scanning 64 bit executables - fail?

clam.Man (Joined: 29 Nov 2010, Posts: 0)
Posted: Wed Sep 07, 2011 12:55 pm
i just got a real wake-up call here... i'm finding that a lot of AV products, although touting full 64 bit compatibility, are not able to scan some 64 bit executables.
i would guess that 64 bit malware is pretty sparse at the moment, but at some point in the future it will become the standard.

the command line versions of Emsisoft, Ikarus, AntiVir and Sophos all choke on at least some 64 bit executables (exe/dll) - why 'some' and not all, i do not know.

clamscan tells me it's processing these files, but is it really? or is it just not reporting that they cannot be scanned? clamscan is, after all, a 32 bit binary.

 
	| GuitarBob
 
 
 
			| Joined: 09 Jul 2006 |  | Posts: 9 |  | Location: USA |    |  | 
	
		|  Posted: Wed Sep 07, 2011 4:36 pm |  |  |  |  
Not to worry!  The Clam AV engine is a file signature scanner--nothing fancy there in the way of emulation/sandboxing.  It relies upon various hashes/string information from the Windows PE file (and sometimes Linux).  As far as I know, the 64 bit files have not been significantly changed (they have to be backwardly compatible), so ClamWin should be able to scan any file in looking for a signature.  The only 64 bit viruses I have seen so far are rootkits (bad stuff!), and I think only the really adept malware programmers will be doing anything with 64 bits for a while.
Regards,

 
	| clam.Man
 
 
 
			| Joined: 29 Nov 2010 |  | Posts: 0 |  |  |    |  | 
	
		|  Posted: Wed Sep 07, 2011 5:11 pm |  |  |  |  
thanks for the reply GuitarBob - i appreciate it!
i wouldn't mind if a CW dev could confirm this however - i built myself a wrapper (Digital Disease Terminator, https://12bytes.org/software/digital-disease-terminator) which can use several scanners and have made it public, so i'd like to be doubly sure about this for documentation purposes.

 
	| GuitarBob
 
 
 
			| Joined: 09 Jul 2006 |  | Posts: 9 |  | Location: USA |    |  | 
	
		|  Posted: Wed Sep 07, 2011 11:36 pm |  |  |  |  
Sure, I will pass this thread on to Alch/Sherpya.  You can check this out for yourself, however.  Get an MD5 file hash of a 64-bit program (I tested it on the Win 7 Internet Explorer: iexplore.exe in the Win 7 Program directory--not the X32 Program directory), put the hash in a Clam signature format (hash:filesize:DummyVirusName) in a Notepad file and save it as Sigfile.hdb in the ClamWin database directory.  Then scan the original file in the Win 7 Program directory with ClamWin--have it set to Report Only--not Quarantine/Remove.  ClamWin should detect the file as infected, but with a false positive warning since it is a signed Microsoft file.  After you are sure it works, delete the Sigfile.hdb from the ClamWin database directory.
Clam also uses other types of signatures, but if the hdb file hash signature works, the other signature types should work also.

Additionally, with Clam now furnishing a Windows port to Immunet, which is looking to be the Windows AV for the future, Clam now has more concern than it used to have with use of its code on present/future Windows computers, which certainly includes the 64 bit versions.

Below is the sig I developed for the Win 7 iexplore.exe executable.

f1424c1b9b1813bf825e45df3790bc8a:754480:DummyVirusName

Regards,

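The .hdb test GuitarBob describes above, as an added example that is not from the thread or from the ClamWin project: it builds a hash:filesize:name record for a file, parses records in that format (including the record quoted in the post), and checks a file against one. The file it signs is a constructed byte string, not a real executable, and the final step shows why a one-byte change defeats a pure hash signature.

```python
import hashlib
import pathlib
import re
import tempfile

# One .hdb record per line: <md5 hex>:<file size in bytes>:<signature name>
# (newer ClamAV engines also accept '*' as a size wildcard).
HDB_RE = re.compile(r"^([0-9a-fA-F]{32}):(\d+|\*):([^:\s]+)$")
# Constructed sample "executable": a fake MZ header plus padding, not a real PE.
SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed PE-like test payload"

def md5_and_size(path):
    """Stream the file once, returning (lowercase md5 hex, byte length)."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size

def make_hdb_signature(path, name):
    """Return an .hdb line for path in the hash:filesize:name form from the post."""
    digest, size = md5_and_size(path)
    return f"{digest}:{size}:{name}"

def parse_hdb_line(line):
    """Split an .hdb line into (md5, size or None for '*', name); reject malformed input."""
    m = HDB_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid .hdb record: {line!r}")
    digest, size, name = m.groups()
    return digest.lower(), (None if size == "*" else int(size)), name

def hdb_matches(line, path):
    """True if the file at path has the hash (and size, unless wildcard) named by the record."""
    digest, size, _name = parse_hdb_line(line)
    actual_digest, actual_size = md5_and_size(path)
    return actual_digest == digest and (size is None or size == actual_size)

def demo():
    """Sign the constructed file, then show that changing one byte breaks the match."""
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "sample.exe")
        path.write_bytes(SAMPLE)
        sig = make_hdb_signature(path, "DummyVirusName")
        hit_original = hdb_matches(sig, path)
        path.write_bytes(SAMPLE[:-1] + b"!")  # same size, different content
        hit_modified = hdb_matches(sig, path)
    return sig, hit_original, hit_modified
```

Save the line returned by make_hdb_signature as a .hdb file in the database directory and scan in Report Only mode, as the post says, then remove it again.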
 
	| sherpya
 
 
 
			| Joined: 22 Mar 2006 |  | Posts: 0 |  | Location: Italy |    |  | 
	
		|  Posted: Thu Sep 08, 2011 7:47 am |  |  |  |  
clamav currently also scans 64bit windows executables regardless of the fact that the executable is 32bit

clam.Man (Joined: 29 Nov 2010, Posts: 0)
Posted: Fri Sep 09, 2011 3:39 am
thanks guys - i appreciate it
not all scanners use the same principle i guess

GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Fri Sep 09, 2011 10:48 am
The Clam AV engine used by ClamWin does not do any significant emulation/sandboxing, so it is not dependent upon the actual execution of a file, which includes the 64 bit stuff.
Regards,