
On write close scan with Fanotify
Hi,
I work with a large environment that is extremely file-open heavy.
Over the years, we have either avoided access scanning altogether,
or had clam hook into file upload events in specific daemons (mail,
ftp, etc.).

Many proprietary AV solutions support scan on close, which works well in
environments similar to mine.

I've written a fully usable PoC, including an OnWriteClose option to
toggle it on and off. Before I start writing documentation for the
option, I'd like to see if this is a feature ClamAV would value.

Link to clamav-devel fork & commit:
https://github.com/davetha/clamav-devel/commit/432e63dcb5559b43532abbc83adcaf9e780901e5
Thanks in advance!
_______________________________________________
clamav-devel mailing list
clamav-devel@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-devel

Please submit your patches to our Bugzilla: http://bugzilla.clamav.net

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
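As an added example (not David's patch and not ClamAV's own code), this is the fanotify subscription a scan-on-write-close hook rests on: the mount is marked for FAN_CLOSE_WRITE only, so the open-heavy workload described above generates no events at all, and only a close that follows a write hands a path to the scanner. Function names and the /tmp default are assumptions; the live loop needs Linux and CAP_SYS_ADMIN, while the helpers run unprivileged.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Assumption: subscribe to FAN_CLOSE_WRITE only. Opens, reads and read-only
 * closes then produce no events. This is a notification, not a permission
 * event: it cannot block a write that has already happened. */
uint64_t close_write_mask(void) { return FAN_CLOSE_WRITE; }

/* Decide from an event's mask whether the file should be handed to clamd. */
int event_needs_scan(uint64_t mask) { return (mask & FAN_CLOSE_WRITE) != 0; }

/* Resolve the path behind an event fd through /proc; returns length or -1. */
ssize_t event_path(int fd, char *buf, size_t len) {
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, buf, len - 1);
    if (n >= 0) buf[n] = '\0';
    return n;
}

/* Create the notification group and mark a whole mount. Needs CAP_SYS_ADMIN. */
int setup_close_write_watch(const char *mount) {
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY | O_CLOEXEC);
    if (fan < 0) return -1;
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, close_write_mask(),
                      AT_FDCWD, mount) < 0) { close(fan); return -1; }
    return fan;
}

/* Event loop: print each path that a real hook would submit to clamd. */
int main(int argc, char **argv) {
    int fan = setup_close_write_watch(argc > 1 ? argv[1] : "/tmp");
    if (fan < 0) { perror("fanotify"); return 1; }
    struct fanotify_event_metadata buf[128], *m;
    char path[PATH_MAX];
    for (;;) {
        ssize_t n = read(fan, buf, sizeof buf);
        if (n <= 0) break;
        for (m = buf; FAN_EVENT_OK(m, n); m = FAN_EVENT_NEXT(m, n)) {
            if (m->fd < 0) continue;          /* queue-overflow marker, no fd */
            if (event_needs_scan(m->mask) && event_path(m->fd, path, sizeof path) > 0)
                printf("scan: %s\n", path);   /* hand-off point for clamd */
            close(m->fd);                     /* always release the event fd */
        }
    }
    return 0;
}
```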
Re: On write close scan with Fanotify
Hi David,

Interesting idea. I can appreciate the use case to only scan files that are new or modified. Anyone who uses it though should be aware that ClamAV's on-access scanning would have to be enabled 100% of the time. In addition, they wouldn't be protected unless a signature for the malware has been deployed before infection. I would recommend also configuring a regularly scheduled scan to double check existing files.

On the topic of on-access scanning:
Mickey is actively working on separating the on-access scan feature into a separate utility. At present, clamd must be run as root to enable on-access scanning. Making a separate tool that interfaces with clamd, similar to clamdscan and clamav-milter, is a small step towards sandboxing the scanning engine in an unprivileged process. I've attached the link you provided for review to our on-access scanner development task.

You may want to hold off on putting in a pull request or adding any documentation until the new on-access tool is complete and has been merged into dev/0.102.

-Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Jan 24, 2019, at 4:13 PM, David Collins <davetha@gmail.com> wrote:
Re: On write close scan with Fanotify
Hi Micah,
I really appreciate the feedback, and letting me know the future
direction of on-access scan. There are industries out there that
don't enable access scanning due to the resource issues. Having the
on write close with periodic full FS scans would put some systems in a
better security posture.

We'll continue using and testing the patch internally. I look forward
to seeing what the sandboxing looks like.

Thanks!

On Fri, Jan 25, 2019 at 3:24 PM Micah Snyder (micasnyd)
<micasnyd@cisco.com> wrote: