Our next speaker will also speak vaguely about security and stuff. After passwords, this is anti-virus. This is François Deschels, and he will talk about Armadito. Let's applaud him.

Armadito is an anti-virus project which is quite young, because we have been on GitHub since May last year, and thanks to Anne, who gave me the idea of making a one-year celebration; the one-year celebration will be next May, probably in Paris. So what is it? It's a project developing an anti-virus which is completely open source. It's backed by Teclib, which is a French editor located in Paris and focusing only on open source. Briefly about the licenses: it's a mix of LGPL, GPL and Microsoft Public License, which is a recognized open source license; this is because of a Windows driver which is used for real-time protection. One original feature, which I'll talk about a little bit later, is that it's a modular anti-virus. It aims to be multi-platform, for now Linux and Windows. It offers standard anti-virus functionalities, that is: on-demand scan of files and directories, putting detected files in a quarantine area, raising alerts, having a journal of events of course, and it offers real-time protection, which means that it can intercept any file open in specified directories, scan files before they're opened, and block the opening of detected files. On Linux, it's implemented using fanotify, and on Windows it's implemented using our own driver, which is based on a file system filter. Modular: why? Because in fact analysis is not completely integrated and locked into the core of the anti-virus. It's done with modules, which are plug-ins which can be dynamically loaded, written in C for now, and they use a small API which has mainly four functions: load, configure, scan a file, and unload. We support four modules for now. One uses libclamav and ClamAV signatures; you all probably know the ClamAV anti-virus, which is kind of the historical anti-virus on Linux. We also support YARA. YARA is both a scan engine and a format for extended signatures.
It's a project that is backed by VirusTotal, which is very active and which probably offers more extensions with respect to ClamAV. But we also have two of our own modules: one is a heuristic module for classifying PE and ELF binaries, and another one is a heuristic module for classification of PDF, PDF documents being a well-known infection support. And in the future we will offer the possibility to write more analysis modules in Python and probably also in the Go language. We support two user interfaces: a first very lightweight one, which runs only in the notification area, the systray, and which shows only notifications, that is mainly when a file was blocked by the real-time protection or when the database was updated; and a full interface which is in fact web-based. It's developed using AngularJS, and it interfaces with a small HTTP server which is embedded into the anti-virus and communicates with a REST API. By the way, you have a small screenshot of the user interface at the left of the other slide. And what is quite new with respect to open source anti-virus is that we offer a central console for management; that is, when you are in an organization or an enterprise, it's very helpful to have a central point where you can know what all the anti-viruses deployed on your Windows or Linux machines are doing, if they have made detections, if there is some database update problem, things like that. So we have an interface which is based on GLPI. GLPI is a software which is supported by Teclib, and it's an asset management system which is often used, for instance in education, where you have to manage a large number of various and heterogeneous machines. And it's based also on FusionInventory, which is an inventory agent deployed on all the machines of your computing environment; it allows uploading to the central server the inventory of the machine, and we have a management interface for the anti-virus which is integrated into this architecture.
So that, for instance, if you go to the tab where you have a list of all the recent detections of all the computers, and when you click on a detection, you automatically know all the inventory information: for instance a person to contact, where is the computer located, is the system up to date, and so on.

What are we going to do next? Well, as soon as possible. We are going to make a Linux release very soon. We have a PPA on Launchpad. We don't have a Windows installer right now, and it's planned for the next month. We need of course more testing and documentation. But other stuff: we would like to re-implement the current heuristic module for binary scan and probably integrate it in a better way with YARA rules. And, as I said, to provide an API to allow people to integrate scan modules written in Python or Go. Why this? Because when you analyze quite complex file formats, or when you unpack, or when you run whatever analysis on the file, if the file is deliberately ill-formed or if there is a vulnerability in the scan module, if it's a C or C++ based scan module it can obviously lead to memory corruption and maybe an exploit, and if you exploit the scan module then you exploit the anti-virus. The anti-virus runs with high, sorry, it runs as root and with administration rights, so you can either get rid of the anti-virus or exploit the machine. So having a more secure language like Python or Go would allow more security when hosting scan modules, and this is related to something else I'm going to talk about very soon. Other issues, of course: code quality. We try to run coverage tests, and very recently passed a SonarQube analysis. IRMA: IRMA is developed by a French company.
It's an open source equivalent of VirusTotal, that is, it's a web interface to scan files using many anti-viruses and have the results presented more or less the same way as VirusTotal. So we'll provide an IRMA plugin that allows scanning files with Armadito. But we also would like to enter VirusTotal and AV Caesar, which is another VirusTotal-like website, for several reasons: first of all, well, to be well known, and second, to have access to the samples provided by the rest of them. But there are still some interesting issues. If we compare with other proprietary anti-viruses, we have a huge memory footprint problem. Usually with a proprietary anti-virus you have a kind of 100 megabytes memory footprint. We run at approximately up to 450 megabytes, which is obviously too high, and this is highly related to the ClamAV module, and we don't know precisely how to fix that. Now we have some ideas, but the problem is quite complex. Then the question of sandboxing: as I explained earlier, when you run a scan on a file, if the scan code has a vulnerability, you may use that to exploit the anti-virus and to compromise the anti-virus and of course the complete machine. So one solution is to implement the scan algorithm using more secure languages. But the other solution is to run the scan inside a sandbox; that is, if by accident the scan crashes or has a memory corruption, then you just throw away the sandbox, consider that the file is dangerous, and you're guaranteed that it won't compromise the whole machine. Of course,
this is quite difficult to implement in a portable way. Basically, on Linux it will be seccomp plus BPF. On Windows, we will probably take a lot of inspiration from the browser sandbox, but it's a kind of complicated job to interface and to implement. Another issue is how to have good signatures, signatures with code, because in fact YARA rules, for instance, are more complicated than signatures. They can be some kind of complex logical expression including operators and extensible modules, but the problem is how to produce these rules, and we obviously don't have hundreds of little hands analyzing in real time thousands or hundreds of thousands of files coming from the internet. We don't have the resources to pay them. So how to do that? Well, there are two solutions. The long-term solution is to have an automated process of analyzing collected malware coming from whatever means, honeypots, spam and so on, or the community, for instance through the IRMA site, and automatically produce rules for recognizing this malware. But it's a point where, for instance, a community could help by providing a world-scale collection of malware. Right now the team is quite small; well, the whole team is there. So if you're interested in security, anti-virus, and collecting malware for your own purpose, no, no, no, no, no, please... Well, you're welcome to join us. The project is young and it has a lot of interesting features to develop. Where to find us? We're on GitHub. We have some documentation on Read the Docs, and you can talk to us on Gitter but also on Freenode; there is a channel called armadito. We have a PPA, and we now have a forum which was installed last week; it's forum.armadito.org.

Thanks for the talk. Do we have a quick question from someone? We have just time for a very quick question.
Yeah, hello everybody. I want to add something about the centralized management system. In fact, we told you that we can manage our anti-virus, but in fact we can manage Kaspersky anti-virus, and this is an open source solution for managing multiple anti-viruses on the same infrastructure. So we centralize alerts from different anti-viruses in an open source solution, and you can add your anti-virus to the system.

Thanks for the precision. Let's applaud the speaker.