Mailing List Archive: ClamAV: devel

Re: Clamav-win32 Memory Scan

jjgionta at ncsu

Mar 8, 2012, 1:45 PM


Hi all,

I tried to get an answer from the clam-av mailing list but I haven't gotten
any help so I was hoping the development list might help.

From the clamav-win documentation, clamav-win supports memory scanning by
adding the "--memory" option to the command line.

However, after looking at the source code and tracing a running instance in
Visual Studio, it seems that clamav-win is not scanning memory but
scanning files associated with processes in memory.

Essentially, the memory scan algorithm is as follows: 1) get the process list,
2) read each process's associated modules (files), 3) extract the module's
location in a file format, 4) scan the file by calling "_open" with read-only
permissions.

Is this correct? And if so, this seems like it is not scanning memory, but
files on disk. Can someone confirm this?

Thanks,

Jason
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
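
The flow described in the post above (process list, then each process's modules, then a read-only open of each module's file on disk), as an added PowerShell example that is not part of the original post and is not ClamAV or clamav-win32 code. The function name `Get-ModuleDiskView` is hypothetical; the output puts the on-disk file that gets read next to the in-memory region (`BaseAddress`, `MappedBytes`) that this flow never reads.

```powershell
# Added illustration, not ClamAV code: process -> module -> file on disk.
function Get-ModuleDiskView {
    param([int[]]$ProcessId = @($PID))   # default: the current PowerShell process

    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        foreach ($proc in Get-Process -Id $ProcessId -ErrorAction SilentlyContinue) {
            # Listing modules can fail for protected or already-exited processes.
            try { $modules = @($proc.Modules) }
            catch { Write-Warning "PID $($proc.Id): cannot list modules"; continue }

            foreach ($m in $modules) {
                $path = $m.FileName
                $hash = $null
                $fileBytes = $null
                try {
                    # Read-only open of the backing file, comparable to the
                    # read-only _open() call the post describes.
                    $fs = [System.IO.File]::OpenRead($path)
                    try {
                        $fileBytes = $fs.Length
                        $hash = [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', ''
                    } finally { $fs.Dispose() }
                } catch {
                    Write-Warning "PID $($proc.Id): cannot read $path"
                }

                [pscustomobject]@{
                    Pid         = $proc.Id
                    Module      = $m.ModuleName
                    Path        = $path
                    FileBytes   = $fileBytes    # what was actually read
                    FileSha256  = $hash
                    # In-memory image: reported for comparison only; no byte
                    # in this range is read by the flow above.
                    BaseAddress = '0x{0:X}' -f $m.BaseAddress.ToInt64()
                    MappedBytes = $m.ModuleMemorySize
                }
            }
        }
    } finally { $sha.Dispose() }
}

Get-ModuleDiskView | Format-Table Pid, Module, FileBytes, MappedBytes, BaseAddress -AutoSize
```

Every byte hashed here comes from the file at `Path`; content that exists only in a process's address space, with no backing module file, does not appear in the output at all.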
