Hi there,

On Thu, 14 Nov 2019, ALMOKBEL, RAWAN wrote:

> Good Day!

Well it's been raining here for weeks, but good day to you too! :)

> Does ClamAV scan for embedded viruses and malicious content inside files?

If you mean archive files the question has already been answered well, but I would add that it is almost true to say that ClamAV _only_ scans inside files. It is only 'almost' true because you can, for example, ask clamd to listen to a socket, and feed data directly to it via the socket. But most of the time it will be a file which you pipe to the socket.

In that case, clamd itself will know nothing about the file, except perhaps its length - or at least the amount of data it scanned before it found something which, for example, matches a signature. All it knows is what came along from the socket - this does not include, for example, the name of the file, and the data is normally sent in 'chunks' so clamd generally only knows the length of the 'chunks'.

Processing mail using a milter is a very common use of ClamAV, and indeed ClamAV packages its own milter, 'clamav-milter', for that purpose. A milter sends data to clamd via a socket, for scanning in the same way that clamdscan does. Neither scans the data itself, but simply passes the data to clamd. (Again, 'simply' is almost true.)

I wonder if you meant to ask if ClamAV can scan memory. Unlike some commercial anti-virus packages, ClamAV cannot do that directly; but you can if you wish write code to read memory and pipe the data to a clamd process for scanning. With existing signature databases I do not know how effective that might be, because I do not know how many (if any) signatures have been written with the intention of finding things in memory rather than in files, or which might be expected to match memory content even if not written with that intention. Most executable files are modified when they are loaded into memory, and it is common for the data in other files to be modified as it is loaded, even if not for execution. For the 'heuristics' type signatures, for example, I'd say all bets are off.

If you have particular requirements to scan memory, in principle it would not be difficult to produce the signatures. But it would be a substantial undertaking to scan memory in a multi-user, multi-tasking operating system (which may be using paging, sharing, virtual memory, swap and DMA) using clamd in a way which makes any real sense. I'd be pleased to be proven wrong, and if I'm wrong I'm sure Sourcefire would be pleased too. :)

--
73,
Ged.

_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
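As an added illustration of the chunked socket feed described above (this is example code, not from the message or the ClamAV project), the Python below frames data with clamd's INSTREAM command, where clamd receives only 4-byte length prefixes and chunk bytes and never a file name, and parses the verdict it sends back. The socket path is an assumption; the replies shown in comments and tests are constructed samples of clamd's documented answer format.

```python
import socket
import struct
from typing import Optional, Tuple

# clamd's null-terminated command form: "zINSTREAM\0", followed by chunks.
INSTREAM_CMD = b"zINSTREAM\0"


def instream_frames(data: bytes, chunk_size: int = 2048) -> bytes:
    """Frame DATA the way clamdscan or a milter feed clamd over a socket.

    Each chunk is a 4-byte big-endian length followed by the bytes; a
    zero-length chunk terminates the stream. This is all clamd ever sees.
    """
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    out = bytearray(INSTREAM_CMD)
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack("!I", len(chunk)) + chunk
    out += struct.pack("!I", 0)  # terminator chunk
    return bytes(out)


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Turn clamd's null-terminated reply into (status, signature).

    Constructed samples of the reply format: b"stream: OK\\0",
    b"stream: Eicar-Test-Signature FOUND\\0", and, when the chunked
    stream exceeds clamd's StreamMaxLength setting,
    b"INSTREAM size limit exceeded. ERROR\\0".
    """
    text = reply.rstrip(b"\0").decode("utf-8", "replace")
    body = text.split(": ", 1)[1] if ": " in text else text
    if body.endswith(" FOUND"):
        return "FOUND", body[: -len(" FOUND")]
    if body == "OK":
        return "OK", None
    return "ERROR", body


def scan_bytes(data: bytes,
               sock_path: str = "/var/run/clamav/clamd.ctl") -> Tuple[str, Optional[str]]:
    """Send DATA to a local clamd Unix socket (path is an assumption) and parse the verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)
```

Because clamd only sees the framed chunks, anything scanned this way (a mail body from a milter, a region of memory you read yourself) is reported as "stream", so the caller must keep its own record of what the bytes were.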
