Re: [Clamav-devel] Basics of ClamAV: developing for Win8 and dist thru app store

2014-02-18 Thread Steven Morgan
James,

Some comments inline:


On Mon, Feb 17, 2014 at 9:13 PM, Northern Technical
northtech...@gmail.com wrote:

 Hello,

 From what I can see so far, ClamAV provides a shared library which does the
 scanning and provides tools, e.g. unpacking archives for scanning, updating
 the malware databases.  So perhaps providing a ClamAV app is not much more
 than a UI which calls the library to scan and update.


Pretty much. clamscan and clamd link to libclamav. clamdscan uses clamd
through TCP or a Unix socket. Other apps can use the clamd protocols as well,
or link to libclamav and use its API. Then there are also several utilities
such as freshclam and sigtool.



 Is that an oversimplification?  I'm a little lost since I'm still learning
 how AV programs work generally.  I've got the idea with virus signatures
 which AV programs look for, and they probably go through the entire FS
 looking inside files for those signatures.  I don't know about how
 heuristics work, and what might be done for specific platforms, e.g.
 scanning the Windows registry for entries like login notify and other areas
 malware might hook into.  Same for browser malware, e.g. scanning JS or
 whatever is done there.

 I'm thinking about a free ClamAV Suite for Windows 8/8.1 which can be
 fetched from the Windows App Store.  If it's simple like providing a good
 UI and using the shared library, would it make sense to fork the ClamAV
 sources and, since it's originally written for UNIX-like platforms, provide
 a Windows-specific AV engine?  I know Windows can support POSIX programs,
 but would a Windows AV engine using native Windows calls, threading, etc.,
 be a good idea if there's the time and patience to develop it?


Sounds good. There is windows support currently, see clamav/win32 and also
http://sourceforge.net/projects/clamav/files/clamav/win32/. There are some
other third party windows projects, and also our Immunet.


 Is there any documentation which gives me a good overall picture of how it
 works, linking to the shared library, launching scans, updating, what it
 does (if anything; would a user of the library do it?) with malware that it
 finds?  On Windows, would a user of the ClamAV library do anything such as
 keep a list of hashes of known Windows system DLLs and check those, if
 that's a good idea?  What about scanning the boot area?


clamav/docs. Also google around to find some presentations and papers on
clamav topics.



 Thanks for any guidance or tips.

 James
 ___
 http://lurker.clamav.net/list/clamav-devel.html
 Please submit your patches to our Bugzilla: http://bugs.clamav.net

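The clamd socket protocol Steven describes above (clamdscan, or any other client, talking to clamd over TCP or a Unix socket instead of linking libclamav), as an added example that is not part of this thread or of ClamAV's own code: a small Python client that frames a buffer for clamd's INSTREAM command and parses the daemon's verdict. The zINSTREAM framing (NUL-terminated command, chunks prefixed with a 4-byte big-endian length, zero-length chunk as terminator) and the "stream: ... OK/FOUND/ERROR" reply format are clamd's documented protocol; the StandInClamd class, its marker bytes, its signature name and its stream limit are constructed here so the code runs offline, and connect_clamd() is the only part that touches a real daemon.

```python
"""clamd INSTREAM client (added example; not ClamAV code).

StandInClamd is a constructed stand-in so the module runs offline: its
marker bytes, signature name and size limit are invented for the demo.
"""
import socket
import struct

CLAMD_DEFAULT_PORT = 3310                    # clamd's default TCP port
DEFAULT_CHUNK = 2048                         # chunk size chosen for the demo (assumption)
STANDIN_MARKER = b"STANDIN-MALWARE-MARKER"   # constructed; not a real signature


def frame_instream(data: bytes, chunk_size: int = DEFAULT_CHUNK) -> bytes:
    """Build a complete zINSTREAM request: command, length-prefixed chunks, terminator."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    req = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        req += struct.pack("!I", len(chunk)) + chunk   # 4-byte big-endian length, then bytes
    req += struct.pack("!I", 0)                         # zero-length chunk ends the stream
    return bytes(req)


def parse_reply(reply: bytes) -> tuple:
    """Map a NUL-terminated clamd reply to (verdict, detail).

    clamd answers "stream: OK", "stream: <Signature> FOUND" or
    "stream: <message> ERROR"; anything else is reported as UNKNOWN.
    """
    text = reply.rstrip(b"\0").decode("utf-8", "replace")
    _, sep, rest = text.partition(": ")
    verdict = rest if sep else text
    if verdict == "OK":
        return ("OK", None)
    if verdict.endswith(" FOUND"):
        return ("FOUND", verdict[:-len(" FOUND")])
    if verdict.endswith(" ERROR"):
        return ("ERROR", verdict[:-len(" ERROR")])
    return ("UNKNOWN", text)


def scan_bytes(sock, data: bytes, chunk_size: int = DEFAULT_CHUNK) -> tuple:
    """Stream `data` to clamd over an open socket-like object and return its verdict.

    Reads until the NUL terminator or until the peer closes; clamd closes the
    connection after a single (non-IDSESSION) command.
    """
    sock.sendall(frame_instream(data, chunk_size))
    reply = bytearray()
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return parse_reply(bytes(reply))


def connect_clamd(host: str = "127.0.0.1", port: int = CLAMD_DEFAULT_PORT, timeout: float = 30.0):
    """Open a TCP connection to a real clamd (use an AF_UNIX socket for LocalSocket setups)."""
    return socket.create_connection((host, port), timeout=timeout)


class StandInClamd:
    """Constructed stand-in exposing the socket methods scan_bytes uses (NOT ClamAV).

    It reassembles the INSTREAM chunks and answers in clamd's reply format so the
    client can be exercised offline; 'detection' is a fixed marker substring.
    """

    def __init__(self, max_stream: int = 4096):
        self.max_stream = max_stream
        self._rx = bytearray()
        self._tx = b""
        self._answered = False

    def sendall(self, data: bytes) -> None:
        self._rx += data

    def recv(self, n: int) -> bytes:
        if not self._answered:
            self._tx, self._answered = self._reply_for(bytes(self._rx)), True
        out, self._tx = self._tx[:n], self._tx[n:]
        return out                       # b"" once drained, like a closed connection

    def close(self) -> None:
        pass

    def _reply_for(self, req: bytes) -> bytes:
        if not req.startswith(b"zINSTREAM\0"):
            return b"stream: UNKNOWN COMMAND ERROR\0"
        body, off = bytearray(), len(b"zINSTREAM\0")
        while True:
            if len(req) < off + 4:
                return b"stream: truncated chunk header ERROR\0"
            (n,) = struct.unpack("!I", req[off:off + 4])
            off += 4
            if n == 0:
                break
            if len(req) < off + n:
                return b"stream: truncated chunk ERROR\0"
            body += req[off:off + n]
            off += n
            if len(body) > self.max_stream:     # constructed limit, mirrors StreamMaxLength
                return b"stream: INSTREAM size limit exceeded. ERROR\0"
        if STANDIN_MARKER in body:
            return b"stream: Test.StandIn.Marker FOUND\0"
        return b"stream: OK\0"


if __name__ == "__main__":
    # Offline demo against the stand-in; swap in connect_clamd() for a real daemon.
    print(scan_bytes(StandInClamd(), b"plain document text"))
    print(scan_bytes(StandInClamd(), b"prefix " + STANDIN_MARKER + b" suffix", chunk_size=5))
    print(scan_bytes(StandInClamd(max_stream=8), b"x" * 64))
```

Chunking matters in practice: a client that sends one oversized chunk gets clamd's size-limit ERROR rather than a verdict, so the client treats "ERROR" as "not scanned" instead of "clean".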


Re: [Clamav-devel] Basics of ClamAV: developing for Win8 and dist thru app store

2014-02-18 Thread Brandon Perry
I would also like to mention that I have written C# bindings for both libclamav
and clamd over TCP if that helps IRT Windows.

https://github.com/brandonprry/clam-sharp

Sent from a computer



[Clamav-devel] Basics of ClamAV: developing for Win8 and dist thru app store

2014-02-17 Thread Northern Technical
Hello,

From what I can see so far, ClamAV provides a shared library which does the
scanning and provides tools, e.g. unpacking archives for scanning, updating
the malware databases.  So perhaps providing a ClamAV app is not much more
than a UI which calls the library to scan and update.

Is that an oversimplification?  I'm a little lost since I'm still learning
how AV programs work generally.  I've got the idea with virus signatures
which AV programs look for, and they probably go through the entire FS
looking inside files for those signatures.  I don't know about how
heuristics work, and what might be done for specific platforms, e.g.
scanning the Windows registry for entries like login notify and other areas
malware might hook into.  Same for browser malware, e.g. scanning JS or
whatever is done there.

I'm thinking about a free ClamAV Suite for Windows 8/8.1 which can be
fetched from the Windows App Store.  If it's simple like providing a good
UI and using the shared library, would it make sense to fork the ClamAV
sources and, since it's originally written for UNIX-like platforms, provide
a Windows-specific AV engine?  I know Windows can support POSIX programs,
but would a Windows AV engine using native Windows calls, threading, etc.,
be a good idea if there's the time and patience to develop it?

Is there any documentation which gives me a good overall picture of how it
works, linking to the shared library, launching scans, updating, what it
does (if anything; would a user of the library do it?) with malware that it
finds?  On Windows, would a user of the ClamAV library do anything such as
keep a list of hashes of known Windows system DLLs and check those, if
that's a good idea?  What about scanning the boot area?

Thanks for any guidance or tips.

James