conferences | speakers | series

The Armadito antivirus project

home

The Armadito antivirus project
FOSDEM 2017

The Armadito antivirus project

We will present Armadito, an open source and multi-platform antivirus. Its original modular architecture allows third-party developers to add their own malware detection modules, written in C and in the future in Python or Go. Current modules are signature-based (ClamAV), rules-based (YARA) or heuristics. It provides also real-time detection on GNU/Linux and MS-Windows.

Armadito provides graphical user interfaces to notify of malware detection, launch scan, view statistics and journal. A central administration console, integrated as a GLPi plug-in, allows a system administrator to manage all the installed antivirus, view alerts, launch remote scans, deploy configuration or bases.

Project has several opened issues that are not addressed yet: high memory footprint, sandboxing for scan modules, automatic generation of signature bases from automatic malware collecting. Contributions from the free software community would be highly appreciated.

Armadito project is on github: (https://github.com/armadito)

The Armadito antivirus project

What is it?

Armadito is an open source antivirus, that runs on GNU/Linux and MS-Windows. Its modular architecture allows easy integration of new detection algorithms.

Armadito provides standard antivirus features: on-demand scan, quarantine, alerts, journal and real-time (or "on-access") protection. This protection is implemented on GNU/Linux using fanotify and on MS-Windows with its own driver.

Modular architecture

Armadito scans files using scan modules, which are plugins written in C and using a common API (load, configure, scan, unload).

Current modules are:

  • ClamAV using libclamav
  • YARA
  • heuristic for PE and ELF binaries
  • heuristic for PDF documents

A future extension is to allow writing modules in Python and Go languages.

User interfaces

Armadito provides 2 user interfaces:

  • a lightweight graphical user interface, showing only notifications plus "systray" icon, developed using native toolkits
  • a full interface, developed using web technologies (AngularJS), that runs in a browser and uses the antivirus REST API

Antivirus administration

The installed antivirus can be managed from a central console, that allows through a web interface to view alerts, launch remote scans, deploy new bases or configuration. This console is integrated as a GLPi plugin.

Next steps

Future developments of the project are:

  • update MS-Windows code and release a MS-Windows version with installers
  • make extensive testing
  • improve documentation
  • re-implement the heuristic module for PE/ELF binaries analysis
  • provide an API to allow scan modules to be implemented in Python and GO
  • improve code quality using sonarqube
  • contribute to IRMA with Armadito plugin
  • make Armadito antivirus be available inside virustotal.com and AVCaesar

Issues

The project has several opened issues which are not obvious to address:

  • memory footprint is too high, approximately 450M when using the ClamAV module, when compared to standard antivirus which have a momory footprint in the order of 100M
  • scan modules should run inside a sandbox because they parse complex formats and unpackers, and a bug in the parser or a deliberately malformed file can crash the module and therefore compromise the entire antivirus
  • providing up-to-date and good "signature" bases is yet to be done; it requires a strong architecture for malware collecting and automatic signature (likely YARA rules) generation

The current team is small and contributions from the free software community would be highly appreciated.

Links

Code: github.com/armadito

Documentation: armadito-av.readthedocs.io

Talk: gitter.im/armadito/armadito-av

Ubuntu PPA: launchpad.net/~armadito

Speakers: François Déchelle