Mailing List Archive

Michael Kang:
It depends on what you are trying to detect. The signatures should
work fine for detecting the malware they contain signatures for, but if you
are looking for ClamAV to detect malware compiled for ARM, it will detect
them if there are signatures written for that malware. The definitions are
host system agnostic, which is why many people use them on Linux/BSD
systems to detect Windows malware.

Michael M. Minor


On Mon, Mar 1, 2021 at 11:50 AM Michael Kang via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
>
>
> We are working on Nvidia’s Jetson Xavier NX product, of which the CPU is
> “6-core NVIDIA Carmel 64-bit ARMv8.2 @ 1400MHz* (6MB L2 + 4MB L3)”.
>
> The operating system is Linux Ubuntu 18.04 for ARM. Below is a link to the
> platform:
>
>
> https://developer.nvidia.com/blog/jetson-xavier-nx-the-worlds-smallest-ai-supercomputer/
>
>
>
> I understand ClamAV could be cross-compiled to run on ARM platform.
>
>
>
> My questions is more related to the virus database/signature files.
>
>
>
> I am assuming the existing virus database is for x86 architectures (Intel
> or AMD CPUs).
>
>
>
> Since ARM binaries are different from x86 binaries, can I assume different
> database/signature files would be needed for ARM platforms?
>
>
>
> Thanks,
>
> Michael Kang
>
>
>
>
> *Disclaimer*
>
> This e-mail is intended only for the person to whom it is addressed (the
> "addressee") and may contain confidential and/or privileged material. This
> email and the information contained within are the property of WOLF
> Advanced Technology. Any review, retransmission, dissemination or other use
> that a person other than the addressee makes of this communication is
> prohibited and any reliance or decisions made based on it, are the
> responsibility of such person. We accept no responsibility for any loss or
> damages suffered as a result of decisions made or actions taken based on
> this communication or otherwise. Please note that any views or opinions
> presented in this e-mail are solely those of the author and do not
> necessarily represent those of WOLF Advanced Technology. The addressee
> should check this e-mail and any attachments for the presence of malware.
> WOLF Advanced Technology accepts no liability for any damage caused by any
> malware transmitted by this e-mail. If you received this in error, please
> contact the sender and destroy all copies of this e-mail.
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

On 3/1/21 9:45 AM, Michael Kang via clamav-users wrote:
> Hi there,

Hi,

> I understand ClamAV could be cross-compiled to run on ARM platform.

I would also expect that it could be compiled natively on said ARM
platform. ;-)

> My questions is more related to the virus database/signature files.
>
> I am assuming the existing virus database is for x86 architectures
> (Intel or AMD CPUs).
>
> Since ARM binaries are different from x86 binaries, can I assume
> different database/signature files would be needed for ARM platforms?

I don't know.

But I have two thoughts.

1) Do you still want to scan for the same viruses for other platforms?
If so, I'd think you would want the same definitions. You would also
want additional definitions for the local platform.

2) Are the virus definitions subject to big-endian vs little-endian
byte ordering? Or are they agnostic?

I don't know. But I hope to learn by watching and reading this thread.



--
Grant. . . .
unix || die

Hi there,

On Mon, 1 Mar 2021, Michael Kang via clamav-users wrote:

> We are working on Nvidia's Jetson Xavier NX product, of which the CPU is "6-core NVIDIA Carmel 64-bit ARMv8.2 @ 1400MHz* (6MB L2 + 4MB L3)".
> The operating system is Linux Ubuntu 18.04 for ARM. Below is a link to the platform:
> https://developer.nvidia.com/blog/jetson-xavier-nx-the-worlds-smallest-ai-supercomputer/
>
> I understand ClamAV could be cross-compiled to run on ARM platform.

If it's a "supercomputer", can you not run a compiler on the machine?
There should be no need to cross-compile.

> My questions is more related to the virus database/signature files.
>
> I am assuming ...

Assume makes and Ass out of u and me. :)

> ... can I assume different database/signature files would be needed
> for ARM platforms?

The signature database is made up of several different signature types,
see the documentation for _example_ at

https://www.clamav.net/documents/clam-antivirus-user-manual
https://www.clamav.net/documents/extended-signature-format
https://www.clamav.net/documents/file-type-magic
https://www.clamav.net/documents/clamav-file-types
https://www.clamav.net/documents/using-yara-rules-in-clamav

It does not matter on what architecture the ClamAV scanners run. On
every architecture on which they run they apply the signature database
to the data in exactly the same way, and produce the same results. It
may of course be quicker to run on some architectures than on others.

Some signatures look for binary data of the kind which makes sense on
one architecture and not if you're using another. Many signatures are
however written to match things like English words and phrases or bits
of interpreted code (e.g. Javascript, Word macros) so the architecture
is irrelevant to the scan - but of course it might not be irrelevant
from other points of view.

I don't know if there are any signatures specific to your architecture
in the ClamAV database, but if there are I'd be surprised if the count
was a significant fraction of the total.

We only use Linux. We only scan mail. We're using the standard
ClamAV database and a bunch of third-party databases too, so we're
scanning for many things which are only threats to machines which are
running Windows. But it's just as well to scan outgoing mail too and
recipients of our mail might run Windows. It doesn't use excessive
CPU to do a scan, so I don't worry about it.

If, when you have some experience of scanning performance, you think
it isn't acceptable to scan for things which aren't direct threats to
your equipment, and it would be better to skip scanning for things
which aren't a direct threat to your installation, then you could look
at creating your own databases. It's a huge task, and I should think
it unlikely that you would find it rewarding.

The less popular architectures are affected by fewer threats, for
obvious reasons.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Hi Grant,

Thanks very much for sharing your thoughts. I appreciate it.

Michael

-----Original Message-----
From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of Grant Taylor via clamav-users
Sent: March 1, 2021 12:21 PM
To: clamav-users@lists.clamav.net
Cc: Grant Taylor <gtaylor@tnetconsulting.net>
Subject: Re: [clamav-users] Use ClamAV on ARM Platform (Nvidia

On 3/1/21 9:45 AM, Michael Kang via clamav-users wrote:
> Hi there,

Hi,

> I understand ClamAV could be cross-compiled to run on ARM platform.

I would also expect that it could be compiled natively on said ARM platform. ;-)

> My questions is more related to the virus database/signature files.
>
> I am assuming the existing virus database is for x86 architectures
> (Intel or AMD CPUs).
>
> Since ARM binaries are different from x86 binaries, can I assume
> different database/signature files would be needed for ARM platforms?

I don't know.

But I have two thoughts.

1) Do you still want to scan for the same viruses for other platforms?
If so, I'd think you would want the same definitions. You would also want additional definitions for the local platform.

2) Are the virus definitions subject to big-endian vs little-endian byte ordering? Or are they agnostic?

I don't know. But I hope to learn by watching and reading this thread.



--
Grant. . . .
unix || die

Disclaimer

The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.

This email has been scanned for viruses and malware.