
Mailing List Archive: ClamAV: devel

Re: Clamav-win32 Memory Scan




jjgionta at ncsu

Mar 8, 2012, 1:45 PM


Hi all,

I tried to get an answer from the clam-av mailing list but I haven't gotten
any help so I was hoping the development list might help.

From the clamav-win documentation, clamav-win supports memory scanning by
adding the "--memory" option to the command line.

However, after looking at the source code and tracing a running instance in
Visual Studio, it seems that clamav-win is not scanning memory but
scanning files associated with processes in memory.

Essentially the memory scan algorithm is as follows: 1) get process list,
2) read each process's associated modules (files), 3) extract the module's
location in a file format, 4) scan the file by calling "_open" with read-only
permissions

Is this correct? And if so, this seems like it is not scanning memory, but
files on disk. Can someone confirm this?
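
The following is an added illustration, not part of the original post and not ClamAV code: a small model of the four steps described above, run once with a reader that opens each module's file and once with a reader that takes the mapped image at the module's base address. The process table, paths, addresses and the pattern are constructed sample data, and all function names are hypothetical.

```python
# Added illustration: a model of the two scan strategies, not ClamAV code.
from dataclasses import dataclass

SIGNATURE = b"EXAMPLE-TEST-PATTERN"  # constructed pattern, not a real signature

@dataclass
class Module:
    path: str   # file the module was loaded from
    base: int   # address where the image is mapped
    size: int   # size of the mapped image in bytes

# Constructed sample data: file contents keyed by path.
DISK = {
    r"C:\demo\app.exe": b"MZ" + b"\x00" * 30,
    r"C:\demo\helper.dll": b"MZ" + b"\x00" * 30,
}
# Constructed mapped images keyed by base address. The image of helper.dll
# no longer matches its file: its content changed after it was loaded.
MEMORY = {
    0x400000: b"MZ" + b"\x00" * 30,
    0x10000000: b"MZ" + b"\x00" * 10 + SIGNATURE,
}
PROCESSES = {
    1234: [Module(r"C:\demo\app.exe", 0x400000, 32),
           Module(r"C:\demo\helper.dll", 0x10000000, 32)],
}

def read_from_disk(mod):
    """Steps 3-4 of the post: resolve the module's path and read the file."""
    return DISK[mod.path]

def read_from_memory(mod):
    """Alternative byte source: the mapped image at the module's base."""
    return MEMORY[mod.base][:mod.size]

def scan(processes, reader):
    """Steps 1-2: walk every process and module; return (pid, path) matches."""
    hits = []
    for pid, modules in sorted(processes.items()):
        for mod in modules:
            if SIGNATURE in reader(mod):
                hits.append((pid, mod.path))
    return hits

if __name__ == "__main__":
    print("file-based scan:  ", scan(PROCESSES, read_from_disk))
    print("memory-based scan:", scan(PROCESSES, read_from_memory))
```

The enumeration is identical in both runs; only the byte source differs, which is why a scan that opens module paths reports on the files rather than on what is currently mapped.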

