Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: ClamAV: devel

Re: Clamav-win32 Memory Scan

 

 

ClamAV devel RSS feed   Index | Next | Previous | View Threaded


jjgionta at ncsu

Apr 9, 2012, 6:31 AM

Post #1 of 3 (814 views)
Permalink
Re: Clamav-win32 Memory Scan

Bump... Can anyone confirm that clamav-win does not scan memory resident
files but files associated with resident processes from disk?

Thanks,

Jason

On Thu, Mar 8, 2012 at 4:45 PM, Jason Gionta <jjgionta [at] ncsu> wrote:

> Hi all,
>
> I tried to get an answer from the clam-av mailing list but I haven't
> gotten any help so I was hoping the development list might help.
>
> From the clamav-win documentation, clamav-win supports memory scanning by
> adding the "--memory" option to the command line.
>
> However, after looking at the source code and tracing a running instance
> in Visual Studio, it seems that the clamav-win is not scanning memory but
> scanning files associated with processes in memory.
>
> Essentially the memory scan algorithm is as follows: 1) get process list,
> 2) read each processes associated modules (files), 3)extract the module's
> location in a file format, 4) scan the file by calling "_open" which read
> only permissions
>
> Is this correct? and if so, this seems like it is not scanning memory, but
> files on disk. Can someone confirm this?
>
> Thanks,
>
> Jason
>
>


--
Jason Gionta
Cyber Defense Lab
North Carolina State University
jjgionta [at] ncsu
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net


sherpya at netfarm

Apr 9, 2012, 10:03 AM

Post #2 of 3 (764 views)
Permalink
Re: Clamav-win32 Memory Scan [In reply to]

On 09/04/2012 15:31, Jason Gionta wrote:
> Bump... Can anyone confirm that clamav-win does not scan memory resident
> files but files associated with resident processes from disk?
>
> Thanks,

ClamWin (not clamav-win32 the official port) scans on disk processes
loaded in memory (as you think), and if an executable "looks" (by using
some heuristics) packed it gets dumped from memory and then scanned,
tough not very useful because of missing signatures of such kind
It's not really scanning memory, but it can easy spot loaded malware
without scanning the whole system

Regards

--
Gianluigi Tiesi <sherpya [at] netfarm>
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/

Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net


jjgionta at ncsu

Apr 9, 2012, 10:25 AM

Post #3 of 3 (765 views)
Permalink
Re: Clamav-win32 Memory Scan [In reply to]

Thanks for the follow up. I had the wrong impression. I'll have to take
another look.

You also raised another concern of mine. Is it correct that clamav does
not contain signatures for memory resident only malware?

Thanks again,

Jason



On Mon, Apr 9, 2012 at 1:03 PM, Gianluigi Tiesi <sherpya [at] netfarm> wrote:

> On 09/04/2012 15:31, Jason Gionta wrote:
>
>> Bump... Can anyone confirm that clamav-win does not scan memory resident
>> files but files associated with resident processes from disk?
>>
>> Thanks,
>>
>
> ClamWin (not clamav-win32 the official port) scans on disk processes
> loaded in memory (as you think), and if an executable "looks" (by using
> some heuristics) packed it gets dumped from memory and then scanned, tough
> not very useful because of missing signatures of such kind
> It's not really scanning memory, but it can easy spot loaded malware
> without scanning the whole system
>
> Regards
>
> --
> Gianluigi Tiesi <sherpya [at] netfarm>
> EDP Project Leader
> Netfarm S.r.l. - http://www.netfarm.it/
> Free Software: http://oss.netfarm.it/
>
> Q: Because it reverses the logical flow of conversation.
> A: Why is putting a reply at the top of the message frowned upon?
>



--
Jason Gionta
Cyber Defense Lab
North Carolina State University
jjgionta [at] ncsu
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

ClamAV devel RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.