Geek Answers Handbook

Scan files in memory, ideally with ClamAV

We are introducing a corporate application with great attention to security, which includes downloading files. These files must be checked for viruses, but also must be encrypted.

The current process is that files are downloaded and then transferred by stream - through encrypter - to the temporary storage area on disk. Then the virus scanner is called up and the files are decrypted on the fly, transferred through ClamAV through the socket, and then the virus status is returned from the socket.

The problem is that ClamAV seems to write to the temporary area on disk before scanning, which means unencrypted potentially sensitive data in the file system.

Does anyone know how to fix this? Perhaps by setting ClamAV to scan only in memory (my Google search returned no results) or maybe some alternative suggestions?

+7
source share
3 answers

I assume you are using clamd since you are talking to it through a socket, not clamscan, the cli tool.

In this case, you can configure it using the TemporaryDirectory directive in your clamd.conf file to point to an encrypted file system for temporary storage using something like dm-crypt (https://help.ubuntu.com/community/EncryptedFilesystemHowto ) - I hope this helps.

Link from person 5 clamd.conf:

TemporaryDirectory STRING Optional path to the global temporary directory. Default: system specific (usually /tmp or /var/tmp).
+6
source

There is a good example:

Java API for virus detection using ClamAV Antivirus

http://nsinfra.blogspot.ca/2011/06/java-api-to-detect-virus-using-clamav.html

This post describes a file scanning approach to detect trojans, viruses, malware, and other malicious threats using the Java APIs.

The following points were covered: About ClamAV antivirus. Instructions for installing ClamAV antivirus on a Linux machine. Approaching a scan file using the Java ClamAV API for virus detection.

+4
source

The simplest thing I can imagine is to use the ram disk.

Perhaps you should check to see if ClamAV has a more sophisticated API for such a task.

+1
source

More articles:


All Articles