> An implementation of a similar idea across several VMs is:
>
> VM1: any TemplateVM with clamav installed.
>
> VM2: AppVM based on the above, which is network-connected so it can download new
> virus definitions. /var/lib/clamav contains the virus definitions, so make it
> a bind-dir.
>
> VM3: DisposableVM based on the above, which is offline, that does the actual
> scanning. To scan a VM, use qvm-block to attach a VM's private volume to the
> disposable VM.[1]
>
> The actual updating and scanning can be streamlined using shell scripts run
> from dom0.
>
> I think the nice properties of this setup are:
>
> * distro-packaged, open source antivirus
> * antivirus lives outside the VM you are scanning
> * since the antivirus processes a lot of untrusted input, scans are done from
>   a disposable VM3, so if it is compromised in the course of a scan, only that
>   session is compromised
> * since the antivirus may process a lot of sensitive information, VM3 is also
>   offline, making it harder for a compromised antivirus to exfiltrate anything.
>
> [1] To make a DisposableVM have a different NetVM than its template, you can use
> for VM3 the static DisposableVM created by `qvm-create --class DisposableVM
> --template VM2 ...`; it can have the specific NetVM setting of None,
> different from its template.
>
Other nice properties:

* by mounting a snapshot of the private volume, you have the option to scan while the target VM is running
* by mounting a snapshot, you can ensure no modification of the target volume, which some people might like from a forensics point of view.
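A dom0 script that chains the update and scan steps described in the thread, as an added example (not code from either poster). It assumes VM2 is a qube named `clam-update`, VM3 is the offline static DisposableVM `clam-scan`, the target qube's private volume is referenced by the dom0 device id that `qvm-block` lists (the `dom0:dm-12` below is a placeholder), and the attached volume shows up inside VM3 as `/dev/xvdi`.

```shell
#!/bin/bash
# Added example, not from the qubes-users thread. Run in dom0.
# Assumed qube names (change to match your setup):
#   clam-update : VM2, network-connected, /var/lib/clamav is a bind-dir
#   clam-scan   : VM3, offline DisposableVM created with
#                 qvm-create --class DisposableVM --template clam-update
# DRY_RUN=1 prints the qvm commands instead of executing them.
set -e

UPDATER=${UPDATER:-clam-update}
SCANNER=${SCANNER:-clam-scan}
DRY_RUN=${DRY_RUN:-0}

run() {                      # echo each dom0 command, then execute it unless DRY_RUN=1
  echo "+ $*"
  [ "$DRY_RUN" = 1 ] || "$@"
}

update_definitions() {       # VM2 fetches new signatures over the network, then stops
  run qvm-start --skip-if-running "$UPDATER"
  run qvm-run -p "$UPDATER" 'sudo freshclam'
  run qvm-shutdown --wait "$UPDATER"
}

scan_volume() {              # $1 = dom0 device id of the target's private volume
  dev=$1
  status=0
  run qvm-start --skip-if-running "$SCANNER"
  run qvm-block attach "$SCANNER" "$dev"
  # Mount read-only so the scan cannot alter the target volume (assumed to be a
  # bare ext4 filesystem at /dev/xvdi). clamscan exits 1 when it finds something,
  # so capture the status instead of aborting before detach/shutdown.
  run qvm-run -p "$SCANNER" \
    'sudo mount -o ro /dev/xvdi /mnt && clamscan -ri /mnt; rc=$?; sudo umount /mnt; exit $rc' \
    || status=$?
  run qvm-block detach "$SCANNER" "$dev"
  run qvm-shutdown --wait "$SCANNER"   # disposable: discard the session after every scan
  return "$status"
}

# usage from dom0:  ./clamscan-qube.sh dom0:dm-12   (device id from `qvm-block`)
if [ -n "${1:-}" ]; then
  update_definitions
  scan_volume "$1"
fi
```

The scanner qube is shut down after each run so that a compromise during one scan does not carry over to the next; a non-zero exit from the script means clamscan reported a detection or the mount failed.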
