ClamWin Free Antivirus
Support and Discussion Forums
Scanning write buffers
akmalhot


Joined: 12 Jun 2012
Posts: 0
I am playing with the idea of trying to make a Scanner File System Filter driver work with Clamwin:

https://code.msdn.microsoft.com/windowshardware/Scanner-File-System-426c8cbe

The goal is to keep the system safe from infected USB drives, and to monitor/scan file opens/reads/writes from/to files on removable media.

Is there anything wrong with this idea? Is it even possible to get ClamWin to scan a write buffer (if yes, how)? Has this already been done before?

Appreciate your help and suggestions.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I have referenced your post to both the ClamWin and Clam Sentinel developers. A mini-filter driver is badly needed by both programs. Someone should be contacting you soon.

Thank you for using ClamWin, and thank you for bringing this topic up.

Regards,
Re: Scanning write buffers
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
akmalhot wrote:
I am playing with the idea of trying to make a Scanner File System Filter driver work with Clamwin:

https://code.msdn.microsoft.com/windowshardware/Scanner-File-System-426c8cbe

The goal is to keep the system safe from infected USB drives, and to monitor/scan file opens/reads/writes from/to files on removable media.

Is there anything wrong with this idea? Is it even possible to get ClamWin to scan a write buffer (if yes, how)? Has this already been done before?

Appreciate your help and suggestions.


Unfortunately, because of the way libclamav operates and the way signatures are written, there is no way to scan a block of memory in ClamAV, and that is probably the main reason why we don't have a resident scanner yet.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Andrea Russo of Italy does use ClamWin to scan in "real-time" with his free, open source program, Clam Sentinel. It scans fairly fast, but it does no hooking to disable a file from acting during the scan, so some fast-acting viruses can still do some damage. To compensate for this, he also uses his own heuristic scanning engine that works much faster before the ClamWin scan kicks in. Clam Sentinel is written mostly in Delphi. The Clam Sentinel web site is at https://sourceforge.net/projects/clamsentinel/ on the web. Source code is freely available.

The heuristic scanner used by Clam Sentinel does not parse the file. It looks at PE file characteristics and other data, which might simplify things for you a bit. Actual parsing is left to the ClamWin (Clam AV) engine.

Regards,
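To make the "PE characteristics, no parsing" idea above concrete, here is an added example (written for this thread, not Clam Sentinel's or ClamWin's own code) of a hypothetical header-only triage of an in-memory write buffer: it reads only the MZ/PE headers and the section table, flags a few cheap signals, and leaves content inspection to the engine. The `make_pe` helper builds a constructed, header-only PE image purely so the check can be exercised offline.

```python
import struct

# PE/COFF constants from the PE specification
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_triage(buf: bytes) -> dict:
    """Hypothetical pre-filter: header-only look at a write buffer.
    Reads the DOS/COFF headers and the section table, never section
    contents, so it is cheap enough to run before a full engine scan."""
    out = {"is_pe": False, "flags": []}
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return out                                 # not a PE image at all
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        out["flags"].append("mz-without-pe")       # DOS stub or truncated write
        return out
    out["is_pe"] = True
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    out["is_dll"] = bool(chars & IMAGE_FILE_DLL)
    if nsect == 0:
        out["flags"].append("no-sections")
    sec_off = e_lfanew + 24 + opt_size             # section table follows optional header
    rwx = 0
    for i in range(nsect):
        off = sec_off + 40 * i                     # each section header is 40 bytes
        if off + 40 > len(buf):
            out["flags"].append("truncated-section-table")
            break
        sc = struct.unpack_from("<I", buf, off + 36)[0]   # section Characteristics
        if sc & IMAGE_SCN_MEM_EXECUTE and sc & IMAGE_SCN_MEM_WRITE:
            rwx += 1                               # writable+executable: packer/self-modifying hint
    if rwx:
        out["flags"].append("writable-executable-section")
    return out                                     # caller quarantines or hands buffer to the engine


def make_pe(section_flags, characteristics=0x0102):
    """Constructed, header-only PE image for testing (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_flags), 0, 0, 0, 0, characteristics)
    secs = b"".join(b".sec" + b"\0" * 32 + struct.pack("<I", f) for f in section_flags)
    return dos + coff + secs
```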
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Look at Didier Stevens' work on Ariad, an already-developed mini-filter driver available for all. Once you find your file characteristics, perhaps you could use Ariad and put the malicious file in quarantine. See https://blog.didierstevens.com/programs/ariad/ on the web.

Regards,