ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
ACCESSING THE SOURCE
stormzy


Joined: 09 Mar 2015
Posts: 0
Reply with quote
Hi xqrzd,
I know it‘s been quite sometime since you shared your tool, I and a few friends I met at the ClamSentinel forum have a small open source project almost similar to yours and would greatly appreaciate if we could access the source of your app.
I think you might even be intrested to look into our project, it can be accesed at
digital-dragons.net/wordpress
Thanks in advance.
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Reply with quote
Hello stormzy. Glad to see you made it to the ClamWin forums. I do not think xqrzd is active on the forums anymore, but I could be wrong. There was a user back in, I believe, summer of last year who contacted Alch to work on a real-time protection. You might want to contact Alch and ask if you can work on it. You can contact Alch via this link: http://www.clamwin.com/component/option,com_contact/task,view/contact_id,1/Itemid,64/

Be sure, whatever you come up with, you submit the coding back to Alch so he can use it for ClamWin, too. Anything written in C++ should be no problem.

Good luck with your work and I will keep in contact.
View user's profileSend private message
RE:THANKS
stormzy


Joined: 09 Mar 2015
Posts: 0
Reply with quote
Hi ROCKNROLLKID Very Happy ,
I've been quite busy but thanks for following up, I'll try contacting Alch, then we will see where we will get with this.
I'll keep you posted if anything comes up.
Thanks anyway.
View user's profileSend private message
xqrzd


Joined: 18 Feb 2013
Posts: 0
Reply with quote
Hi,
It seems interesting. I've been working on my own project for a while (Hazard Shield), and it seems these projects are very similar, so we could combine efforts. You can take a look at the source code here https://github.com/xqrzd/HazardShield

A bit about Hazard Shield,
The latest release is from 2010. During this time I was busy with school and basically stopped working on it. Only recently (the past several months) have I started working on it again. Currently I'm rewriting the entire application, so it's only ~10% done on github.

In addition to real-time protection, it would be awesome if we could create a fully working antivirus scanner as well (eg. heuristics, rootking scanning, memory scanning, registry, browser extensions, etc.). Also, for real-time protection, it would be cool if we had behavior detection (eg. ransomeware detection) as well as exploit prevention (like EMET/MBAE) as browser/plugin exploits are extremely prevelent right now, and most AVs provide no protection against these.

If the project gets big enough we could apply for an early launch anti-malware (ELAM) driver (which is required for Windows 8.1 protected processes as well). Currently I've used ObRegisterCallbacks for self-protection, but it's a pain to use properly, whitelisting Windows activity and what-not.

Anyway, I'd be happy to help with this project, if it can replace Hazard Shield that's great. My only requirement is that it must be 100% open source. I'd also like to stay away from unsafe methods like hooking if possible.

I read the clam sentinel discussion, if you're still looking for registry monitoring, take a look at CmRegisterCallbackEx. It's the standard way to do registry filtering.

On a side note, what are your thoughts about C? I'm not fond of C++, so if the core library could be written in C that would be great. Except for the GUI, that would have to be C++ because of Qt.
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Reply with quote
Ah, so you are the one who wrote Hazard Shield. I had it on my system at one point. You did a really good job at it.

For real-time protection, I think we should tackle one or 2 and a time and then work on it from there. If time/coding is limited, I figured a on-access scanner that scans files when added or modified, a web filter, which ClamAV already has so maybe you can just snatch it from them, and some basic heuristics that can detect both PE malware and non-PE malware. Then we can add more stuff to it later on. A behavioral blocker I would just hold back. If you add some good heuristics like Sentinel has, you may not need to bother with a behavioral blocker. A native 64-bit engine would be good, too, to tackle on 64-bit malware. I know ClamAV is already 64-bit on Linux systems, but I think ClamWin is only 32-bit. Besides, Windows 10 is around the corner and it will only be 64-bit systems.

Anything written in C++ (or python), Alch would be happy to take and add it to ClamWin. If you write in C, ClamAV could make some use of it. This way, neither of them has to worry about porting.
View user's profileSend private message
xqrzd


Joined: 18 Feb 2013
Posts: 0
Reply with quote
Yeah, we should definitely tackle only a couple things at a time. The file system filter should be quick, I already have one working, it just needs a few tweaks (support for caching on ReFS, transaction operations, and FltCreateSectionForDataScan for Windows 8+).

I'm not sure about the web filter, that needs some research. I think we would want to use the Windows Filtering Platform, but something else might work.

64-bit ClamAV isn't an issue, it compiles and runs great with VS 2013 after this change, http://lists.clamav.net/pipermail/clamav-devel/2015-January/000135.html
64-bit ClamAV isn't required, it just makes the driver/service communication easier, since the structures alignment will match. It's probably required for FltCreateSectionForDataScan though. 64-bit ClamAV would probably run faster, as it would have access to more registers.
View user's profileSend private message
xqrzd


Joined: 18 Feb 2013
Posts: 0
Reply with quote
I forgot, wouldn't it be better to expand/upgrade ClamWin rather than creating a new application? It seems ClamWin's goals are similar to this, rather than creating 2 applications that do basically the same thing?
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 8
Location: USA
Reply with quote
FWIW, I vote for upgrading ClamWin; however, I think it should be less dependent upon Clam AV in a new version. Clam AV has never had much consideration for operation on an Windows system. The Clam AV signatures for some time now have been too little, too late, but some signatures are needed. I would do a real-time monitor, Clam Sentinel-type heuristics, web filter or auto-updated hosts file, and behavior blocker/registry monitor in that order. Take it a step at a time. My contribution would probably be in the design of the heuristics, as I helped with those in Clam Sentinel, based 5 years as a Clam AV sigmaker (Guitar) open source representative.

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Reply with quote
@xqrzd: Our goal is to create a working AV then hand over what is working to ClamWin (or at least that is what I am hoping). Both ways could work, but I really hope he does not decide to take the goods and run.

@GuitarBob: I think instead we should expand ClamAV, as well, just like we are doing with ClamWin. After all, it is the only way ClamAV would get better. If everyone just decided to stop using it, it will only get worse. If we develop a good enough heuristic, I am sure ClamAV would also accept it, as well. Maybe you could invest a little for Linux systems along with it.

Let's think positive about this. This could be the turning point for ClamAV/ClamWin. I have every confidence that this is exactly what the Clam family has been looking for for so long.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 8
Location: USA
Reply with quote
Perhaps you are right, RRK. It is unfortunate that Clam relies primarily upon signatures with no supplementation of protection with heuristics, but a lot of work has been done on both Clam AV and ClamWin. Clam AV has pretty good unarchiving ability, and it can parse several file types. This is as good as some commercial AVs, so lots of this code can/should be utilized. I certainly look forward to future improvements.

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Reply with quote
Just some suggestions for you guys:

It would be nice if you could expand the mail scanner plugin to other mail clients besides Outlook, like Thunderbird, Pidgin, maybe skype, etc.

I think it's time to drop all old operating systems from everything under Windows XP. Maybe you can support XP for a little bit then drop that one over time or whatever.

I think you should also limit the scans to make them much faster. I don't see a reason to scan any files that are over 10mb (maybe excluding archives). Lots of AVs are doing this to speed scans up. Also, limiting extensions will also help. This should actually be done before any real-time protection is implanted, otherwise, it will take a long time before it will detect a infection.

Maybe an addition to a web filter, you can also create a web extension to scan downloads. I know there is already an addon for Firefox called Fireclam that uses clamscan.exe and ClamAV database, but it is sort of under developed, if you know what I mean.

If I think of anymore, I will post them here.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 8
Location: USA
Reply with quote
@xqrzd: I'm curious to know what happened after I put you in touch with the Clam Sentinel developer last year.

Regards,
View user's profileSend private message
xqrzd


Joined: 18 Feb 2013
Posts: 0
Reply with quote
I don't think I've ever worked on/with Clam Sentinel. I started working on a ClamWin minifilter, but then I got busy with school/work.
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Reply with quote
Were you also the one who contacted Alch last year? Do you know what has happened with the real-time protection that was in development last year?
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 8
Location: USA
Reply with quote
Sorry, I meant ClamWin instead of Clam Sentinel. Alch told me that someone named Andrew was doing some work on it, but I've not heard anything since.

Regards,
View user's profileSend private message
On-access protection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 2 of 4  

  
  
 Reply to topic