Mailing List Archive

[clamav-users] clamav
Good Day!
I have a question regarding clamav scanning:
Does clamav scan for embedded viruses and malicious content inside files?
Kind regards,


Re: [clamav-users] clamav
On 14.11.19 10:49, ALMOKBEL, RAWAN wrote:
>I have a question regarding clamav scanning:
>Does clamav scan for embedded viruses and malicious content inside files?

ClamAV supports scanning file archives and the files inside them.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] clamav
That's a pretty broad question, but in general, the answer is yes, as long as ClamAV can recognize the format of the file. That does include many archives, but I believe there are a few that cannot be expanded. There are also some size restrictions on how much of a large file will be scanned due to RAM restrictions.

If you can narrow down your question to some specific file types, we could give you a more accurate answer.

-Al-

> On Nov 13, 2019, at 23:49, ALMOKBEL, RAWAN <almokbelra@NGHA.MED.SA> wrote:
>
> Good Day!
> I have a question regarding clamav scanning:
> Does clamav scan for embedded viruses and malicious content inside files?
>
> Kind regards,
Re: [clamav-users] clamav
Hi there,

On Thu, 14 Nov 2019, ALMOKBEL, RAWAN wrote:

> Good Day!

Well it's been raining here for weeks, but good day to you too! :)

> Does clamav scan for embedded viruses and malicious content inside files?

If you mean archive files the question has already been answered well,
but I would add that it is almost true to say that ClamAV _only_ scans
inside files. It is only 'almost' true because you can, for example,
ask clamd to listen to a socket, and feed data directly to it via the
socket. But most of the time it will be a file which you pipe to the
socket. In that case, clamd itself will know nothing about the file,
except perhaps its length - or at least the amount of data it scanned
before it found something which for example matches a signature. All
it knows is what came along from the socket - this does not include,
for example, the name of the file, and the data is normally sent in
'chunks' so clamd generally only knows the length of the 'chunks'.

Processing mail using a milter is a very common use of ClamAV, and
indeed ClamAV packages its own milter, 'clamav-milter', for that
purpose. A milter sends data to clamd via a socket, for scanning in
the same way that clamdscan does. Neither scans the data itself, but
simply passes the data to clamd. (Again, 'simply' is almost true.)

I wonder if you meant to ask if ClamAV can scan memory. Unlike some
commercial anti-virus packages, ClamAV cannot do that directly; but
you can if you wish write code to read memory and pipe the data to a
clamd process for scanning.

With existing signature databases I do not know how effective that
might be, because I do not know how many (if any) signatures have been
written with the intention of finding things in memory rather than in
files, or which might be expected to match memory content even if not
written with that intention. Most executable files are modified when
they are loaded into memory, and it is common for the data in other
files to be modified as it is loaded, even if not for execution. For
e.g. the 'heuristics' type signatures I'd say all bets are off.

If you have particular requirements to scan memory, in principle it
would not be difficult to produce the signatures. But it would be a
substantial undertaking to scan memory in a multi-user, multi-tasking
operating system (which may be using paging, sharing, virtual memory,
swap and DMA) using clamd in a way which makes any real sense. I'd be
pleased to be proven wrong, and if I'm wrong I'm sure Sourcefire would
be pleased too. :)

--

73,
Ged.

Re: [clamav-users] clamav
ClamAV also can't deal with files bigger than 4 GB. This prevents it
from scanning some videos, DVD-size ISOs, etc.

This is a shame, since Linux (and I presume most other modern OSes)
have been able to deal with "large" files (with 64-bit lengths and
offsets) for years now.


On Thu, 14 Nov 2019 00:15:47 -0800
Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:

> That's a pretty broad question, but in general, the answer is yes, as
> long as ClamAV can recognize the format of the file. That does
> include many archives, but I believe there are a few that cannot be
> expanded. There are also some size restrictions on how much of a
> large file will be scanned due to RAM restrictions.
>
> If you can narrow down your question to some specific file types, we
> could give you a more accurate answer.
>
> -Al-
>
> > On Nov 13, 2019, at 23:49, ALMOKBEL, RAWAN <almokbelra@NGHA.MED.SA> wrote:
> >
> > Good Day!
> > I have a question regarding clamav scanning:
> > Does clamav scan for embedded viruses and malicious content inside files?
> >
> > Kind regards,

Re: [clamav-users] clamav
Hi there,

On Thu, 14 Nov 2019, Paul Kosinski via clamav-users wrote:

> ClamAV also can't deal with files bigger than 4 GB. This prevents it
> from scanning some videos, DVD-size ISOs, etc.

The usefulness of scanning such files is debatable, but you can split
large files into pieces and scan the pieces using streaming to clamd.

--

73,
Ged.

Re: [clamav-users] clamav
On Thu, 14 Nov 2019 22:26:58 +0000 (GMT)
"G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Thu, 14 Nov 2019, Paul Kosinski via clamav-users wrote:
>
> > ClamAV also can't deal with files bigger than 4 GB. This prevents it
> > from scanning some videos, DVD-size ISOs, etc.
>
> The usefulness of scanning such files is debatable, but you can split
> large files into pieces and scan the pieces using streaming to clamd.
>


Video files have been used to attack buggy video players, and ISOs that
hold software distributions can easily be that big. And remember that
DVDs and flash disks that may be created from an ISO are often booted
from to install whatever. This could mean your system is compromised at
birth.

Also, splitting files may split in the middle of a signature. Plus, if
an archive file is split, the pieces will no longer be proper archives.

P.S. With regard to files bigger than 4 GB -- "nobody needs more than
640 K of RAM", "4 billion IP addresses are more than enough", "31 bit
time stamps will last for 70 years", "64-bit addressing is unnecessary
for home computers", and, "disks with more than X 512-byte blocks are
overkill". (Note that X has had to be increased 7 times -- from
508 MB to 2.1 GB, to 4.2 GB, to 8.4 GB, to 33.8 GB, to 137 GB, to 2 or
4 TB, and now to 128 PB with LBA 48. This lack of foresight makes the
Y2K issue seem like good planning.)

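Ged's point above that clamd sees nothing of a streamed file except a sequence of length-prefixed chunks, and Paul's objection above that splitting a large file into separately scanned pieces can cut a signature in half, are two different things, and the difference is easiest to see on the wire. The following Python is an added example for this thread, not code from the ClamAV project or from anyone posting here. It implements the client side of clamd's INSTREAM command (the protocol `clamdscan --stream` and clamav-milter use) together with a stand-in daemon that reassembles the chunks and matches only the EICAR test string, so the whole exchange runs offline; the UNIX socket path, the stand-in's 25 MB default limit and its habit of reading on to the terminator after the limit is hit are assumptions of the example (a real clamd takes the limit from StreamMaxLength in clamd.conf). Because clamd reassembles the chunks before scanning, a signature that straddles a chunk boundary is still found; the same bytes split across two separate INSTREAM sessions would not be.

```python
"""clamd INSTREAM exchange: client side, plus a stand-in for the daemon side.

Wire format of clamd's INSTREAM command (clamd(8)):
    client -> "zINSTREAM\\0"
    client -> repeated: 4-byte big-endian length, then that many bytes
    client -> 4-byte zero length ends the stream
    clamd  -> "stream: <signature> FOUND\\0" or "stream: OK\\0"
              ("INSTREAM size limit exceeded. ERROR\\0" once StreamMaxLength is hit)
"""
import socket
import struct
import threading

# EICAR test string, assembled from two halves so this file is not itself flagged.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
CHUNK = 8192  # bytes per chunk; these lengths are all clamd learns about the "file"


def instream_frames(pieces):
    """Yield the INSTREAM frames for an iterable of byte strings, terminator included."""
    yield b"zINSTREAM\0"
    for piece in pieces:
        if piece:  # a zero-length chunk would end the stream early, so never emit one
            yield struct.pack("!I", len(piece)) + piece
    yield struct.pack("!I", 0)


def _read_reply(sock):
    """The 'z' command prefix makes clamd NUL-terminate its reply."""
    buf = b""
    while not buf.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        buf += part
    return buf.rstrip(b"\0").decode()


def scan_stream(sock, pieces):
    """Send `pieces` to clamd over a connected socket and return the verdict line."""
    for frame in instream_frames(pieces):
        sock.sendall(frame)
    return _read_reply(sock)


def scan_file(path, clamd_socket="/var/run/clamav/clamd.ctl", chunk=CHUNK):
    """Stream a file to a local clamd over its UNIX socket.
    The socket path is an assumption; check LocalSocket in clamd.conf."""
    with open(path, "rb") as fh, socket.socket(socket.AF_UNIX) as sock:
        sock.connect(clamd_socket)
        return scan_stream(sock, iter(lambda: fh.read(chunk), b""))


def fake_clamd(sock, max_stream):
    """Stand-in daemon: reassemble the chunks, enforce a stream size limit like
    StreamMaxLength, and 'detect' only EICAR. Reads on to the terminator even
    after the limit is hit so the client never blocks on a full socket buffer."""
    def read_exact(n):
        buf = b""
        while len(buf) < n:
            part = sock.recv(n - len(buf))
            if not part:
                raise ConnectionError("client closed mid-frame")
            buf += part
        return buf

    try:
        cmd = b""
        while not cmd.endswith(b"\0"):
            cmd += read_exact(1)
        body, too_big = b"", False
        while True:
            (length,) = struct.unpack("!I", read_exact(4))
            if length == 0:
                break
            body += read_exact(length)
            too_big = too_big or len(body) > max_stream
        if too_big:
            sock.sendall(b"INSTREAM size limit exceeded. ERROR\0")
        elif EICAR in body:  # the stream is whole again; a chunk boundary cannot hide it
            sock.sendall(b"stream: Eicar-Test-Signature FOUND\0")
        else:
            sock.sendall(b"stream: OK\0")
    finally:
        sock.close()


def scan_with_fake_clamd(data, chunk=CHUNK, max_stream=25 * 1024 * 1024):
    """One INSTREAM exchange against the stand-in daemon, entirely in-process."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_clamd, args=(server, max_stream))
    worker.start()
    try:
        return scan_stream(client, (data[i:i + chunk] for i in range(0, len(data), chunk)))
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    # EICAR at offset 1000 with 1024-byte chunks, so it straddles a chunk boundary.
    print(scan_with_fake_clamd(b"A" * 1000 + EICAR + b"B" * 500, chunk=1024))
    print(scan_with_fake_clamd(b"A" * 300, chunk=64, max_stream=128))
```

Against a real daemon, `scan_file("/path/to/sample")` returns the same verdict strings, and the size and RAM limits Al mentions are the MaxFileSize, MaxScanSize and StreamMaxLength settings in clamd.conf; exceeding the stream limit produces the ERROR reply the stand-in reproduces, which a caller must treat as "not scanned", not as "clean".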
Re: [clamav-users] clamav
Hi there,

On Fri, 15 Nov 2019, Paul Kosinski via clamav-users wrote:
> On Thu, 14 Nov 2019 G.W. Haywood via clamav-users wrote:
>> On Thu, 14 Nov 2019, Paul Kosinski via clamav-users wrote:
>>
>>> ClamAV also can't deal with files bigger than 4 GB. This prevents it
>>> from scanning some videos, DVD-size ISOs, etc.
>>
>> The usefulness of scanning such files is debatable, but you can split
>> large files into pieces and scan the pieces using streaming to clamd.
>
> Video files have been used to attack buggy video players, and ISOs
> that hold software distributions can easily be that big. And
> remember that DVDs and flash disks that may be created from an ISO
> are often booted from to install whatever. This could mean your
> system is compromised at birth. ...

None of this alters the fact that if you look for malware with ClamAV,
then, if it's not a zero-day, by my estimation you have about a one in
three chance of finding it, even if the malware is in a 900 byte file.
Of course if it _is_ a zero-day, you have practically no chance. So,
even if you scan it, your system can *still* be compromised at birth,
except that now you'll think it isn't, because you've scanned it.

Trying to detect problems by scanning gigabytes of data for irrelevant
threats, or scanning entire Linux systems for some millions of Windows
viruses, when instead you could be doing something rational to prevent
those problems in the first place, is plain crackers. There seems to
be a school of thought that to secure a system, all you have to do is
install an anti-virus package, regularly scan your entire filesystem,
and you're safe. That's nonsense, and I'm not sure that the purveyors
of anti-virus packages aren't in some ways contributing to the general
misunderstanding.

If I were going to take risks like viewing random files that I'd (for
example) downloaded from the Internet using (for example) some dodgy
video player, then I'd at least first spin up a VM to do it with. If
an employee knowingly did such a thing at work then they'd be fired;
they've already signed a bit of paper which says so. One of the main
uses for ClamAV here is looking for emails which try to trick people
into doing just that sort of thing. If I'm thinking of running some
installer from an .iso file I'll be looking at least for an md5sum,
and more likely quite a bit more than that.

--

73,
Ged.
