Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

[Feature Request] Scan virtual machine files as archives #958

Open Rainmaker52 opened 1 year ago

Rainmaker52 commented 1 year ago

Describe the bug

There are a lot of virtualized environments out there. A good feature to have would be to be able to directly scan a VMDK / VHD / VHDX / QCOW file for viruses. This way, a scan can take place from the host machine (or NFS / SMB mounted datastore) and viruses can be detected without the need to install an agent on each individual VM. This would allow for scanning for viruses in a "clean" recovery environment, for example, a replication target, a backup image, or an assumed "clean" image of a VM, without the need to extract the contents first.

With the ease of mounting a VHD on Windows, it is also not unthinkable that the following happens:

How to reproduce the problem

7-zip already supports the extraction of files directly from a VHD. However, to scan them with clamav, currently, the contents need to be extracted first to a temporary location (requiring a lot of additional diskspace in the process) and then scanned.

I attempted to use 7z x -so - | clamscan -v - but it does not detect the payload on the virtual disk. It also only "scans" a single file (stdin), so there is no way to tell which file contained the virus.
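The request above is for scanning the contents of a disk image in place rather than extracting them first. As an added example (not ClamAV's code, and not something the reporter posted), the block below shows the two building blocks such a feature needs: classifying an image by its magic bytes (VHDX, VMDK sparse extent, QCOW, and the VHD footer cookie), parsing and checksum-verifying the 512-byte VHD footer per the published VHD layout, and then scanning the raw disk region of a fixed VHD for a byte signature in chunks, with overlap so a hit that straddles a chunk boundary is still found and reported at its absolute offset. The sample image, the `CONSTRUCTED-TEST-PAYLOAD` signature, and the `build_vhd_image` helper are constructed for the demo; dynamic and differencing VHDs are refused because their data blocks are not contiguous and need the block allocation table walked first.

```python
import io
import os
import struct

# Fixed/dynamic VHD footer layout (big-endian), 512 bytes total.
VHD_FOOTER = struct.Struct(">8sIIQI4sI4sQQIII16sB427s")
VHD_COOKIE = b"conectix"
VHD_DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
# Magic bytes at offset 0; a dynamic VHD also starts with a copy of its footer.
MAGICS = {b"vhdxfile": "vhdx", b"KDMV": "vmdk", b"QFI\xfb": "qcow", VHD_COOKIE: "vhd"}
SIGNATURE = b"CONSTRUCTED-TEST-PAYLOAD"  # constructed sample signature, not a real one


def detect_image_type(fp):
    """Classify a disk image by magic bytes; a fixed VHD only carries its cookie in the trailing footer."""
    fp.seek(0)
    head = fp.read(8)
    for magic, name in MAGICS.items():
        if head.startswith(magic):
            return name
    fp.seek(0, os.SEEK_END)
    size = fp.tell()
    if size >= VHD_FOOTER.size:
        fp.seek(size - VHD_FOOTER.size)
        if fp.read(8) == VHD_COOKIE:
            return "vhd"
    return "unknown"


def vhd_checksum(footer):
    """One's complement of the byte sum of the footer with the checksum field (offset 64..68) treated as zero."""
    total = sum(footer[:64]) + sum(footer[68:])
    return (~total) & 0xFFFFFFFF


def parse_vhd_footer(fp):
    """Read and validate the footer at the end of the file; raises ValueError on a bad cookie or checksum."""
    fp.seek(0, os.SEEK_END)
    size = fp.tell()
    if size < VHD_FOOTER.size:
        raise ValueError("file too small to be a VHD")
    fp.seek(size - VHD_FOOTER.size)
    raw = fp.read(VHD_FOOTER.size)
    (cookie, _features, _ver, data_offset, _ts, _app, _appver, _host, _orig,
     current_size, _geom, disk_type, cksum, _uid, _saved, _reserved) = VHD_FOOTER.unpack(raw)
    if cookie != VHD_COOKIE:
        raise ValueError("bad VHD cookie")
    if cksum != vhd_checksum(raw):
        raise ValueError("VHD footer checksum mismatch")
    return {"disk_type": VHD_DISK_TYPES.get(disk_type, "unknown"),
            "current_size": current_size, "data_offset": data_offset, "file_size": size}


def raw_disk_region(fp):
    """(start, length) of the raw disk bytes. Only a fixed VHD is contiguous; others need the BAT walked."""
    info = parse_vhd_footer(fp)
    if info["disk_type"] != "fixed":
        raise NotImplementedError(f"{info['disk_type']} VHD needs block allocation table walking")
    return 0, info["file_size"] - VHD_FOOTER.size


def scan_region(fp, start, length, signature, chunk_size=1 << 16):
    """Search [start, start+length) for `signature` chunk by chunk, carrying len(signature)-1 bytes
    of overlap between reads so a hit spanning a chunk boundary is found exactly once."""
    hits, carry, pos, end = [], b"", start, start + length
    overlap = len(signature) - 1
    fp.seek(start)
    while pos < end:
        chunk = fp.read(min(chunk_size, end - pos))
        if not chunk:
            break
        buf = carry + chunk
        base = pos - len(carry)  # absolute file offset of buf[0]
        idx = buf.find(signature)
        while idx != -1:
            hits.append(base + idx)
            idx = buf.find(signature, idx + 1)
        carry = buf[-overlap:] if overlap else b""
        pos += len(chunk)
    return hits


def build_vhd_image(disk_bytes, disk_type=2):
    """Constructed sample: raw disk data followed by a checksummed footer. disk_type 3/4 here only
    exercises the refusal path; a real dynamic VHD has a different layout."""
    fields = [VHD_COOKIE, 2, 0x00010000, 0xFFFFFFFFFFFFFFFF, 0, b"EXAM", 0, b"Wi2k",
              len(disk_bytes), len(disk_bytes), 0, disk_type, 0, b"\x00" * 16, 0, b"\x00" * 427]
    footer = bytearray(VHD_FOOTER.pack(*fields))
    struct.pack_into(">I", footer, 64, vhd_checksum(footer))
    return disk_bytes + bytes(footer)


def demo():
    """Plant the signature twice, once across the 64 KiB chunk boundary, and scan without extracting."""
    disk = bytearray(70000)
    disk[100:100 + len(SIGNATURE)] = SIGNATURE
    disk[65530:65530 + len(SIGNATURE)] = SIGNATURE
    img = io.BytesIO(build_vhd_image(bytes(disk)))
    start, length = raw_disk_region(img)
    return detect_image_type(img), scan_region(img, start, length, SIGNATURE)


if __name__ == "__main__":
    print(demo())
```

The hit offsets are relative to the image file, which is the most a byte-level scanner can report without parsing the partition table and filesystem inside the image; mapping an offset back to a guest file name is the extra layer a full implementation would need.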

micahsnyder commented 1 year ago

7-zip already supports the extraction of files directly from a VHD. However, to scan them with clamav, currently, the contents need to be extracted first to a temporary location (requiring a lot of additional diskspace in the process) and then scanned.

Many, if not most, of ClamAV's archive extraction modules also extract temporary files before scanning them. Ideally ClamAV could keep stuff in memory-only if it is smaller than some size limit. But unfortunately that functionality doesn't exist yet. So using 7z to extract to a temp directory and then scanning those files isn't going to be much different than how ClamAV handles ISO9660 (CDROM images) or ZIP archives, for example.

I do like the idea of building in support for VMDK or VHD images but hard to say when, or if, I could work on it. Right now we're working on UDF support, improvements to ISO9660 support, OneNote support, LHA/LZH support. We have a couple others coming down the pipeline as well based on internal requests.

So really no idea when, if ever, our dev team would start this.