Memory Scan Question
Wild~Fire
You could probably find out if you used Filemon? It would be a waste of disk IO if it did write to disk first. I wasn't aware of an option to scan memory but there is an option to unload infected programs from memory so it must scan memory one of two ways.
alch
Site Admin
Memory scan gets an exe and dll filename and scans the actual file.
GuitarBob
Could similar code be used to scan a http/Javascript/whatever stream coming into the browser from the Web--to spot exploits, when a real-time scanner becomes available?
Regards,
Wild~Fire
GuitarBob, I think that you're heading into the territory of 'exploits' now rather than AV. I don't think that it's the AV's job to catch these things, although some do. Anyways, I use a HIPS with CW just to supplement the fact that there are exploits that AVs don't catch.
GuitarBob
You could be right, but I see that Clam has a few signatures for exploits and "bad" HTML. At one time AVs didn't bother with ad/spyware, but most of them have expanded their definition of "malware" to include the more malevolent kind now. We're probably going to see more malware move away from overt files--perhaps even browser-based rootkits. A browser scanning service would give ClamWin some very good functionality that is separate from Clam AV.
Regards,
sherpya
There are already signatures for HTML files, but I don't know what they are targeting.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.


