> An implementation of a similar idea across several VMs is:
>
> VM1: any TemplateVM with clamav installed.
>
> VM2: AppVM based on above, which is network-connected so it can download new
> virus definitions. /var/lib/clamav contains the virus definitions so make it
> a bind-dir.
>
> VM3: DisposableVM based on the above, which is offline, that does the actual
> scanning. To scan a VM, use qvm-block to attach a VM's private volume to the
> disposable VM.[1]
>
> The actual updating and scanning can be streamlined using shell scripts run
> from dom0.
>
> I think the nice properties of this setup are:
> * distro-packaged, open source antivirus
> * antivirus lives outside the VM you are scanning
> * since the antivirus processes a lot of untrusted input, scans are done from
> a disposable VM3, so if it is compromised in the course of a scan, only that
> session is compromised
> * since the antivirus may process a lot of sensitive information, VM3 is also
> offline, making it harder for compromised antivirus to exfiltrate anything.
>
> [1] To make a DisposableVM have a different NetVM than its template, you can use
> for VM3 the static DisposableVM created by `qvm-create --class DisposableVM
> --template VM2 ...`; it can have the specific NetVM setting of None,
> different from its template.




Other nice properties:
* by mounting a snapshot of the private volume, you have the option to scan 
while the target VM is running

* by mounting a snapshot, you can ensure no modification of the target volume, 
which some people might like from a forensics point of view.



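The dom0 scripting and snapshot-based scanning described in the two posts above, as an added example that is not code from either poster. It assumes the Qubes 4.x LVM layout (thin pool `qubes_dom0`, private volumes named `vm-<name>-private`), an offline DisposableVM named `clamav-dvm` with clamav installed, and that the attached disk appears inside it as `/dev/xvdi`; all of these are assumptions, not details from the thread.

```shell
#!/bin/bash
# Added example (not from the original posts): dom0 helper that snapshots a
# VM's private volume, attaches the snapshot read-only to an offline
# DisposableVM with clamav, runs clamscan there, then cleans up.
# Assumed (not stated in the thread): LVM pool "qubes_dom0", volumes named
# vm-<name>-private, DisposableVM "clamav-dvm", attached disk seen as /dev/xvdi.
set -eu

# Turn a readlink result such as "../dm-93" into the dom0 device id "dm-93",
# which is the form qvm-block expects after "dom0:".
dm_from_link() { basename "$1"; }

# Name of the throwaway snapshot for a given VM name.
snap_name() { printf 'vm-%s-private-scan' "$1"; }

scan_vm() {
    target="$1"
    dvm="${2:-clamav-dvm}"
    snap="$(snap_name "$target")"
    # Snapshot first: the target VM may keep running and its real volume is
    # never touched, which also keeps the scan forensically clean.
    sudo lvcreate -s -n "$snap" "qubes_dom0/vm-${target}-private"
    sudo lvchange -ay -K "qubes_dom0/${snap}"   # thin snapshots start inactive
    dev="$(dm_from_link "$(readlink "/dev/qubes_dom0/${snap}")")"
    qvm-block attach --ro "$dvm" "dom0:${dev}"
    # Mount read-only without journal replay, then scan. clamscan exits 1 when
    # infected files are found, so capture the status instead of aborting.
    rc=0
    qvm-run -p -u root "$dvm" \
        'mkdir -p /mnt/scan && mount -o ro,noload /dev/xvdi /mnt/scan && clamscan -r -i /mnt/scan; s=$?; umount /mnt/scan; exit $s' || rc=$?
    qvm-block detach "$dvm" "dom0:${dev}"
    sudo lvremove -f "qubes_dom0/${snap}"
    return "$rc"   # 0 clean, 1 infected, 2 clamscan error
}

# Usage from dom0: ./scan_vm.sh <target-vm> [disposable-vm]
if [ "$#" -gt 0 ]; then
    scan_vm "$@"
fi
```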
-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/LO-L6ng--3-1%40tutanota.com.