Closed mcattle closed 1 year ago
@mcattle Since this library depends on the IAttachmentExecute COM interface, this library cannot scan non-file system objects such as a memory stream, unfortunately. 😥
(The IAttachmentExecute COM interface does not expose features to scan non-file system objects.)
Currently, there might exist a more convenient malware scanning API than the IAttachmentExecute COM interface, but I don't have any information about that.
Could this be of use? https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal?WT.mc_id=DT-MVP-5003978#windows-components-that-integrate-with-amsi https://www.meziantou.net/using-windows-antimalware-scan-interface-in-dotnet.htm "It supports a calling structure allowing for file and memory or stream scanning, content source URL/IP reputation checks, and other techniques."
It works wonderfully! Now to find a .NET Linux equivalent for when the service is running inside a Linux Docker container, but that's outside the scope of this discussion. 😊
@1Jesper1 Thank you for getting in touch with me!
Yeah, actually, I know about AMSI. But the design of AMSI is far different from the IAttachmentExecute COM interface, so I could not replace the dependency of the internal implementation of this library from the IAttachmentExecute COM interface to AMSI.
And we can already find so many NuGet packages to use AMSI on nuget.org ( https://www.nuget.org/packages?q=amsi ).
So there is no work I need to do even if someone wants to use AMSI in .NET apps. The main reason I'm keeping this library is just to keep backward compatibility.
Anyway, thank you for your advice! 👍
This may be a big ask, but can this library potentially scan a memory stream before anything is written to disk?
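The in-memory scan asked about in this thread, done through AMSI as the replies suggest, as an added example that is not code from this library or from the linked posts. The class name `AmsiStreamScanner`, the method `IsMalware`, the app name `UploadScanner` and the content name `upload.txt` are assumptions; it requires Windows 10 or later with a registered antimalware provider.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

// Added example: hypothetical wrapper around amsi.dll, not part of this library.
public static class AmsiStreamScanner
{
    const uint AMSI_RESULT_DETECTED = 32768; // results >= this count as malware (AmsiResultIsMalware)

    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiInitialize(string appName, out IntPtr amsiContext);
    [DllImport("amsi.dll")]
    static extern void AmsiUninitialize(IntPtr amsiContext);
    [DllImport("amsi.dll")]
    static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);
    [DllImport("amsi.dll")]
    static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
        string contentName, IntPtr amsiSession, out uint result);

    // Returns true if the registered antimalware provider flags the stream content.
    // Throws if AMSI is unavailable or errors, so a failed scan is never treated as "clean".
    public static bool IsMalware(MemoryStream stream, string contentName)
    {
        byte[] data = stream.ToArray();          // scan the bytes before anything touches disk
        if (data.Length == 0) return false;      // nothing to scan; AMSI rejects empty buffers
        Marshal.ThrowExceptionForHR(AmsiInitialize("UploadScanner", out IntPtr ctx));
        try
        {
            Marshal.ThrowExceptionForHR(AmsiOpenSession(ctx, out IntPtr session));
            try
            {
                Marshal.ThrowExceptionForHR(
                    AmsiScanBuffer(ctx, data, (uint)data.Length, contentName, session, out uint result));
                return result >= AMSI_RESULT_DETECTED;
            }
            finally { AmsiCloseSession(ctx, session); }
        }
        finally { AmsiUninitialize(ctx); }
    }

    public static void Main()
    {
        // Constructed sample input: harmless bytes standing in for an uploaded file.
        using var upload = new MemoryStream(System.Text.Encoding.ASCII.GetBytes("hello, world"));
        Console.WriteLine(IsMalware(upload, "upload.txt") ? "blocked" : "clean");
    }
}
```

A long-running service would normally create the AMSI context once and reuse it across scans rather than initializing it per call as this block does.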