 |
 | Necessity of scanning .avi files... |  |
|
Seans Potato Business
|
|
I notice that a lot of suggestions re: speeding up the scanning process revolve around the disabling of scanning .avi files etc. My question is, is it possible for viral code to lurk in these (perhaps mis-extensioned) files? Are other virus scanners only so fast because they skip these files by default?
|
|||||||||||
|
|||||||||||||
 |
| Re: Necessity of scanning .avi files... | |
|
b0ne
|
|
There is always a potential for viral code to be appended to any file. However, for the code to be executable on its own, it must reside in the standard executable format. (exe, dll, sys) That being observed, the speed problem mostly originates from the way some of clamav's signatures work. Most virus signatures are offset from a certain point of reference and it doesn't pose much of a performance problem because it is only checking one spot in the file, if that spot doesn't exist, it doesn't bother to check it. Name : Filetype : Offset : Signature
File type 0 stipulates all files, so in every file it checks file byte location 17577 for byte value 66. If it finds 66 it will try to match the rest of signature. This is a pretty quick way to match the signature. However, there are other signatures that are not so quick... Trojan.AdClick.e=7009d15e01...
These signatures check the whole file for the signature regardless of position. This means scan times go up significantly when you have more large files present on disk. (video, audio, etc) |
|||||||||||||
|
|||||||||||||||
|
| |
|
sherpya
|
|
we are working on a feature based on filetype skipping, it will skip media files, avi files are riff files, so they will be scanned only if they are anim cursor,
we are mainly testing this new feature for 0.90 release |
|||||||||||
|
|||||||||||||
|
| |
|
TOOGAM
|
|
The phrase used above, "on its own", is significant. I've heard of a JPG virus from the days before Win95. (Not sure if it really existed or if it was a rumor.) There actually as a type of virus that could affect graphics files with newer versions of Windows, and Microsoft patched it. I know that Xbox software-based modification/hacking exploits saved games, which are data files. Viruses can rest in data, and then be executed when a program does something insecure, such as trusting a variable in the data file that says how long a piece of data should be, and then actually having data which is longer than expected and including a virus that, due to the buffer overrun, overwrites code in memory and then gets executed. For that reason, I'm sure the skipping of files based on filetype will be an option, as skipping such files should be mostly safe but if someone wants to scan all files, then that could be useful.
That is, after all, why scanners will often check archives like Zip files that, even though they are just data files, could contain harmful content. As long as the virus just sits put then it is harmless, but there sometimes might be the potential that the virus won't be left alone by uninfected but careless code that is executed. |
|||||||||||
|
|||||||||||||
|
| |
|
sherpya
|
|
the options is default in 0.90 but still unckecable from advanced tab
|
|||||||||||
|
|||||||||||||
|
 | Necessity of scanning .avi files... | |
|
||
|
|
|
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.