What are people using to scan for malicious files before transferring them out of a download qube?
I assume that a standard qubes usage pattern is that when people are working in a qube and need a file from the internet, they use a qube made just to download files (possibly/probably a disposable qube for just that file), download it there, then transfer it to the qube they are working in.
I’m also assuming that most people who use qubes would want at least an attempt at scanning the file for maliciousness be made before the transfer.
I tried using clamfs, and due to the difficulties of using clamfs in qubes, it’s becoming apparent to me that people are not doing it this way. So what are people using?
[Note: After writing this I found that clamonacc essentially does the same job as clamfs but is now part of clamav-daemon (meaning it’s part of the distributions and you don’t need to trust yet another source on the internet)]
Some possibilities I can think of:
- People are using ClamAV, but doing it manually on each download.
- People are creating a disposable squid “ssl bump” qube, using the squid ssl bump qube as the network qube for the download qube, then doing the scanning in the ssl bump qube before the malicious code gets to the download qube
- People are using a scanner from a different author
- People are not scanning downloads and just transferring files without any checks, then scanning all the qubes later
- People are not scanning downloads and just transferring files without any checks, and doing nothing about it.
- Most people never need to transfer files out of a download qube, and basically just use qubes for security research
However, because of various reasons, none of these seem very likely.
So what are people doing?
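
The first possibility in the list above (ClamAV run manually on each download) can be wrapped in a small gate that refuses the transfer unless the scan comes back clean. This is an added example, not part of the original post or of Qubes itself; it assumes `clamscan` is installed in the download qube and uses the Qubes `qvm-copy` tool, and `SCANNER` and `COPIER` are hypothetical override variables introduced here.

```shell
#!/bin/sh
# Added example: scan a download with ClamAV and hand it to qvm-copy only if clean.
# SCANNER and COPIER are hypothetical override variables (not Qubes or ClamAV
# settings) so the gate logic can be exercised without either tool installed.
SCANNER="${SCANNER:-clamscan}"
COPIER="${COPIER:-qvm-copy}"

scan_and_copy() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "not a regular file: $file" >&2
        return 2
    fi
    # Prefix relative paths so a name starting with '-' is not parsed as an option.
    case "$file" in
        /*) ;;
        *) file="./$file" ;;
    esac
    # clamscan exit status: 0 = nothing found, 1 = signature match, 2 = error.
    rc=0
    "$SCANNER" --no-summary "$file" >&2 || rc=$?
    case "$rc" in
        0)
            # Clean only means no signature matched; qvm-copy then asks dom0
            # for the destination qube.
            "$COPIER" "$file"
            ;;
        1)
            echo "BLOCKED: signature match in $file" >&2
            return 1
            ;;
        *)
            # Fail closed: scanner missing, stale database, unreadable file.
            echo "scan failed (status $rc), not transferring $file" >&2
            return 2
            ;;
    esac
}

# Stand-alone use: ./scan-and-copy.sh FILE [FILE ...]
for f in "$@"; do
    scan_and_copy "$f" || exit $?
done
```

Running it inside the disposable download qube keeps the scanner, its signature database and the untrusted file in the same throwaway environment.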