Hi all,
From the clamav-win documentation, clamav-win supports memory scanning by
adding the "--memory" option to the command line.
However, after looking at the source code and tracing a running instance in
Visual Studio, it seems that clamav-win is not scanning memory but
scanning files associated with processes in memory.
Essentially the memory scan algorithm is as follows: 1) get process list,
2) read each process's associated modules (files), 3) extract the module's
location in a file format, 4) scan the file by calling "_open" with
read-only permissions.
Is this correct? And if so, this seems like it is not scanning memory, but
files on disk. Can someone confirm this?
Thanks,
Jason
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32
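
An added illustration of the distinction drawn in the message above (not clamav-win code and not part of the original post): a scanner that opens a module's backing file read-only cannot see bytes that exist only in the loaded image. The copy-on-write mapping, the function names and the marker are constructed stand-ins for a loaded module; a real memory scan would read the process's pages through the operating system's process-memory APIs.

```python
import mmap
import os
import tempfile

# Constructed marker standing in for a signature; not a real detection pattern.
SIGNATURE = b"EXAMPLE-TEST-MARKER"


def scan_file_on_disk(path, signature):
    """Mirror the flow in the post: open the module's file read-only and scan it."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_BINARY", 0))
    with os.fdopen(fd, "rb") as fh:
        return signature in fh.read()


def scan_memory_image(view, signature):
    """Scan the bytes as they currently exist in the mapped (in-memory) image."""
    return view.find(signature) != -1


def compare_scans():
    """Map a constructed 'module' copy-on-write, change only the in-memory
    copy, then run both scan styles against the same module."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "module.bin")
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 4096)  # constructed clean image on disk

        with open(path, "r+b") as fh:
            # ACCESS_COPY: writes affect memory only, never the file on disk.
            view = mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_COPY)
            try:
                view[128:128 + len(SIGNATURE)] = SIGNATURE
                return {
                    "disk": scan_file_on_disk(path, SIGNATURE),
                    "memory": scan_memory_image(view, SIGNATURE),
                }
            finally:
                view.close()


if __name__ == "__main__":
    print(compare_scans())
```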