zwang_waff
Joined: 05 Jun 2009
Posts: 0
Posted: Fri Jun 05, 2009 10:25 am
How do I scan one process in memory for viruses without scanning the other processes?
The binary code of the process in memory is different from that in the file, and I don't want to scan all the processes in memory.
Thanks.
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Jun 05, 2009 12:17 pm
There is no user control/selection over memory scanning in ClamWin other than to tell whether or not you want to scan memory. I understand that the processes in memory are converted to files and then scanned. Do you know the name of the process that you want to scan?
There is a tool from PC Tools, the Threat Expert Memory Scanner, that might help you. It is just a memory scanner for polymorphic threats, but it does not remove or quarantine. You can't do much with it, but you can upload anything it finds to Threat Expert for a scan. You can download it at https://www.pctools.com/memory-scanner/ on the web.
Perhaps one of the ClamWin developers can suggest something else.
Regards,
zwang_waff
Joined: 05 Jun 2009
Posts: 0
Posted: Sat Jun 06, 2009 1:27 pm
Thank you very much.
I am a student and want to do an experiment with ClamWin. When known malware is packed, anti-virus programs may not be able to detect it. So I am trying to develop a small piece of code to identify the end of unpacking, and to integrate that code with ClamWin to detect packed known malware. If ClamWin can scan a specific process in memory, it will be more efficient. Could you give me some help?
Regards.
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sat Jun 06, 2009 3:13 pm
Perhaps Sherpya can help you more on this, but I think you are limited to what you can do with ClamWin's memory scan.
You might look at the Memoryze tool from Mandiant. Here's some information at https://www.mandiant.com/software.htm
Also, here's some information on what you are trying to do at https://vrt-sourcefire.blogspot.com/search?updated-min=2009-01-01T00%3A00%3A00-05%3A00&updated-max=2010-01-01T00%3A00%3A00-05%3A00&max-results=20 on the web. Look at the link to PEiD and then the tool they are using.
The Threat Expert Memory tool that I referred you to does a memory scan for runtime packers, but the user has no control over it.
Regards,
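The single-process scan zwang_waff asks for, done the way GuitarBob describes ClamWin's memory scan (process memory converted to files, then scanned), as an added example that is not from this thread, from ClamWin or from any tool named above: a Python script that assumes Linux /proc (the Windows equivalent would read the target with VirtualQueryEx/ReadProcessMemory) and dumps only the writable or anonymous executable regions of one pid, the regions where unpacked code differs from the on-disk file, into a directory for clamscan (assumed installed). The maps excerpt, pid handling and output layout are constructed for the example.

```python
"""Dump the executable memory of ONE process (by pid) to files so an on-disk
scanner checks only that process. Linux /proc version; constructed example."""
import os, re, subprocess, sys
from collections import namedtuple

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \d+\s*(.*)$")
Region = namedtuple("Region", "start end perms path")  # path == "" if anonymous
# Constructed maps excerpt: packed image made RWX, anonymous RWX unpack buffer, libc r-x, stack
SAMPLE_MAPS = """00400000-00452000 rwxp 00000000 08:01 1234 /tmp/packed_sample.bin
7f3c2a000000-7f3c2a021000 rwxp 00000000 00:00 0
7f3c2a200000-7f3c2a3b7000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]"""

def parse_maps(text):
    """Parse /proc/<pid>/maps text into Region tuples."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            regions.append(Region(int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return regions

def select_regions(regions):
    """Executable regions that are writable or anonymous: where a runtime packer
    leaves unpacked code, i.e. what differs from the on-disk file."""
    return [r for r in regions if "x" in r.perms and ("w" in r.perms or not r.path)]

def dump_process(pid, out_dir):
    """Write each selected region of <pid> to out_dir/<start>-<end>.bin; needs
    ptrace rights over the target (same uid or root, see yama/ptrace_scope)."""
    os.makedirs(out_dir, exist_ok=True)
    with open(f"/proc/{pid}/maps") as f:
        regions = select_regions(parse_maps(f.read()))
    written = []
    with open(f"/proc/{pid}/mem", "rb") as mem:
        for r in regions:
            try:
                data = os.pread(mem.fileno(), r.end - r.start, r.start)
            except OSError:
                continue  # region unmapped meanwhile or not readable
            path = os.path.join(out_dir, f"{r.start:016x}-{r.end:016x}.bin")
            with open(path, "wb") as fh:
                fh.write(data)
            written.append(path)
    return written

if __name__ == "__main__":  # usage: python dump_one.py <pid> <out_dir>
    dump_process(int(sys.argv[1]), sys.argv[2])
    subprocess.run(["clamscan", "--no-summary", sys.argv[2]], check=False)
```

The dump directory holds a copy of the target's memory, so keep it readable only by the account doing the analysis and delete it after the scan.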
zwang_waff
Joined: 05 Jun 2009
Posts: 0
Posted: Mon Jun 08, 2009 8:48 am
Thank you very much.