What are people using to scan for malicious files before transferring the file out of a download qube?


I assume that a standard Qubes usage pattern is that when people are working in a qube and need a file from the internet, they use a qube made just to download files (possibly/probably a disposable qube for just that file), download it there, then transfer it to the qube they are working in.

I’m also assuming that most people who use Qubes would want at least an attempt at scanning the file for maliciousness to be made before the transfer.

I tried using clamfs, and due to the difficulties of using clamfs in Qubes, it’s becoming apparent to me that people are not doing it this way. So what are people using?

[Note: After writing this I found that clamonacc essentially does the same job as clamfs but is now part of clamav-daemon (meaning it’s part of the distributions and you don’t need to trust yet another source on the internet)]

Some possibilities I can think of:

  • People are using ClamAV, but doing it manually on each download.
  • People are creating a disposable squid “ssl bump” qube, using the squid ssl bump qube as the network qube for the download qube, then doing the scanning in the ssl bump qube before the malicious code gets to the download qube
  • People are using a scanner from a different author
  • People are not scanning downloads and just transferring files without any checks, then scanning all the qubes later
  • People are not scanning downloads and just transferring files without any checks, and doing nothing about it.
  • Most people never need to transfer files out of a download qube, and basically just use qubes for security research

However because of various reasons, none of these seem very likely.

So what are people doing?

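The first possibility in the list above (running ClamAV by hand on each download) becomes a single step if the scan and the transfer are wrapped together so that the copy cannot happen without a clean verdict. The following is an added example written for this page, not code from the thread or from the Qubes project. It assumes ClamAV’s `clamscan` is installed in the download qube and that `qvm-copy` is on the PATH; the exit codes it relies on are the ones documented in clamscan(1): 0 for no virus found, 1 for virus found, 2 for an error such as a missing signature database.

```python
"""Scan a downloaded file with ClamAV and only then hand it to qvm-copy.

Added example for this page, not from the original thread or the Qubes project.
Assumes clamscan (ClamAV) is installed in the download qube and that the Qubes
qvm-copy tool is on PATH.
"""
import subprocess
import sys
from typing import Callable, Sequence

# Exit statuses documented in clamscan(1).
CLEAN, INFECTED, ERROR = 0, 1, 2

# A runner takes an argv list and returns the exit status; injectable for testing.
Runner = Callable[[Sequence[str]], int]


def run(cmd: Sequence[str]) -> int:
    """Run a command, letting its output reach the terminal, and return its status."""
    return subprocess.call(list(cmd))


def scan_verdict(path: str, runner: Runner = run) -> str:
    """Map clamscan's exit status onto a decision.

    Only an explicit 'clean' result allows a transfer. A scanner error (stale or
    missing signature DB, unreadable file) is not evidence that the file is clean,
    so it is reported separately and also blocks the copy.
    """
    rc = runner(["clamscan", "--no-summary", "--", path])
    if rc == CLEAN:
        return "clean"
    if rc == INFECTED:
        return "infected"
    return "error"


def copy_if_clean(path: str, runner: Runner = run) -> bool:
    """Transfer `path` with qvm-copy only when the scan came back clean.

    Returns True when the copy was attempted and succeeded. qvm-copy itself pops
    the dom0 dialog that asks for the destination qube.
    """
    verdict = scan_verdict(path, runner)
    if verdict != "clean":
        print(f"refusing to transfer {path}: scan result is {verdict}", file=sys.stderr)
        return False
    return runner(["qvm-copy", path]) == 0


if __name__ == "__main__":
    # Usage inside the download qube: python3 scan_and_copy.py ~/Downloads/file.bin
    if len(sys.argv) != 2:
        print("usage: scan_and_copy.py FILE", file=sys.stderr)
        sys.exit(2)
    sys.exit(0 if copy_if_clean(sys.argv[1]) else 1)
```

The fail-closed handling of exit status 2 is the part worth copying: a wrapper that only checks for "infected" will happily transfer a file the scanner never managed to read.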

Hey that’s me!

You can also set up a storage AppVM to always open PDFs, etc… in a disposable VM, so it doesn’t matter if the file is malicious or not.


For PDFs you can always convert them to a Qubes’ Trusted PDF (bitmap form). There are other tools which can check PDFs for javascript, and it wouldn’t be too difficult to write a script to open said PDF in a DispVM, check it for javascript, and report back what it found. If you had a program to check other files for something you could just replace it for the PDF checkers in this script. Let me know if you want me to post the essentials of the script.

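The check-it-in-a-disposable idea from the post above, as an added example written for this page (it is not the poster’s script and not a Qubes tool). The keyword list is the set of PDF name objects that make viewers run script or fire actions on open; the check undoes the `#xx` hex escapes allowed in PDF names so that `/J#61vaScript` is recognised as `/JavaScript`. Two things are assumptions for illustration: the `qvm-run --dispvm --pass-io` invocation follows Qubes 4.x syntax, and the script is assumed to be installed in the disposable’s template as `pdfcheck` so the disposable can run it on its stdin.

```python
"""Report active-content hooks in a PDF, meant to be run inside a disposable.

Added example for this page, not the script mentioned in the thread and not a
Qubes tool. Assumptions: Qubes 4.x `qvm-run --dispvm --pass-io` syntax, and that
this file is installed in the disposable template as `pdfcheck` (illustrative
name chosen for this example).
"""
import json
import re
import subprocess
import sys
from typing import Dict

# PDF names that trigger script execution or viewer actions on open/interaction.
ACTIVE_KEYWORDS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                   "/EmbeddedFile", "/RichMedia")

# PDF name objects may hex-escape characters: /J#61vaScript is /JavaScript.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed samples for a stand-alone run: one clean catalog, one whose
# OpenAction points at an escaped JavaScript action.
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
SAMPLE_WITH_JS = (b"%PDF-1.4\n"
                  b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                  b"2 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
                  b"%%EOF\n")


def normalize_names(data: bytes) -> bytes:
    """Replace #xx escapes with the byte they encode."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_active_keywords(data: bytes) -> Dict[str, int]:
    """Count occurrences of each active-content name after un-escaping."""
    norm = normalize_names(data)
    counts: Dict[str, int] = {}
    for kw in ACTIVE_KEYWORDS:
        # A name ends at a delimiter; the lookahead keeps /JS from matching /JSON.
        hits = re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z0-9_])", norm)
        if hits:
            counts[kw] = len(hits)
    return counts


def assess(data: bytes) -> dict:
    """Verdict plus evidence.

    Object streams (/ObjStm) hold compressed objects that a byte-level scan cannot
    see, so a keyword-free file that uses them is 'inconclusive', not 'clean'.
    """
    counts = count_active_keywords(data)
    uses_objstm = b"/ObjStm" in normalize_names(data)
    if counts:
        verdict = "suspicious"
    elif uses_objstm:
        verdict = "inconclusive"
    else:
        verdict = "clean"
    return {"verdict": verdict, "keywords": counts, "object_streams": uses_objstm}


def check_in_dispvm(path: str) -> dict:
    """Feed the PDF to a fresh disposable on stdin and parse the JSON it prints.

    The untrusted bytes are only parsed inside the disposable, never in the
    calling qube. Assumes `pdfcheck` exists in the disposable template.
    """
    with open(path, "rb") as f:
        data = f.read()
    proc = subprocess.run(["qvm-run", "--dispvm", "--pass-io", "pdfcheck -"],
                          input=data, capture_output=True, check=True)
    return json.loads(proc.stdout.decode())


if __name__ == "__main__":
    # `pdfcheck -` reads the PDF from stdin; `pdfcheck FILE` reads a file;
    # no argument runs the constructed sample.
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        payload = sys.stdin.buffer.read()
    elif len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            payload = f.read()
    else:
        payload = SAMPLE_WITH_JS
    print(json.dumps(assess(payload)))
```

This is a triage signal, not a sanitiser: it tells you whether a file carries hooks worth worrying about, which is useful for deciding whether a document is safe to keep at all. The bitmap conversion the earlier post calls a Trusted PDF is a separate step done with Qubes’ own `qvm-convert-pdf`, which discards such hooks entirely rather than looking for them.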

You can use online virus scan engines like VirusTotal to check for malware in your file(s).
I guess you probably can use a Windows DVM too, to check your files.
Another tool I know besides ClamAV is rkhunter.
A quick Google search also gives me: chkrootkit, LMD (Linux Malware Detect).
I also know there are Linux versions of: Avira, Kaspersky, NOD32. But those are paid versions IIRC.

Be aware that VirusTotal most of the time collects and/or saves the file in the cloud and does many things with it (I use it for checking publicly available files, not for privately sent files).

It uses the ClamAV engine when available.

Not all of them are paid, but I don’t use them since

Very interesting…
What are these? I’m not familiar with clamfs, rkhunter & chkrootkit.

How do I do this…
For PDFs you can always convert them to a Qubes’ Trusted PDF (bitmap form).

I usually either do “screen shots” for PDFs, docs, text files, pictures, etc., or “screen record” for videos.
Or I have been thinking of making a downloads template just for these things. But again I would like some scanning tools to install for protection in this “download” template to remove/kill the little nasty bugs that may come with the downloads.

clamfs is a file system that automatically scans your files using ClamAV.
rkhunter & chkrootkit are just AVs that find rootkits.

but you opened it

I realize that I’m the one that said clamfs, but after writing this I found that clamonacc essentially does the same job as clamfs but is now part of clamav-daemon . This means it’s part of the distributions and you don’t need to trust yet another source on the internet. (this has been added to the original post)

Please confirm: you’re proposing transferring from your web browser qube (which is probably a DVM) to a Windows disposable VM where you have an antivirus installed, checking it there, then transferring it to your actual destination?

You don’t say what difficulties you found with clamfs - I use it in some qubes, so may be able to help you.
In some cases, I scan with ClamAV.
In some cases, I transfer without doing anything.
In some cases, I use Qubes tools to sanitise PDFs, images or documents before transfer.

If you use a minimal, offline, storage qube, and open files in offline disposables, then you have reduced risk to malware that is triggered on qvm-copy, or on reading/writing to disk.
In most cases, I don’t care if I am curating a malware zoo.


One of the clamfs issues was how to prevent Qubes from auto-bind-mounting /home in the disposable, so that clamfs could automount it
(one option would be to specifically unmount /home after startup with rc.local, but then it’s not obvious how to edit the rc.local of a disposable).

Another issue was that when applied to /tmp, suddenly Firefox would break in that the extensions did not seem to be loaded, and opening a new tab would cause a crash.

Just saying - virustotal.com belongs to Google, so the known privacy issues hold, specifically the file being analyzed for further tracking and fingerprinting.


@ppc Always in a disposable qube I do almost everything I don’t trust… then take screen shots after I open said (PDF, doc, text)… As for videos, I have a domain set up with OBS Studio and keep videos there… I would like the option to scan/clean such files with software, but I am not yet familiar with what all of you guys are talking about.

I never heard that before (it does not belong to Google).
edit:

VirusTotal and virustotal.com is owned by Chronicle Security Ireland Limited (“ CISL ”), an Irish Limited Company with registered number 507502. CISL is owned by Chronicle LLC, a Delaware limited liability company incorporated in the United States (“ Chronicle ”). Chronicle is an indirect subsidiary of Alphabet, Inc. This notice applies to VirusTotal’s services including the use of VirusTotal’s website (also known as the “ Site ”), API, VT Enterprise, VT Hunting, VT Graph, and anywhere else the Services and results from the Services may appear.

edit: Alphabet, Inc., also called Google


@ppc yes, more precisely Alphabet Inc., which is the parent company of Google.

virustotal.com:

By submitting data below, you are agreeing to our Terms of Service and Privacy Policy, and to the sharing of your Sample submission with the security community. Please do not submit any personal information; VirusTotal is not responsible for the contents of your submission. Learn more.

Having this warning on the startpage and knowing the impact of uploading something to third parties (e.g. personal files) by people using qubes os, I omitted a further warning/clarification.

I just use a disposable VM for most things. If I have to transfer files, I use a cloud service if it isn’t private and encrypt the data, so when I open it and check the key I know nothing has interfered with it. But I am new to Qubes, so maybe there is a much better way.

This is one of the most stupid ways to transfer files to different qubes.

right click and select “Copy to VM” or “Move to VM”

That’s what I was doing before I used Qubes… I’m still fiddling with it, lol.
But all good, currently I’m just transferring files etc. over into qubes that way from my old system.

Qubes OS is about making compartmentalization easier.

Your cloud provider might already know your data now; that’s not a good way to prove it’s not read by someone that’s not you.