<I thought I sent the following email but my email provider is really bad so
it's not showing up in sent items. So sending again just to be sure; sorry for
the spam>
Hello Ralf,
I hope I can ask a follow-up question. You wrote:
> It doesn't (from the clamonacc man page):
> The clamonacc daemon registers for file access notifications from the
> Linux kernel and in response, submits scans to the clamd scanning
> daemon for a verdict. On-Access requires a kernel version >= 3.8,
> because it leverages a kernel api called --> fanotify <-- to block
> processes from attempting to access malicious files.
I have verified that a file opened using memory-mapped I/O, when closed through
close(), will result in a fanotify notification. But I wanted to know whether
the following is possible:
- we are running clamonacc
- the file is opened using memory-mapped I/O.
At this point, can it get infected? If yes, and if this file is executable, can it
get executed _along with its infected code_ **without being closed**?
Thanks in advance,
-Neel.
From: Ralf Hildebrandt via clamav-users <clamav-users@lists.clamav.net>
Sent: Thu, 05 Dec 2024 16:05:32
To: clamav-users@lists.clamav.net
Cc: Ralf Hildebrandt <ralf.hildebra...@charite.de>
Subject: Re: [clamav-users] [ext] Scanning memory mapped files
> I am not using clamonacc. I run my own program that uses fanotify, just
> like clamonacc does, and gets a list of files that are modified/added.
> I send that list to clamscan or clamdscan.
A bit like incrond (which uses inotify() )
> The problem is limitation of fanotify which is that "The fanotify API
> does not report file accesses and modifications that may occur because of
> mmap(2), msync(2), and munmap(2)."
Same goes for inotify() -- just checked.
So whenever a process alters a file using mmap()/munmap() or msync(),
your program (or rather inotify/fanotify) doesn't detect any change,
and thus the file won't be in the list passed to clamscan or clamdscan.
> Now my assumption is mmap, msync, munmap deals with memory mapped files.
So questions I have are:
> "does clamav scan memory mapped files?"
Yes: After all, a file is just a file. In the end, it's all on disk.
> Further details: If I run clamscan or clamdscan on "/"; it would
> scan all files so it does not matter.
> But how does clamonacc overcome this limitation since it uses fanotify?
It doesn't (from the clamonacc man page):
The clamonacc daemon registers for file access notifications from the
Linux kernel and in response, submits scans to the clamd scanning
daemon for a verdict. On-Access requires a kernel version >= 3.8,
because it leverages a kernel api called --> fanotify <-- to block
processes from attempting to access malicious files.
> If it does, is there a way to ask clamav to scan just memory mapped files?
I'm not sure if this can easily be detected.
I guess one could monitor mmap() calls via dtrace, but I'm just guessing!
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin
Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de
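An added example, not code from this thread, from ClamAV or from clamonacc: the limitation discussed above is that a MAP_SHARED writable mapping can change a file's contents without fanotify/inotify reporting it. One defender-side workaround is to enumerate the files that are currently mapped that way by reading each process's /proc/<pid>/maps (the column layout follows proc(5)) and to hand that list to clamdscan from a periodic job, independent of the notification API. The sample maps lines below are constructed; the script reads the real /proc only when run directly, and needs Linux and enough privilege to read other processes' maps.

```python
"""List files that are currently memory-mapped MAP_SHARED + writable (perms
'rw-s') by running processes, by parsing /proc/<pid>/maps.  Writes through
such mappings reach the file without a fanotify/inotify event, so these
files are candidates for an explicit periodic scan (e.g. with clamdscan).

Added example; not ClamAV/clamonacc code.  SAMPLE_MAPS is constructed."""

import os
import re

# One /proc/<pid>/maps line: address range, perms, offset, dev, inode, path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)


def parse_maps(text):
    """Yield (perms, inode, path) for every file-backed mapping in a maps dump.

    Anonymous mappings (inode 0) and pseudo paths such as [heap]/[stack]
    are skipped because there is no file on disk to scan."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        inode = int(m.group("inode"))
        path = m.group("path").strip()
        if inode == 0 or not path.startswith("/"):
            continue
        yield m.group("perms"), inode, path


def writable_shared_files(text):
    """Return the sorted, unique paths mapped with PROT_WRITE and MAP_SHARED.

    Only 'w' + 's' mappings can modify the file: private ('p') writable
    mappings are copy-on-write and never reach disk."""
    found = set()
    for perms, _inode, path in parse_maps(text):
        if perms[1] == "w" and perms[3] == "s":
            if path.endswith(" (deleted)"):
                continue  # unlinked while mapped; nothing left to scan by name
            found.add(path)
    return sorted(found)


def scan_running_processes(proc="/proc"):
    """Collect candidate files across all readable processes on this host."""
    result = set()
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "maps")) as f:
                result.update(writable_shared_files(f.read()))
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited or we may not read its maps
    return sorted(result)


# Constructed sample in /proc/<pid>/maps format; paths are made up.
SAMPLE_MAPS = """\
55d0c3e00000-55d0c3e01000 r-xp 00000000 fd:01 1311762   /usr/bin/editor
7f3a1c000000-7f3a1c004000 rw-s 00000000 fd:01 2621450   /srv/data/shared.bin
7f3a1c100000-7f3a1c200000 rw-p 00000000 fd:01 2621451   /srv/data/private.bin
7f3a1c300000-7f3a1c301000 r--s 00000000 fd:01 2621452   /srv/data/readonly.bin
7f3a1c400000-7f3a1c421000 rw-p 00000000 00:00 0
7ffd5a000000-7ffd5a021000 rw-p 00000000 00:00 0         [stack]
7f3a1c500000-7f3a1c504000 rw-s 00000000 fd:01 2621453   /tmp/gone.bin (deleted)
"""


if __name__ == "__main__":
    # Emit one path per line, e.g. to pipe into: xargs -r clamdscan --fdpass
    for path in scan_running_processes():
        print(path)
```

On the constructed sample only /srv/data/shared.bin is reported: the private writable mapping cannot alter the file, the read-only shared mapping cannot either, and the unlinked file has no path left to scan. The list is a snapshot, so a process that maps, writes and unmaps between two runs is still missed; this complements, rather than replaces, the close()-time fanotify event Neel observed.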
_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat