Mailing List Archive

Re: Clamav-win32 Memory Scan
Bump... Can anyone confirm that clamav-win does not scan memory resident
files but files associated with resident processes from disk?

Thanks,

Jason

On Thu, Mar 8, 2012 at 4:45 PM, Jason Gionta <jjgionta@ncsu.edu> wrote:

> Hi all,
>
> I tried to get an answer from the clam-av mailing list but I haven't
> gotten any help so I was hoping the development list might help.
>
> From the clamav-win documentation, clamav-win supports memory scanning by
> adding the "--memory" option to the command line.
>
> However, after looking at the source code and tracing a running instance
> in Visual Studio, it seems that clamav-win is not scanning memory but
> scanning files associated with processes in memory.
>
> Essentially the memory scan algorithm is as follows: 1) get process list,
> 2) read each process's associated modules (files), 3) extract the module's
> location in a file format, 4) scan the file by calling "_open" with
> read-only permissions.
>
> Is this correct? And if so, this seems like it is not scanning memory, but
> files on disk. Can someone confirm this?
>
> Thanks,
>
> Jason
>
>


--
Jason Gionta
Cyber Defense Lab
North Carolina State University
jjgionta@ncsu.edu
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
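
The four-step procedure described in the message above, sketched in PowerShell as an added example; it is not part of the thread and not ClamWin or ClamAV code. The function names are hypothetical, and a SHA-256 hash stands in for the signature scan. Every target it produces is a path on disk, so anything in a process that has no backing file never appears in the list.

```powershell
# Added example (not ClamWin code). Function names are hypothetical.
# Nothing below reads process memory: every scan target is a path on disk.

function Get-LoadedModulePath {
    # Steps 1-3: walk the process list and collect each loaded module's file path.
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($proc in Get-Process) {
        try {
            # May throw or come back empty for protected or already-exited processes.
            $modules = $proc.Modules
        } catch {
            continue
        }
        foreach ($m in $modules) {
            # Report each distinct path once, with the first process seen using it.
            if ($m.FileName -and $seen.Add($m.FileName)) {
                [pscustomobject]@{ ProcessId = $proc.Id; Name = $proc.ProcessName; Path = $m.FileName }
            }
        }
    }
}

function Get-DiskImageHash {
    param([Parameter(Mandatory)][string]$Path)
    # Step 4: a read-only open of the file on disk, as "_open" does in the thread.
    # The SHA-256 hash is a stand-in for handing the file to the scan engine.
    $fs = $null
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $sha = [System.Security.Cryptography.SHA256]::Create()
        try {
            return [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '')
        } finally {
            $sha.Dispose()
        }
    } catch {
        return $null   # file deleted, locked, or unreadable since it was loaded
    } finally {
        if ($fs) { $fs.Dispose() }
    }
}

# One row per distinct module file; an empty Sha256 means the file could not be read.
Get-LoadedModulePath |
    Select-Object ProcessId, Name, Path, @{ Name = 'Sha256'; Expression = { Get-DiskImageHash $_.Path } }
```
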
Re: Clamav-win32 Memory Scan
On 09/04/2012 15:31, Jason Gionta wrote:
> Bump... Can anyone confirm that clamav-win does not scan memory resident
> files but files associated with resident processes from disk?
>
> Thanks,

ClamWin (not clamav-win32 the official port) scans on disk processes
loaded in memory (as you think), and if an executable "looks" (by using
some heuristics) packed it gets dumped from memory and then scanned,
though not very useful because of missing signatures of such kind.
It's not really scanning memory, but it can easily spot loaded malware
without scanning the whole system

Regards

--
Gianluigi Tiesi <sherpya@netfarm.it>
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/

Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
Re: Clamav-win32 Memory Scan
Thanks for the follow up. I had the wrong impression. I'll have to take
another look.

You also raised another concern of mine. Is it correct that clamav does
not contain signatures for memory resident only malware?

Thanks again,

Jason



On Mon, Apr 9, 2012 at 1:03 PM, Gianluigi Tiesi <sherpya@netfarm.it> wrote:

> On 09/04/2012 15:31, Jason Gionta wrote:
>
>> Bump... Can anyone confirm that clamav-win does not scan memory resident
>> files but files associated with resident processes from disk?
>>
>> Thanks,
>>
>
> ClamWin (not clamav-win32 the official port) scans on disk processes
> loaded in memory (as you think), and if an executable "looks" (by using
> some heuristics) packed it gets dumped from memory and then scanned, though
> not very useful because of missing signatures of such kind.
> It's not really scanning memory, but it can easily spot loaded malware
> without scanning the whole system
>
> Regards
>
> --
> Gianluigi Tiesi <sherpya@netfarm.it>
> EDP Project Leader
> Netfarm S.r.l. - http://www.netfarm.it/
> Free Software: http://oss.netfarm.it/
>
> Q: Because it reverses the logical flow of conversation.
> A: Why is putting a reply at the top of the message frowned upon?
>



--
Jason Gionta
Cyber Defense Lab
North Carolina State University
jjgionta@ncsu.edu