Security Notes

From Klamav

Security Notes on using Auto-Scanning in KlamAV


At the time of writing there are two problems with auto-scanning files in the KDE environment:
 
- Dazuko's detection of file-modification is not reliable
- KDE performs a lot of read-only accesses to files
 
This makes auto-scanning in KDE rather slow and most people just turn it off.
 
There are two alternatives available:
 
1. Perform 'On Execute' scanning only. In this mode the auto-scan component will only attempt to
   scan files when they are executed by your system. 
2. Allow KlamAV to determine when a file has been written to or created and scan it when the file
   has been closed.
 
The second option has been available since version 0.15 of KlamAV. It is experimental and may not
be 100% secure. 

For example the following scenario may result in infection under this option:
 
1. process A opens file 'foo' for writing, it is scanned, marked clean, process A is granted
   access.
 
2. process B opens file 'foo' for reading, it is scanned, marked clean, process B is granted
   access.
 
3. process A writes virus code to 'foo'. Since dazuko doesn't catch write events, the write goes
   through.
 
4. process B reads virus code from 'foo', and is now infected.
 
5. process A wipes out the virus code from 'foo'.
 
6. process A&B close the file, it is scanned again and marked clean!
 
[suggested by Calin A. Culianu]
 
There may be others, and if you can suggest any please let the author know.
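The six steps above replay deterministically as a script. The following is an added example, not KlamAV or Dazuko code: it stands in for the scanner with a hypothetical `scan_file()` that flags a constructed marker string, and it interleaves "process A" and "process B" as two file handles in one Python process so the ordering is fixed. The point it makes is the one in the scenario: every scan the scan-on-close design performs (on both opens and on close) returns clean, yet the reader has already consumed the malicious bytes, because the write in step 3 never triggers a scan.

```python
import os
import tempfile

# Constructed stand-in for a malicious byte pattern. A real scanner matches a
# signature database; the string itself is harmless and exists only for this demo.
MALICIOUS_PATTERN = b"<<CONSTRUCTED-MALICIOUS-PATTERN>>"
HARMLESS_CONTENT = b"harmless original contents\n"


def scan_file(path):
    """Hypothetical on-open / on-close scanner: 'infected' only if the pattern is present."""
    with open(path, "rb") as fh:
        return "infected" if MALICIOUS_PATTERN in fh.read() else "clean"


def simulate_scan_on_close_race(workdir=None):
    """Replay the six-step scenario from the notes and return what was observed.

    Returns a dict with the verdict of every scan that the scan-on-close design
    would actually run, plus whether the reader got the malicious bytes.
    """
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return simulate_scan_on_close_race(d)

    path = os.path.join(workdir, "foo")
    with open(path, "wb") as fh:
        fh.write(HARMLESS_CONTENT)

    verdicts = []

    # Step 1: process A opens 'foo' for writing; the scan on open says clean.
    verdicts.append(("A open", scan_file(path)))
    writer = open(path, "r+b")

    # Step 2: process B opens 'foo' for reading; the scan on open says clean.
    verdicts.append(("B open", scan_file(path)))
    reader = open(path, "rb")

    # Step 3: A writes the malicious bytes. No write event reaches the scanner
    # (the Dazuko limitation the notes describe), so no scan happens here.
    writer.seek(0)
    writer.write(MALICIOUS_PATTERN)
    writer.flush()

    # Step 4: B reads the file and receives the malicious bytes unscanned.
    reader.seek(0)
    consumed = reader.read()
    b_consumed_malicious = MALICIOUS_PATTERN in consumed

    # Step 5: A wipes the malicious bytes and restores the harmless contents.
    writer.seek(0)
    writer.truncate()
    writer.write(HARMLESS_CONTENT)
    writer.flush()

    # Step 6: both close; the scan on close sees only harmless contents.
    writer.close()
    reader.close()
    verdicts.append(("A+B close", scan_file(path)))

    return {"verdicts": verdicts, "b_consumed_malicious": b_consumed_malicious}


if __name__ == "__main__":
    result = simulate_scan_on_close_race()
    for step, verdict in result["verdicts"]:
        print(f"{step}: {verdict}")
    print("B consumed malicious bytes:", result["b_consumed_malicious"])
```

Running it prints `clean` for all three scans while reporting that B consumed the malicious bytes. Nothing in the scan-on-close design can catch step 4: the only scans it runs are at open and at close, and at both moments the file really is clean. The gap is closed only by intercepting the write in step 3 or the read in step 4, which is exactly what the notes say the detection component does not reliably do.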
 
Note:
Since the component ClamAV/KlamAV uses to detect real-time access of files is itself experimental,
not all access types are reliably detected on all versions of Linux. For the latest status of this
component (Dazuko) you should refer to http://www.dazuko.org.