jjgionta at ncsu
Apr 9, 2012, 6:31 AM
Post #1 of 3
Bump... Can anyone confirm that clamav-win does not scan memory resident
Re: Clamav-win32 Memory Scan
files but files associated with resident processes from disk?
On Thu, Mar 8, 2012 at 4:45 PM, Jason Gionta <jjgionta [at] ncsu> wrote:
> Hi all,
> I tried to get an answer from the clam-av mailing list but I haven't
> gotten any help so I was hoping the development list might help.
> From the clamav-win documentation, clamav-win supports memory scanning by
> adding the "--memory" option to the command line.
> However, after looking at the source code and tracing a running instance
> in Visual Studio, it seems that the clamav-win is not scanning memory but
> scanning files associated with processes in memory.
> Essentially the memory scan algorithm is as follows: 1) get process list,
> 2) read each processes associated modules (files), 3)extract the module's
> location in a file format, 4) scan the file by calling "_open" which read
> only permissions
> Is this correct? and if so, this seems like it is not scanning memory, but
> files on disk. Can someone confirm this?
Cyber Defense Lab
North Carolina State University
jjgionta [at] ncsu
Please submit your patches to our Bugzilla: http://bugs.clamav.net