jsakamoto / AntiVirusScanner

Anti Virus Scanner for .NET (and COM)
Mozilla Public License 2.0

Scan MemoryStream? #5

Closed mcattle closed 1 year ago

mcattle commented 2 years ago

This may be a big ask, but can this library potentially scan a memory stream before anything is written to disk?

jsakamoto commented 2 years ago

@mcattle Since this library depends on the IAttachmentExecute COM interface, this library cannot scan non-file-system objects such as a memory stream, unfortunately. 😥 (The IAttachmentExecute COM interface does not expose features to scan non-file-system objects.)

Currently, there might exist a more convenient malware scanning API than the IAttachmentExecute COM interface, but I don't have information about that.

1Jesper1 commented 1 year ago

Could this be of use?

https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal?WT.mc_id=DT-MVP-5003978#windows-components-that-integrate-with-amsi

https://www.meziantou.net/using-windows-antimalware-scan-interface-in-dotnet.htm

"It supports a calling structure allowing for file and memory or stream scanning, content source URL/IP reputation checks, and other techniques."
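An added example, not part of the original thread and not code from AntiVirusScanner: a minimal C# sketch of the in-memory scan suggested above, passing a MemoryStream's bytes to AMSI's `AmsiScanBuffer` so nothing is written to disk first. The class name, the `UploadScanner` application name and the sample content are assumptions made for illustration; any failing HRESULT is thrown so a scan that could not run is never reported as clean.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;

static class AmsiStreamScanner   // hypothetical helper name
{
    // Results at or above this value mean malware (AmsiResultIsMalware in amsi.h).
    const int AMSI_RESULT_DETECTED = 32768;

    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiInitialize(string appName, out IntPtr context);
    [DllImport("amsi.dll")]
    static extern void AmsiUninitialize(IntPtr context);
    [DllImport("amsi.dll")]
    static extern int AmsiOpenSession(IntPtr context, out IntPtr session);
    [DllImport("amsi.dll")]
    static extern void AmsiCloseSession(IntPtr context, IntPtr session);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiScanBuffer(IntPtr context, byte[] buffer, uint length,
                                     string contentName, IntPtr session, out int result);

    // Returns true when the registered antimalware provider flags the content.
    public static bool IsMalware(MemoryStream stream, string contentName)
    {
        byte[] data = stream.ToArray();        // whole content, regardless of Position
        if (data.Length == 0) return false;    // nothing to scan
        Marshal.ThrowExceptionForHR(AmsiInitialize("UploadScanner", out IntPtr context));
        try
        {
            Marshal.ThrowExceptionForHR(AmsiOpenSession(context, out IntPtr session));
            try
            {
                Marshal.ThrowExceptionForHR(AmsiScanBuffer(
                    context, data, (uint)data.Length, contentName, session, out int result));
                return result >= AMSI_RESULT_DETECTED;
            }
            finally { AmsiCloseSession(context, session); }
        }
        finally { AmsiUninitialize(context); }
    }

    static void Main()
    {
        // Constructed sample input: harmless text held only in memory.
        using var upload = new MemoryStream(Encoding.UTF8.GetBytes("hello, world"));
        Console.WriteLine(IsMalware(upload, "upload.txt") ? "blocked" : "clean");
    }
}
```

AMSI is Windows-only (amsi.dll ships with Windows 10 and later), and the verdict comes from whichever antimalware provider is registered on the host.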

mcattle commented 1 year ago

> Could this be of use?

It works wonderfully! Now to find a .NET Linux equivalent for when the service is running inside a Linux Docker container, but that's outside the scope of this discussion. 😊

1Jesper1 commented 1 year ago

@jsakamoto Did you see https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal?WT.mc_id=DT-MVP-5003978#windows-components-that-integrate-with-amsi ?

jsakamoto commented 1 year ago

@1Jesper1 Thank you for getting in touch with me! Yeah, actually, I know about AMSI. But the design of AMSI is far different from the IAttachmentExecute COM interface, so I could not replace the dependency of this library's internal implementation on the IAttachmentExecute COM interface with AMSI. And we can already find many NuGet packages for using AMSI on nuget.org ( https://www.nuget.org/packages?q=amsi ). So there is no work I need to do even if someone wants to use AMSI in .NET apps. The main reason I'm keeping this library is just to keep backward compatibility.

Anyway, thank you for your advice! 👍