Hi there,

On Tue, 22 Mar 2022, Yang, Jiayi via clamav-users wrote:

> ... I'm writing to inquire about the proper usage of ClamAV and whether it's suggested to run ClamAV within a sandbox to avoid infecting other files/applications in the host if a malware is detected.
Vulnerabilities have been found - and fixed - in ClamAV in the past. A sandbox or similar will probably reduce the attackable 'surface'. I don't know what fraction of ClamAV users use sandboxing, I never have done but I use a separate machine for the scanner and pass the data to be scanned to it, over a network.
> 1. When scanning a given file, will ClamAV only do static analysis (based on signature database) or it will execute the file and analyze its behavior?
ClamAV will not attempt to execute the file. You can scan any file, including non-executable files. There are some heuristics, so it's not necessarily just using the signature database. If the file is something like an archive ClamAV may extract the contents, which can be a security concern. It's possible for example to create a small archive which extracts to a huge file. ClamAV has some configuration options to mitigate this kind of risk.
> If the file is a malware and we use ClamAV to scan the file, will it possibly infect the scanner or infect other files/applications on the host?

It's unlikely but the possibility cannot be ignored if you're serious about security. Before attacking other parts of the system, malware would most likely have to exploit a vulnerability in ClamAV. Use of the word 'infect' tends to imply some sort of magic. None of this is magic, it's just a computer doing what it's told but probably not what was intended by its user. I'd tend to use the word 'compromise' which means what I said in my previous sentence.
> 2. Is there any built-in sandbox mechanism in ClamAV so that when it scans a file, the file can be scanned in an isolated environment?

No. As has been mentioned there are several approaches to protecting systems against this kind of thing. The ClamAV scanner might not run on the computer which is being scanned. (I think that's question 3. :) Your next question should be about detection rates.

--
73, Ged.

_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
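Two points in the reply above lend themselves to a worked example: scanning on a separate machine by passing the data over the network, and the configuration limits that cap how much a crafted archive or stream can make the scanner chew on. The block below is an added illustration, not code from ClamAV or from the list post. It implements both sides of clamd's INSTREAM exchange (the client sends `zINSTREAM\0`, then chunks each prefixed with a 4-byte big-endian length, then a zero-length chunk; the daemon answers with a NUL-terminated verdict line). The server half is a deliberate stand-in that only recognises the EICAR test string so the exchange can run offline; it is not a scanner, and the signature name in its reply is illustrative. The `StreamMaxLength` limit it enforces is a real `clamd.conf` option (default 25M), as are the archive limits `MaxScanSize`, `MaxFileSize`, `MaxRecursion` and `MaxFiles` that address the "small archive that extracts to a huge file" case; the error text for an exceeded stream mirrors clamd's. Function names, the chunk size and the sample inputs are this example's own choices.

```python
"""Client/server framing for clamd's INSTREAM command, plus a StreamMaxLength check.

Added example (not ClamAV code). The 'scanner' is a stand-in that only matches the
EICAR test string; a real deployment points the client at clamd on a remote host.
"""
import io
import socket
import struct
import threading

# Constructed sample input: the EICAR test string, which AV engines detect by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

DEFAULT_STREAM_MAX = 25 * 1024 * 1024  # clamd.conf StreamMaxLength default (25M)
CHUNK_SIZE = 8192                      # example's own choice; any size works


class StreamLimitExceeded(Exception):
    """Raised server-side when the stream would exceed StreamMaxLength."""


def instream_frames(data, chunk_size=CHUNK_SIZE):
    """Yield the bytes a client sends: command, length-prefixed chunks, terminator."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk_size):
        piece = data[off:off + chunk_size]
        yield struct.pack("!I", len(piece)) + piece
    yield struct.pack("!I", 0)  # zero-length chunk ends the stream


def _read_exact(rfile, n):
    buf = b""
    while len(buf) < n:
        part = rfile.read(n - len(buf))
        if not part:
            raise ValueError("peer closed connection mid-frame")
        buf += part
    return buf


def read_instream(rfile, stream_max_length=DEFAULT_STREAM_MAX):
    """Server side: parse INSTREAM frames and refuse streams over the limit
    before buffering them, so an oversized upload cannot exhaust memory."""
    cmd = b""
    while not cmd.endswith(b"\0"):
        cmd += _read_exact(rfile, 1)
    if cmd != b"zINSTREAM\0":
        raise ValueError("unexpected command %r" % cmd)
    body = bytearray()
    while True:
        (n,) = struct.unpack("!I", _read_exact(rfile, 4))
        if n == 0:
            return bytes(body)
        if len(body) + n > stream_max_length:
            raise StreamLimitExceeded(len(body) + n)
        body += _read_exact(rfile, n)


def stand_in_verdict(data):
    """Stand-in for the scanner: substring match on EICAR only. Illustrative name."""
    return "stream: Eicar-Test-Signature FOUND" if EICAR in data else "stream: OK"


def serve_one(rfile, wfile, stream_max_length=DEFAULT_STREAM_MAX):
    """Handle one connection the way clamd replies to zINSTREAM (NUL-terminated)."""
    try:
        reply = stand_in_verdict(read_instream(rfile, stream_max_length))
    except StreamLimitExceeded:
        reply = "INSTREAM size limit exceeded. ERROR"
    wfile.write(reply.encode() + b"\0")
    wfile.flush()


def frame_and_parse(data, chunk_size=CHUNK_SIZE, stream_max_length=DEFAULT_STREAM_MAX):
    """Round-trip data through the framing in memory; returns the reassembled bytes."""
    wire = b"".join(instream_frames(data, chunk_size))
    return read_instream(io.BytesIO(wire), stream_max_length)


def scan_over_socket(data, stream_max_length=DEFAULT_STREAM_MAX):
    """Full exchange over a socket pair: client streams data, stand-in server answers."""
    client, server = socket.socketpair()

    def run_server():
        with server, server.makefile("rb") as rf, server.makefile("wb") as wf:
            serve_one(rf, wf, stream_max_length)

    t = threading.Thread(target=run_server)
    t.start()
    with client:
        try:
            for frame in instream_frames(data):
                client.sendall(frame)
        except (BrokenPipeError, ConnectionResetError):
            pass  # server already rejected the stream and closed; read its verdict
        reply = b""
        while not reply.endswith(b"\0"):
            part = client.recv(4096)
            if not part:
                break
            reply += part
    t.join()
    return reply.rstrip(b"\0").decode()


if __name__ == "__main__":
    print(scan_over_socket(b"plain text"))
    print(scan_over_socket(EICAR))
    print(scan_over_socket(b"A" * 100, stream_max_length=10))
```

Against a real daemon you would replace the socket pair with a TCP connection to the scanning host (clamd's `TCPSocket`/`TCPAddr` options, or `clamdscan --stream`), and keep the scanner host firewalled so that a compromised clamd process cannot reach back into the systems it scans. The limit check happens on the chunk header before the chunk is read, which is the property you want: the client decides what to send, the server decides what it will accept.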
