The Armadito antivirus project
We will present Armadito, an open source and multi-platform
antivirus. Its original modular architecture allows third-party
developers to add their own malware detection modules, written in C
and in the future in Python or Go. Current modules are signature-based
(ClamAV), rules-based (YARA) or heuristics. It provides also real-time
detection on GNU/Linux and MS-Windows.
Armadito provides graphical user interfaces to notify of malware
detection, launch scan, view statistics and journal. A central
administration console, integrated as a GLPi plug-in, allows a system
administrator to manage all the installed antivirus, view alerts,
launch remote scans, deploy configuration or bases.
Project has several opened issues that are not addressed yet: high
memory footprint, sandboxing for scan modules, automatic generation of
signature bases from automatic malware collecting. Contributions from
the free software community would be highly appreciated.
Armadito project is on github: (https://github.com/armadito)
The Armadito antivirus project
What is it?
Armadito is an open source antivirus, that runs on GNU/Linux and
MS-Windows. Its modular architecture allows easy integration of new
detection algorithms.
Armadito provides standard antivirus features: on-demand scan,
quarantine, alerts, journal and real-time (or "on-access")
protection. This protection is implemented on GNU/Linux using fanotify
and on MS-Windows with its own driver.
Modular architecture
Armadito scans files using scan modules, which are plugins written
in C and using a common API (load, configure, scan, unload).
Current modules are:
- ClamAV using libclamav
- YARA
- heuristic for PE and ELF binaries
- heuristic for PDF documents
A future extension is to allow writing modules in Python and Go languages.
User interfaces
Armadito provides 2 user interfaces:
- a lightweight graphical user interface, showing only notifications plus "systray" icon, developed using native toolkits
- a full interface, developed using web technologies (AngularJS), that runs in a browser and uses the antivirus REST API
Antivirus administration
The installed antivirus can be managed from a central console, that
allows through a web interface to view alerts, launch remote scans,
deploy new bases or configuration. This console is integrated as a
GLPi plugin.
Next steps
Future developments of the project are:
- update MS-Windows code and release a MS-Windows version with installers
- make extensive testing
- improve documentation
- re-implement the heuristic module for PE/ELF binaries analysis
- provide an API to allow scan modules to be implemented in Python and GO
- improve code quality using sonarqube
- contribute to IRMA with Armadito plugin
- make Armadito antivirus be available inside virustotal.com and AVCaesar
Issues
The project has several opened issues which are not obvious to address:
- memory footprint is too high, approximately 450M when using the ClamAV module, when compared to standard antivirus which have a momory footprint in the order of 100M
- scan modules should run inside a sandbox because they parse complex formats and unpackers, and a bug in the parser or a deliberately malformed file can crash the module and therefore compromise the entire antivirus
- providing up-to-date and good "signature" bases is yet to be done; it requires a strong architecture for malware collecting and automatic signature (likely YARA rules) generation
The current team is small and contributions from the free software
community would be highly appreciated.
Links
Code: github.com/armadito
Documentation: armadito-av.readthedocs.io
Talk: gitter.im/armadito/armadito-av
Ubuntu PPA: launchpad.net/~armadito