Hi there,

On Wed, 30 Mar 2022, Yang, Jiayi via clamav-users wrote:

> ... what will happen if ClamAV is compromised? I'm guessing ...

It doesn't help to guess. If *anything* is compromised then you should probably treat the entire computer as being under the control of criminals and act accordingly. At the very least disconnect it from the network so that it does not pose a threat to other systems.
> ... it will give wrong detection result for the malware and also for other files to be scanned, or the scanner will crash then cannot work any more.

Nothing is certain. If it is compromised then the malicious actor may 'fix' ClamAV (and the rest of the things that he has damaged) to make them look like they are working properly when they are not.

I have seen modified system command binaries like 'ps' and 'ls' which appear to produce process or directory listings but which in fact hide some processes and directories or files from the lists which they produce. To an unobservant system administrator everything appears normal, but someone who looks carefully would see that the system was being used for malicious purposes.

It's very likely a crash which enables the compromise. If the Bad Actor knows what he's doing, after gaining access he might modify the scanner to make it appear to be operating normally, but despite the appearance fail to detect the Bad Actor's intrusion.

The timestamps on binaries are easily faked. It's not easy to fake a hash, so you can use something like 'tripwire' to spot unexpected modifications.
> Is there also a probability that when it's compromised, it could also infect other files when scanning them?

If ClamAV (or anything else on your system) is compromised it does not matter whether or not ClamAV is scanning files. The game is over, and you lost. It's likely time to wipe discs, look for backups, reinstall.
> I totally believe it's unlikely to happen.

There's a big difference between 'unlikely' and 'impossible'.

--
73, Ged.
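
Added example, not part of the original message: a minimal Python sketch of the tripwire-style check mentioned above, showing that a same-size replacement with its timestamp restored still fails a hash comparison. The file named `ps` is a constructed stand-in in a temporary directory, and the function names are hypothetical.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash the file contents in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Record size, mtime and SHA-256 for each path (the baseline)."""
    out = {}
    for p in paths:
        st = os.stat(p)
        out[p] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": sha256_of(p)}
    return out


def compare(baseline, paths):
    """Return {path: [changed fields]} for files that differ from baseline."""
    current = snapshot(paths)
    fields = ("size", "mtime_ns", "sha256")
    diffs = {p: [k for k in fields if baseline[p][k] != current[p][k]] for p in paths}
    return {p: changed for p, changed in diffs.items() if changed}


def demo():
    """Constructed scenario: a stand-in 'binary' is replaced, same size, mtime restored."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "ps")  # stand-in file, not a real system binary
        with open(target, "wb") as f:
            f.write(b"original contents")
        base = snapshot([target])
        with open(target, "wb") as f:
            f.write(b"modified contents")  # same length as the original
        st = base[target]
        os.utime(target, ns=(st["mtime_ns"], st["mtime_ns"]))  # put the old timestamp back
        return compare(base, [target])[target]


if __name__ == "__main__":
    print(demo())  # only the hash gives the change away
```

The baseline is only useful if it is stored where the monitored host cannot rewrite it, and the comparison is run with tools from trusted media, since a compromised system's own binaries may misreport.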