[clamav-users] Inquiry about ClamAV's usage within sandbox
Hi ClamAV community,

Hope this email finds you well. I’m writing to inquire about the proper usage of ClamAV and whether it’s suggested to run ClamAV within a sandbox to avoid infecting other files/applications on the host if malware is detected. I have two main questions:

1. When scanning a given file, will ClamAV only do static analysis (based on the signature database), or will it execute the file and analyze its behavior? If the file is malware and we use ClamAV to scan it, will it possibly infect the scanner or infect other files/applications on the host?
2. Is there any built-in sandbox mechanism in ClamAV so that when it scans a file, the file can be scanned in an isolated environment?

Thank you so much! Looking forward to hearing from you.

Best,
Jiayi
Re: [clamav-users] Inquiry about ClamAV's usage within sandbox
Hi,

1) how about using the normal security features provided by the Linux OS?
(AppArmor, SELinux, chroot ...)

2) use containers, virtualization and similar techniques?

Eero

On Tue 22. Mar 2022 at 23.14, Yang, Jiayi via clamav-users <
clamav-users@lists.clamav.net> wrote:
Re: [clamav-users] Inquiry about ClamAV's usage within sandbox
Hi there,

On Tue, 22 Mar 2022, Yang, Jiayi via clamav-users wrote:

> ... I’m writing to inquire about the proper usage of ClamAV and
> whether it’s suggested to run ClamAV within a sandbox to avoid
> infecting other files/applications in the host if a malware is
> detected.

Vulnerabilities have been found - and fixed - in ClamAV in the past.
A sandbox or similar will probably reduce the attackable 'surface'.
I don't know what fraction of ClamAV users use sandboxing, I never
have done but I use a separate machine for the scanner and pass the
data to be scanned to it, over a network.

> 1. When scanning a given file, will ClamAV only do static analysis
> (based on signature database) or it will execute the file and
> analyze its behavior?

ClamAV will not attempt to execute the file. You can scan any file,
including non-executable files. There are some heuristics, so it's
not necessarily just using the signature database. If the file is
something like an archive ClamAV may extract the contents, which can
be a security concern. It's possible for example to create a small
archive which extracts to a huge file. ClamAV has some configuration
options to mitigate this kind of risk.

> If the file is a malware and we use ClamAV to scan the file, will it
> possibly infect the scanner or infect other files/applications on
> the host?

It's unlikely but the possibility cannot be ignored if you're serious
about security. Before attacking other parts of the system, malware
would most likely have to exploit a vulnerability in ClamAV. Use of
the word 'infect' tends to imply some sort of magic. None of this is
magic, it's just a computer doing what it's told but probably not what
was intended by its user. I'd tend to use the word 'compromise' which
means what I said in my previous sentence.

> 2. Is there any built-in sandbox mechanism in ClamAV so that when
> it scans a file, the file can be scanned in an isolated environment?

No. As has been mentioned there are several approaches to protecting
systems against this kind of thing. The ClamAV scanner might not run
on the computer which is being scanned. (I think that's question 3. :)

Your next question should be about detection rates.

--

73,
Ged.
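Ged's setup above (scanner on a separate machine, data sent to it over the network) is what clamd's INSTREAM command exists for. The client below is an added example written for this thread, not ClamAV's own code; it assumes a clamd reachable at the host and port you pass (3310 is clamd's conventional TCP port) and deliberately treats any reply it does not recognise as an error rather than as a clean verdict.

```python
import socket
import struct

# clamd INSTREAM protocol: the client sends "zINSTREAM\0", then the file body
# as chunks each prefixed with a 4-byte big-endian length, then a zero-length
# chunk. clamd replies "stream: OK\0", "stream: <Signature> FOUND\0", or a
# message ending in "ERROR\0" (for instance when its stream limit is hit).
CHUNK = 8192


def instream_frames(data, chunk=CHUNK):
    """Encode a file body as the exact byte sequence clamd expects."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out.append(struct.pack(">I", len(piece)) + piece)
    out.append(struct.pack(">I", 0))  # zero-length chunk terminates the stream
    return b"".join(out)


def parse_reply(raw):
    """Map a clamd reply to (verdict, detail).

    Anything that is not an explicit OK or FOUND is reported as an error so
    that a crashed or misbehaving scanner never passes for 'clean'."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" OK"):
        return "clean", ""
    if text.endswith(" FOUND"):
        # e.g. "stream: Win.Test.EICAR_HDB-1 FOUND" -> signature name
        return "infected", text[len("stream: "):-len(" FOUND")]
    return "error", text


def scan_bytes(data, host, port=3310, timeout=60):
    """Ship `data` to a clamd on another host and return its verdict."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):  # z-prefixed commands get NUL-terminated replies
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)
```

Because the scanning host only ever sees a byte stream, a compromise of clamd there does not by itself give an attacker a foothold on the machine that submitted the file.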

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
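The "small archive which extracts to a huge file" case Ged mentions can also be gated before the bytes reach the scanner. This is an added example for this thread, not ClamAV code: it reads only the sizes a zip declares in its headers, and its budget constants are hypothetical stand-ins for the kind of limit clamd.conf sets with MaxFileSize and MaxScanSize.

```python
import io
import zipfile

# Hypothetical budgets, chosen for the demo; clamd enforces its own limits
# (MaxFileSize, MaxScanSize, MaxRecursion, ...) during extraction.
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # largest single member we will accept
MAX_TOTAL_BYTES = 25 * 1024 * 1024    # whole-archive uncompressed budget
MAX_RATIO = 100                       # uncompressed / compressed per member


def make_bomb_zip(member_size=20 * 1024 * 1024):
    """Constructed sample: 20 MB of zeros deflates to a few KB."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"\0" * member_size)
    return buf.getvalue()


def make_benign_zip():
    """Constructed sample: ordinary, poorly compressible text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"An ordinary text file with nothing odd in it.\n")
    return buf.getvalue()


def archive_budget_check(blob):
    """Inspect central-directory metadata only; nothing is extracted.

    Returns (ok, reason, declared_total). Declared sizes can be forged, so
    this is a cheap first gate, not a replacement for limits enforced while
    actually decompressing."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile as exc:
        return False, f"not a zip: {exc}", 0
    total = 0
    for info in zf.infolist():
        total += info.file_size
        if info.file_size > MAX_MEMBER_BYTES:
            return False, f"{info.filename} declares {info.file_size} bytes", total
        ratio = info.file_size / max(info.compress_size, 1)
        if ratio > MAX_RATIO:
            return False, f"{info.filename} ratio {ratio:.0f}:1", total
    if total > MAX_TOTAL_BYTES:
        return False, f"archive declares {total} bytes in total", total
    return True, "within budget", total
```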
Re: [clamav-users] Inquiry about ClamAV's usage within sandbox
Hi Ged,

Thank you very much for the detailed reply! Could I ask more about what will happen if ClamAV is compromised? I'm guessing it will give wrong detection results for the malware and also for other files to be scanned, or the scanner will crash and then cannot work any more. Is there also a probability that when it's compromised, it could also infect other files when scanning them? I totally believe it's unlikely to happen. Just trying to consider every possibility from the security side and decide if it's better to do the scanning for different files in separate environments.

Thanks a lot! Looking forward to hearing from you.

Best,
Jiayi

On 3/22/22, 8:03 PM, "clamav-users on behalf of G.W. Haywood via clamav-users" <clamav-users-bounces@lists.clamav.net on behalf of clamav-users@lists.clamav.net> wrote:
Re: [clamav-users] Inquiry about ClamAV's usage within sandbox
Hi there,

On Wed, 30 Mar 2022, Yang, Jiayi via clamav-users wrote:

> ... what will happen if ClamAV is compromised? I'm guessing ...

It doesn't help to guess. If *anything* is compromised then you
should probably treat the entire computer as being under the control of
criminals and act accordingly. At the very least disconnect it from
the network so that it does not pose a threat to other systems.

> ... it will give wrong detection result for the malware and also for
> other files to be scanned, or the scanner will crash then cannot
> work any more.

Nothing is certain. If it is compromised then the malicious actor may
'fix' ClamAV (and the rest of the things that he has damaged) to make
them look like they are working properly when they are not. I have
seen modified system command binaries like 'ps' and 'ls' which appear
to produce process or directory listings but which in fact hide some
processes and directories or files from the lists which they produce.
To an unobservant system administrator everything appears normal, but
someone who looks carefully would see that the system was being used
for malicious purposes.

It's very likely a crash which enables the compromise. If the Bad
Actor knows what he's doing, after gaining access he might modify the
scanner to make it appear to be operating normally, but despite the
appearance fail to detect the Bad Actor's intrusion. The timestamps
on binaries are easily faked. It's not easy to fake a hash, so you
can use something like 'tripwire' to spot unexpected modifications.

> Is there also a probability that when it's compromised, it could
> also infect other files when scanning them?

If ClamAV (or anything else on your system) is compromised it does not
matter whether or not ClamAV is scanning files. The game is over, and
you lost. It's likely time to wipe discs, look for backups, reinstall.

> I totally believe it's unlikely to happen.

There's a big difference between 'unlikely' and 'impossible'.

--

73,
Ged.

Re: [clamav-users] Inquiry about ClamAV's usage within sandbox
If the purpose of doing all of this is to detect if malware is present, I would do it outside of the sandbox. The point of a sandbox is to let malware execute and NOT stop it.

> On Mar 30, 2022, at 11:48 AM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote: