I am experimenting with a Python script which uses http://xael.org/norman/python/pyclamd/ to scan blocks of data. Here is my scenario: I read one block (4096 bytes in my case) from a socket. I call pyclamd.scan_stream( block ), which I assume is in turn calling either INSTREAM or STREAM (I don't know which, since the docs for pyclamd don't specify which actual clamd call occurs when calling scan_stream). I then check the return code from clamd: if it returns None (NULL) I know that the block is safe and I pass it along; otherwise I throw an exception and close the connection.

My question is this: since I'm breaking the stream up into blocks and scanning each block separately, am I running the risk of a virus sneaking by at the edge of the blocks and not matching a pattern? For example, take the block 'Hello Vir' and the block 'us World', and assume that the substring 'Virus' is the actual virus. Since neither 'Vir' (the last 3 bytes of the first block) nor 'us' (the first two bytes of the second block) is 'Virus', it would seem that clamd would miss "Virus" and not return a match, letting the virus essentially sneak through the sides, as it were. Is this true? If so, is there a workaround? Or do I need to save the complete stream to disk and then call clamd.scan_file("/tmp/tfile.bin") before re-transmitting the file?
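The boundary problem described in the post, as an added illustration that is not part of the original message and does not use pyclamd or clamd: a constructed toy matcher (`toy_scan`, a plain substring search over the constructed `SIGNATURES` list) stands in for the scanner, and three strategies are compared on the same block sequence: scanning each block on its own, scanning each block together with the tail of the previous block, and buffering the whole stream before a single scan. The names and signature strings are all assumptions made for the demonstration.

```python
"""Added illustration of why per-block scanning misses a signature
that straddles a block boundary, and how the two obvious workarounds
behave.  toy_scan() is a constructed stand-in for a real scanner call
such as pyclamd's scan_stream(); real ClamAV signatures are not plain
substrings, so only the mechanics carry over, not the matching rules.
"""
from typing import Iterable, Iterator, List, Optional

# Constructed toy signatures (assumption for the demo, not real ones).
SIGNATURES: List[bytes] = [b"Virus", b"EVIL"]


def toy_scan(data: bytes) -> Optional[str]:
    """Stand-in for the scanner: name of the first matching signature,
    or None when the data looks clean (mirroring a None return)."""
    for sig in SIGNATURES:
        if sig in data:
            return sig.decode()
    return None


def chunks(stream: bytes, block_size: int) -> Iterator[bytes]:
    """Yield the stream in fixed-size blocks, as a socket read would."""
    for off in range(0, len(stream), block_size):
        yield stream[off:off + block_size]


def scan_blocks_naively(blocks: Iterable[bytes]) -> Optional[str]:
    """Strategy 1: scan every block on its own.  A signature that
    straddles two blocks is never presented to the scanner whole."""
    for block in blocks:
        hit = toy_scan(block)
        if hit is not None:
            return hit
    return None


def scan_blocks_with_overlap(blocks: Iterable[bytes],
                             overlap: int) -> Optional[str]:
    """Strategy 2: scan each block together with the last `overlap`
    bytes of the previous block.  This closes the gap only for
    signatures no longer than overlap + 1 bytes; it does not help
    signatures that need the whole object (archives, hashes, ...)."""
    tail = b""
    for block in blocks:
        window = tail + block
        hit = toy_scan(window)
        if hit is not None:
            return hit
        tail = window[-overlap:] if overlap > 0 else b""
    return None


def scan_buffered(blocks: Iterable[bytes]) -> Optional[str]:
    """Strategy 3: assemble the complete stream and scan it once.  This
    is what saving to a temp file (or feeding the whole object in one
    scanner call) achieves, and it has no boundary blind spot."""
    return toy_scan(b"".join(blocks))


def longest_signature_overlap() -> int:
    """Smallest overlap that lets strategy 2 catch every toy signature:
    one byte less than the longest signature."""
    return max(len(sig) for sig in SIGNATURES) - 1


if __name__ == "__main__":
    # Constructed sample stream, split exactly as in the post.
    sample = b"Hello Virus World"
    print(list(chunks(sample, 9)))                     # two blocks
    print(scan_blocks_naively(chunks(sample, 9)))      # None: missed
    print(scan_blocks_with_overlap(chunks(sample, 9),
                                   longest_signature_overlap()))
    print(scan_buffered(chunks(sample, 9)))            # Virus
```

The overlap trick is only as good as the bound you can put on signature length, and for a real scanner that bound does not exist: container formats, file-type detection and whole-file hashes all need the object in one piece. For a file relayed over a socket the robust choice is the third strategy, holding the complete object (in memory or a temp file) and scanning it once before anything is forwarded.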
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml