[clamav-users] Inquiry about ClamAV's usage within sandbox
Joel Esler
joel.esler at me.com
Wed Mar 30 19:22:08 UTC 2022
If the purpose of doing all of this is to detect if malware is present, I would do it outside of the sandbox. The point of a sandbox is to let malware execute and NOT stop it.
> On Mar 30, 2022, at 11:48 AM, G.W. Haywood via clamav-users <clamav-users at lists.clamav.net> wrote:
>
> Hi there,
>
> On Wed, 30 Mar 2022, Yang, Jiayi via clamav-users wrote:
>
>> ... what will happen if ClamAV is compromised? I'm guessing ...
>
> It doesn't help to guess. If *anything* is compromised then you
> should probably treat the entire computer as being under the control
> of criminals and act accordingly. At the very least disconnect it from
> the network so that it does not pose a threat to other systems.
>
>> ... it will give wrong detection result for the malware and also for
>> other files to be scanned, or the scanner will crash then cannot
>> work any more.
>
> Nothing is certain. If it is compromised then the malicious actor may
> 'fix' ClamAV (and the rest of the things that he has damaged) to make
> them look like they are working properly when they are not. I have
> seen modified system command binaries like 'ps' and 'ls' which appear
> to produce process or directory listings but which in fact hide some
> processes and directories or files from the lists which they produce.
> To an unobservant system administrator everything appears normal, but
> someone who looks carefully would see that the system was being used
> for malicious purposes.
>
> It's very likely a crash which enables the compromise. If the Bad
> Actor knows what he's doing, after gaining access he might modify the
> scanner to make it appear to be operating normally, but despite the
> appearance fail to detect the Bad Actor's intrusion. The timestamps
> on binaries are easily faked. It's not easy to fake a hash, so you
> can use something like 'tripwire' to spot unexpected modifications.
>
>> Is there also a probability that when it's compromised, it could
>> also infect other files when scanning them?
>
> If ClamAV (or anything else on your system) is compromised it does not
> matter whether or not ClamAV is scanning files. The game is over, and
> you lost. It's likely time to wipe discs, look for backups, reinstall.
>
>> I totally believe it's unlikely to happen.
>
> There's a big difference between 'unlikely' and 'impossible'.
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
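An added example, not from either poster and not ClamAV or tripwire code, of the point Ged makes about timestamps versus hashes. It records a baseline (size, mtime, SHA-256) for a directory of files, then simulates an attacker replacing a 'ps' wrapper with a same-length trojan and restoring the original mtime with os.utime. A check that only compares size and timestamp passes; the hash comparison catches it. The directory layout, file contents and the tamper step are all constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record size, mtime and SHA-256 for every regular file under root.
    In a real deployment this baseline must be stored off-host or on
    read-only media; a baseline the attacker can rewrite is worthless."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": sha256_file(p),
            }
    return baseline


def check_baseline(root, baseline):
    """Compare the current tree to the baseline.
    'metadata_changed' is what a size/timestamp-only check would report;
    'hash_changed' is what content hashing reports."""
    root = Path(root)
    findings = {"metadata_changed": [], "hash_changed": [], "missing": [], "new": []}
    for rel, rec in baseline.items():
        p = root / rel
        if not p.is_file():
            findings["missing"].append(rel)
            continue
        st = p.stat()
        if st.st_size != rec["size"] or st.st_mtime_ns != rec["mtime_ns"]:
            findings["metadata_changed"].append(rel)
        if sha256_file(p) != rec["sha256"]:
            findings["hash_changed"].append(rel)
    for p in sorted(root.rglob("*")):
        rel = str(p.relative_to(root))
        if p.is_file() and rel not in baseline:
            findings["new"].append(rel)
    return findings


def demo():
    """Constructed scenario: two shell wrappers stand in for system binaries."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        ps = root / "bin" / "ps"
        ls = root / "bin" / "ls"
        ps.write_bytes(b'#!/bin/sh\nexec /bin/ps "$@"\n')   # 28 bytes
        ls.write_bytes(b'#!/bin/sh\nexec /bin/ls "$@"\n')
        baseline = build_baseline(root)

        # Attacker swaps 'ps' for a same-length payload (hypothetical path
        # /tmp/.x) and puts the original atime/mtime back, so size and
        # timestamp both still match the baseline.
        st = ps.stat()
        ps.write_bytes(b'#!/bin/sh\nexec /tmp/.x "$@"\n')   # also 28 bytes
        os.utime(ps, ns=(st.st_atime_ns, st.st_mtime_ns))

        return check_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it reports bin/ps under hash_changed and nothing under metadata_changed, which is the whole argument for hash-based integrity tools: mtime and size are attacker-controlled, the content hash is not (short of a collision). The baseline and the checking tool itself still have to live somewhere the attacker cannot reach, otherwise they get 'fixed' along with ps and ls.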