Skip to content

ScanClamav

This scanner runs against a given file and returns a ClamAV scan that has a determination if the file is infected or not based on the ClamAV signature database.

Scanner Type: Collection

Detection Use Cases

Detection Use Cases

  • Scan Determination
    • This scanner provides a inital determination on a file if it is infected or not based on the the ClamAV signature database.

Known Limitations

Known Limitations

  • ClamAV Signature Database
    • This scanner relies on the ClamAV signature database which is not necesarily all-encompassing. Though the scanner may return a determination, users should be advise that this is not exaustive.

To Do

To Do

  • The ClamAV signature database is currently pulled every scan as a POC. This could be converted to a signature pull on a cadence, such as every 24 hours.

References

References

Contributors

Contributors

Source code in strelka/src/python/strelka/scanners/scan_clamav.py 
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
class ScanClamav(strelka.Scanner):
    """
    This scanner runs against a given file and returns a ClamAV scan that has a determination if the file is infected
    or not based on the ClamAV signature database.

    Scanner Type: Collection

    Attributes:
        None

    ## Detection Use Cases
    !!! info "Detection Use Cases"
        - **Scan Determination**
            - This scanner provides a inital determination on a file if it is infected or not based on the
              the ClamAV signature database.

    ## Known Limitations
    !!! warning "Known Limitations"
        - **ClamAV Signature Database**
            - This scanner relies on the ClamAV signature database which is not necesarily all-encompassing. Though
              the scanner may return a determination, users should be advise that this is not exaustive.

    ## To Do
    !!! question "To Do"
        - The ClamAV signature database is currently pulled every scan as a POC. This could be converted to a
          signature pull on a cadence, such as every 24 hours.

    ## References
    !!! quote "References"
    - [ClamAV Documentation Source](https://docs.clamav.net/Introduction.html)
    - [BlogPost on ClamAV Scanner](https://simovits.com/strelka-let-us-build-a-scanner/)

    ## Contributors
    !!! example "Contributors"
        - [Sara Kalupa](https://github.com/skalupa)

    """

    def scan(self, data, file, options, expire_at):
        try:
            # Check if ClamAV package is installed
            if not shutil.which("clamscan"):
                self.flags.append("clamav_not_installed_error")
                return
        except Exception as e:
            self.flags.append(str(e))
            return

        try:
            with tempfile.NamedTemporaryFile(dir="/tmp/", mode="wb") as tmp_data:
                tmp_data.write(data)
                tmp_data.flush()
                tmp_data.seek(0)

                # Run freshclam to gret the newest database signatures
                stdout, stderr = subprocess.Popen(
                    ["freshclam"],
                    stdout=subprocess.PIPE,
                    stderr=subprocess.PIPE,
                ).communicate(timeout=self.scanner_timeout)

                temp_log = tempfile.NamedTemporaryFile(dir="/tmp/", mode="wb")
                loglocation = "--log=" + temp_log.name

                # Run the actual ClamAV scan and report to local temp log file
                process = subprocess.Popen(
                    ["clamscan", "--disable-cache", loglocation, tmp_data.name],
                    stdout=subprocess.PIPE,
                    stderr=subprocess.PIPE,
                )
                stdout, stderr = process.communicate()

                with open(temp_log.name, "r") as file:
                    for line in file:
                        if ":" in line:
                            # Attempt to split out scan information
                            splitline = line.split(":")
                            self.event[splitline[0]] = splitline[1].strip()
                        else:
                            continue

        except strelka.ScannerTimeout:
            raise
        except Exception:
            self.flags.append("clamAV_Scan_process_error")
            raise
        finally:
            # Ensure that tempfile gets closed out if there are any issues
            tmp_data.close()

Features

The features of this scanner are detailed below. These features represent the capabilities and the type of analysis the scanner can perform. This may include support for Indicators of Compromise (IOC), the ability to emit files for further analysis, and the presence of extended documentation for complex analysis techniques.

Feature
Support
IOC Support
Emit Files
Extended Docs
Malware Scanner
Image Thumbnails

Tastes

Strelka's file distribution system assigns scanners to files based on 'flavors' and 'tastes'. Flavors describe the type of file, typically determined by MIME types from libmagic, matches from YARA rules, or characteristics of parent files. Tastes are the criteria used within Strelka to determine which scanners are applied to which files, with positive and negative tastes defining files to be included or excluded respectively.

Source Filetype
Include / Exclude
*

Scanner Fields

This section provides a list of fields that are extracted from the files processed by this scanner. These fields include the data elements that the scanner extracts from each file, representing the analytical results produced by the scanner. If the test file is missing or cannot be parsed, this section will not contain any data.

Field Name
Field Type
Data read
str
Data scanned
str
End Date
str
Engine version
str
Infected files
str
Known viruses
str
Scanned directories
str
Scanned files
str
Start Date
str
Time
str
elapsed
str
flags
list

Sample Event

Below is a sample event generated by this scanner, demonstrating the kind of output that can be expected when it processes a file. This sample is derived from a mock scan event configured in the scanner's test file. If no test file is available, this section will not display a sample event.

    test_scan_event = {
        "Data read": "0.51 MB (ratio 1.06",
        "Data scanned": "0.54 MB",
        "End Date": 0.001,
        "Engine version": "0.103.12",
        "Infected files": "0",
        "Known viruses": "8706344",
        "Scanned directories": "0",
        "Scanned files": "1",
        "Start Date": 0.001,
        "Time": 0.001,
        "elapsed": 0.001,
        "flags": [],
    }