Sandboxing ClamAV
ClamAV is a popular open-source antivirus scanner with a daily-updated signature set from Cisco's Talos team. It is very easy to integrate the ClamAV library into your application for customized scanning - but this adds a piece of code that parses potentially malicious data from unknown sources, a huge increase in attack surface.
We set out to explore if we could do better - by moving the scanner into a separate, sandboxed process. Our goals were:
- To make the sandboxing completely transparent, maintaining the current library interface
- To sandbox on all major platforms, that is Windows, Linux, macOS, and FreeBSD
- To restrict the sandboxed process further regarding FS access, network access, ...
- To develop in Rust, a much safer programming language than C
In this presentation we'll tell you how we achieved all of this - giving you the pain points in the migration, the performance impact and an attack-surface assessment pre- and post-sandboxing. We hope that our experience will serve as a blueprint for migrating your own library handling potentially malicious data to a sandbox with very little effort and minimal performance impact.
About the Presenter: Jonas Zaddach
Jonas Zaddach is a security researcher and product research team lead at Cisco. In his PhD thesis, he automated finding vulnerabilities in embedded devices. He then went on to Cisco Talos, where he carried on his passion for automating malware analysis. Now he is enhancing the defenses of Cisco's Secure Endpoint against malware and targeted attacks.