Hello Ralf,

Thanks. I hope I can ask follow up questions. You wrote:

> It doesn't (from the clamonacc man page):

> The clamonacc daemon registers for file access notifications from the
> Linux kernel and in response, submits scans to the clamd scanning
> daemon for a verdict. On-Access requires a kernel version >= 3.8,
> because it leverages a kernel api called --> fanotify <-- to block
> processes from attempting to access malicious files.

I have verified that if a file opened using memory mapped IO API calls is
_closed_, fanotify will send a notification. However, could you or someone else
tell me if the following is possible?

- We are using clamonacc
- a file opened using memory mapped IO API calls

Can this file get infected while it stays open? If yes, and if this is an
executable, can it be executed along with its infected code while it's
open?

Thanks in advance,
-Neel.



From: Ralf Hildebrandt via clamav-users <clamav-users@lists.clamav.net>
Sent: Thu, 05 Dec 2024 16:05:32
To: clamav-users@lists.clamav.net
Cc: Ralf Hildebrandt <ralf.hildebra...@charite.de>
Subject: Re: [clamav-users] [ext] Scanning memory mapped files

> I am not using clamonacc. I run my own program that uses fanotify, just
> like clamonacc does, and gets a list of files that are modified/added.
> I send that list to clamscan or clamdscan.

A bit like incrond (which uses inotify() )

> The problem is limitation of fanotify which is that "The fanotify API
> does not report file accesses and modifications that may occur because of
> mmap(2), msync(2), and munmap(2)."

Same goes for inotify() -- just checked.

So whenever a process alters a file using mmap()/munmap() or msync(),
your program (or rather inotify/fanotify) doesn't detect any change,
and thus the file won't be in the list passed to clamscan or clamdscan.

> Now my assumption is mmap, msync, munmap deals with memory mapped files.
> So questions I have are:
> "does clamav scan memory mapped files?"

Yes: After all, a file is just a file. In the end, it's all on disk.

> Further details: If I run clamscan or clamdscan on "/"; it would
> scan all files so it does not matter.
> But how does clamonacc overcome this limitation since it uses fanotify?

It doesn't (from the clamonacc man page):

The clamonacc daemon registers for file access notifications from the
Linux kernel and in response, submits scans to the clamd scanning
daemon for a verdict. On-Access requires a kernel version >= 3.8,
because it leverages a kernel api called --> fanotify <-- to block
processes from attempting to access malicious files.

> If it does, is there a way to ask clamav to scan just memory mapped files?

I'm not sure if this can easily be detected.

I guess one could monitor mmap() calls via dtrace, but I'm just guessing!

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de
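The gap Ralf describes (mmap()/msync() changes are invisible to fanotify and inotify) and Neel's observation that the close is still reported can both be shown with inotify, which carries the same documented limitation and needs no special privileges. The C program below is an added example, not code from this thread or from ClamAV; it assumes a Linux kernel with inotify and creates a constructed scratch file under /tmp.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/mman.h>
#include <unistd.h>

#define FILE_SZ 4096
/* Drain every queued inotify event (non-blocking) and OR their masks together. */
static uint32_t drain_events(int ifd) {
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    uint32_t seen = 0;
    ssize_t n;
    while ((n = read(ifd, buf, sizeof buf)) > 0)
        for (char *p = buf; p < buf + n;) {
            struct inotify_event *ev = (struct inotify_event *)p;
            seen |= ev->mask;
            p += sizeof *ev + ev->len;
        }
    return seen;
}

/* Create a constructed scratch file under /tmp, watch it with inotify, then modify it
 * through write() (use_mmap == 0) or through a MAP_SHARED mapping plus msync() (use_mmap != 0).
 * *during gets the event mask seen right after the modification, *after the mask seen
 * once the file has been unmapped and closed. Returns 0 on success, -1 on failure. */
int modify_and_watch(int use_mmap, uint32_t *during, uint32_t *after) {
    char path[] = "/tmp/mmap_notify_demo.XXXXXX";
    int ifd = inotify_init1(IN_NONBLOCK);
    int fd = mkstemp(path);
    if (ifd < 0 || fd < 0 || ftruncate(fd, FILE_SZ) < 0) return -1; /* size the file first */
    if (inotify_add_watch(ifd, path, IN_MODIFY | IN_CLOSE_WRITE) < 0) return -1; /* watch after setup */
    if (use_mmap) {
        char *map = mmap(NULL, FILE_SZ, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        if (map == MAP_FAILED) return -1;
        memcpy(map, "changed via mmap", 16); /* dirties the page cache: no IN_MODIFY */
        msync(map, FILE_SZ, MS_SYNC);        /* flushes it to disk: still no IN_MODIFY */
        *during = drain_events(ifd);
        munmap(map, FILE_SZ);
    } else {
        if (write(fd, "changed via write", 17) < 0) return -1; /* IN_MODIFY fires here */
        *during = drain_events(ifd);
    }
    close(fd); /* last reference dropped: IN_CLOSE_WRITE fires on both paths */
    *after = drain_events(ifd);
    close(ifd);
    unlink(path);
    return 0;
}
```

For an on-access scanner this is why reacting to the close-write event, and not to modification events alone, still catches an mmap-based write once the writer has unmapped and closed the file. While the mapping stays open there is no event at all, which is the window Neel asks about.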
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
_______________________________________________