Hello, Rajkumar S writes:
Rob MacGregor wrote:
1) You'd need to decode the packet contents on the fly
2) Anything running over 1 packet would never be spotted

Just wondering how far a signature can go? Does the scanner need to go back and forth in a file for scanning, or can it scan a stream as it passes by? How far does it need to go if it has to go backwards? What about zip files? Do they need to be unzipped before scanning? The idea is to have a small packet queue where the last n packets are stored, scanned and then transmitted in a cyclic fashion, i.e. the first n-1 packets will just get queued; when the nth packet arrives, the queue is scanned, the 1st packet is released and the nth packet is appended to the queue. This process is repeated for every packet. Now don't flame me about performance, I just want to know if such an arrangement will catch all viruses in that stream or if some virus will get past this. What I'm just looking at is whether such a thing is ever possible (as opposed to feasible). The aim is to catch malware that comes via a random TCP connection, like some sort of P2P application.

I have done some research on this already... If you store the file in a disk buffer (say max 100K at a shot using tmpfs for speed), then scan the buffer, it does indeed work. HAVP uses this technique quite well. Where your problem is going to occur, as with HAVP, is in notifying the user that their file was trashed unless the P2P software incorporates the antivirus scanning inline with the downloading. In such a manner, the P2P can notify the user that the transfer was aborted and why.
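The n-packet cyclic queue described in the question can be modelled in a few lines. The following is an added example, not part of the original thread and not ClamAV or HAVP code; it shows which cases such a queue catches and which it misses. The signature, payload, 8-byte packet size and helper names are all constructed for illustration.

```python
import zlib
from collections import deque

# Constructed stand-in for a byte signature; not a real malware pattern.
SIGNATURE = b"EXAMPLE-TEST-SIGNATURE-0001"
# Constructed sample stream: padding, the signature, more padding.
PAYLOAD = b"A" * 100 + SIGNATURE + b"B" * 100


def packetize(data, size=8):
    """Split a byte string into fixed-size 'packets' (hypothetical helper)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def scan_stream(packets, n, signature=SIGNATURE):
    """Cyclic queue of the last n packets, scanned on every arrival.

    Returns (released, hit): the packets already forwarded, and the index of
    the packet whose arrival completed a match (None if nothing matched).
    """
    window, released = deque(), []
    for i, pkt in enumerate(packets):
        window.append(pkt)
        if signature in b"".join(window):
            return released, i          # stop forwarding, abort the transfer
        if len(window) == n:
            released.append(window.popleft())
    released.extend(window)             # clean end of stream: flush the queue
    return released, None


def demo():
    raw = packetize(PAYLOAD)
    packed = packetize(zlib.compress(PAYLOAD))
    return {
        "per_packet": scan_stream(raw, 1)[1],      # signature spans 4 packets
        "queue_of_3": scan_stream(raw, 3)[1],      # 24-byte window < 27-byte signature
        "queue_of_4": scan_stream(raw, 4)[1],      # window covers the whole signature
        "compressed": scan_stream(packed, 64)[1],  # bytes on the wire are deflated
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        outcome = "missed" if hit is None else f"caught at packet {hit}"
        print(f"{case:11} -> {outcome}")
```

The queue only catches a pattern that fits entirely inside the n buffered packets and appears on the wire in the same encoding the signature was written for; a compressed or otherwise encoded transfer has to be decoded before the same scan can match.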


_______________________________________________
http://lurker.clamav.net/list/clamav-users.html