ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Google Summer of Code Emulation Project
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I saw in the Wiki that the ClamWin developers are considering getting some help from this summer's Google Summer of Code project to help develop behavioral code emulation in ClamWin. I think this is a worthwhile project and it may help ClamWin move away (to a certain extent) from ClamAV.

There was a master's thesis written about emulation in Windows in 2005. A Web page describing it can be found at http://www.seclab.tuwien.ac.at/projects/ttanalyze/. The page also has a link to the master's thesis, which resulted in a software program called TTAnalyze, which was never released. It morphed into the Anubis project, which now offers free behavioral malware analysis online at http://analysis.seclab.tuwien.ac.at/index.php.

I suggest that this material be consulted if the ClamWin emulation idea gets the go-ahead.

Regards,
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Followup: I didn't see Clam/ClamWin listed as getting any help from the 2007 Google Summer of Code. Last year, Clam had an emulation project on their "to do" list, so maybe something came/will come of it--let's hope so. Emulation would make a good "next step" in increasing the functionality of Clam/ClamWin. Qemu is a good tool to incorporate/modify. It's already written, and emulation would obviate the need for generic unpacking or any unpacking. It's probably too slow for on-access scanning, but it could be very helpful for on-demand scanning of new files.

Regards,
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Thanks for the links.
When we wrote up the task we were looking at QEmu and chose it as the platform for it.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I hope the links help. You might contact Clam to see if they have any plans for emulation. The Anubis people might be able to provide some assistance, as I believe the predecessor project was Open Source.

Regards,
b0ne


Joined: 26 Oct 2006
Posts: 0
GuitarBob wrote:
I hope the links help. You might contact Clam to see if they have any plans for emulation. The Anubis people might be able to provide some assistance, as I believe the predecessor project was Open Source.


The project isn't being distributed so technically it isn't open source. They merely used open source Qemu internally. As long as you don't distribute the GPL software outside of your organization, you are not required to release your code.

Sherpya and I have discussed doing an emulator, but the main problem is not emulation technology which qemu/bochs can provide, but the underlying "windows API" that must support the malware code inside of the emulation environment.

The anubis guys have a full windows install running inside of a full qemu virtual machine image. (aka several gigabytes of "windows")

They have "listener programs" that execute inside of the VM to look up what modules are currently running, what their memory spaces are, etc, prior to them executing.

Outside of the VM environment, Qemu stops when it starts executing what it thinks is the entry point of an API, then passes the API's argument data to "logger" functions that reside outside the VM as well. It resumes execution of the VM environment after logging has completed. An extremely complicated way to implement API logging, very slow, but also effective.

No AVs implement emulators using full Windows installs; they're too large and too slow. Most use single-process execution environments in which the custom-implemented Win32 API contains special "debug output" for the emulator to intercept and pass out to the external emulation environment.
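To make the "single-process execution environment" design from the post above concrete, here is an added toy harness in Python. It is not ClamWin, ClamAV or Anubis code. The Win32 API is replaced by stub implementations whose real job is to emit the "debug output" (a call trace) that the scanner then inspects with a couple of behavioural rules. The API names and the GENERIC_WRITE value are real Win32 identifiers; the sample program, the handle numbering, the rule names and the Run-key path matching are all constructed for illustration.

```python
# Added example, not ClamWin/ClamAV/Anubis code: a toy single-process
# emulation harness. Guest "code" is a list of API calls; each call hits a
# stub whose side effect is to log into a trace the scanner can inspect.
from dataclasses import dataclass, field

GENERIC_WRITE = 0x40000000  # real Win32 access flag


@dataclass
class EmuEnv:
    """State the emulated program sees, plus the trace the scanner reads."""
    trace: list = field(default_factory=list)
    files: dict = field(default_factory=dict)
    registry: dict = field(default_factory=dict)
    next_handle: int = 0x100  # constructed starting handle value


API_TABLE = {}


def win32_api(name):
    """Register a stub under its Win32 export name (the emulator's 'IAT')."""
    def register(fn):
        API_TABLE[name] = fn
        return fn
    return register


@win32_api("CreateFileA")
def create_file_a(env, path, access):
    handle = env.next_handle
    env.next_handle += 4
    env.files[handle] = {"path": path, "access": access, "data": b""}
    return handle


@win32_api("WriteFile")
def write_file(env, handle, data):
    f = env.files.get(handle)
    if f is None or not (f["access"] & GENERIC_WRITE):
        return 0  # FALSE, as the real API returns on a bad handle
    f["data"] += data
    return 1  # TRUE


@win32_api("RegSetValueExA")
def reg_set_value_ex_a(env, key, value_name, data):
    env.registry[(key.lower(), value_name)] = data
    return 0  # ERROR_SUCCESS


def emulate(env, program):
    """Dispatch each call the sample makes and record (name, args, result).

    A real emulator would land in these stubs when guest code jumps through
    an import; here the "program" is simply a list of (api_name, args).
    Unsupported APIs are logged with result None instead of aborting.
    """
    for name, args in program:
        stub = API_TABLE.get(name)
        result = stub(env, *args) if stub is not None else None
        env.trace.append((name, args, result))
    return env.trace


RUN_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\run"


def behaviour_flags(env):
    """Constructed behavioural rules evaluated over the call trace."""
    flags = set()
    dropped = set()
    for name, args, _ in env.trace:
        if name == "CreateFileA" and (args[1] & GENERIC_WRITE):
            path = args[0].lower()
            if path.startswith("c:\\windows\\system32\\"):
                flags.add("writes_to_system32")
                dropped.add(path)
        if name == "RegSetValueExA" and args[0].lower() == RUN_KEY:
            flags.add("sets_run_key")
            if args[2].lower() in dropped:
                flags.add("persists_dropped_file")
    return sorted(flags)


def scan(program):
    """Run a program through the harness and return the flags it trips."""
    env = EmuEnv()
    emulate(env, program)
    return behaviour_flags(env)


# Constructed sample: drops a file into System32 and registers it to run at logon.
SAMPLE_PROGRAM = [
    ("CreateFileA", ("C:\\Windows\\System32\\dropped.exe", GENERIC_WRITE)),
    ("WriteFile", (0x100, b"MZ...")),
    ("RegSetValueExA", ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                        "dropped", "C:\\Windows\\System32\\dropped.exe")),
    ("ExitProcess", (0,)),  # no stub: logged as unsupported
]

if __name__ == "__main__":
    print(scan(SAMPLE_PROGRAM))
```

The point of the design is the one the post makes: the expensive part is not the CPU emulation but the fake Win32 surface. Every API the sample might call needs a stub that behaves plausibly enough for the sample to keep running, and the trace those stubs emit is what detection actually consumes.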
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Looks like a full Windows emulation is only practical for an antivirus lab then. Is there anything that can be done on the ClamWin side to improve the detection rate--or will we just have to wait until ClamAV implements additional packers, heuristics, generic signatures, etc.?

Regards,