Mar Matthias Darin wrote:I have done some research on this already... If you store the file in a disk buffer (say max 100K at a shot using tmpfs for speed), then scan the buffer, it does indeed work.How short can this buffer go? Does this file needs to be seekable?
Ideally, I would say 16K would be as small as you want to go. If the buffer is to small, the transfer speed will suffer.
Where your problem is going to occur, as with havp, is in notifing the user that their file was trashed unless the P2P software incorporates the antivirus scanning inline with the downloading. In such a manner, the P2P can notify the user that the transfer was abort and why.One way would be to overwrite the matched signatures with zero, that would defang the file. Another way would be to use this in conjunction with desktop virus scanner where the gateway antivirus would provide "defence in depth", There is no fit all approach here.
These would work. However; one must take into account that many end-users would not have an understanding of this technique when their computer locks up from a bad jump table in the EXE header. My personal opinion is that the antivirus at this level needs to be integrated into the application or have hooks that allow easy integration.
pgpVDFNWYdZof.pgp
Description: PGP signature
_______________________________________________ http://lurker.clamav.net/list/clamav-users.html
