[clamav-users] Inquiry about ClamAV's usage within sandbox
G.W. Haywood
clamav at jubileegroup.co.uk
Wed Mar 23 01:01:19 UTC 2022
Hi there,
On Tue, 22 Mar 2022, Yang, Jiayi via clamav-users wrote:
> ... I’m writing to inquire about the proper usage of ClamAV and
> whether it’s suggested to run ClamAV within a sandbox to avoid
> infecting other files/applications in the host if a malware is
> detected.
Vulnerabilities have been found - and fixed - in ClamAV in the past.
A sandbox or similar will probably reduce the attackable 'surface'.
I don't know what fraction of ClamAV users use sandboxing, I never
have done but I use a separate machine for the scanner and pass the
data to be scanned to it, over a network.
> 1. When scanning a given file, will ClamAV only do static analysis
> (based on signature database) or it will execute the file and
> analyze its behavior?
ClamAV will not attempt to execute the file. You can scan any file,
including non-executable files. There are some heuristics, so it's
not necessarily just using the signature database. If the file is
something like an archive ClamAV may extract the contents, which can
be a security concern. It's possible for example to create a small
archive which extracts to a huge file. ClamAV has some configuration
options to mitigate this kind of risk.
> If the file is a malware and we use ClamAV to scan the file, will it
> possibly infect the scanner or infect other files/applications on
> the host?
It's unlikely but the possibility cannot be ignored if you're serious
about security. Before attacking other parts of the system, malware
would most likely have to exploit a vulnerability in ClamAV. Use of
the word 'infect' tends to imply some sort of magic. None of this is
magic, it's just a computer doing what it's told but probably not what
was intended by its user. I'd tend to use the word 'compromise' which
means what I said in my previous sentence.
> 2. Is there any built-in sandbox mechanism in ClamAV so that when
> it scans a file, the file can be scanned in an isolated environment?
No. As has been mentioned there are several approaches to protecting
systems against this kind of thing. The ClamAV scanner might not run
on the computer which is being scanned. (I think that's question 3. :)
Your next question should be about detection rates.
--
73,
Ged.
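The "separate machine over a network" setup Ged describes is what clamd's INSTREAM command is for: the scanning host never sees the file on disk, it only receives bytes over a socket and returns a verdict line. The following is an added example, not code from this thread and not ClamAV's own code. It implements the client side of INSTREAM (the `zINSTREAM\0` command, 4-byte big-endian length-prefixed chunks, a zero-length chunk as terminator, a NUL-terminated reply), plus a constructed stand-in for clamd so the exchange runs offline. The stand-in's size cap emulates clamd.conf's StreamMaxLength; its signature name and error text are whatever the fake returns, a real clamd reports its own.

```python
import socket
import struct
import threading

# EICAR test string, assembled from two halves so the file itself is not the literal string.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         b"ANTIVIRUS-TEST-FILE!$H+H*")

CHUNK = 64 * 1024
CLIENT_MAX_BYTES = 25 * 1024 * 1024  # client-side cap; assumed value, mirrors MaxFileSize


def scan_stream(host, port, data, timeout=30.0, max_bytes=CLIENT_MAX_BYTES):
    """Send `data` to clamd over TCP with INSTREAM and return the raw reply line."""
    if len(data) > max_bytes:
        raise ValueError(f"refusing to stream {len(data)} bytes (> {max_bytes})")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"zINSTREAM\0")
        for off in range(0, len(data), CHUNK):
            chunk = data[off:off + CHUNK]
            s.sendall(struct.pack(">I", len(chunk)) + chunk)
        s.sendall(struct.pack(">I", 0))  # zero-length chunk ends the stream
        buf = b""
        while not buf.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            buf += part
    return buf.rstrip(b"\0").decode()


def verdict(reply):
    """Classify a clamd reply line into ('clean'|'infected'|'error', detail)."""
    if reply.endswith(" OK"):
        return ("clean", "")
    if reply.endswith(" FOUND"):
        return ("infected", reply[len("stream: "):-len(" FOUND")])
    return ("error", reply)  # e.g. '... ERROR' lines, incl. size-limit errors


class FakeClamd:
    """Constructed stand-in for clamd's INSTREAM handling (not the real daemon).

    Reads length-prefixed chunks, enforces a StreamMaxLength-style cap and
    flags EICAR. Only the wire framing mirrors clamd; verdict text is ours."""

    def __init__(self, stream_max=1024 * 1024):
        self.stream_max = stream_max
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.srv.accept()
            with conn:
                try:
                    self._handle(conn)
                except (ConnectionError, struct.error):
                    pass

    @staticmethod
    def _recv_exact(conn, n):
        buf = b""
        while len(buf) < n:
            part = conn.recv(n - len(buf))
            if not part:
                raise ConnectionError("peer closed mid-chunk")
            buf += part
        return buf

    def _handle(self, conn):
        cmd = b""
        while not cmd.endswith(b"\0"):
            cmd += self._recv_exact(conn, 1)
        if cmd != b"zINSTREAM\0":
            conn.sendall(b"UNKNOWN COMMAND\0")
            return
        data, too_big = b"", False
        while True:
            (n,) = struct.unpack(">I", self._recv_exact(conn, 4))
            if n == 0:
                break
            chunk = self._recv_exact(conn, n)  # keep draining so we never close with unread bytes
            if not too_big:
                data += chunk
                too_big = len(data) > self.stream_max
        if too_big:
            conn.sendall(b"stream: INSTREAM size limit exceeded. ERROR\0")
        elif EICAR in data:
            conn.sendall(b"stream: Eicar-Signature FOUND\0")
        else:
            conn.sendall(b"stream: OK\0")


if __name__ == "__main__":
    fake = FakeClamd(stream_max=1024)
    for sample in (b"hello world", EICAR, b"A" * 2048):
        print(len(sample), verdict(scan_stream("127.0.0.1", fake.port, sample)))
```

Point `scan_stream` at a real clamd (TCPSocket/TCPAddr in clamd.conf) and the same client works unchanged. The extraction-related limits mentioned above are the clamd.conf options MaxScanSize, MaxFileSize, MaxRecursion and MaxFiles (clamscan's --max-scansize, --max-filesize, --max-recursion, --max-files); StreamMaxLength bounds what the daemon will accept over INSTREAM, so a client-side cap like the one here just fails early instead of wasting the round trip.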