Hello world!!
The goal of this tutorial it’s to know how to check infected files with Java and ClamAv.
About ClamAv
ClamAv it’s a free, open source and cross-platform antivirus software tool-kit that allow to detect many types of malicious software.
A very nice feature of ClamAv its the possibility of scan a stream for know if the stream its infected or not. So is not necessary to make mechanics procedures for saving the file and after check the file with an antivirus.
So in this tutorial we will show how you need to configure ClamAv like a daemon for listen the stream and how you can call ClamAv with Java for check your files programmaly. Es: in a upload form, ecc.
Configuration of ClamAv
Like we say above, ClamAv it’s cross-platform so its compatible, with Windows, Linux, MacOsx, ecc. All the version has a main file for the configuration: “clamd.conf”
Changing this files we can configure ClamAv listening like a server for the communication .
You have many properties in the clamd.conf file, but we want to change the follow properties:
# TCP port address.
# Default: no
TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1
With this configurarion, ClamAv will start listening in the localhost address and in the port 3310.
Java programming solution
Now we start the nice trip :)
For comunicate with Java and ClamAv, there is a simple but efficient Open Source Api created by Phil Varner(Thanks a lot!!!). The name of the Api is Clamavj clamavj-0.1.jar. This library depends for the org.apache.commons.logging library org.apache.commons.logging.jar.
In the ClamAv Api there are basicaly two classes: ClamScan and ScanResult.
ClamScan is the client for the communication with the ClamAv Server. ScanResult its the entity for encapsulate the response.
The ClamScan client has the method “scan” that allows to check if the stream is infected or not.
You have two method for scan:
ScanResult scan(InputStream in)
ScanResult scan(byte[] in)
For example if we want simply to check if a file is infected we need to pass the InputStream of the file in the parameter of the method.
The state of the result are { PASSED, FAILED }
You have many other functionalities in the ClamScan Client(timeOut, ping, ecc), but in this tutorial will not be discussed.
Java Example
In the follow an example:
public static void main(String[] args) {
ClamScan clamScan = new ClamScan("127.0.0.1", 3310, 20);
try {
ScanResult result = clamScan.scan(new FileInputStream("C:\\test.jpg"));
System.out.println(result.getStatus())
} catch (FileNotFoundException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
Just if The result it’s PASSED the file it’s not infected otherwise if the result it’s FAILED the file it’s infected.
Test the program
Maybe now you are asking: Ok, but how can i check the function properly without infecting my computer with a virus?
No Problem. We can create a mock infected file with the notepad. The European Institute of Computer Anti-virus Research give us an string to make an infected file.
So with the notepad we insert:
X5O!P%@AP[4\PZX54(P^)7CC)7}TODELETE$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*e
Note:Remove the substring TODELETE.
And we save the file for example test.jpg.
If we check the file with our program , the response is FAILED and the ClamAv console response is:
instream(127.0.0.1@11849): Eicar-Test-Signature FOUND
the programs can detect the infected files so it’s working!!!
References:
http://www.chicchedicala.it/2010/02/23/testare-il-funzionamento-del-software-antivirus/