If the purpose of doing all of this is to detect if malware is present, I would 
do it outside of the sandbox.  The point of a sandbox is to let malware execute 
and NOT stop it.

> On Mar 30, 2022, at 11:48 AM, G.W. Haywood via clamav-users 
> <clamav-users@lists.clamav.net> wrote:
> 
> Hi there,
> 
> On Wed, 30 Mar 2022, Yang, Jiayi via clamav-users wrote:
> 
>> ... what will happen if ClamAV is compromised?  I'm guessing ...
> 
> It doesn't help to guess.  If *anything* is compromised then you
> should probably treat the entire computer to be under the control of
> criminals and act accordingly.  At the very least disconnect it from
> the network so that it does not pose a threat to other systems.
> 
>> ... it will give wrong detection result for the malware and also for
>> other files to be scanned, or the scanner will crash then cannot
>> work any more.
> 
> Nothing is certain.  If it is compromised then the malicious actor may
> 'fix' ClamAV (and the rest of the things that he has damaged) to make
> them look like they are working properly when they are not.  I have
> seen modified system command binaries like 'ps' and 'ls' which appear
> to produce process or directory listings but which in fact hide some
> processes and directories or files from the lists which they produce.
> To an unobservant system administrator everything appears normal, but
> someone who looks carefully would see that the system was being used
> for malicious purposes.
> 
> It's very likely a crash which enables the compromise.  If the Bad
> Actor knows what he's doing, after gaining access he might modify the
> scanner to make it appear to be operating normally, but despite the
> appearance fail to detect the Bad Actor's intrusion.  The timestamps
> on binaries are easily faked.  It's not easy to fake a hash, so you
> can use something like 'tripwire' to spot unexpected modifications.
> 
>> Is there also a probability that when it's compromised, it could
>> also infect other files when scanning them?
> 
> If ClamAV (or anything else on your system) is compromised it does not
> matter whether or not ClamAV is scanning files.  The game is over, and
> you lost.  It's likely time to wipe discs, look for backups, reinstall.
> 
>> I totally believe it's unlikely to happen.
> 
> There's a big difference between 'unlikely' and 'impossible'.
> 
> -- 
> 
> 73,
> Ged.
> 
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
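Ged's point that timestamps are easy to fake but a hash is not is the whole idea behind 'tripwire'. The following added example (not from the thread, and not tripwire's code) sketches that check in Python: build a hash baseline of a directory, then verify it, with a constructed scenario in which a fake 'ps' is dropped in and its mtime restored so the timestamp looks untouched. Paths and file contents are constructed for the demo; a real baseline has to be kept off the host, or the intruder simply rewrites it along with the binaries.

```python
"""Added example (not from the clamav-users thread): a tiny tripwire-style
integrity check.  A tampered binary's mtime is trivial to restore, but its
SHA-256 is not, so a stored baseline of hashes still catches the change.
All paths and file contents below are constructed for the demonstration."""
import hashlib
import os
import tempfile

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root (relative path) to its SHA-256.
    Store the result off-host; a baseline on the same disc can be rewritten."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            baseline[os.path.relpath(p, root)] = file_sha256(p)
    return baseline

def verify(root, baseline):
    """Compare the tree against the baseline; return changed, missing, added."""
    current = build_baseline(root)
    changed = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return changed, missing, added

def demo():
    """Constructed scenario: replace 'bin/ps', then restore its timestamps."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        ps = os.path.join(root, "bin", "ps")
        for name, data in (("ps", b"original ps\n"), ("ls", b"original ls\n")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)          # taken while the system is clean
        st = os.stat(ps)
        with open(ps, "wb") as f:
            f.write(b"trojaned ps\n")              # modified binary
        os.utime(ps, ns=(st.st_atime_ns, st.st_mtime_ns))  # mtime faked back
        same_mtime = os.stat(ps).st_mtime_ns == st.st_mtime_ns
        changed, missing, added = verify(root, baseline)
        return same_mtime, changed, missing, added
```

Running `demo()` shows the faked mtime is identical to the original while the hash comparison still flags `bin/ps` as changed.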


