[clamav-users] Is ClamAV available on the hypervisor?

Paul Kosinski clamav-users at iment.com
Thu Jul 5 12:52:30 EDT 2018

"* If the question is about using ClamAV to analyze traffic then no,
that is not the function of ClamAV. ClamAV analyzes files, not traffic."

I use HAVP to scan HTTP traffic, and it uses libclamav and thus ClamAV
signatures etc. The future development of HAVP is uncertain, but it
still seems to work. And it's Open Source, so you could modify it to
scan other traffic. (It may be too slow to handle file server traffic.)

Take a look at http://www.havp.org/.

On Thu, 5 Jul 2018 11:49:36 +0200
Tilman Schmidt <tschmidt at cardtech.de> wrote:

> These are strange questions.
> On 05.07.2018 at 07:59, "조정환" wrote:
> > Hello, I am using ClamAV for my organization, but I am using it
> > only on the VM server.
> I assume that by "the VM server" you mean a server which is running
> as a virtual machine, or perhaps even several of them. If not, please
> clarify.
> > 1. My supervisor asks, "Is ClamAV available on the hypervisor?"
> The answer is of course: "It depends on the hypervisor."
> If the hypervisor is running on an OS for which ClamAV is available,
> such as KVM on Linux or Hyper-V on Windows, then you can of course
> install ClamAV there, although I wonder why you would want to do that
> and what you might be hoping to achieve by it.
> > I can not answer the question of what other VM servers do when the
> > hypervisor gets infected?
> Depends on what you mean by "infected".
> * The hypervisor is certainly not vulnerable to common infections like
> E-mail attachments, documents with malicious macros or drive-by
> downloads from web pages, because it doesn't run mail clients, office
> applications or web browsers.
> * Depending on the type of hypervisor it may not even be able to
> execute the infection.
> * If the hypervisor is compromised by whatever means then it could be
> abused to manipulate and compromise any VM running on it. A virus
> scanner such as ClamAV is however the wrong tool to detect such a
> compromise.
> > 2. I was asked if there is a capability to analyze traffic moving
> > between VM servers with ClamAV installed, but I am not listed in the
> > detection rule creation manual.
> I'm not sure I understand that question.
> * If the question is about using ClamAV to analyze traffic then no,
> that is not the function of ClamAV. ClamAV analyzes files, not
> traffic.
> * If the question is about traffic between VM servers running ClamAV
> then there is nothing to analyze. ClamAV instances on separate systems
> do not communicate directly with each other.
> * Which detection rule creation manual are you referring to, and why
> would you want to be listed in it?
> T.
