Re: [Clamav-devel] ClamAV In-Memory Scan

2017-04-05 Thread Michael Engstler
Hi,
Thanks for the quick response.
Your suggestion sounds interesting, but from what I've seen if you give
clamd a file path, it would copy the file to the temporary directory and
perform its tests on the copied file.
This means that even if I memory map my file, the test would still be done
against the copy file.

Any suggestions how to prevent clamd from copying the file to a temp dir?

Thanks again,
Michael.

On 5 Apr 2017 23:09, "Eugene Crosser" wrote:

On 04/05/2017 09:27 PM, Michael Engstler wrote:
> Hi,
> I noticed that when using the INSTREAM command and sending it a memory
> buffer of a file, clamd takes the memory buffer and saves it to
> the TemporaryDirectory (as defined in the config file).
>
> This is an unnecessary overhead as it requires disk IO in order to scan the
> file which is already loaded in-memory.
> Is there any way to command clamd to scan the buffer completely in-memory
> without writing anything to the disk?

That's a feature that I requested many years ago because I had a non-copying
MIME parser that worked on mmap()ed files, and I wanted to virus-scan some parts
of the message. It was not possible, and I think it's not possible now.

I suggest you mmap() your memory region to a temp. file, ideally on tmpfs,
and pass this file to clamav. That ought to minimize the overhead.

Eugene


___
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml


Re: [Clamav-devel] ClamAV In-Memory Scan

2017-04-05 Thread Eugene Crosser
On 04/05/2017 09:27 PM, Michael Engstler wrote:
> Hi,
> I noticed that when using the INSTREAM command and sending it a memory
> buffer of a file, clamd takes the memory buffer and saves it to
> the TemporaryDirectory (as defined in the config file).
> 
> This is an unnecessary overhead as it requires disk IO in order to scan the
> file which is already loaded in-memory.
> Is there any way to command clamd to scan the buffer completely in-memory
> without writing anything to the disk?

That's a feature that I requested many years ago because I had a non-copying
MIME parser that worked on mmap()ed files, and I wanted to virus-scan some parts
of the message. It was not possible, and I think it's not possible now.

I suggest you mmap() your memory region to a temp. file, ideally on tmpfs,
and pass this file to clamav. That ought to minimize the overhead.

Eugene




Re: [Clamav-devel] ClamAV In-Memory Scan

2017-04-05 Thread Brandon Perry

> On Apr 5, 2017, at 2:27 PM, Michael Engstler wrote:
> 
> Hi,
> I noticed that when using the INSTREAM command and sending it a memory
> buffer of a file, clamd takes the memory buffer and saves it to
> the TemporaryDirectory (as defined in the config file).
> 
> This is an unnecessary overhead as it requires disk IO in order to scan the
> file which is already loaded in-memory.
> Is there any way to command clamd to scan the buffer completely in-memory
> without writing anything to the disk?

My understanding is that ClamAV requires a rewindable file stream in order to 
perform scans.

> 
> Thanks,
> Michael.




[Clamav-devel] ClamAV In-Memory Scan

2017-04-05 Thread Michael Engstler
Hi,
I noticed that when using the INSTREAM command and sending it a memory
buffer of a file, clamd takes the memory buffer and saves it to
the TemporaryDirectory (as defined in the config file).

This is an unnecessary overhead as it requires disk IO in order to scan the
file which is already loaded in-memory.
Is there any way to command clamd to scan the buffer completely in-memory
without writing anything to the disk?

Thanks,
Michael.
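
The INSTREAM exchange discussed in this thread, as an added example that is not part of the original messages or ClamAV's own code: the client sends the command, then length-prefixed chunks, then a zero-length chunk, and reads one reply. The socket path is an assumption; adjust it to the LocalSocket value in your clamd.conf.

```python
import socket
import struct

def instream_frames(buf, chunk_size=64 * 1024):
    """Yield the byte strings that make up one INSTREAM request for buf."""
    yield b"zINSTREAM\0"                  # 'z' prefix: NUL-terminated command
    view = memoryview(buf)
    for off in range(0, len(view), chunk_size):
        chunk = view[off:off + chunk_size]
        # Each chunk is a 4-byte big-endian length followed by the data.
        yield struct.pack("!I", len(chunk)) + bytes(chunk)
    yield struct.pack("!I", 0)            # zero-length chunk ends the stream

def parse_reply(raw):
    """Map a clamd reply line to a (status, detail) pair."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        # "stream: <signature name> FOUND" -> keep only the signature name
        return "FOUND", text[:-len(" FOUND")].split(": ", 1)[-1]
    if text.endswith("ERROR"):
        # e.g. the stream was larger than clamd's configured stream limit
        return "ERROR", text
    if text.endswith(": OK"):
        return "OK", ""
    return "UNKNOWN", text

def scan_buffer(buf, socket_path="/var/run/clamav/clamd.ctl"):
    """Send buf to clamd over its local socket (socket_path is an assumption)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        for frame in instream_frames(buf):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            data = s.recv(4096)
            if not data:                  # clamd closed the connection
                break
            reply += data
    return parse_reply(reply)
```

The client side never touches the disk; the spooling to TemporaryDirectory described above happens inside clamd after the chunks arrive.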


Re: [Clamav-devel] [clamav-users] how to avoid false positive in clamAV

2017-04-05 Thread Mark Allan
To whitelist specific files this way, you need to add the md5sum to a file with 
the .fp extension.  So, in your example, it should be sigtool --md5 
my_file_name.exe >> local.fp

If you want to ignore the signature altogether, you add the signature name to a 
file with the extension .ign2.

For what it's worth, this is on page 23 of the "signatures.pdf" document that 
ships with the ClamAV source code.

Best regards
Mark 

> On 5 Apr 2017, at 9:49 am, Gaurav Kumar Garg wrote:
> 
> Hi ClamAV user, developer,
> 
> I am new to clamAV. I like its design.
> 
> While scanning I saw a few false-positive viruses. I searched on the internet 
> and found out that I can avoid these false positives by writing the md5 sum 
> to a local.ign file and putting this file in the /var/lib/clamav/* directory, 
> then restarting the clamd daemon.
> 
> It's partially working, meaning it works when I scan the false-positive file 
> with clamscan -d, and it's not working with clamdscan.
> 
> Steps for creating the local.ign file:
> 
> $ sigtool --md5 my_file_name.exe >> local.ign
> 
> After that I put this file in the /var/lib/clamav/* directory and restarted 
> the clamd daemon.
> 
> When I execute $ clamscan -d /var/lib/clamav/local.ign my_file_name.exe then 
> it's not reporting the false positive; it's working perfectly.
> 
> But when I scan this file using clamdscan, it's still reporting the false 
> positive.
> 
> Could anyone help me regarding this false positive avoidance?
> 
> I cannot submit my false-positive file because of some business ethics and 
> compliance.
> 
> 
> Thank you in advance,
> 
> 
> Regards,
> 
> Gaurav
> 
> 
> ___
> clamav-users mailing list
> clamav-us...@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
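
A small checker for the mix-up discussed in this exchange (file hash lines written to an ignore file instead of a .fp file), as an added example that is not part of the original messages or ClamAV's own tooling. It assumes the `md5:size:name` line layout that `sigtool --md5` prints; the sample bytes, file names and signature name used with it are constructed.

```python
import hashlib
import re

# One line per file, as printed by `sigtool --md5`: <md5 hex>:<size>:<name>
HASH_ENTRY = re.compile(r"^[0-9a-fA-F]{32}:(\d+|\*):.+$")

def fp_entry(data, name):
    """Build the md5:size:name line for a file with these bytes."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)

def lint_db(filename, lines):
    """Return (line_number, problem) pairs for a local .fp or ignore file."""
    problems = []
    ext = filename.rsplit(".", 1)[-1].lower()
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue                      # blank lines carry no entry
        is_hash = bool(HASH_ENTRY.match(line))
        if ext == "fp" and not is_hash:
            # .fp files allowlist files by hash, not by signature name
            problems.append((n, "not an md5:size:name entry"))
        elif ext in ("ign", "ign2") and is_hash:
            # ignore files list signature names; a file hash here is misplaced
            problems.append((n, "file hash entry belongs in a .fp file"))
    return problems

def lint_file(path):
    """Convenience wrapper: lint a database file on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return lint_db(path, fh.readlines())
```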



[Clamav-devel] how to avoid false positive in clamAV

2017-04-05 Thread Gaurav Kumar Garg

Hi ClamAV user, developer,

I am new to clamAV. I like its design.

While scanning I saw a few false-positive viruses. I searched on the internet 
and found out that I can avoid these false positives by writing the md5 sum to 
a local.ign file and putting this file in the /var/lib/clamav/* directory, 
then restarting the clamd daemon.

It's partially working, meaning it works when I scan the false-positive file 
with clamscan -d, and it's not working with clamdscan.

Steps for creating the local.ign file:

$ sigtool --md5 my_file_name.exe >> local.ign

After that I put this file in the /var/lib/clamav/* directory and restarted 
the clamd daemon.

When I execute $ clamscan -d /var/lib/clamav/local.ign my_file_name.exe 
then it's not reporting the false positive; it's working perfectly.

But when I scan this file using clamdscan, it's still reporting the false 
positive.

Could anyone help me regarding this false positive avoidance?

I cannot submit my false-positive file because of some business ethics 
and compliance.



Thank you in advance,


Regards,

Gaurav

