[clamav-users] Inquiry about ClamAV's usage within sandbox

Yang, Jiayi jiayy at amazon.com
Wed Mar 30 15:18:07 UTC 2022


Hi Ged,

Thank you very much for the detailed reply! Could I ask more about what will happen if ClamAV is compromised? I'm guessing it will give wrong detection results for the malware and also for other files to be scanned, or the scanner will crash and then cannot work any more. Is there also a probability that when it's compromised, it could also infect other files when scanning them? I totally believe it's unlikely to happen. Just trying to consider every possibility from the security side and decide if it's better to do the scanning for different files in separate environments.

Thanks a lot! Looking forward to hearing from you.

Best,
Jiayi

On 3/22/22, 8:03 PM, "clamav-users on behalf of G.W. Haywood via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:




    Hi there,

    On Tue, 22 Mar 2022, Yang, Jiayi via clamav-users wrote:

    > ... I’m writing to inquire about the proper usage of ClamAV and
    > whether it’s suggested to run ClamAV within a sandbox to avoid
    > infecting other files/applications in the host if a malware is
    > detected.

    Vulnerabilities have been found - and fixed - in ClamAV in the past.
    A sandbox or similar will probably reduce the attackable 'surface'.
    I don't know what fraction of ClamAV users use sandboxing, I never
    have done but I use a separate machine for the scanner and pass the
    data to be scanned to it, over a network.

    > 1.  When scanning a given file, will ClamAV only do static analysis
    > (based on signature database) or it will execute the file and
    > analyze its behavior?

    ClamAV will not attempt to execute the file.  You can scan any file,
    including non-executable files.  There are some heuristics, so it's
    not necessarily just using the signature database.  If the file is
    something like an archive ClamAV may extract the contents, which can
    be a security concern.  It's possible for example to create a small
    archive which extracts to a huge file.  ClamAV has some configuration
    options to mitigate this kind of risk.

    > If the file is a malware and we use ClamAV to scan the file, will it
    > possibly infect the scanner or infect other files/applications on
    > the host?

    It's unlikely but the possibility cannot be ignored if you're serious
    about security.  Before attacking other parts of the system, malware
    would most likely have to exploit a vulnerability in ClamAV.  Use of
    the word 'infect' tends to imply some sort of magic.  None of this is
    magic, it's just a computer doing what it's told but probably not what
    was intended by its user.  I'd tend to use the word 'compromise' which
    means what I said in my previous sentence.

    > 2.  Is there any built-in sandbox mechanism in ClamAV so that when
    > it scans a file, the file can be scanned in an isolated environment?

    No.  As has been mentioned there are several approaches to protecting
    systems against this kind of thing.  The ClamAV scanner might not run
    on the computer which is being scanned.  (I think that's question 3. :)

    Your next question should be about detection rates.

    --

    73,
    Ged.

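Two points in Ged's reply lend themselves to a concrete illustration: running the scanner on a separate machine and passing the data to it over the network, and the clamd configuration limits that blunt small-archive-to-huge-file decompression bombs. The following is an added example written for this page; it is not code from the thread or from the ClamAV project. It frames a file for clamd's INSTREAM command (the command clamd exposes for scanning bytes sent over a socket), interprets the reply, and checks a clamd.conf text for the limit options. The host name, port, configuration values and reply strings are constructed placeholders; clamd on the scanner host is assumed to listen on TCP.

```python
"""Remote ClamAV scanning over INSTREAM plus a clamd.conf limits check.

Added example, not from the mailing-list thread or the ClamAV project.
Assumes clamd on the scanner host is configured with TCPSocket/TCPAddr;
"scanner.internal.example" and the conf values below are constructed.
"""
import socket
import struct

CHUNK = 64 * 1024  # bytes per INSTREAM chunk; any size below StreamMaxLength works


def frame_instream(data: bytes, chunk_size: int = CHUNK) -> bytes:
    """Build the bytes a client sends for one INSTREAM scan.

    Wire format: the NUL-terminated command 'zINSTREAM', then each chunk
    prefixed by its length as a 4-byte big-endian integer, terminated by a
    zero-length chunk.  Using the 'z' prefix makes clamd NUL-terminate its reply.
    """
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        piece = data[i:i + chunk_size]
        out += struct.pack("!I", len(piece)) + piece
    out += struct.pack("!I", 0)  # end of stream
    return bytes(out)


def parse_reply(reply: bytes) -> dict:
    """Classify a clamd reply such as 'stream: OK', 'stream: <name> FOUND'
    or 'INSTREAM size limit exceeded. ERROR' (the last one is what the
    StreamMaxLength limit produces when the client sends too much)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        body = text[:-len(" FOUND")]
        name = body.split(": ", 1)[1] if ": " in body else body
        return {"status": "FOUND", "signature": name, "raw": text}
    if text.endswith(" OK"):
        return {"status": "OK", "signature": None, "raw": text}
    return {"status": "ERROR", "signature": None, "raw": text}


def scan_stream(data: bytes, host: str = "scanner.internal.example",
                port: int = 3310, timeout: float = 30.0) -> dict:
    """Send data to clamd on a separate host and return the parsed verdict.
    The scanned bytes never touch the caller's filesystem on the scanner side;
    only the stream and the one-line verdict cross the network."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


# clamd.conf options that bound how much work an archive can make clamd do.
BOMB_LIMITS = ("MaxScanSize", "MaxFileSize", "MaxRecursion",
               "MaxFiles", "MaxScanTime", "StreamMaxLength")


def missing_limits(conf_text: str) -> list:
    """Return the bomb-limit options not explicitly set in a clamd.conf text,
    so a deployment review can see which ones are still at built-in defaults."""
    present = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        present.add(line.split(None, 1)[0])
    return [opt for opt in BOMB_LIMITS if opt not in present]


# Constructed clamd.conf fragment for the scanner host (values are illustrative).
SAMPLE_CONF = """# scanner host: accept streams from the scanning clients only
TCPSocket 3310
TCPAddr 10.0.0.5
StreamMaxLength 100M
MaxScanSize 150M
MaxFileSize 50M
MaxRecursion 10
MaxFiles 5000
MaxScanTime 120000
"""

if __name__ == "__main__":
    print("limits not set:", missing_limits(SAMPLE_CONF))
    print("frame for 3 bytes:", frame_instream(b"abc"))
    # print(scan_stream(open("suspect.bin", "rb").read()))  # needs a reachable clamd
```

`missing_limits` only reports options that are absent from the file; it does not judge whether a present value is sensible, which depends on the largest legitimate inputs the deployment must scan. MaxScanTime is in milliseconds, matching how clamd.conf expresses it.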


