New Version of ClamAV
Hey all,



We're currently scoping out the next version of ClamAV. We have a number
of ideas in house, but I wanted to solicit some feedback from our users
about what you might be interested in seeing.



Before you ask, we don't have a lot of information that we're ready to
share on our end about what we're planning, so I don't want to promise
anything yet. In general we're looking to expand the detection capability,
the engine's stability and make the system a little more usable. As we
firm things up, we'll let you guys know more about what we're working on.



We will also be interested, as we get further down the road, in beta
testers. I think you'll see a lot of new functionality in ClamAV and we'd
appreciate as many eyes as possible on it once we're ready to show it off.



And no, we don't have an estimated release date :)



Thanks in advance for your ideas! Please send your ideas to this list so
we can track them.



Matt
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: New Version of ClamAV
On 03/20/2013 06:35 PM, Matt Olney wrote:

> We're currently scoping out the next version of ClamAV. We have a number
> of ideas in house, but I wanted to solicit some feedback from our users
> about what you might be interested in seeing.

API to scan data that is already read (or, more practically, mmap()'ed)
into memory, a la scan_buff(void *start, size_t length, ...<options etc.>)

Thanks,

Eugene
Re: New Version of ClamAV
Hello Matt,

With Kernel 2.6.36 the fanotify API was introduced, which allows
ClamAV to be made an online virus scanner. Since Kernel 3.8.0 the
major errors of the implementation have been resolved. So it
is usable now.

As a proof of concept I created a project at
https://github.com/xypron/skyldav
which I am using on my Linux computers and which already helped
me to identify viruses while opening downloaded files.

A usable application should provide the following:
- A KDE or a Gnome system tray application which notifies a user
if a virus has been discovered and which allows to schedule
complete system scans.
- A daemon scanning files before read and at close after write.
This daemon should discover mount events and automatically add
new mounts to the list of watched mounts, e.g. when a network
drive is connected or a medium loaded.

I am aware of some coding for the fanotify API in the source
trunk but it seems to provide neither of:
- a system tray application
- the capability to watch complete mounts
- the capability to add new mounts to the watchlist

Best regards

Heinrich Schuchardt

Re: New Version of ClamAV
On 3/20/2013 9:47 AM, Eugene Crosser wrote:
> On 03/20/2013 06:35 PM, Matt Olney wrote:
>
>> We're currently scoping out the next version of ClamAV. We have a number
>> of ideas in house, but I wanted to solicit some feedback from our users
>> about what you might be interested in seeing.
> API to scan data that is already read (or, more practically, mmap()'ed)
> into memory, a la scan_buff(void *start, size_t length, ...<options etc.>)
>
> Thanks,
>
> Eugene
>
>
>

I second that! Right now we have to write an email message to disk just so we can pass in a file descriptor.

I'd also advocate better support/documentation/testing of a "lite" ClamAV build configuration. Namely geared towards systems
with limited memory and/or smaller than normal thread stack sizes, or strict security environments, yet still capable of
examining large file(s). This would include being designed to run (as effectively as possible) without the builtin runtime.
Security audits have flagged ClamAV in the past because it ships with LLVM code and could (theoretically) execute arbitrary code
from a compromised definitions file.

Re: New Version of ClamAV
On 20.03.13 17:11, Ladar Levison wrote:
> On 3/20/2013 9:47 AM, Eugene Crosser wrote:
>> On 03/20/2013 06:35 PM, Matt Olney wrote:
>>
>>> We're currently scoping out the next version of ClamAV. We have a number
>>> of ideas in house, but I wanted to solicit some feedback from our users
>>> about what you might be interested in seeing.
>> API to scan data that is already read (or, more practically, mmap()'ed)
>> into memory, a la scan_buff(void *start, size_t length, ...<options etc.>)
>>
>> Thanks,
>>
>> Eugene
>>
>>
>>
>
> I second that! Right now we have to write an email message to disk just so we can pass in a file descriptor.

Isn't that what most MTAs do anyway? Receiving a message over a socket
and storing it in a file.

When I added (or rather fixed) the file descriptor passing code in
ClamAV, I did it to optimally work with sendmail milters and it did
speed up things tremendously (before, you had to pass the whole message
content over the socket to the clamav daemon process).

If you temporarily store the message content on a ramdisk, it should get
quite fast.

(speaking about a scenario with running clamd here, btw)

Re: New Version of ClamAV
On 03/20/2013 09:02 PM, Marc Balmer wrote:

>>> API to scan data that is already read (or, more practically, mmap()'ed)
>>> into memory, a la scan_buff(void *start, size_t length, ...<options etc.>)
[...]
> If you temporarily store the message content on a ramdisk, it should get
> quite fast.

That's what I have to do currently. But it's extra conversion. I have my own
MIME parser, it gives me parts of the message in the form of memory areas. It's
a shame to write the data that is already read/mmaped back to a file, even if
it's on tmpfs.

Eugene
Re: New Version of ClamAV
Hi there,

On Thu, 21 Mar 2013, Matt Olney wrote:

> ... I wanted to solicit some feedback from our users about what you
> might be interested in seeing.

I want to be able to disable compilation of the bytecode interpreter
at configure time.

--

73,
Ged.
Re: New Version of ClamAV
G.W. Haywood,

Please try running ./configure with the --disable-llvm option.

Steve

On Fri, Mar 22, 2013 at 11:47 AM, G.W. Haywood <clamav-devel@jubileegroup.co.uk> wrote:

> Hi there,
>
> On Thu, 21 Mar 2013, Matt Olney wrote:
>
>> ... I wanted to solicit some feedback from our users about what you
>> might be interested in seeing.
>
> I want to be able to disable compilation of the bytecode interpreter
> at configure time.
>
> --
>
> 73,
> Ged.