[clamav-users] clamav
G.W. Haywood
clamav at jubileegroup.co.uk
Sat Nov 16 15:21:06 UTC 2019
Hi there,
On Fri, 15 Nov 2019, Paul Kosinski via clamav-users wrote:
> On Thu, 14 Nov 2019 G.W. Haywood via clamav-users wrote:
>> On Thu, 14 Nov 2019, Paul Kosinski via clamav-users wrote:
>>
>>> ClamAV also can't deal with files bigger than 4 GB. This prevents it
>>> from scanning some videos, DVD-size ISOs, etc.
>>
>> The usefulness of scanning such files is debatable, but you can split
>> large files into pieces and scan the pieces using streaming to clamd.
>
> Video files have been used to attack buggy video players, and ISOs
> that hold software distributions can easily be that big. And
> remember that DVDs and flash disks that may be created from an ISO
> are often booted from to install whatever. This could mean your
> system is compromised at birth. ...
None of this alters the fact that if you look for malware with ClamAV,
then, if it's not a zero-day, by my estimation you have about a one in
three chance of finding it, even if the malware is in a 900 byte file.
Of course if it _is_ a zero-day, you have practically no chance. So,
even if you scan it, your system can *still* be compromised at birth,
except that now you'll think it isn't, because you've scanned it.
Trying to detect problems by scanning gigabytes of data for irrelevant
threats, or scanning entire Linux systems for some millions of Windows
viruses, when instead you could be doing something rational to prevent
those problems in the first place, is plain crackers. There seems to
be a school of thought that to secure a system, all you have to do is
install an anti-virus package, regularly scan your entire filesystem,
and you're safe. That's nonsense, and I'm not sure that the purveyors
of anti-virus packages aren't in some ways contributing to the general
misunderstanding.
If I were going to take risks like viewing random files that I'd (for
example) downloaded from the Internet using (for example) some dodgy
video player, then I'd at least first spin up a VM to do it with. If
an employee knowingly did such a thing at work then they'd be fired;
they've already signed a bit of paper which says so. One of the main
uses for ClamAV here is looking for emails which try to trick people
into doing just that sort of thing. If I'm thinking of running some
installer from an .iso file I'll be looking at least for an md5sum,
and more likely quite a bit more than that.
--
73,
Ged.
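The thread mentions splitting a file that exceeds ClamAV's 4 GB limit and streaming the pieces to clamd. The following is an added example of that approach, not code from the post or from the ClamAV project. It uses clamd's INSTREAM command as documented for clamd: the client sends "zINSTREAM\0", then chunks each prefixed by a 4-byte big-endian length, then a zero-length chunk, and clamd answers "stream: OK" or "stream: <signature> FOUND". The socket path, piece size, chunk size and overlap are assumptions for illustration.

```python
"""
Scan a large file in overlapping pieces by streaming each piece to clamd.

Added example (not from the post or the ClamAV project).  Wire format used:
  "zINSTREAM\0", then [4-byte big-endian length][data]..., then a 0-length
  chunk; reply is "stream: OK\0" or "stream: <sig> FOUND\0".
Socket path, piece size, chunk size and overlap are assumed values.
"""
import os
import socket
import struct
import sys
from io import BytesIO
from typing import BinaryIO, Iterator, List, Optional, Tuple

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumed; see LocalSocket in clamd.conf
PIECE_SIZE = 2 * 1024 ** 3   # 2 GiB pieces, under the 4 GB limit discussed
CHUNK_SIZE = 64 * 1024       # bytes per INSTREAM frame
# Consecutive pieces overlap so a byte pattern lying across a cut is still
# seen whole in at least one piece.  Make it at least as long as the longest
# body signature you care about; 1 MiB here is an assumed value.
OVERLAP = 1024 ** 2


def split_pieces(total_size: int, piece_size: int = PIECE_SIZE,
                 overlap: int = OVERLAP) -> List[Tuple[int, int]]:
    """Return (offset, length) pairs covering total_size bytes, with overlap."""
    if overlap >= piece_size:
        raise ValueError("overlap must be smaller than piece_size")
    pieces = []
    start = 0
    while start < total_size:
        length = min(piece_size, total_size - start)
        pieces.append((start, length))
        if start + length >= total_size:
            break
        start += piece_size - overlap
    return pieces


def instream_frames(src: BinaryIO, size: int,
                    chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield the wire frames of one INSTREAM session covering `size` bytes of `src`."""
    yield b"zINSTREAM\0"
    remaining = size
    while remaining > 0:
        chunk = src.read(min(chunk_size, remaining))
        if not chunk:           # short read: still terminate the session cleanly
            break
        remaining -= len(chunk)
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)  # zero-length chunk ends the session


def frames_for_bytes(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[bytes]:
    """Frame an in-memory byte string (handy for checking the encoder offline)."""
    return list(instream_frames(BytesIO(data), len(data), chunk_size))


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Classify a clamd reply as ('clean' | 'infected' | 'error', detail)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", errors="replace")
    _, sep, verdict = text.partition(": ")
    if sep and verdict == "OK":
        return "clean", None
    if sep and verdict.endswith(" FOUND"):
        return "infected", verdict[: -len(" FOUND")]
    return "error", text        # anything else, e.g. a size-limit error from clamd


def scan_piece(path: str, offset: int, length: int,
               sock_path: str = CLAMD_SOCKET) -> Tuple[str, Optional[str]]:
    """Stream one piece of `path` to clamd over its Unix socket and return the verdict."""
    with open(path, "rb") as f, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        f.seek(offset)
        for frame in instream_frames(f, length):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def scan_file_in_pieces(path: str, sock_path: str = CLAMD_SOCKET):
    """Scan every piece of `path`; returns (offset, length, status, detail) per piece."""
    results = []
    for offset, length in split_pieces(os.path.getsize(path)):
        status, detail = scan_piece(path, offset, length, sock_path)
        results.append((offset, length, status, detail))
    return results


if __name__ == "__main__":
    for off, ln, status, detail in scan_file_in_pieces(sys.argv[1]):
        print(f"{off:>14d} +{ln:<12d} {status} {detail or ''}")
```

Two caveats a practitioner should keep in mind. First, clamd's own limits apply per session: StreamMaxLength in clamd.conf (and MaxFileSize/MaxScanSize) must be at least the piece size or the stream is refused, so the 2 GiB PIECE_SIZE above assumes those have been raised from their defaults. Second, a piece cut at an arbitrary offset is just a byte range: clamd will not recognise it as an ISO 9660 image or other container and unpack it, so piecewise scanning only catches raw byte patterns and hashes of the pieces, not the files inside the image.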