On-access protection
GuitarBob

Well, you have made a good start, and perhaps it can be improved as you/someone gets the time. I hope not too much needs to be done to enable operation on multiple Windows versions, but legacy support is probably not as important as it once was, and perhaps ClamWin mini-driver operation could only be included for certain versions of Windows.
Lots of malware masquerades as protected Windows files and the non-PE file malware is increasing as Windows security gets tightened up, although PE malware is still more numerous at maybe 80-90% of the total. Regards,

xqrzd

Thanks for your comments
It can easily run on Windows XP+, I just need to recompile it. It ignores Windows files by using SfcIsFileProtected(). Windows itself maintains this list; it should always be correct, unless the system is already compromised. Do you think it would be better to scan files as they are created / written or as they are read from?

GuitarBob

Some of the AVs do both a scan on-read and on-write, but I think on-write is probably the better choice of the two if code/time/etc. are limited. A file is usually infected on-write.
What keeps me up nights are the malware injections into existing processes, which initially don't get written anywhere, and the drive-by downloads of brand new malware/exploits for which there are not yet any signatures. However, it is getting harder for run-of-the-mill malware writers to bypass DEP/ASLR, etc., and we are slowly getting a handle on exploit patching, so the bar is getting higher for malware writers. Regards,

xqrzd

Do you know if ClamAV includes signatures for malware in memory? I could write a VAD parser, which could catch code injection. Hooking WriteProcessMemory / CreateRemoteThread could help stop code injection, but that is beyond me.
I will start working on scanning files as they are written. Do you know where the ClamWin source is? I would like the definition of CWScanFile_W, but I can't find it anywhere. Also, I updated my original post; it will now run on Windows XP.

GuitarBob

I don't know for sure whether or not Clam AV scans memory, but I doubt it--it was designed primarily for email servers, and there is not much need for memory scans on them. That is the problem--to a large extent, they never got beyond that use. The Sourcefire guys are better now that they have responsibility for Clam, and I look forward to some more practical development if they hang in there with it.
Here is a link to ClamWin source information: http://www.clamwin.com/content/view/178/27/ from the FAQ. I've referenced this thread to the ClamWin developers. I think that whatever you can do will help--either now or later. Regards,

GuitarBob

Has there been any more progress on this project?
Regards,

xqrzd

I stopped working on it because I thought people weren't interested. I can continue; I'm about halfway done with the scan on write. I should be able to post a new version in a few days. I can also start on a VAD parser, but it seems ClamAV's automated 'signatures' are just PE section hashes, which are wasted on a memory scanner.

GuitarBob

Well, I hope you take it as far as you can. ClamWin needs to have on-access capability, and you will provide a start. Even the Clam Sentinel resident front end to ClamWin isn't on-access. It scans files as they are added, modified, or copied and only controls them in suspended mode for its heuristic scan, so fast-acting malware can still execute.
Clam AV uses a PE section hash for its automated signatures because it's easy to do a lot of them that way, and they now comprise the bulk of their signatures. They don't seem to use the code section, so they get some false positives on the other sections due to import tables and other data. I was under the impression that ClamWin transfers the processes in memory to disk files and then scans them, but maybe I'm wrong; however, I think that's the only way they can do them, since Clam AV never had to worry about memory scans in its Linux code. ClamWin does have the option to remove infected files from memory. I visited your web site--you guys look busy. Regards,

xqrzd

I'm mostly busy with school, so I don't have a lot of spare time. For write scanning, I have files scanned as they are closed if they were opened for write access (since ClamAV is designed to scan whole files and not just parts). This eliminates a lot of unnecessary scanning. Do you think it's better to have an inclusion list for extensions (eg .doc, .pdf, .jar...), or exclusion list (.dat, .txt, .pf...)?

xqrzd

I've posted a new version that can scan files on write; however, since libclamav cannot access the files, I can only scan them afterwards. cl_scanmap_callback() fixes this; however, it has some bugs, so until ClamAV fixes this function, file writes cannot be blocked in real time.

GuitarBob

I just noticed your question re: an inclusion/exclusion list. It's probably better to have an inclusion list rather than an exclusion list. The primary extensions to include would be Windows executables, as this is how most of the damage is done. In my experience, malware uses a list of 20-30 extensions about 95% of the time. I currently have ClamWin look at exe, dll, js, htm, html, swf, tmp, eml, scr, zip, inf, bat, bin, class, pdf, lnk, pif, doc, docx, job, sys, rtf, xls, xlsx, ocx, and rar. This is sort of in the order in which I see them used. You should probably add cpl, com.
The list of extensions that malware could use is almost limitless, but in my experience, 20 to 30 extensions covers most cases. Clam Sentinel looks at 130+ extensions which is pretty complete. Regards,

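The two design points discussed in this thread (scan a file once at close if its handle was opened for write, and filter by an extension inclusion list) modelled in portable C. This is an added example, not code from xqrzd's driver or from ClamWin; the handle context, the `written` refinement (skip files opened read/write but never modified) and the function names are assumptions standing in for the minifilter's create/write/cleanup callbacks.

```c
/* Added example: on-access scan policy from the thread, modelled without the WDK.
 * A per-handle context is filled in at create, updated on write, and consulted
 * at cleanup (last handle close) to decide whether to queue a whole-file scan. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Inclusion list as given in the post above, plus the suggested cpl and com. */
static const char *const kScanExts[] = {
    "exe", "dll", "js", "htm", "html", "swf", "tmp", "eml", "scr", "zip", "inf",
    "bat", "bin", "class", "pdf", "lnk", "pif", "doc", "docx", "job", "sys",
    "rtf", "xls", "xlsx", "ocx", "rar", "cpl", "com", NULL };

typedef struct {
    bool opened_for_write;   /* requested access included a write right */
    bool written;            /* at least one write completed on this handle */
} handle_ctx;                /* hypothetical stand-in for a stream handle context */

/* True if the last path component has an extension on the inclusion list.
 * Only the final '.' counts, so "archive.tar.gz" is judged by "gz"; the
 * comparison is case-insensitive because NTFS names are. */
static bool ext_listed(const char *path) {
    const char *name = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') name = p + 1;
    const char *dot = strrchr(name, '.');
    if (!dot || dot == name || dot[1] == '\0') return false;  /* no extension */
    for (size_t i = 0; kScanExts[i]; i++) {
        const char *a = dot + 1, *b = kScanExts[i];
        while (*a && *b && tolower((unsigned char)*a) == (unsigned char)*b) { a++; b++; }
        if (*a == '\0' && *b == '\0') return true;
    }
    return false;
}

/* Create callback: remember whether write access was granted. */
static void on_create(handle_ctx *c, bool wants_write) {
    c->opened_for_write = wants_write;
    c->written = false;
}
/* Write callback: only handles opened for write can actually modify the file. */
static void on_write(handle_ctx *c) { if (c->opened_for_write) c->written = true; }

/* Cleanup callback: scan the whole file once, after the last write, and only
 * when its extension is on the list. Reads never trigger a scan here. */
static bool scan_on_cleanup(const handle_ctx *c, const char *path) {
    return c->written && ext_listed(path);
}
```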
Jadukiewicz

Hello, xqrzd
I am interested in your on-access driver for ClamWin. I cannot send a PM, so please send me a PM or write here. Regards.

xqrzd

Sure, what are you interested in? I haven't worked on it in a while; it still needs a lot of work.

Jadukiewicz

I am interested in improving the on-access driver.
I want to make an antivirus, starting with the ClamWin/ClamAV engine in real time. Please contact me by mail and we will agree on the details: adrianjadukiewicz @ gmail .com If you write to me, my email will be deleted from this thread.

Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.