mghogale / linux-antivirus Goto Github PK

Antivirus for Linux

Introduction
We have developed a "simple" antivirus scanner that supports updates over the Internet. The antivirus detects malware based on signatures of malicious programs. Each signature is a series of sequential bytes from the assembly instructions of an executable. In addition to the virus database, we also support a whitelist of programs that are definitely not malware. This whitelist is populated with the standard programs and files of a Linux distribution to ensure that the antivirus will never "break" the system. Whitelist is based on the SHA-1 hashes of standard linux utilities.
If a file's hash is on that list, then we don't scan it further. Both of these lists (database of viruses/whitelist of legitimate programs) are updatable. A user of the operating system can run a command such as, antivirus-update which will then fetch the latest databases and store them securely on the machine. The antivirus can be run in two scanning modes, on-demand and on-access.

In on-demand scanning, the user can run a program to scan a file, or a directory containing files, e.g. antivirus-scan /home/jack/Downloads. If a file is found to be infected we remove all permissions (e.g. chmod 000 virus), append a ".virus" string to the file's name and alert the user.
In on-access scanning, when the user tries to execute, or open a file without having checked it with on-demand scanning, if the file is a virus, then the file is not opened and the permissions are removed and the file is renamed. In order to protect the user, the file is scanned before it is opened. In addition, a message is sent to the user-space and it is shown to the user, e.g. a graphical pop-up, that explains that the operation failed because a virus was detected.

Requirements:
This module only works with the 32-bit linux operating system with kernel version 4.0 onwards. We have tested our module on 
Linux 14.04.05 32bit (TrustyTahr).

How to compile and run
	- execute make command inside the linux-antivirus folder
	- run script install_module.sh to install antivirus.ko module 
	- the script will download the blacklist and whitelist files when we load the module for the first time
	- execute command antivirus-scan on a file or folder that you need to scan on demand
	- every file that you access is scanned for virus before opening/ executing it
	- If you want to invoke ondemand scanning, just execute commnad 'antivirus-scan path-to-scan'. 
	  This will scan all files in given path and show the list of files that were containing virus.
	- run script antivirus-update to update the blacklist and whitelist
	- the module needs to be reinstalled for the new pattern to be taken into consideration while scanning
	
Files Added
	- linux-antivirus/Makefile - code to build antivirus.ko module and also compile user program popup.c
	- linux-antivirus/install.sh - to install antivirus.ko module
	- linux-antivirus/uninstall.sh - to uninstall antivirus.ko module
	- linux-antivirus/popup.c - code to facilitate display of graphical popup
	- /usr/local/bin/antivirus-update - script to fetch the latest blacklist and whitelist from remote location
	- /tmp/antivirus.properties - properties used by the antivirus-update script
	- linux-antivirus/kdriver.c - code to change the syscall table to pick the new open and exec syscalls that contain hooks for scanning the file
	              before invoking the original open/exec syscalls on loading the module. Also, reads the whitelist into a linked-list
	- linux-antivirus/kern_helper.c - code that computes the sha1 of the file, checks for the sha1 in the whitelist, scans the file for the patterns in 
	                                  blacklist, renames the file if a virus is found and removes the permission
	- linux-antivirus/user.c - code to perform on-demand scanning. It gives a summary of the scanning
	- usr/local/bin/antivirus-scan - executable to perform on-demand scanning

Implementation Details

1. Establishing the hook for open and exec syscalls:
   - Determined the kernel version from the file /proc/version.
   - Grabbed the syscall table address from the file /boot/System.map-kernelversion
   - Saved the address of the default open and exec syscalls, that need to be restored on module unload
   - Mark the memory area as writable by setting the 8th bit of the control register. Once done unset the bit to mark it as readable only
   - Hooked the new open and exec syscalls by overridding the address of the default open and exec syscalls in the syscall table
   - The new open and exec syscalls scan the file for the virus as per the blacklist file and then invoke the default syscall implementation
	 if the file doesn't contain virus or if the sha1 of the file matches the whitelisted ones.
	 
2. Check if the file is whitelisted:
   - Read the file to be scanned in chunks of PAGE_SIZE, and computed the sha1 using the crypto_hash_init, crypto_hash_update and crypto_hash_final functions
   - Compared the computed sha1 with the list of sha1 read from the whitelist on loading the module
   - If the sha1 doesn't match the entries in the whitelist, then the file is scanned for virus patterns
   - If the file's sha1 is found in the whitelist, then it is not scanned for viruses and the default syatem call implementation is invoked
   
3. Check for virus patterns in the file:
   - Read the file in chunks of PAGE_SIZE
   - Check if the block contains the patterns in the blacklist file. If found, rename the file with .virus extension and remove the permissions
   - If the block doesn't match with the patterns, then scan the next PAGE_SIZE block for virus patterns till end of file.

4. Support antivirus update over the Internet:
   - Execute the script to update the antivirus.
   - The antivirus-update script can be run from any location.
   - It updates both the backlist and the whitelist by fetching it from the remote host.
   - It downloads the virus.db file and whitelist.db file from the remote host and saves it in the root folder.
   - The permissions of the updated blacklist and whitelist files are modified so that it is accessible for modification ony to the root user and for others read-only    
     permission will be given.
   
5. On demand scanning:
   - Scans any directory or file which the user requests to be scanned.
   - nftw (file tree walk) walks through the directory tree that is located under the directory, and calls a function once for each entry in the tree.
     By default, directories are handled before the files and subdirectories they contain (preorder traversal).   
   - We invoke open syscall for each file in the path to check for virus.
   - The open syscall handles the comparison logic and acts accordingly.
   
6. Graphical popup for on access scanning:
  - After the kernel detects any virus in a file, it copies the old file name which was referred and marked as a virus to a dummy file located at /root.
  - The user process keeps checking the file for change in its size for every 1 sec. After we have called stat on the file first time the inode will be in-memory. 
    So afterwards we will get memory resident inode so this polling is not I/O heavy. Inotify/network-signal would not have worked as we are working deep in kernel 
    and all the notification mechanisms are bypassed here.
  - If content found, it will be used to display the message to the user with the help of notify, in the form of a bubble to the right side of screen.