On Thu, 5 Dec 2024, neel roy via clamav-users wrote:
> Hello Ralf,
> I hope I can ask a follow-up question. You wrote:
> > It doesn't (from the clamonacc man page):
> > The clamonacc daemon registers for file access notifications from the
> > Linux kernel and in response, submits scans to the clamd scanning
> > daemon for a verdict. On-Access requires a kernel version >= 3.8,
> > because it leverages a kernel api called --> fanotify -- to block
> > processes from attempting to access malicious files.
> I have verified that a file opened using memory mapped io when closed
> through close() will result in a fanotify notification. But I wanted to
> know whether the following is possible:
> - we are running clamonacc
> - file is opened using memory mapped io.
> At this point, can it get infected? If yes, and if this file is executable,
> can it get executed _along with its infected code_ **without being
> closed**?
The file would be infected once the attacking process has 'flush'ed
the changes. I am not sure that the new version of the file can be
opened or exec'ed before the attacker closes it, but the answer *may*
depend upon the filesystem in use, what privileges are active, and what
bugs there are in the filesystem.
I cannot be confident that the answer is "no" - even if it is "no" today,
a filesystem driver update could change the answer.
With clamonacc, the victim process opening the modified file *should* not
get access until clamav has declared it safe. I do not have the expertise
to confirm that this is true.
If the victim already has the file open, then it should not be possible
for the attacker to open that instance of the file - both versions should
exist until they are closed (think of .nfsd files on NFS filesystems).
Thus clamonacc should still protect you from the modified version.
However, I see enough bugs in the new features in filesystems
that I fear there is a possibility for an attack to get through
by exploiting a filesystem bug.
--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk
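To make the mechanism the quoted man page describes concrete, here is a minimal fanotify permission gate, added as an illustration and not clamonacc's or ClamAV's code: it marks a directory so that every open is held until the watcher answers FAN_ALLOW or FAN_DENY, and it also receives FAN_CLOSE_WRITE once a writer closes the file, which is the point in the thread where a rescan can be triggered. Assumed: Linux >= 3.8, CAP_SYS_ADMIN, and a placeholder scanner that flags a constructed marker string in place of a real clamd verdict.

```c
/* Minimal fanotify open-permission gate (illustration, not clamonacc).
 * Assumes Linux >= 3.8 and CAP_SYS_ADMIN. Build: cc -o fangate fangate.c
 * Run: ./fangate /some/dir   (then open files in that dir from another shell) */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Placeholder verdict: a real deployment would ask clamd. Here a file is
 * "malicious" if its first bytes equal the constructed marker below. */
int looks_malicious(const char *head, size_t n) {
    static const char marker[] = "CONSTRUCTED-BAD-MARKER";
    return n >= sizeof marker - 1 && memcmp(head, marker, sizeof marker - 1) == 0;
}

static int scan_fd_is_malicious(int fd) {
    char head[64];
    ssize_t n = pread(fd, head, sizeof head, 0);
    return n > 0 && looks_malicious(head, (size_t)n);
}

/* Reply for one event: only permission events need an answer. */
unsigned int verdict_for(unsigned long long mask, int malicious) {
    if (!(mask & FAN_OPEN_PERM))
        return 0;                       /* notification-only, no reply */
    return malicious ? FAN_DENY : FAN_ALLOW;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s DIR\n", argv[0]); return 2; }
    /* FAN_CLASS_CONTENT: the opener is blocked until we respond. */
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY | O_LARGEFILE);
    if (fan < 0) { perror("fanotify_init (needs CAP_SYS_ADMIN)"); return 1; }
    if (fanotify_mark(fan, FAN_MARK_ADD, FAN_OPEN_PERM | FAN_CLOSE_WRITE,
                      AT_FDCWD, argv[1]) < 0) { perror("fanotify_mark"); return 1; }
    struct fanotify_event_metadata ev;
    while (read(fan, &ev, sizeof ev) == (ssize_t)sizeof ev) {
        if (ev.fd < 0) continue;
        unsigned int v = verdict_for(ev.mask, scan_fd_is_malicious(ev.fd));
        if (v) {  /* an unanswered permission event leaves the opener hanging */
            struct fanotify_response r = { .fd = ev.fd, .response = v };
            if (write(fan, &r, sizeof r) < 0) perror("fanotify response");
        }
        if (ev.mask & FAN_CLOSE_WRITE)
            fprintf(stderr, "pid %d closed a written file; next open is rescanned\n", ev.pid);
        close(ev.fd);               /* the event fd pins the file until closed */
    }
    return 0;
}
```

A write made through a MAP_SHARED mapping is only seen here once the writer's close produces FAN_CLOSE_WRITE, so the gate protects the next open, not a mapping that is already live.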