Comments (11)
Hi @BiJason ,
Dagda uses the TiredofitClamav docker image, which contains Clamav AV. If you use Clamav without any docker image for scanning the TheZoo project, do you get any malware detection?
If you get any malware, perhaps it would be interesting to review the docker image with Clamav. Otherwise, the problem could be in Clamav itself.
Regards.
from dagda.
Hey @eliasgranderubio , thanks for the response!
I ran ClamAV with the following steps on an infected docker image.
Steps to create infected docker image:
- Use a secure virtual machine with strict access rules, in my case I used an Amazon AWS EC2 instance.
- Create a Dockerfile with the line: git clone https://github.com/ytisf/theZoo (be careful, this repo contains malware). Here's the Dockerfile that I used:
# Base image used for the test (Python 2.7 on Alpine)
FROM python:2.7-alpine
RUN apk add --no-cache sqlite-libs=3.28.0-r0
RUN apk update
# Packages needed to clone theZoo and build its Python dependencies
RUN apk add git py-pip bash python-dev gcc musl-dev linux-headers
# Unprivileged user that the container runs as by default
RUN addgroup -S sasquatch
RUN adduser -S sasquatch -G sasquatch
# WARNING: this repository contains live malware samples
RUN git clone https://github.com/ytisf/theZoo
WORKDIR /theZoo
RUN pip install wheel
RUN pip install --user pyminizip
RUN yes | apk add sudo
EXPOSE 5000
USER sasquatch
- Built the Dockerfile into a container.
- Ran the container.
- Ran docker exec -u 0 -it "CONTAINER_NAME" /bin/sh
- Within the container, ran python theZoo.py
- Followed steps within the program, and called the corresponding commands to install malware onto the image. (use #malwareID followed by get #malwareID)
- Ran docker commit on the container to build final infected image.
Steps to run ClamAV scan:
- "sudo apt-get install clamav" on the vm with infected image.
- "clamscan -r /var/lib/docker"
output:
Known viruses: 6218676
Engine version: 0.100.3
Scanned directories: 15041
Scanned files: 110008
Infected files: 323
Data scanned: 3004.39 MB
Data read: 10153.11 MB (ratio 0.30:1)
Time: 1302.386 sec (21 m 42 s)
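The host-side scan above finds 323 infected files, while the container-based method returns an empty list. One place such a discrepancy can hide is in the wrapper that runs clamscan: clamscan(1) exits with status 0 when nothing is found, 1 when at least one infected file is found, and 2 on error, so a wrapper that treats any non-zero status as a failed scan (or discards its output) reports "clean" exactly when the scan was positive. The following Python is an added example, not code from the Dagda project or from the issue author: it parses clamscan's text output and exit status into a structured result and refuses to return a result whose exit status and FOUND lines disagree. The clamscan flags and exit codes are the documented ones; the sample output embedded below is constructed, not taken from the thread.

```python
# Added example (not code from the Dagda project or from the issue author):
# turn clamscan's text output and exit status into a structured result so a
# scanner wrapper cannot silently report "no malware" on a positive scan.
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# clamscan(1) exit codes: 0 clean, 1 infected file(s) found, 2 error.
EXIT_CLEAN, EXIT_INFECTED, EXIT_ERROR = 0, 1, 2

# "/path/to/file: Signature.Name FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# "Infected files: 323" and the other "Key: value" lines of the summary block
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


@dataclass
class Finding:
    path: str
    signature: str


@dataclass
class ScanResult:
    exit_code: int
    findings: List[Finding] = field(default_factory=list)
    infected_files: Optional[int] = None  # "Infected files:" summary value
    scanned_files: Optional[int] = None   # "Scanned files:" summary value

    def is_consistent(self) -> bool:
        """A clean exit with FOUND lines, an infected exit without any, or a
        summary count that disagrees with the FOUND lines all mean the wrapper
        lost data somewhere; callers should treat that as a failed scan."""
        if self.exit_code == EXIT_CLEAN and self.findings:
            return False
        if self.exit_code == EXIT_INFECTED and not self.findings:
            return False
        if self.infected_files is not None and self.infected_files != len(self.findings):
            return False
        return True


def parse_clamscan(output: str, exit_code: int) -> ScanResult:
    """Parse clamscan stdout (with or without --infected) plus its exit code."""
    result = ScanResult(exit_code=exit_code)
    in_summary = False
    for line in output.splitlines():
        line = line.rstrip()
        if line.startswith("----------- SCAN SUMMARY"):
            in_summary = True
            continue
        if not in_summary:
            m = FOUND_RE.match(line)  # "path: OK" and blank lines are skipped
            if m:
                result.findings.append(Finding(m.group("path"), m.group("sig")))
            continue
        m = SUMMARY_RE.match(line)
        if m and m.group("key") == "Infected files":
            result.infected_files = int(m.group("value"))
        elif m and m.group("key") == "Scanned files":
            result.scanned_files = int(m.group("value"))
    return result


def scan_path(path: str) -> ScanResult:
    """Run clamscan over a directory. check=False is deliberate: status 1 is
    the expected status for a positive scan, so raising on non-zero status
    (or filtering it out) is exactly how a wrapper ends up returning []."""
    proc = subprocess.run(
        ["clamscan", "--recursive", "--infected", path],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode == EXIT_ERROR:
        raise RuntimeError("clamscan error: " + proc.stderr.strip())
    result = parse_clamscan(proc.stdout, proc.returncode)
    if not result.is_consistent():
        raise RuntimeError("clamscan output and exit status disagree")
    return result


# Constructed sample output (not from the issue) in the shape clamscan prints
# for an --infected --recursive run over a Docker storage directory.
SAMPLE_OUTPUT = """\
/var/lib/docker/overlay2/0123abcd/diff/theZoo/malware/Binaries/sample_a/sample_a.exe: Eicar-Test-Signature FOUND
/var/lib/docker/overlay2/0123abcd/diff/theZoo/malware/Binaries/sample_b/sample_b.dll: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6218676
Engine version: 0.100.3
Scanned directories: 3
Scanned files: 5
Infected files: 2
Data scanned: 0.10 MB
Data read: 0.10 MB (ratio 1.00:1)
Time: 1.023 sec (0 m 1 s)
"""

if __name__ == "__main__":
    r = parse_clamscan(SAMPLE_OUTPUT, EXIT_INFECTED)
    for f in r.findings:
        print(f.path, f.signature)
    print("consistent:", r.is_consistent())
```

Note that scanning all of /var/lib/docker, as in the clamscan run above, walks every layer of every image and container on the host, which is why the scan took 21 minutes and why a path in the report only indirectly identifies the image it belongs to. To check a single image, export a container created from it (`docker export <container> | tar -x -C <dir>`) and point `scan_path` at that directory.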
If you run the same analysis with the next method used by Dagda, do you get the same report?
In your case, the parameters would be:
- temp_dir = /var/lib/docker
- docker_driver is the docker_driver.py included in this project
What steps are required to run that method?
If you use the docker_driver.py script as the docker driver for that method, running it should be easy (the imports have been omitted):
# Imports were omitted in the comment; these module paths are assumed from the dagda source tree
from driver.docker_driver import DockerDriver
from analysis.static.av.malware_extractor import get_malware_included_in_docker_image

d = DockerDriver()
output = get_malware_included_in_docker_image(d, "/var/lib/docker")
print(output)
Yes, it's still returning an empty list with the python script.
The last chance. If you run the docker run without my Python script, with the same parameters as this script, do you get the empty list?
Any update about the last proposed test @BiJason ?
Yes, still no findings.
Then, could you build a docker image with ClamAV which is capable of malware detection for your described use case?
A PR would be appreciated :-)
Closed due to inactivity.