Warning
uav is an early development project.
A lightweight antivirus for Linux systems with rootless sandbox capabilities.
The idea is to create a simple and reliable malware detection program suitable for normal users, and to give experienced users some advanced tooling for malware analysis.
uav is a single executable and has three main modes:
- protection mode: always on; inspects every program
- sandbox mode: rootless isolated execution for malware analysis or sanity checks of untrusted programs
- scan mode: scans a file and produces a report with information such as signature matches
More information in doc/.
eBPF Integration:
- LSM (Linux Security Module) hooks for mandatory access control
- Hooks on file operations, process creation, network access
- Per-cgroup policy attachment
Runtime:
- Linux kernel 5.7+ (for eBPF LSM support)
- Cgroups v2 (CONFIG_CGROUP_BPF=y)
- OverlayFS support
- Capabilities: CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SYS_CHROOT
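An added preflight script (not part of uav) that checks the runtime requirements above on the running host. It assumes the standard kernel interfaces (/sys/kernel/security/lsm, /sys/fs/cgroup/cgroup.controllers, /proc/filesystems, /proc/self/status, and the kernel config at /proc/config.gz or /boot/config-$(uname -r)) and the capability bit numbers from linux/capability.h; it also checks that bpf is in the active LSM list, which a 5.7+ kernel alone does not guarantee.

```shell
#!/bin/sh
# Preflight for the runtime requirements above: kernel 5.7+, BPF LSM active,
# cgroup v2 with CONFIG_CGROUP_BPF, OverlayFS, and the three capabilities.
# Added example, not uav code; it reads the standard kernel interfaces only.
# kernel_at_least MIN RUNNING: succeeds when RUNNING (e.g. 6.1.0-rc2) >= MIN (e.g. 5.7)
kernel_at_least() {
    min_major=${1%%.*}; min_minor=${1#*.}; min_minor=${min_minor%%.*}
    run=${2%%-*}                                # strip "-generic", "-rc2", ...
    case $run in *.*) ;; *) run=$run.0 ;; esac  # "6" -> "6.0"
    run_major=${run%%.*}; run_minor=${run#*.}; run_minor=${run_minor%%.*}
    [ "$run_major" -gt "$min_major" ] ||
    { [ "$run_major" -eq "$min_major" ] && [ "$run_minor" -ge "$min_minor" ]; }
}
# has_cap NAME CAPEFF_HEX: succeeds when NAME's bit is set in a CapEff mask
# (bit numbers from linux/capability.h: NET_ADMIN=12, SYS_CHROOT=18, SYS_ADMIN=21)
has_cap() {
    case $1 in
        CAP_NET_ADMIN)  bit=12 ;;
        CAP_SYS_CHROOT) bit=18 ;;
        CAP_SYS_ADMIN)  bit=21 ;;
        *) return 2 ;;
    esac
    [ $(( (0x$2 >> bit) & 1 )) -eq 1 ]
}
# config_has OPTION: OPTION=y in the running kernel's config (if it is exposed)
config_has() {
    if [ -r /proc/config.gz ]; then zcat /proc/config.gz | grep -qx "$1=y"
    elif [ -r "/boot/config-$(uname -r)" ]; then grep -qx "$1=y" "/boot/config-$(uname -r)"
    else return 2; fi                           # config not exposed: unknown
}
lsm_has_bpf()    { grep -qw bpf /sys/kernel/security/lsm 2>/dev/null; }
fs_has_overlay() { grep -qw overlay /proc/filesystems 2>/dev/null; }
# report LABEL CMD...: run one check and print a one-line verdict for it
report() { label=$1; shift; if "$@"; then echo "ok       $label"; else echo "MISSING  $label"; fi; }
preflight() {
    capeff=$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status 2>/dev/null || true)
    report "kernel >= 5.7"        kernel_at_least 5.7 "$(uname -r)"
    report "bpf in active LSMs"   lsm_has_bpf
    report "cgroup v2 mounted"    test -r /sys/fs/cgroup/cgroup.controllers
    report "CONFIG_CGROUP_BPF=y"  config_has CONFIG_CGROUP_BPF
    report "OverlayFS available"  fs_has_overlay
    for c in CAP_SYS_ADMIN CAP_NET_ADMIN CAP_SYS_CHROOT; do
        report "$c in CapEff"     has_cap "$c" "${capeff:-0}"
    done
}
preflight
```

Run it as the user that will start uav, since the CapEff mask is read from the script's own process.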
Build:
- libbpf (for eBPF program loading)
- OpenSSL libcrypto (for hash computation)
- libzip (for archive extraction)
- libpcap (sandbox traffic capture)
- libyara-x-capi (parse yara rules and scan files)
make
This produces the uav binary.
Scan a file with a set of yara rules:
./uav scan --yara-rules <path-to-yara> <suspicious-file>
The --yara-rules arg can point to a single .yar file or to a directory. If a directory is specified, only .yar files will be processed.
To run a program in a sandbox:
sudo ./uav sandbox -r <path-to-rootfs> <suspicious-file>
If the rootfs ends with .zip, uav will attempt to extract it. If no suspicious-file is specified, an interactive shell is started instead.
To start the monitor:
Warning
Although one could run the monitor with sudo, it is advisable to run it as root.
./uav monitor
Note
Some tests (the ones regarding the sandbox) need to be executed with root privileges (i.e. with sudo).
Users can run the tests with:
make test
If they have Valgrind, the tests can be run with:
make valgrind