But if I do that, some side effects could happen like:
- I'll need free space to store the file.
- The infected packets may get in while I store the next packets to scan.
- I have to download the whole file before sending it to the end-user.
I'm trying to develop some sort of firewall+anti-virus using an embedded
Linux with solid-state board, so space would be a problem.
I saw one solution like that from Sonicwall's guys, but I don't know how
they do that. I've heard that Fortinet has its own network-based
anti-virus solution too (as an appliance).
I was wondering how these guys handle the "zip" problem, since their
hardware just has 128 of RAM and 16 of ROM. :-(
Any ideas?
Cheers,
Eric Scopinho
[EMAIL PROTECTED] wrote:
Eric Scopinho wrote:
The problem is that I'm using libclamav directly (not clamd), and I
don't have the entire zip file. While the file is sent over the
network, passing through my firewall, I'm catching the packets,
storing each one and scanning using cl_scandesc from libclamav. Catch
it?
Since you're scanning it packet-by-packet, you're going to miss some viruses
regardless of .zip-ness. In particular, if a virus definition matches a byte
sequence that is split across packets, the virus will get through.
Since you can't decompress the .zip file, you won't catch viruses that are only
recognized in their uncompressed form. Fortunately, there are some virus
patterns to match the .zip'd versions of the files. Unfortunately, viruses
that randomize their password are probably unpatternable in their compressed
form.
You might be able to do something to the effect of:
1) Recognize the initial packet of the zip file
2) Accumulate all future packets of that stream
3) Put all the packets together to get the complete zip file
4) Decompress the zip file
5) Scan the decompressed contents
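The two points made in this reply, a pattern split across two packets being missed and steps 1-5 (reassemble the stream, unzip, scan the uncompressed members), as an added Python illustration that is not from the thread or from ClamAV; `scan_bytes` is a stand-in for cl_scandesc, and the signature, MTU and streams are constructed test data.

```python
import io
import zipfile

# Constructed test pattern standing in for a ClamAV byte signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"
MTU = 32  # constructed segment size, small so the effect is easy to see


def scan_bytes(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Stand-in for cl_scandesc: does the byte pattern occur in the buffer?"""
    return sig in data


def split_into_packets(stream: bytes, mtu: int) -> list:
    """Simulate a TCP stream arriving as fixed-size segments."""
    return [stream[i:i + mtu] for i in range(0, len(stream), mtu)]


def scan_per_packet(packets) -> bool:
    """The original approach: each packet scanned in isolation."""
    return any(scan_bytes(p) for p in packets)


def scan_reassembled(packets) -> bool:
    """Steps 2-3: accumulate the stream and scan it as one buffer."""
    return scan_bytes(b"".join(packets))


def scan_reassembled_zip(packets) -> bool:
    """Steps 2-5: reassemble, unzip in memory, scan every member uncompressed."""
    try:
        with zipfile.ZipFile(io.BytesIO(b"".join(packets))) as zf:
            return any(scan_bytes(zf.read(name)) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # stream incomplete or corrupt: the contents cannot be inspected yet


def build_zip(payload: bytes) -> bytes:
    """Constructed sample archive holding one file with the given payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("document.txt", payload)
    return buf.getvalue()


# Constructed plain stream: filler sized so the signature straddles packets 1 and 2.
PLAIN_STREAM = b"x" * (MTU - 10) + SIGNATURE + b"y" * 20


def demo() -> dict:
    plain = split_into_packets(PLAIN_STREAM, MTU)
    zipped = split_into_packets(build_zip(b"hello " + SIGNATURE + b"\n"), MTU)
    return {
        "per_packet_plain": scan_per_packet(plain),          # False: pattern split across packets
        "reassembled_plain": scan_reassembled(plain),        # True
        "reassembled_zip": scan_reassembled_zip(zipped),     # True: found after decompression
        "truncated_zip": scan_reassembled_zip(zipped[:-1]),  # False: last packet not yet seen
    }
```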
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html