Automated malware analysis, realistic/necessary for bulk downloads?

Hello, thank you qubes team and community for everything.

I am new to qubes (and linux for that matter). I have a security / malware question:

I download 4 TB of untrusted media (.mov, .mp4, .mp3, .jpeg, etc.) from disposables, torrents, etc. I would like to calm my paranoia and test for malware so I can use / share the media on less secure devices such as Windows PCs, a home server and smartphones.

My choices seem to be:
A) convert all media using a transcoder (inefficient).
B) run something like Cuckoo Sandbox and analyse like a pro (complex config for a newb).
C) run ClamAV for hash/signature analysis and accept the risk of any unidentified (sophisticated) malware.

Does anyone have an automated malware analysis qube setup?

Quasi-related: So... anyone made a Qubes Aquarium yet? - #2 by wind.gmbh

Is option C (ClamAV) good enough and am I being too paranoid?

VirusTotal would solve this imo if there was a bigger size limit and not a 50k fee for the API.

Thanks in advance.

2 Likes

Good Morning,

after reading your post, one question came to my mind: even if you could check the downloaded file with ClamAV (or any/every AV/malware scanner), convert it with a transcoder and let the file play within a sandbox, could you be sure that there is really no malicious code that just starts attacking after some time, or is already trained to detect sandboxes, or could also be copied along during a transcoding of the file?

Hash/signature analysis is only as good as the patterns are. New stuff may not be detected when you scan the file.

So what would I do? Accept that there is a risk and keep these files separated from the important stuff. So if I uploaded this to my Android, I would categorize this device as untrusted.

1 Like
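For option C from the first post, and the point above that a signature verdict is only as good as the pattern database at the time of the scan, here is an added example (not from the original thread or from ClamAV) that parses clamscan's per-file output, records a SHA-256 manifest together with the signature DB version each verdict came from, releases only files judged clean, and lists which verdicts are stale once freshclam has pulled newer signatures. It assumes clamscan's usual "path: ... FOUND / OK / ERROR" line format; the sample files, output lines and DB version numbers are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# clamscan prints one verdict line per file ("<path>: <sig> FOUND", "<path>: OK" or
# "<path>: <reason> ERROR"), then a summary block that this parser ignores.
_VERDICT = re.compile(r"^(?P<path>.+?): (?P<detail>.*?) ?(?P<status>FOUND|OK|ERROR)$")

def parse_clamscan(output: str) -> dict:
    """Map each scanned path to ('clean' | 'infected' | 'error', detail)."""
    verdicts = {}
    for line in output.splitlines():
        m = _VERDICT.match(line.strip())
        if m:  # summary lines such as "Infected files: 1" never match
            status = {"OK": "clean", "FOUND": "infected", "ERROR": "error"}[m["status"]]
            verdicts[m["path"]] = (status, m["detail"])
    return verdicts

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # 1 MiB chunks, fine for large media
            h.update(block)
    return h.hexdigest()

def build_manifest(verdicts: dict, db_version: str) -> dict:
    """Record hash, verdict and the signature DB version each verdict came from."""
    return {p: {"sha256": sha256_file(Path(p)) if v != "error" else None,
                "verdict": v, "detail": d, "db": db_version}
            for p, (v, d) in verdicts.items()}

def shareable(manifest: dict) -> list:
    """Only files judged clean leave the untrusted qube; errors count as unknown."""
    return sorted(p for p, e in manifest.items() if e["verdict"] == "clean")

def stale(manifest: dict, current_db: str) -> list:
    """Verdicts made with an older signature DB: rescan these after freshclam runs."""
    return sorted(p for p, e in manifest.items() if e["db"] != current_db)

def demo() -> tuple:
    """Constructed sample: three small files plus matching clamscan-style output."""
    root = Path(tempfile.mkdtemp())
    for name in ("a.mp4", "b.mov", "c.jpg"):
        (root / name).write_bytes(name.encode() * 1000)
    sample = (f"{root}/a.mp4: OK\n{root}/b.mov: Eicar-Test-Signature FOUND\n"
              f"{root}/c.jpg: Can't open file or directory ERROR\n"
              "\n----------- SCAN SUMMARY -----------\nInfected files: 1\n")
    manifest = build_manifest(parse_clamscan(sample), "26900")  # DB versions are placeholders
    return manifest, shareable(manifest), stale(manifest, "26901")
```

Anything that is infected or could not be scanned stays behind in the untrusted qube, and a later run with a newer DB version reports every earlier verdict as stale so the set can be rescanned rather than trusted forever.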

This sounds like the compartmentalization option. Very Qubes OS! :+1:

Now you may consider the overall risk low enough after any of the steps you describe @paranomster, which are ways to mitigate some of the possible undesirable scenarios.

That judgment is more of a personal one and a question of threat model / opinion than a question about Qubes OS, though.

1 Like

Hey again,

today my mind was wandering around and somehow I had to think about how to do a malware scan on Qubes. So your question came up again and maybe this is a solution for you:

You know ClamAV is an AV but it’s somehow… let’s say there is not that much money behind it, so it often lacks patterns while doing real-time scanning. At least it was like that some years ago when I used it.

But what about running a Windows HVM with some innovative, edgy AV like Symantec (or the poor man’s Kaspersky Anti-Virus Removal Tool, if it still exists) or something? You can scan the file there and distribute it afterwards in your home environment. You could also download the file in some disp-VM, upload it to a file share within your network and then do the scan remotely on Windows. Maybe you’ll not have the best performance, but I have no idea how a 4 TB file performs anyway when running an AV scan… I don’t do Windows anymore because anything is better without it.

If someone is really paranoid, he could also upload the files to a sandboxed environment like a terminal server or something. VDI came to my mind too, but maybe this should not be done at home. :yum:

Hope that helps.