ClamWin Free Antivirus
Support and Discussion Forums
scanning 64 bit executables - fail?
clam.Man


Joined: 29 Nov 2010
Posts: 0
i just got a real wake-up call here... i'm finding that a lot of AV products, although touting full 64 bit compatibility, are not able to scan some 64 bit executables.

i would guess that 64 bit malware is pretty sparse at the moment, but at some point in the future it will become the standard

the command line versions of Emsisoft, Ikarus, AntiVir and Sophos all choke on at least some 64 bit executables (exe/dll) - why 'some' and not all, i do not know.

clamscan tells me it's processing these files, but is it really? or is it just not reporting that they cannot be scanned? clamscan is, after all, a 32 bit binary.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Not to worry! The Clam AV engine is a file signature scanner--nothing fancy there in the way of emulation/sandboxing. It relies upon various hashes/string information from the Windows PE file (and sometimes Linux). As far as I know, the 64 bit files have not been significantly changed (they have to be backwardly compatible), so ClamWin should be able to scan any file in looking for a signature. The only 64 bit viruses I have seen so far are rootkits (bad stuff!), and I think only the really adept malware programmers will be doing anything with 64 bits for a while.

Regards,
clam.Man


Joined: 29 Nov 2010
Posts: 0
thanks for the reply GuitarBob - i appreciate it!

i wouldn't mind if a CW dev could confirm this however - i built myself a wrapper, Digital Disease Terminator (https://12bytes.org/software/digital-disease-terminator), which can use several scanners and have made it public, so i'd like to be doubly sure about this for documentation purposes
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Sure, I will pass this thread on to Alch/Sherpya. You can check this out for yourself, however. Get an MD5 file hash on a 64-bit program (I tested it on the Win 7 Internet Explorer: iexplore.exe in the Win 7 Program directory--not the X32 Program directory), put the hash in a Clam signature format (hash:filesize:DummyVirusName) in a Notepad file and save it as Sigfile.hdb in the ClamWin database directory. Then scan the original file in the Win 7 Program directory with ClamWin--have it set to Report Only--not Quarantine/Remove. ClamWin should detect the file as infected, but with a false positive warning since it is a signed Microsoft file. After you are sure it works, delete the Sigfile.hdb from the ClamWin database directory.

Clam also uses other types of signatures, but if the hdb file hash signature works, the other signature types should work also.

Additionally, with Clam now furnishing a Windows port to Immunet, which is looking to be the Windows AV for the future, Clam now has more concern than it used to have with use of its code on present/future Windows computers, which certainly includes the 64 bit versions.

Below is the sig I developed for the Win 7 iexplore.exe executable.

f1424c1b9b1813bf825e45df3790bc8a:754480:DummyVirusName

Regards,
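The hash:filesize:name check described in the post above, modelled as an added example (not part of the original thread and not ClamAV's own code). The function names and the two PE header stubs are constructed for illustration; the point shown is that the match depends only on the file's bytes and length, not on its PE machine type.

```python
import hashlib
import struct

def hdb_signature(data: bytes, name: str) -> str:
    """Build one .hdb line: MD5 hex digest, file size in bytes, signature name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def parse_hdb(text: str) -> dict:
    """Map (md5, size) -> name; blank or malformed lines are skipped."""
    sigs = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 3:
            continue
        md5, size, name = parts[0].lower(), parts[1], parts[2]
        if len(md5) != 32 or not size.isdigit():
            continue
        sigs[(md5, int(size))] = name
    return sigs

def match(data: bytes, sigs: dict):
    """Return the signature name when both hash and size match, else None."""
    return sigs.get((hashlib.md5(data).hexdigest(), len(data)))

def pe_machine(data: bytes):
    """Read the COFF Machine field (0x8664 = x64, 0x014C = x86), or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew: offset of "PE\0\0"
    if len(data) < off + 6 or data[off:off + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, off + 4)[0]

def pe_stub(machine: int) -> bytes:
    """Constructed sample: DOS header plus a bare COFF header, not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

if __name__ == "__main__":
    x64, x86 = pe_stub(0x8664), pe_stub(0x014C)
    sigs = parse_hdb(hdb_signature(x64, "DummyVirusName"))
    for label, blob in (("x64", x64), ("x86", x86)):
        print(label, hex(pe_machine(blob)), match(blob, sigs))
```

The signature built from the x64 stub matches that stub and nothing else; the x86 stub differs by two bytes and is not flagged.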
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
clamav currently also scans 64bit windows executables regardless of the fact the executable is 32bit
clam.Man


Joined: 29 Nov 2010
Posts: 0
thanks guys - i appreciate it

not all scanners use the same principle i guess
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The Clam AV engine used by ClamWin does not do any significant emulation/sandboxing, so it is not dependent upon the actual execution of a file, which includes the 64 bit stuff.

Regards,