antivirus module needed

[bcarrier]

We should have a module that integrates an anit-virus solution. Files that are found to have viruses should have a TSK_MALWARE_DETECTED attribute added in the blackboard.

[peterclemenko]

Importing ClamAV databases and comparing MD5 values might work. ClamAV checks against MD5 for known malware, and stores an MD5 for each entry in it's signature databases. Using ClamAV databases as lists of known malware, combined with cross referencing in a manner similar to the known file filter might be a feasible solution.

[adam-m]

ClamAV library / java bindings is also a possibility. Not as fast since we'd need to rescan the file and ClamAv will probably recalculate the hash, but might return more info / detect other malware than pure hash db solution.

[peterclemenko]

Also, OpenIOC and Yara support might be useful as well.

[icepaule]

In the absence of a real "send to AV for scanning", I used the mentioned trick by aoighost. Not very agile as you have to do the updates manually every time, but still some way of getting it done.
Check https://www.mpauli.de/create-clamav-hash-set-for-autopsy.html for me simple way.

[dyussekeyev]

@bcarrier Please look at my ClamPsy file ingest module that uses ClamAV antivirus to scan disk. If the community is interested, then I will continue development of this module.
P.S. This module does not use TSK_MALWARE_DETECTED to flag malware, but it will be added in the future.