You are not logged in.

#1 2024-06-17 02:45:54

fluxany
Member
Registered: 2024-06-17
Posts: 4

ClamAV kernel driver

There is now on-access file scanning in ClamAV for Linux. I'm curious if ClamAV ever had at one point a kernel driver for Arch to scan memory.

https://docs.clamav.net/manual/Usage/Sc … s-scanning

fa

Offline

#2 2024-06-17 10:53:51

mpan
Member
Registered: 2012-08-01
Posts: 1,326
Website

Re: ClamAV kernel driver

This is not a new feature. ClamAV aded on-access scanning 11 years ago and it is a stable, documented feature for a few years. It’s literally written at the anchor you linked.

Scanning memory sounds to me like a gimmick straight from the marketing department. Designed against targets, who think security is a product one buys and also fall for the “better therefore needed” trick.

What are you trying to achieve, exactly? What is the specific threat model you experience?

But, technically speaking, yes: ClamAV scans memory. At least the portions, which may contain matches for signatures antivirus programs use. The reason is simple: it has no choice due to how file access and memory management works under Linux. To be used, file contents must be loaded into memory. If they were loaded because some program uses them, ClamAV scanning these files will inevitably use the same memory pages as the program is using.

Last edited by mpan (2024-06-17 11:02:23)


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#3 2024-06-17 10:55:50

fluxany
Member
Registered: 2024-06-17
Posts: 4

Re: ClamAV kernel driver

Comparing features from Sophos and Microsoft Defender with Linux.

Offline

#4 2024-06-17 11:10:58

fluxany
Member
Registered: 2024-06-17
Posts: 4

Re: ClamAV kernel driver

mpan wrote:

The reason is simple: it has no choice due to how file access and memory management works under Linux. To be used, file contents must be loaded into memory. If they were loaded because some program uses them, ClamAV scanning these files will inevitably use the same memory pages as the program is using.

Accessing process memory is trivial from the kernel. I was thinking that ptrace needs additions to reach feature parity with Windows. On Windows there are endless things that modify the kernel via DKOM and Microsoft resorted to implementing PatchGuard. This feature frequently gets disabled by things like Blue Pill and more recent examples. I think having Sophos and McAfee with the same features on Linux would be good, particularly as the Linux desktop market share increases. https://store.steampowered.com/hwsurvey … form=linux.

I'm also surprised that LSM's haven't been made completely loadable at runtime due to symbols being removed. This probably will never get changed.

See https://github.com/fluxany/gslab-titan/ … er/gslab.c

Offline

#5 2024-06-17 11:39:30

mpan
Member
Registered: 2012-08-01
Posts: 1,326
Website

Re: ClamAV kernel driver

The way you seem to be doing this right now is no better than forming an opinion based on their logo color. At least this is the impression I got from what you wrote so far. That may be a wrong impression, but I can only work with what I see in this thread.

If you are willing to publish such a comparison or make any decisions based on it, please take that into account:

  • It seems you don’t have the threat model defined. Without that comparing features is not possible. It’s like one would compare a hammer with a screwdriver by the number of features listed on the packaging. Without deciding if one wants to drive screws or nails.

  • In here you inquired about one feature: on-access scanning. That single question revealed you formed an invalid picture of the situation. Despite the third sentence you linked explicitly says how things are. A bit more attention?

  • Nothing is better simply because it has more of features listed. Be critical. Making a comparison is not the same as parroting marketing branch’s advertisement materials. I believe you don’t want to sound like a YouTuber doing “item review” by unboxing it and reading what is written on the box. smile

ClamAV is a tool for detecting malware signatures in data streams passed to it. Period. Not a nebulous “security as a product” offer.

Last edited by mpan (2024-06-17 11:42:43)


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#6 2024-06-18 12:05:16

fluxany
Member
Registered: 2024-06-17
Posts: 4

Re: ClamAV kernel driver

mpan wrote:

The way you seem to be doing this right now is no better than forming an opinion based on their logo color. At least this is the impression I got from what you wrote so far.


https://github.com/VirusTotal/yara

Yara does the same thing a little bit easier than ClamAV, if your focused entirely on signatures. When ClamAV offered data isolation features it became security as a product. This puts it onto the same field as Sophos.

From ClamAV's configuration documentation, emphasis is on blocking at kernel level which is the same thing as Sophos.
https://docs.clamav.net/manual/OnAccess.html

ClamAV wrote:

Use Case 0x2

    The user needs to protect a single directory non-recursively and ensure all access attempts on malicious files are blocked.

    ScanOnAccess yes ## versions <= 0.101.x
    OnAccessIncludePath /home/user/Downloads
    OnAccessExcludeUname clamav ## versions >= 0.102
    OnAccessPrevention yes
    OnAccessDisableDDD yes

The configuration above will result in non-recursive real-time protection of the /home/user/Downloads directory by ClamAV's On-Access Scanner. Any access attempts that ClamAV detects on malicious files within the top level of the directory hierarchy will be blocked by fanotify at the kernel level.

Offline

Board footer

Powered by FluxBB