Hi there, On Sat, 28 Nov 2020, Will Watters via clamav-users wrote:
> Please advise if ClamAV performs monitoring of traffic, including encrypted traffic?
Not unless you tell it to.

I use it to scan mail traffic. To do that I wrote a milter. The milter interfaces with the Mail Transfer Agent (the MTA, Sendmail). It accepts traffic from the MTA as it comes in on the wire and forms an opinion based on many factors about the mail. One of these factors is whether or not ClamAV finds something in the mail which matches a signature in one of the ClamAV databases. I use several third-party databases in addition to the 'official' database, mostly because I have a very low tolerance for spam and junk mail.

There are similar ways of scanning other traffic, but they're tricky and the performance might not be what you'd hope for.

To be able to scan encrypted traffic you probably need to be able to decrypt it on the fly. Depending on the encryption arrangements, that might be anywhere between trivial and impossible. Mail traffic is very often encrypted, but only when it passes between delivery 'hops'. When a milter uses ClamAV to scan the traffic, the MTA has decrypted incoming traffic before it hands it to the milter, and outgoing traffic is scanned before it's encrypted, so ClamAV scans only unencrypted traffic.

What sort of traffic would you want to scan?

--
73, Ged.
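The step described above where the milter hands already-decrypted mail to ClamAV is, in practice, a write to clamd's socket using its stream-scanning protocol. The following is an added example, not code from Ged's milter or from the ClamAV project: it builds the zINSTREAM frames (the command `zINSTREAM\0`, chunks as a 4-byte big-endian length followed by data, a zero-length chunk to finish) and parses the `stream: ... OK` / `stream: <name> FOUND` reply as clamd documents it. To run offline it talks to a constructed stand-in server that implements only that much of the protocol and flags a made-up `X-Constructed-Test-Marker` header; against a real clamd you would point `scan_message` at the daemon's TCP port instead. The sample messages are constructed.

```python
"""Hand a decrypted mail message to clamd over zINSTREAM and read the verdict.

Added example (not from the original post or ClamAV). The client side follows
clamd's documented stream protocol; FakeClamd is a constructed stand-in so the
code runs without a real daemon.
"""
import socket
import struct
import threading

MAX_CHUNK = 2048  # clamd accepts larger chunks; small here to show framing


def instream_frames(data: bytes, chunk_size: int = MAX_CHUNK):
    """Yield the byte frames a client sends for one zINSTREAM scan."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)  # zero-length chunk terminates the stream


def parse_reply(reply: bytes):
    """Return (verdict, detail): ('OK', None), ('FOUND', sig) or ('ERROR', msg)."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace")
    status = text.split(": ", 1)[-1]  # drop the 'stream: ' prefix if present
    if status == "OK":
        return "OK", None
    if status.endswith(" FOUND"):
        return "FOUND", status[:-len(" FOUND")]
    return "ERROR", status


def scan_message(raw_mail: bytes, host: str, port: int):
    """Stream one message to clamd (one connection per scan) and parse the reply."""
    with socket.create_connection((host, port), timeout=10) as s:
        for frame in instream_frames(raw_mail):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):  # clamd NUL-terminates the 'z' reply
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def _fill(conn, buf: bytes, need: int) -> bytes:
    """Read from conn until buf holds at least `need` bytes."""
    while len(buf) < need:
        part = conn.recv(4096)
        if not part:
            raise ConnectionError("peer closed mid-stream")
        buf += part
    return buf


class FakeClamd(threading.Thread):
    """Constructed stand-in: serves one zINSTREAM scan, then exits."""
    MARKER = b"X-Constructed-Test-Marker: 1"  # constructed 'signature' trigger

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn, self.sock:
            buf = b""
            while b"\0" not in buf:
                buf = _fill(conn, buf, len(buf) + 1)
            cmd, _, buf = buf.partition(b"\0")
            if cmd != b"zINSTREAM":
                conn.sendall(b"UNKNOWN COMMAND\0")
                return
            body = b""
            while True:
                buf = _fill(conn, buf, 4)
                (n,), buf = struct.unpack("!I", buf[:4]), buf[4:]
                if n == 0:
                    break
                buf = _fill(conn, buf, n)
                body, buf = body + buf[:n], buf[n:]
            if self.MARKER in body:
                conn.sendall(b"stream: Constructed.Test.Signature FOUND\0")
            else:
                conn.sendall(b"stream: OK\0")


# Constructed sample messages, as the MTA would hand them to the milter.
CLEAN_MAIL = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
              b"Subject: hello\r\n\r\nJust a plain message.\r\n")
FLAGGED_MAIL = CLEAN_MAIL.replace(b"\r\n\r\n",
                                  b"\r\n" + FakeClamd.MARKER + b"\r\n\r\n", 1)


def demo():
    """Scan both samples against fresh stand-in servers; return the verdicts."""
    results = []
    for mail in (CLEAN_MAIL, FLAGGED_MAIL):
        srv = FakeClamd()
        srv.start()
        results.append(scan_message(mail, "127.0.0.1", srv.port))
    return tuple(results)


if __name__ == "__main__":
    print(demo())
```

A milter would call `scan_message` from its end-of-message callback and map `FOUND` to a reject or quarantine action; the connection-per-scan pattern mirrors how clamd is normally used, and the `ERROR` branch matters because clamd reports size-limit and parse failures in the same reply channel rather than as a verdict.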