# The Armadito antivirus project
We will present Armadito, an open source and multi-platform antivirus. Its modular architecture allows third-party developers to add their own malware detection modules, written in C and, in the future, in Python or Go. Current modules are signature-based (ClamAV), rules-based (YARA) or heuristic. It also provides real-time detection on GNU/Linux and MS-Windows.
Armadito provides graphical user interfaces to notify of malware detections, launch scans, and view statistics and the journal. A central administration console, integrated as a GLPi plug-in, allows a system administrator to manage all the installed antivirus instances, view alerts, launch remote scans, and deploy configuration or bases.
The project has several open issues that are not addressed yet: high memory footprint, sandboxing of scan modules, and automatic generation of signature bases from automated malware collection. Contributions from the free software community would be highly appreciated.
The Armadito project is on GitHub: https://github.com/armadito
## What is it?
Armadito is an open source antivirus that runs on GNU/Linux and MS-Windows. Its modular architecture allows easy integration of new detection algorithms.
Armadito provides standard antivirus features: on-demand scan, quarantine, alerts, a journal and real-time (or "on-access") protection. On GNU/Linux the on-access protection is implemented with fanotify, the kernel API that lets a privileged listener receive file-access events and, for permission events, decide whether the access may proceed before the calling process gets its file descriptor; on MS-Windows it uses Armadito's own filesystem driver.
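The Linux side of that mechanism, as an added example that is not Armadito's code: a minimal on-access scanner built on fanotify permission events. It marks a whole mount for FAN_OPEN_PERM, reads the file behind each event, and answers FAN_ALLOW or FAN_DENY before the opening process gets its descriptor. The detection logic (buffer_is_malicious, which only looks for the EICAR test string) is a hypothetical stand-in for a real scan module; the default mount path, the 1 MiB read cap and the fail-open choice on read errors are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

#ifndef O_LARGEFILE
#define O_LARGEFILE 0 /* already implied on 64-bit ABIs */
#endif

/* The EICAR test string: the standard harmless pattern that every AV detects. */
static const char EICAR[] =
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

#define SCAN_LIMIT (1024 * 1024) /* assumed cap: never read more than this from an untrusted file */

/* Stand-in for a real scan module: 1 if the image contains the EICAR string. */
int buffer_is_malicious(const unsigned char *buf, size_t len)
{
    size_t n = sizeof EICAR - 1;
    for (size_t i = 0; len >= n && i <= len - n; i++)
        if (memcmp(buf + i, EICAR, n) == 0)
            return 1;
    return 0;
}

/* Read the file behind fd (up to SCAN_LIMIT bytes) and scan it.
 * Returns 1 = deny, 0 = allow, -1 = could not read. */
int fd_is_malicious(int fd)
{
    unsigned char *buf = malloc(SCAN_LIMIT);
    size_t got = 0;
    if (!buf)
        return -1;
    for (;;) {
        ssize_t r = read(fd, buf + got, SCAN_LIMIT - got);
        if (r < 0) { free(buf); return -1; }
        if (r == 0) break;
        got += (size_t)r;
        if (got == SCAN_LIMIT) break;
    }
    int verdict = buffer_is_malicious(buf, got);
    free(buf);
    return verdict;
}

int main(int argc, char **argv)
{
    const char *mount = argc > 1 ? argv[1] : "/home"; /* assumed default */
    /* FAN_CLASS_CONTENT: receive permission events with the file already open,
     * and be consulted before notification-only listeners. */
    int fan = fanotify_init(FAN_CLOEXEC | FAN_CLASS_CONTENT, O_RDONLY | O_LARGEFILE);
    if (fan < 0) { perror("fanotify_init (needs CAP_SYS_ADMIN)"); return 1; }
    /* Ask to be consulted on every open() anywhere on the mount. */
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_PERM, AT_FDCWD, mount) < 0) {
        perror("fanotify_mark"); return 1;
    }
    pid_t self = getpid();
    unsigned char events[8192];
    for (;;) {
        ssize_t len = read(fan, events, sizeof events);
        if (len < 0 && errno == EINTR) continue;
        if (len <= 0) { perror("read"); return 1; }
        struct fanotify_event_metadata *md = (struct fanotify_event_metadata *)events;
        for (; FAN_EVENT_OK(md, len); md = FAN_EVENT_NEXT(md, len)) {
            if (md->vers != FANOTIFY_METADATA_VERSION) { fprintf(stderr, "fanotify ABI mismatch\n"); return 1; }
            if (md->fd < 0) continue;                   /* overflow marker, no file attached */
            struct fanotify_response resp = { .fd = md->fd, .response = FAN_ALLOW };
            /* Opens made by this process (loading bases, logging) must never wait
             * on our own verdict, or the scanner deadlocks on itself. */
            if ((md->mask & FAN_OPEN_PERM) && md->pid != self) {
                int v = fd_is_malicious(md->fd);
                if (v == 1) resp.response = FAN_DENY;   /* v == -1: fail open here; a stricter policy would deny */
            }
            if (resp.response == FAN_DENY) {
                char link[64], path[PATH_MAX] = "?";
                snprintf(link, sizeof link, "/proc/self/fd/%d", md->fd);
                ssize_t n = readlink(link, path, sizeof path - 1);
                if (n >= 0) path[n] = '\0';
                fprintf(stderr, "denied pid %d opening %s\n", (int)md->pid, path);
            }
            /* The opener stays blocked in open() until this reply arrives. */
            if ((md->mask & FAN_OPEN_PERM) && write(fan, &resp, sizeof resp) < 0)
                perror("fanotify response");
            close(md->fd);
        }
    }
}
```

Run it as root with the mount point as argument. Two properties of permission events shape the loop: every event must be answered (an unanswered event leaves the caller hung in open() on that mount), and the listener's own file accesses generate events too, which is why events from the scanner's pid are allowed immediately.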
## Modular architecture
Armadito scans files using scan _modules_, which are plugins written in C and using a common API (load, configure, scan, unload).
Current modules are:
* ClamAV, using libclamav
* YARA
* a heuristic module for PE and ELF binaries
* a heuristic module for PDF documents

A planned extension is to allow modules to be written in Python and Go.
## User interfaces
Armadito provides two user interfaces:

* a lightweight graphical user interface, showing only notifications plus a "systray" icon, developed with native toolkits
* a full interface, developed with web technologies (AngularJS), that runs in a browser and uses the antivirus REST API
## Antivirus administration
The installed antivirus instances can be managed from a central console that, through a web interface, allows an administrator to view alerts, launch remote scans, and deploy new bases or configuration. This console is integrated as a GLPi plugin.
## Next steps
Future developments of the project are:

* update the MS-Windows code and release an MS-Windows version with installers
* do extensive testing
* improve documentation
* re-implement the heuristic module for PE/ELF binary analysis
* provide an API that allows scan modules to be implemented in Python and Go
* improve code quality using SonarQube
* contribute an Armadito plugin to IRMA
* make Armadito available inside virustotal.com and AVCaesar
## Issues
The project has several open issues which are not obvious to address:

* the memory footprint is too high: approximately 450 MB when the ClamAV module is loaded, whereas mainstream antivirus products stay in the order of 100 MB
* scan modules should run inside a sandbox: they parse complex formats and run unpackers, so a bug in a parser, or a file deliberately malformed to trigger one, can crash the module and, since modules run inside the antivirus process, take the whole antivirus down with it (or hand an attacker code execution inside it)
* providing up-to-date, good-quality signature bases is yet to be done; it requires a solid architecture for malware collection and automatic signature generation (likely as YARA rules)

The current team is small and contributions from the free software community would be highly appreciated.
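One way to contain that failure mode, as an added example that is not Armadito's code: run each scan in a forked child under resource limits and a seccomp allow-list, and let the daemon treat a dead child as a scan error rather than as its own crash. The two demo modules (a crude PDF heuristic and a parser that trusts an offset taken from the file header), the verdict names and the crafted input are constructed for this example; the allow-list is the minimum for a module that works on an already-loaded buffer, and a real module that needs to allocate memory or open its bases would need a wider filter.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

enum verdict { VERDICT_ERROR = -1, VERDICT_CLEAN = 0, VERDICT_MALWARE = 1 };
/* A module entry point as the core sees it: a function over a file image. */
typedef int (*scan_fn)(const unsigned char *buf, size_t len);

/* Demo module 1 (constructed): crude PDF heuristic, flags embedded JavaScript. */
int pdf_js_scan(const unsigned char *buf, size_t len)
{
    static const char needle[] = "/JavaScript";
    if (len < 4 || memcmp(buf, "%PDF", 4) != 0) return VERDICT_CLEAN;
    for (size_t i = 0; i + sizeof needle - 1 <= len; i++)
        if (memcmp(buf + i, needle, sizeof needle - 1) == 0) return VERDICT_MALWARE;
    return VERDICT_CLEAN;
}

/* Demo module 2 (constructed): a buggy parser. It trusts a 64-bit body offset
 * from the header, so a crafted file makes it read through a wild pointer. */
int buggy_scan(const unsigned char *buf, size_t len)
{
    uint64_t off;
    if (len < 12 || memcmp(buf, "DEMO", 4) != 0) return VERDICT_CLEAN;
    memcpy(&off, buf + 4, 8);                        /* never checked against len */
    const volatile unsigned char *body = buf + off;  /* may point anywhere */
    return body[0] == 0xCA ? VERDICT_MALWARE : VERDICT_CLEAN;
}

/* Crafted input for buggy_scan: the offset is chosen so buf + off wraps to
 * address 0x10, inside the never-mapped first page, so the read always faults. */
size_t make_crashing_input(unsigned char *out, size_t cap)
{
    uint64_t off = (uint64_t)0x10 - (uint64_t)(uintptr_t)out;
    if (cap < 12) return 0;
    memcpy(out, "DEMO", 4);
    memcpy(out + 4, &off, 8);
    return 12;
}

/* Allow-list for the child once the scan starts: write (the verdict), exit and
 * exit_group. Anything else, including what an exploit of the parser would try
 * next (execve, socket, open), kills the child. */
static int install_filter(void)
{
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = { sizeof code / sizeof code[0], code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Run one scan in a throwaway child. A crash, a runaway loop or an exploit in
 * the parser costs that child only; the daemon just sees VERDICT_ERROR. */
int sandboxed_scan(scan_fn scan, const unsigned char *buf, size_t len)
{
    int pipefd[2], v = VERDICT_ERROR, status = 0;
    if (pipe(pipefd) != 0) return VERDICT_ERROR;
    pid_t pid = fork();
    if (pid < 0) { close(pipefd[0]); close(pipefd[1]); return VERDICT_ERROR; }
    if (pid == 0) {
        struct rlimit cpu = { 2, 2 }, core = { 0, 0 };
        close(pipefd[0]);
        setrlimit(RLIMIT_CPU, &cpu);    /* bound a runaway unpacker */
        setrlimit(RLIMIT_CORE, &core);  /* a core dump would leak the scanned file */
        if (install_filter() != 0) _exit(3);   /* fail closed: no sandbox, no scan */
        v = scan(buf, len);             /* pure function over the inherited buffer */
        if (write(pipefd[1], &v, sizeof v) != (ssize_t)sizeof v) _exit(4);
        _exit(0);
    }
    close(pipefd[1]);
    ssize_t got = read(pipefd[0], &v, sizeof v);
    close(pipefd[0]);
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR) {}
    /* Trust the verdict only if the child produced one and then exited cleanly. */
    if (got == (ssize_t)sizeof v && WIFEXITED(status) && WEXITSTATUS(status) == 0) return v;
    if (WIFSIGNALED(status)) fprintf(stderr, "scan module killed by signal %d; treating as error\n", WTERMSIG(status));
    return VERDICT_ERROR;
}

int main(void)
{
    unsigned char pdf[] = "%PDF-1.4 1 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj";
    unsigned char bad[16];
    size_t badlen = make_crashing_input(bad, sizeof bad);
    printf("pdf heuristic: %d\n", sandboxed_scan(pdf_js_scan, pdf, sizeof pdf - 1));
    printf("buggy module on crafted file: %d (and this process is still running)\n",
           sandboxed_scan(buggy_scan, bad, badlen));
    return 0;
}
```

The crafted input plays the role of the deliberately malformed file: the parser dereferences buf + off, the child dies with SIGSEGV, and sandboxed_scan returns VERDICT_ERROR while the caller keeps running. A fork per scan is expensive; the usual compromise is one long-lived worker per module carrying the same filter, with the core restarting it when it dies.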
## Links
Code: [github.com/armadito](https://github.com/armadito)
Documentation: [armadito-av.readthedocs.io](http://armadito-av.readthedocs.io/en/latest/)
Talk: [gitter.im/armadito/armadito-av](https://gitter.im/armadito/armadito-av)
Ubuntu PPA: [launchpad.net/~armadito](https://launchpad.net/~armadito/+archive/ubuntu/armadito-av)