Jonas Zaddach, Robert Yuen

Sandboxing ClamAV

ClamAV is a popular open-source antivirus scanner with a signature set that Cisco's Talos team updates daily. It is very easy to integrate the ClamAV library into your application for customized scanning, but doing so pulls a large body of code that parses malicious data from unknown sources into your own process, a huge increase in attack surface.

We set out to explore whether we could do better by moving the scanner into a separate, sandboxed process. Our goals were:

  • To make the sandboxing completely transparent, maintaining the current library interface

  • Sandbox on all major platforms, that is Windows, Linux, MacOS, and FreeBSD

  • Restrict the sandboxed process further, for example its file-system access, network access, and more

  • Develop in Rust, a much safer programming language than C

In this presentation we'll tell you how we achieved all of this: the pain points in the migration, the performance impact, and an attack-surface assessment before and after sandboxing. We hope that our experience will serve as a blueprint for migrating your own library that handles potentially malicious data into a sandbox with very little effort and minimal performance impact.