[clamav-users] Is ClamAV available on the hypervisor?

Joel Esler (jesler) jesler at cisco.com
Thu Jul 5 12:54:07 EDT 2018

ClamAV is not for traffic.  Snort is for traffic.  (www.snort.org<http://www.snort.org>)

On Jul 5, 2018, at 12:52 PM, Paul Kosinski <clamav-users at iment.com<mailto:clamav-users at iment.com>> wrote:

"* If the question is about using ClamAV to analyze traffic then no,
that is not the function of ClamAV. ClamAV analyzes files, not traffic."

I use HAVP to scan HTTP traffic, and it uses libclamav and thus ClamAV
signatures etc. The future development of HAVP is uncertain,but it
still seems to work. And it's Open Source, so you could modify it to
scan other traffic. (It may be too slow to handle file server traffic.)

Take a look at http://www.havp.org/.

On Thu, 5 Jul 2018 11:49:36 +0200
Tilman Schmidt <tschmidt at cardtech.de<mailto:tschmidt at cardtech.de>> wrote:

These are strange questions.

Am 05.07.2018 um 07:59 schrieb "조정환":
Hello, I am using ClamAV for my organization, but I am using it
only on the VM server.

I assume that by "the VM server" you mean a server which is running
as a virtual machine, or perhaps even several of them. If not, please

1. My supervisor asks, "Is ClamAV available on the hypervisor?"

The answer is of course: "It depends on the hypervisor."
If the hypervisor is running on an OS for which ClamAV is available,
such as KVM on Linux or HyperV on Windows, then you can of course
install ClamAV there, although I wonder why you would want to do that
what you might be hoping to achieve by it.

I can not answer the question of what other VM servers do when the
hypervisor gets infected?

Depends on what you mean by "infected".

* The hypervisor is certainly not vulnerable to common infections like
E-mail attachments, documents with malicious macros or drive-by
downloads from web pages, because it doesn't run mail clients, office
applications or web browsers.

* Depending on the type of hypervisor it may not even be able to
execute the infection.

* If the hypervisor is compromised by whatever means then it could be
abused to manipulate and compromise any VM running on it. A virus
scanner such as ClamAV is however the wrong tool to detect such a

2. I was asked if there is a capability to analyze traffic moving
between VM servers with ClamAV installed, but I am not listed in the
detection rule creation manual.
I'm not sure I understand that question.

* If the question is about using ClamAV to analyze traffic then no,
that is not the function of ClamAV. ClamAV analyzes files, not

* If the question is about traffic between VM servers running ClamAV
then there is nothing to analyze. ClamAV instances on separate systems
do not communicate directly with each other.

* Which detection rule creation manual are you referring to, and why
would you want to be listed in it?

clamav-users mailing list
clamav-users at lists.clamav.net<mailto:clamav-users at lists.clamav.net>

Help us build a comprehensive ClamAV guide:


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20180705/93b3a2d6/attachment.html>

More information about the clamav-users mailing list