Bump... Can anyone confirm that clamav-win does not scan memory resident
files but files associated with resident processes from disk?

Thanks,

Jason

On Thu, Mar 8, 2012 at 4:45 PM, Jason Gionta <jjgio...@ncsu.edu> wrote:

> Hi all,
>
> I tried to get an answer from the clam-av mailing list but I haven't
> gotten any help so I was hoping the development list might help.
>
> From the clamav-win documentation, clamav-win supports memory scanning by
> adding the "--memory" option to the command line.
>
> However, after looking at the source code and tracing a running instance
> in Visual Studio, it seems that clamav-win is not scanning memory but
> scanning files associated with processes in memory.
>
> Essentially the memory scan algorithm is as follows: 1) get process list,
> 2) read each process's associated modules (files), 3) extract the module's
> location in a file format, 4) scan the file by calling "_open" with
> read-only permissions
>
> Is this correct? And if so, this seems like it is not scanning memory, but
> files on disk.  Can someone confirm this?
>
> Thanks,
>
> Jason
>
>


-- 
Jason Gionta
Cyber Defense Lab
North Carolina State University
jjgio...@ncsu.edu
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
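
The distinction the question above turns on, as an added example (not ClamAV or clamav-win code, and not part of the original post): a portable Python analog in which a file is mapped copy-on-write, the mapped copy is changed, and a scan that reopens the path read-only is compared with a scan of the mapped bytes. `SIGNATURE`, `scan_path`, `scan_mapping` and the temporary file are constructed for illustration.

```python
import mmap
import os
import tempfile

# Constructed marker standing in for a scanner signature (not a real ClamAV signature).
SIGNATURE = b"EXAMPLE-SIGNATURE-0001"

def scan_bytes(data):
    """Toy matcher: report whether the constructed signature occurs in data."""
    return SIGNATURE in data

def scan_path(path):
    """Path-based scan: reopen the backing file read-only and scan the disk content."""
    flags = os.O_RDONLY | getattr(os, "O_BINARY", 0)  # O_BINARY exists on Windows only
    fd = os.open(path, flags)
    try:
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
    finally:
        os.close(fd)
    return scan_bytes(b"".join(chunks))

def scan_mapping(view):
    """Memory-based scan: scan the bytes as they currently exist in the mapping."""
    return scan_bytes(view[:])

def demo():
    """Return ((disk, memory) before the change, (disk, memory) after the change)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        os.write(fd, b"\x00" * 4096)  # constructed clean "module" on disk
        os.close(fd)
        with open(path, "rb") as f:
            # ACCESS_COPY is a private copy-on-write mapping: writes never reach the file.
            view = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_COPY)
        try:
            before = (scan_path(path), scan_mapping(view))
            view[128:128 + len(SIGNATURE)] = SIGNATURE  # change exists in memory only
            after = (scan_path(path), scan_mapping(view))
        finally:
            view.close()
    finally:
        os.remove(path)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Only the scan of the mapped bytes reports the marker after the change; the path-based scan still sees the unchanged file on disk.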
