[clamav-users] Question about LLVM...
themadbeaker at gmail.com
Wed Dec 12 13:01:15 EST 2018
> So I would like to ask, does bytecode have access to its environment
> (like ActiveX unfortunately did) and, how well is bytecode sandboxed?
Well, first of all, only bytecode signatures published by Cisco/Talos
are considered "trusted" and will run by default. You would have to
manually specify if you wanted to run unsigned bytecode signatures.
From what I've read, the bytecode is C-like, but it is limited in that
it can't access system calls or memory, can only access the file to be
scanned, has an internal timeout, and has other security measures
to prevent it from arbitrarily doing what it wants.
You can always look through the source code if you want.
It doesn't seem like the bytecode database gets updated very often. I
suppose it is reserved for complex scanning when the pattern matching
of the regular databases just won't cut it...
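The trust model described above is controlled by a few clamd.conf directives. The fragment below is an added illustration, not part of the original post; the directive names are ClamAV's own (see clamd.conf.sample), while the commentary on what each setting means for the sandbox is the editor's.

```conf
# Added example: clamd.conf directives governing bytecode signatures.

# Master switch for running bytecode signatures at all.
Bytecode yes

# TrustSigned: only bytecode signed by Cisco/Talos runs (the default the
# post refers to). Paranoid is stricter still and disables bytecode
# that uses the JIT-only feature set. There is no config value that
# silently trusts unsigned bytecode; loading unsigned .cbc files is an
# explicit per-invocation choice (clamscan --bytecode-unsigned).
BytecodeSecurity TrustSigned

# Per-file execution budget in milliseconds; a signature that exceeds it
# is aborted, which is the "internal timeout" mentioned above.
# Raise it only for known-slow, trusted signatures.
BytecodeTimeout 5000
```

A practitioner checking a hardened deployment would grep clamd.conf for BytecodeSecurity and confirm it is TrustSigned or Paranoid, and audit any scripts that pass --bytecode-unsigned to clamscan.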