answer.
> >
> > Does ClamAV support virus checking in stream mode for large files?
> >
> > If I have a file size of 10Mb, do I have to send all data to ClamAV and
> > ClamAV will send status ok,
> > or can it scan data in each packet and return status for each segment?
> >
> > Thanks
> >
> >
> > On Tue, Jun 30, 2015 at 12:28 PM, P K <pkopensrc at gmail.com> wrote:
> >
> > > Hi Guys,
> > >
> > > I am new to Clamd and was trying to use it for virus scanning.
> > >
> > > I used squid + icap + ClamAV.
> > >
> > > But I have seen that once all data is received, ClamAV INSTREAM is called
> > > and data is passed to it.
> > >
> > > Is it an issue with the icap server, or does Clamd not support streaming?
> > >
> > > Any guidance will be helpful for me,
> > > and how can we make ClamAV support streaming?
> > >
> > > Awaiting your reply.
> > >
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
>



-- 
---
Dave Raynor
Talos Security Intelligence and Research Group
draynor at sourcefire.com
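
The INSTREAM exchange discussed in this thread, as an added example that is not part of the original message and is not ClamAV code. The client-side framing follows clamd's INSTREAM command; standin_scanner, its single full-file SHA-256 signature and the name Constructed.Test are assumptions made so the example runs offline, modelling the behaviour described above: chunks can be fed as they arrive, but the only reply comes after the zero-length chunk that marks EOF.

```python
import hashlib, socket, struct, threading

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def instream_frames(data, chunk_size=8):
    """Bytes a client writes for clamd's INSTREAM command, frame by frame."""
    yield b"zINSTREAM\0"
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk  # 4-byte big-endian length
    yield struct.pack("!I", 0)  # zero-length chunk tells the scanner where EOF is

def standin_scanner(sock, bad_sha256):
    """Constructed stand-in for clamd: one full-file hash signature."""
    rfile = sock.makefile("rb")
    rfile.read(len(b"zINSTREAM\0"))  # consume the command
    digest = hashlib.sha256()
    while True:
        (size,) = struct.unpack("!I", rfile.read(4))
        if size == 0:
            break  # only now is the whole "file" known
        digest.update(rfile.read(size))
    hit = digest.hexdigest() == bad_sha256
    sock.sendall(b"stream: Constructed.Test FOUND\0" if hit else b"stream: OK\0")

def scan(data, bad_sha256):
    """Return (bytes received before the EOF chunk was sent, final verdict)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=standin_scanner, args=(server, bad_sha256))
    worker.start()
    frames = list(instream_frames(data))
    client.sendall(b"".join(frames[:-1]))  # command + every data chunk
    client.settimeout(0.3)
    try:
        early = client.recv(64)  # any per-chunk status would show up here
    except socket.timeout:
        early = b""
    client.settimeout(5)
    client.sendall(frames[-1])  # EOF marker
    verdict = b""
    while not verdict.endswith(b"\0"):
        verdict += client.recv(64)
    worker.join(); client.close(); server.close()
    return early, verdict.rstrip(b"\0").decode()
```

Two payloads that differ only in their last byte get different verdicts, which is why a hash over the whole file cannot be decided on any earlier chunk.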


