Re: [Clamav-devel] CalmAV In-Memory Scan
Hi,

Thanks for the quick response.
Your suggestion sounds interesting, but from what I've seen if you give clamd a file path, it would copy the file to the temporary directory and perform its tests on the copied file.
This means that even if I memory map my file, the test would still be done against the copy file.
Any suggestions how to prevent clamd from copying the file to a temp dir?

Thanks again,
Michael.

On 5 Apr 2017 23:09, "Eugene Crosser" wrote:

> On 04/05/2017 09:27 PM, Michael Engstler wrote:
> > Hi,
> > I noticed that when using the INSTREAM command and sending it a memory
> > buffer of a file, clamd takes the memory buffer and saves it to
> > the TemporaryDirectory (as defined in the config file).
> >
> > This is an unnecessary overhead as it requires disk IO in order to scan the
> > file which is already loaded in-memory.
> > Is there any way to command clamd to scan the buffer completely in-memory
> > without writing anything to the disk?
>
> That's a feature that I requested many years ago because I had a non-copying
> MIME parser that worked on mmap()ed files, and I wanted to virus-scan some
> parts of the message. It was not possible, and I think it's not possible now.
>
> I suggest you to mmap() your memory region to a temp. file, ideally on tmpfs,
> and pass this file to clamav. That ought to minimize the overhead.
>
> Eugene

___
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
Re: [Clamav-devel] CalmAV In-Memory Scan
On 04/05/2017 09:27 PM, Michael Engstler wrote:
> Hi,
> I noticed that when using the INSTREAM command and sending it a memory
> buffer of a file, clamd takes the memory buffer and saves it to
> the TemporaryDirectory (as defined in the config file).
>
> This is an unnecessary overhead as it requires disk IO in order to scan the
> file which is already loaded in-memory.
> Is there any way to command clamd to scan the buffer completely in-memory
> without writing anything to the disk?

That's a feature that I requested many years ago because I had a non-copying MIME parser that worked on mmap()ed files, and I wanted to virus-scan some parts of the message. It was not possible, and I think it's not possible now.

I suggest you to mmap() your memory region to a temp. file, ideally on tmpfs, and pass this file to clamav. That ought to minimize the overhead.

Eugene
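The tmpfs staging suggested in the message above, as an added Python example (not code from the thread or from the ClamAV project): the buffer is copied through a shared mapping into a file under /dev/shm and the path is handed to clamd with its SCAN command. The socket path, the /dev/shm location and the function names are assumptions, and clamd must run as a user that can read the staged file.

```python
import mmap
import os
import socket
import tempfile


def stage_on_tmpfs(buf: bytes, tmpfs_dir: str = "/dev/shm") -> str:
    """Copy buf into a new file under tmpfs_dir via a shared mapping."""
    if not buf:
        raise ValueError("cannot map an empty buffer")
    fd, path = tempfile.mkstemp(prefix="scan-", dir=tmpfs_dir)  # mode 0600
    try:
        os.ftruncate(fd, len(buf))        # size the file before mapping it
        with mmap.mmap(fd, len(buf), access=mmap.ACCESS_WRITE) as m:
            m[:] = buf                    # on tmpfs this stays in RAM
    except BaseException:
        os.unlink(path)                   # never leave a half-written file
        raise
    finally:
        os.close(fd)
    return path


def scan_command(path: str) -> bytes:
    """Frame clamd's SCAN command in its NUL-terminated ('z') form."""
    if "\0" in path:
        raise ValueError("NUL byte in path")
    return b"zSCAN " + os.fsencode(path) + b"\0"


def scan_buffer(buf: bytes,
                clamd_socket: str = "/var/run/clamav/clamd.ctl",  # assumed
                tmpfs_dir: str = "/dev/shm") -> str:
    """Stage buf on tmpfs, ask clamd to scan it, return clamd's reply."""
    path = stage_on_tmpfs(buf, tmpfs_dir)
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.connect(clamd_socket)
            s.sendall(scan_command(path))
            reply = b""
            while not reply.endswith(b"\0"):
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return reply.rstrip(b"\0").decode(errors="replace")
    finally:
        os.unlink(path)                   # remove the staged copy either way
```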
Re: [Clamav-devel] CalmAV In-Memory Scan
> On Apr 5, 2017, at 2:27 PM, Michael Engstler wrote:
>
> Hi,
> I noticed that when using the INSTREAM command and sending it a memory
> buffer of a file, clamd takes the memory buffer and saves it to
> the TemporaryDirectory (as defined in the config file).
>
> This is an unnecessary overhead as it requires disk IO in order to scan the
> file which is already loaded in-memory.
> Is there any way to command clamd to scan the buffer completely in-memory
> without writing anything to the disk?

My understanding is that ClamAV requires a rewindable file stream in order to perform scans.

>
> Thanks,
> Michael.
[Clamav-devel] CalmAV In-Memory Scan
Hi,

I noticed that when using the INSTREAM command and sending it a memory buffer of a file, clamd takes the memory buffer and saves it to the TemporaryDirectory (as defined in the config file).

This is an unnecessary overhead as it requires disk IO in order to scan the file which is already loaded in-memory.
Is there any way to command clamd to scan the buffer completely in-memory without writing anything to the disk?

Thanks,
Michael.
Re: [Clamav-devel] [clamav-users] how to avoid false positive in clamAV
To whitelist specific files this way, you need to add the md5sum to a file with the .fp extension. So, in your example, it should be

    sigtool --md5 my_file_name.exe >> local.fp

If you want to ignore the signature altogether, you add the signature name to a file with the extension ign2.

For what it's worth, this is on page 23 of the "signatures.pdf" document that ships with the ClamAV source code.

Best regards
Mark

> On 5 Apr 2017, at 9:49 am, Gaurav Kumar Garg wrote:
>
> Hi ClamAV user, developer,
>
> I am new to clamAV. I like its design.
>
> While scanning I saw few false positive virus. I search on internet and found
> out that I can avoid these false positive by writing md5 sum to local.ign
> file and putting this file in /var/lib/clamav/* directory. then restarting
> clamd daemon.
>
> It's partially working, means it working when I scan false positive file with
> clamscan -d and it's not working with clamdscan.
>
> Steps for creating local.ign file:
>
> $ sigtool --md5 my_file_name.exe >> local.ign
>
> after that I put this file in /var/lib/clamav/* directory and restarted clamd
> daemon.
>
> when I execute $ clamscan -d /var/lib/clamav/local.ign my_file_name.exe then
> it's not reporting false positive, it's working perfectly.
>
> But when I scan this file using clamdscan then it's still reporting false
> positive.
>
> Could anyone help me regarding this false positive avoidance.
>
> I can not submit my false positive file because of some business ethics and
> compliance.
>
> Thank you in advance,
>
> Regards,
>
> Gaurav
>
> ___
> clamav-users mailing list
> clamav-us...@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
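A check for the mix-up discussed in the message above, as an added Python example (not part of the thread and not a ClamAV tool): it walks a local database directory and reports `sigtool --md5` style entries (`md5:size:name`) that sit in a `.ign` or `.ign2` file, and lines in a `.fp` file that are not such entries. The function name and message strings are assumptions; the directory to check is whatever your clamd loads its databases from.

```python
import re
from pathlib import Path

# Shape of one line printed by `sigtool --md5 <file>`: md5:size:name
HASH_ENTRY = re.compile(r"^[0-9a-fA-F]{32}:\d+:.+$")

HASH_IN_WRONG_FILE = "md5:size:name entry belongs in a .fp file"
NOT_A_HASH_ENTRY = "line in .fp file is not an md5:size:name entry"


def lint_local_db(db_dir):
    """Return (file name, line number, problem) for misplaced entries."""
    findings = []
    for db in sorted(Path(db_dir).iterdir()):
        if db.suffix not in {".fp", ".ign", ".ign2"}:
            continue  # only the file types discussed in the thread
        text = db.read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            line = line.strip()
            if not line:
                continue
            is_hash = HASH_ENTRY.match(line) is not None
            if is_hash and db.suffix != ".fp":
                # The situation from the thread: hash written to local.ign
                findings.append((db.name, lineno, HASH_IN_WRONG_FILE))
            elif not is_hash and db.suffix == ".fp":
                # e.g. a signature name, which belongs in a .ign2 file
                findings.append((db.name, lineno, NOT_A_HASH_ENTRY))
    return findings


if __name__ == "__main__":
    import sys
    for name, lineno, problem in lint_local_db(sys.argv[1]):
        print(f"{name}:{lineno}: {problem}")
```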
[Clamav-devel] how to avoid false positive in clamAV
Hi ClamAV user, developer,

I am new to clamAV. I like its design.

While scanning I saw few false positive virus. I search on internet and found out that I can avoid these false positive by writing md5 sum to local.ign file and putting this file in /var/lib/clamav/* directory. then restarting clamd daemon.

It's partially working, means it working when I scan false positive file with clamscan -d and it's not working with clamdscan.

Steps for creating local.ign file:

$ sigtool --md5 my_file_name.exe >> local.ign

after that I put this file in /var/lib/clamav/* directory and restarted clamd daemon.

when I execute $ clamscan -d /var/lib/clamav/local.ign my_file_name.exe then it's not reporting false positive, it's working perfectly.

But when I scan this file using clamdscan then it's still reporting false positive.

Could anyone help me regarding this false positive avoidance.

I can not submit my false positive file because of some business ethics and compliance.

Thank you in advance,

Regards,

Gaurav