[clamav-users] clamav
G.W. Haywood
clamav at jubileegroup.co.uk
Thu Nov 14 14:26:25 UTC 2019
Hi there,
On Thu, 14 Nov 2019, ALMOKBEL, RAWAN wrote:
> Good Day!
Well it's been raining here for weeks, but good day to you too! :)
> Does clamav scan embedded virus and malicious inside files?
If you mean archive files the question has already been answered well,
but I would add that it is almost true to say that ClamAV _only_ scans
inside files. It is only 'almost' true because you can, for example,
ask clamd to listen to a socket, and feed data directly to it via the
socket. But most of the time it will be a file which you pipe to the
socket. In that case, clamd itself will know nothing about the file,
except perhaps its length - or at least the amount of data it scanned
before it found something which for example matches a signature. All
it knows is what came along from the socket - this does not include,
for example, the name of the file, and the data is normally sent in
'chunks' so clamd generally only knows the length of the 'chunks'.
Processing mail using a milter is a very common use of ClamAV, and
indeed ClamAV packages its own milter, 'clamav-milter', for that
purpose. A milter sends data to clamd via a socket, for scanning in
the same way that clamdscan does. Neither scans the data itself, but
simply passes the data to clamd. (Again, 'simply' is almost true.)
I wonder if you meant to ask if ClamAV can scan memory. Unlike some
commercial anti-virus packages, ClamAV cannot do that directly; but
you can if you wish write code to read memory and pipe the data to a
clamd process for scanning.
With existing signature databases I do not know how effective that
might be, because I do not know how many (if any) signatures have been
written with the intention of finding things in memory rather than in
files, or which might be expected to match memory content even if not
written with that intention. Most executable files are modified when
they are loaded into memory, and it is common for the data in other
files to be modified as it is loaded, even if not for execution. For
the 'heuristics'-type signatures, e.g., I'd say all bets are off.
If you have particular requirements to scan memory, in principle it
would not be difficult to produce the signatures. But it would be a
substantial undertaking to scan memory in a multi-user, multi-tasking
operating system (which may be using paging, sharing, virtual memory,
swap and DMA) using clamd in a way which makes any real sense. I'd be
pleased to be proven wrong, and if I'm wrong I'm sure Sourcefire would
be pleased too. :)
--
73,
Ged.
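The point Ged makes above, that clamd sees only a stream of length-prefixed chunks and never the file name, is easiest to see in a client for clamd's INSTREAM command. The following is an added illustration, not code from the list post or from the ClamAV project: it builds the frames clamd expects (the `zINSTREAM\0` command, each chunk preceded by its 4-byte network-order length, and a zero-length chunk as terminator), sends them over a Unix socket, and parses the `stream: OK` / `stream: <name> FOUND` reply. The socket path and chunk size are assumptions; the default socket location varies by distribution and is set by `LocalSocket` in clamd.conf.

```python
import socket
import struct
import sys
from typing import Iterator, Optional, Tuple

# Assumed defaults: adjust the socket path to your clamd.conf LocalSocket setting.
DEFAULT_SOCKET = "/var/run/clamav/clamd.ctl"
CHUNK_SIZE = 8192


def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield the byte frames for clamd's INSTREAM command.

    clamd receives nothing but these frames: no file name, no metadata,
    only the chunk lengths and the chunk contents themselves.
    """
    yield b"zINSTREAM\0"
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        # 4-byte length in network byte order, followed by the chunk.
        yield struct.pack("!I", len(chunk)) + chunk
    # A zero-length chunk tells clamd the stream is complete.
    yield struct.pack("!I", 0)


def parse_reply(reply: bytes) -> Tuple[str, bool, Optional[str]]:
    """Parse a clamd reply such as b'stream: OK\\0' or
    b'stream: Some-Signature-Name FOUND\\0'.

    Returns (stream_name, infected, signature_name). A reply ending in
    ERROR (e.g. when StreamMaxLength is exceeded) raises ValueError so the
    caller cannot mistake a failed scan for a clean one.
    """
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    name, _, verdict = text.partition(": ")
    if verdict.endswith(" FOUND"):
        return name, True, verdict[: -len(" FOUND")]
    if verdict == "OK":
        return name, False, None
    raise ValueError(f"clamd did not return a verdict: {text!r}")


def scan_bytes(data: bytes, socket_path: str = DEFAULT_SOCKET) -> Tuple[str, bool, Optional[str]]:
    """Stream an in-memory buffer to clamd and return the parsed verdict.

    Because the data is already in memory, this works equally for a file
    read from disk, a mail body handed over by a milter, or a region of
    memory dumped by some other tool; clamd cannot tell the difference.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        # Replies to the 'z' command variant are NUL-terminated.
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    # Usage: python clamd_instream.py <path-to-file>
    with open(sys.argv[1], "rb") as fh:
        stream_name, infected, signature = scan_bytes(fh.read())
    print("INFECTED" if infected else "OK", signature or "")
```

Because the scan result is tied only to the stream, any logging or quarantine decision has to be made by the client, which is the only party that still knows which file, message or memory region the bytes came from.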