How to do it?
A $1 mini-prize is available for the right answer (PayPal or AlertPay)

8 Years
Discussion Span
Last Post by cwarn23

First off, it depends on quite a few things... But this is how I do it and requires some prerequisites.

1. Should work on Windows/Linux/Mac
2. Install ClamAV
3. Make sure FreshClam is working and running
4. Read up on your version of ClamAV's command line arguments and how to call it from within PHP
5. In your PHP script, first make sure the file was successfully uploaded to the TMP directory (wherever that is on your system).
6. In your PHP script, run ClamAV on the uploaded file and have ClamAV delete it if it's a nasty file. Probably using proc_open, system, etc.
7. Check that the uploaded file still exists
8. If it doesn't, ClamAV found a virus and deleted it and you can output some nasty message to the virus uploader (if you wanted to).

This way, you don't have to worry about getting a response back from your antivirus program in order to tell if it was a virus or not. Whether or not the file was deleted or not will tell you if it was a virus.

Hope that helps!



Now that I think about it, the aforemtioned solution should work with any antivirus that allows you to call it from within PHP on explicit files and gives you the option to delete the file if the file is found to be malicious. Mint, I'll remember that myself :D

Hope that helps, again,



To detect if a file has a virus, you need to check its memory dump/stack. You can find all about the virus memory stack with a Yahoo Search (the search term "virus memory stack" and click the link that tells yahoo the word stack is not stick) And at the bottom of the search page (in the link I've provided above) you will find a pdf file that can explain some of the memory dump/stack codes that may be harmful. So an example of a W32 file (I think it means 32-bit) is as follows:

81 E5 59 E6 5A ED and ebp, 0ED5AE659h
81 D4 0A A1 DA F9 adc esp, 0F9DAA10Ah
81 F1 D8 AF FF 07 xor ecx, 007FFAFD8h
81 CE A2 46 3E CB or esi, 0CB3E46A2h

or W64

48 81 CE 0E EB 43 23 or rsi, 2343EB0Eh
48 81 F0 3D DD 81 52 xor rax, 5281DD3Dh
48 81 D4 F4 BE 9A 43 adc rsp, 439ABEF4h
48 81 CB 36 F7 90 42 or rbx, 4290F736h

So from that data you extract from the files potential memory stack/dump you need to check for any harmful codes and if there are any, they can be rated and when the rating reaches a certain level, it is then classified as a virus. So that is what my theory is although it may be hard to make.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.