views: 602

answers: 7
I want to programmatically test a file for viruses.

I'm aware of this thread, which didn't get a satisfactory answer in my opinion, but I'm not looking for an API here. Any kind of workaround to make it possible to test a file would be fine.

Of course, an API would probably be the best solution (I'm using .NET on a Windows platform), but maybe it's possible to drop the file in the folder, and to then check whether I can still open it or if it's been quarantined by the antivirus software.

Has someone run into the same sort of situation?

+2  A: 

Platform?

Most Windows anti-virus programs provide shell integration (right click on a file in Explorer to scan that file), which will mean either running an executable, DDE or COM, all of which provide an entry point for another program to call the same mechanism.

Richard
+1  A: 

Check out ClamAV.

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.

Aaron Digulla
Unfortunately, I'm running Windows.
Brann
@Brann: Even so, you can still dissect the OS app, and see how it works.
John MacIntyre
@Brann: I don't see the problem; there is a Windows version, too. And if there wasn't, you'd have the source.
Aaron Digulla
A: 

It really depends on which AV program you're going to use. Read the documentation for whatever solution you choose and you'll probably find a command-line interface or some other API you can call. There's no "generic" way of doing this (across AVs).

Assaf Lavie
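
Following the suggestion above to drive a scanner through its command-line interface, this is an added example (not code from any poster in this thread) that runs ClamAV's `clamscan` from C# and maps its exit codes (0 = no virus found, 1 = virus found, 2 = error) to a verdict. It assumes `clamscan` is on PATH and .NET Core 2.1 or later (for `ArgumentList`); the `ClamScanner` class and its method names are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Text.RegularExpressions;

public enum ScanVerdict { Clean, Infected, Error }

public static class ClamScanner   // hypothetical helper, not a ClamAV API
{
    // Assumption: clamscan (ClamAV command-line scanner) is on PATH with current signatures.
    public static ScanVerdict Scan(string path, out string detail, int timeoutMs = 120000)
    {
        var psi = new ProcessStartInfo("clamscan")
        { RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true };
        // One list entry per argument: a file name with spaces or quotes cannot add options.
        psi.ArgumentList.Add("--no-summary");
        psi.ArgumentList.Add("--stdout");
        psi.ArgumentList.Add(Path.GetFullPath(path));
        try
        {
            using var proc = Process.Start(psi);
            var output = proc.StandardOutput.ReadToEndAsync();   // drain while waiting
            if (!proc.WaitForExit(timeoutMs))
            {
                proc.Kill();
                detail = "scanner timed out";
                return ScanVerdict.Error;
            }
            return Interpret(proc.ExitCode, output.Result, out detail);
        }
        catch (Win32Exception e)   // scanner missing or not executable
        {
            detail = "could not start clamscan: " + e.Message;
            return ScanVerdict.Error;
        }
    }

    // clamscan exit codes: 0 = no virus found, 1 = virus found, 2 = error during the scan.
    public static ScanVerdict Interpret(int exitCode, string output, out string detail)
    {
        if (exitCode == 0) { detail = "no signature matched"; return ScanVerdict.Clean; }
        if (exitCode != 1) { detail = "scanner error, exit code " + exitCode; return ScanVerdict.Error; }
        // A hit is reported as "<path>: <signature> FOUND"
        var m = Regex.Match(output, @": ([^:\r\n]+) FOUND\s*$", RegexOptions.Multiline);
        detail = m.Success ? m.Groups[1].Value : "unknown signature";
        return ScanVerdict.Infected;
    }
}
```

A caller that gates uploads or downloads should reject the file on `Error` as well as `Infected`, so a missing or crashed scanner does not let files through. `Clean` only means no signature matched.
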
+5  A: 

Windows? No problem. Check out ClamWin. It is based on ClamAV.

Dana Holt
Thanks! I was looking for an AV that would run on W2K8 for free!
torial
+1  A: 

Maybe you could use this web service, assuming the file is less than 1MB:

http://www.kaspersky.com/scanforvirus

If you discover a suspicious file on your machine, or suspect that a program you downloaded from the Internet might be malicious, you can check the files here.

Indicate the file to be checked; it will automatically be uploaded from your computer to a dedicated server, where it will be scanned using Kaspersky Anti-Virus. Multiple independent tests and publications acknowledge the solution to have exceptional detection rates. Updates every three hours ensure that even the very newest viruses can be detected.

Only one file of up to 1 MB can be checked at any one time. If the file is too large, a window with an error message will be displayed. Type the name of the file in the window at the top of this page, or find the file using 'Browse'. Then click on 'Submit'.

amdfan
+2  A: 

Assuming you wish to integrate with whatever antivirus is already present on the system rather than bundling your own, you should check out the way Firefox 3 does this.

Bugs 103487 and 408153 - Inform anti-virus software when Firefox downloads an executable (using the Windows "IOfficeAntiVirus" and "IAttachmentExecute" APIs).

(Of course, if you wish to bundle your own, check out ClamAV/ClamWin, but then you must deal with updates, etc., and you should probably first check there is not a fully updated solution on the target system, for politeness.)

Colin Pickard
+1  A: 

You can use a debugger or a disassembler.

Alynuzzu
I'd rather reuse an existing solution than reinvent the wheel here!
Brann