Re: Clamav-win32 Memory Scan
Hi all,

I tried to get an answer from the clam-av mailing list but I haven't gotten
any help so I was hoping the development list might help.

From the clamav-win documentation, clamav-win supports memory scanning by
adding the "--memory" option to the command line.

However, after looking at the source code and tracing a running instance in
Visual Studio, it seems that clamav-win is not scanning memory but
scanning files associated with processes in memory.

Essentially the memory scan algorithm is as follows: 1) get the process list,
2) read each process's associated modules (files), 3) extract the module's
location in a file format, 4) scan the file by calling "_open" with read-only
permissions.

Is this correct? And if so, this seems like it is not scanning memory, but
files on disk. Can someone confirm this?
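
The difference between the four steps described in the post and a scan of the address space can be measured for a single process. The PowerShell script below is an added example, not part of the original post and not ClamAV code: it lists the on-disk module files that such an algorithm would open, then walks the same process with `VirtualQueryEx` and totals committed memory by type. It assumes a 64-bit PowerShell session; the `MemQuery` class and the `$TargetPid` parameter are names made up for this example.

```powershell
# Added illustration (not ClamAV code): what a module-path scan covers versus
# the committed regions that actually exist in one process.
param([int]$TargetPid = $PID)   # assumption: defaults to this PowerShell process

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class MemQuery {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
}
"@

$proc = Get-Process -Id $TargetPid

# Steps 1-3 of the described algorithm: the file behind each loaded module.
$moduleFiles = @($proc.Modules | Select-Object -ExpandProperty FileName -Unique)

# The address space itself: walk it region by region and total committed bytes.
$MEM_COMMIT = 0x1000
$typeName = @{ 0x20000 = 'private'; 0x40000 = 'mapped'; 0x1000000 = 'image' }
$bytes = @{ private = 0L; mapped = 0L; image = 0L }
$mbi  = New-Object 'MemQuery+MEMORY_BASIC_INFORMATION'
$size = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf($mbi)
[long]$addr = 0
while ([MemQuery]::VirtualQueryEx($proc.Handle, [IntPtr]$addr, [ref]$mbi, $size) -ne [IntPtr]::Zero) {
    $len = $mbi.RegionSize.ToInt64()
    $kind = $typeName[[int]$mbi.Type]
    if ($mbi.State -eq $MEM_COMMIT -and $kind) { $bytes[$kind] += $len }
    $addr = $mbi.BaseAddress.ToInt64() + $len
}

# 'image' regions are backed by module files; 'private' regions have no file at all.
[pscustomobject]@{
    ModuleFilesOnDisk = $moduleFiles.Count
    ImageMB           = [math]::Round($bytes.image   / 1MB, 1)
    MappedMB          = [math]::Round($bytes.mapped  / 1MB, 1)
    PrivateMB         = [math]::Round($bytes.private / 1MB, 1)
}
```

Private committed regions (heaps, stacks, dynamically allocated code) have no backing file, so a scan that only opens module paths never reads them, and the image regions it does correspond to are read from the disk copy rather than the loaded one.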