Sandboxing ClamAV

ClamAV is a popular open-source antivirus scanner with a daily-updated signature set from Cisco's Talos team. It is very easy to integrate the ClamAV library into your application for customized scanning, but doing so adds a piece of code that parses malicious data from unknown sources, a huge increase in attack surface.

We set out to explore whether we could do better by moving the scanner into a separate, sandboxed process. Our goals were:

  • To make the sandboxing completely transparent, maintaining the current library interface

  • To sandbox on all major platforms, that is Windows, Linux, macOS, and FreeBSD

  • To further restrict the sandboxed process's filesystem access, network access, and so on

  • To develop in Rust, a much safer programming language than C

In this presentation we'll tell you how we achieved all of this, covering the pain points in the migration, the performance impact, and an attack-surface assessment before and after sandboxing. We hope that our experience will serve as a blueprint for migrating your own library that handles potentially malicious data into a sandbox with very little effort and minimal performance impact.


About the Presenter: Jonas Zaddach

Jonas Zaddach is a security researcher and product research team lead at Cisco. In his PhD thesis, he automated finding vulnerabilities in embedded devices. He then went on to Cisco Talos, where he carried on his passion for automating malware analysis. Now he is enhancing Cisco Secure Endpoint's defenses against malware and targeted attacks.
