Features (in depth), workflow, comparison
Nong Hoang Tu edited this page Oct 2, 2024 · 1 revision
- Open the file with the ClamAV engine. ClamAV parses / decompresses the file and returns a file descriptor.
- Scan that file descriptor with the Yara engine. If a rule matches, the scan finishes slightly faster than original ClamAV.
- If no rule matches, continue scanning with ClamAV signatures (requires the user to enable ClamAV signatures).
- Iterate over all running processes in procfs (or a list of PIDs given by the user).
- Use Yara's YR_MEMORY_BLOCK_ITERATOR to iterate over memory blocks.
- Work out which memory blocks belong to the same binary file.
- Scan all memory blocks mapped from one binary file as a single unit, or scan a single memory block (heap, stack, ...).
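The grouping step above is the part of the memory-scan workflow that is easiest to get wrong, so here is an added example (not code from the rkscanmal project) showing how it can be done from `/proc/<pid>/maps`. It parses the maps format, groups address-adjacent mappings that share the same backing file (device and inode), treats heap, stack and anonymous mappings as single-block units, and can read each unit's bytes from `/proc/<pid>/mem` for handing to a scanner. The `SAMPLE_MAPS` text is a constructed sample, and the `ScanUnit` / `MemoryBlock` names are this example's own, not Yara's.

```python
import os
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of /proc/<pid>/maps output (not captured from a real process).
SAMPLE_MAPS = """\
55d0c1a00000-55d0c1a02000 r--p 00000000 08:01 131234 /usr/bin/example
55d0c1a02000-55d0c1a10000 r-xp 00002000 08:01 131234 /usr/bin/example
55d0c1a10000-55d0c1a14000 r--p 00010000 08:01 131234 /usr/bin/example
55d0c1a15000-55d0c1a17000 rw-p 00014000 08:01 131234 /usr/bin/example
55d0c2f00000-55d0c2f21000 rw-p 00000000 00:00 0 [heap]
7f3a10000000-7f3a10022000 r--p 00000000 08:01 262200 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a10022000-7f3a101b7000 r-xp 00022000 08:01 262200 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a10400000-7f3a10401000 rw-p 00000000 00:00 0
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [pathname]; the pathname column may be empty.
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)


@dataclass
class MemoryBlock:
    start: int
    end: int
    perms: str
    offset: int
    dev: str
    inode: int
    path: str  # "" for anonymous memory, "[heap]"/"[stack]" for pseudo paths

    @property
    def size(self) -> int:
        return self.end - self.start


@dataclass
class ScanUnit:
    """One scan target: all blocks of one mapped file, or a single other block."""
    path: str
    blocks: List[MemoryBlock]

    @property
    def start(self) -> int:
        return self.blocks[0].start

    @property
    def end(self) -> int:
        return self.blocks[-1].end


def parse_maps(text: str) -> List[MemoryBlock]:
    blocks = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue  # tolerate lines in an unexpected layout
        blocks.append(MemoryBlock(int(m[1], 16), int(m[2], 16), m[3],
                                  int(m[4], 16), m[5], int(m[6]), m[7].strip()))
    return blocks


def is_file_backed(b: MemoryBlock) -> bool:
    return b.inode != 0 and bool(b.path) and not b.path.startswith("[")


def group_by_file(blocks: List[MemoryBlock]) -> List[ScanUnit]:
    """Merge address-adjacent mappings of the same file (same dev+inode) into one unit.

    Small gaps between a file's segments (guard pages) are allowed; a mapping of a
    different file or of anonymous memory in between starts a new unit."""
    units: List[ScanUnit] = []
    current = None
    for b in sorted(blocks, key=lambda x: x.start):
        if "r" not in b.perms:
            continue  # unreadable pages cannot be scanned
        if (current is not None and is_file_backed(b)
                and current.blocks[-1].dev == b.dev
                and current.blocks[-1].inode == b.inode):
            current.blocks.append(b)
            continue
        current = ScanUnit(path=b.path or "<anonymous>", blocks=[b])
        units.append(current)
    return units


def read_unit(pid: int, unit: ScanUnit) -> List[bytes]:
    """Read each block of a unit from /proc/<pid>/mem (needs ptrace-level access to the PID)."""
    out = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for b in unit.blocks:
            try:
                out.append(os.pread(mem.fileno(), b.size, b.start))
            except OSError:
                out.append(b"")  # pages the kernel refuses to expose (e.g. [vvar])
    return out


if __name__ == "__main__":
    for u in group_by_file(parse_maps(SAMPLE_MAPS)):
        print(f"{u.start:#x}-{u.end:#x} {len(u.blocks)} block(s) {u.path}")
```

On a live system, replace `SAMPLE_MAPS` with the contents of `/proc/<pid>/maps` and pass each unit to `read_unit`; the bytes of a file-backed unit are what a scanner would treat as one binary, while heap and stack units are scanned on their own.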
There are several rootkit types on Linux:
- User-land rootkit, using LD_PRELOAD
- Kernel-land rootkit, using a Linux kernel module
- Kernel-land rootkit, using eBPF
From 0.5.0, rkscanmal includes hook detection from https://github.com/mempodippy/detect_preload/ to detect LD_PRELOAD rootkits.
Kernel-land rootkits require a better mechanism to obtain fingerprints of modules. I would like to research this more in the future.
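As an added illustration of the user-land case above (this is not rkscanmal's code and not the detect_preload technique, which compares libc results against raw syscalls), the following collects the two plain preload indicators a scanner can check per process: entries in `/etc/ld.so.preload` and an `LD_PRELOAD` variable in `/proc/<pid>/environ`. The sample file content and environ bytes are constructed, and the allowlist parameter is this example's own idea for suppressing known-good entries.

```python
import re
from typing import Dict, Iterable, List

# Constructed samples (not from a real system).
SAMPLE_LD_SO_PRELOAD = """\
# system-wide preload list (constructed sample)
/usr/lib/libfakeroot-example.so
"""
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin\0"
    b"LD_PRELOAD=/tmp/libexample.so:/usr/lib/libfakeroot-example.so\0"
    b"HOME=/root\0"
)


def parse_ld_so_preload(content: str) -> List[str]:
    """/etc/ld.so.preload holds whitespace-separated object paths; '#' starts a comment."""
    libs: List[str] = []
    for line in content.splitlines():
        line = line.split("#", 1)[0].strip()
        libs.extend(line.split())
    return libs


def parse_environ_ld_preload(environ: bytes) -> List[str]:
    """/proc/<pid>/environ is NUL-separated KEY=VALUE; LD_PRELOAD entries are ':' or space separated."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode("utf-8", errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []


def preload_report(ld_so_preload: str, environ: bytes,
                   allowlist: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Preload entries found per source, minus entries the operator has allowlisted."""
    allow = set(allowlist)
    return {
        "ld.so.preload": [p for p in parse_ld_so_preload(ld_so_preload) if p not in allow],
        "LD_PRELOAD": [p for p in parse_environ_ld_preload(environ) if p not in allow],
    }


def scan_process(pid: int, allowlist: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Read the live inputs for one PID (reading another user's environ needs privilege)."""
    try:
        with open("/etc/ld.so.preload", encoding="utf-8", errors="replace") as f:
            ld_so_preload = f.read()
    except FileNotFoundError:
        ld_so_preload = ""  # absent is the normal state on most systems
    with open(f"/proc/{pid}/environ", "rb") as f:
        environ = f.read()
    return preload_report(ld_so_preload, environ, allowlist)


if __name__ == "__main__":
    print(preload_report(SAMPLE_LD_SO_PRELOAD, SAMPLE_ENVIRON))
```

A non-empty result is only an indicator: legitimate tooling (fakeroot, profilers, sandboxes) also uses preloading, which is why the allowlist exists, and a rootkit that hooks file reads may hide `/etc/ld.so.preload` from this check entirely, which is the gap the detect_preload approach addresses.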
| | ClamAV | Yara |
|---|---|---|
| Metadata collector | PE, ELF, Mach-O. However, the metadata info is really basic | PE, ELF, Mach-O, Dotnet, Java-class. ELF metadata is much better than ClamAV |
| File parser and decompression | Many file parsers, decompression | No |
| Unpacker | Some basic unpackers | No |
| Memory scan (Linux) | No | Yes |
| Emulator | No | No |
| Easy to write signatures | No | Yes |
| Rich file metadata available to signatures | No | Yes |
| Memory management when loading a big database | No | No |