Rename Heuristics.Email.ExceedsMax alerts

Rename Heuristics.Email.ExceedsMax alerts to start with
Heuristics.Limits.Exceeded.Email instead, so that all heuristic alerts
for exceeded scan limits have the same prefix.

common/optparser.c

@@ -385,7 +385,7 @@ const struct clam_option __clam_options[] = {
 
     {"HeuristicAlerts", "heuristic-alerts", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "In some cases (eg. complex malware, exploits in graphic files, and others),\nClamAV uses special algorithms to provide accurate detection. This option\ncontrols the algorithmic detection.", "yes"},
 
-    {"HeuristicScanPrecedence", "heuristic-scan-precedence", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Allow heuristic match to take precedence.\nWhen enabled, if a heuristic scan (such as phishingScan) detects\na possible virus/phish it will stop scan immediately. Recommended, saves CPU\nscan-time.\nWhen disabled, virus/phish detected by heuristic scans will be reported only\nat the end of a scan. If an archive contains both a heuristically detected\nvirus/phish, and a real malware, the real malware will be reported.\nKeep this disabled if you intend to handle \"*.Heuristics.*\" viruses\ndifferently from \"real\" malware.\nIf a non-heuristically-detected virus (signature-based) is found first,\nthe scan is interrupted immediately, regardless of this config option.", "yes"},
+    {"HeuristicScanPrecedence", "heuristic-scan-precedence", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Allow heuristic match to take precedence.\nWhen enabled, if a heuristic scan (such as phishingScan) detects\na possible virus/phish it will stop scan immediately. Recommended, saves CPU\nscan-time.\nWhen disabled, virus/phish detected by heuristic scans will be reported only\nat the end of a scan. If an archive contains both a heuristically detected\nvirus/phish, and a real malware, the real malware will be reported.\nKeep this disabled if you intend to handle \"Heuristics.*\" viruses\ndifferently from \"real\" malware.\nIf a non-heuristically-detected virus (signature-based) is found first,\nthe scan is interrupted immediately, regardless of this config option.", "yes"},
 
     {"StructuredDataDetection", "detect-structured", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Enable the Data Loss Prevention module.", "no"},
 

docs/man/clamd.conf.5.in

@@ -398,7 +398,7 @@ Enable email signature-based phishing detection.
 Default: yes
 .TP
 \fBPhishingScanURLs BOOL\fR
-Enable URL signature-based phishing detection (Phishing.Heuristics.Email.*)
+Enable URL signature-based phishing detection (Heuristics.Phishing.Email.*)
 .br
 Default: yes
 .TP
@@ -512,7 +512,7 @@ Alert on OLE2 files containing VBA macros (Heuristics.OLE2.ContainsMacros).
 Default: no
 .TP
 \fBAlertExceedsMax BOOL\fR
-Alert on files that exceed max file size, max scan size, or max recursion limit (Heuristics.Limits.Exceeded).
+When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or MaxRecursion limit will be flagged with the virus name starting with "Heuristics.Limits.Exceeded".
 .br
 Default: no
 .TP

docs/man/clamscan.1.in

@@ -136,13 +136,13 @@ Scan mail files. If you turn off this option, the original files will still be s
 Enable email signature-based phishing detection.
 .TP
 \fB\-\-phishing\-scan\-urls[=yes(*)/no]\fR
-Enable URL signature-based phishing detection (Phishing.Heuristics.Email.*)
+Enable URL signature-based phishing detection (Heuristics.Phishing.Email.*)
 .TP
 \fB\-\-heuristic\-alerts[=yes(*)/no]\fR
 In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be used to control the algorithmic detection.
 .TP
 \fB\-\-heuristic\-scan\-precedence[=yes/no(*)]\fR
-Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected  virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "*.Heuristics.*" viruses  differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first,  the scan is interrupted immediately, regardless of this config option.
+Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected  virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "Heuristics.*" viruses  differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first,  the scan is interrupted immediately, regardless of this config option.
 .TP
 \fB\-\-normalize[=yes(*)/no]\fR
 Normalize (compress whitespace, downcase, etc.) html, script, and text files. Use normalize=no for yara compatibility.

etc/clamd.conf.sample

@@ -292,7 +292,7 @@ Example
 # at the end of a scan. If an archive contains both a heuristically detected
 # virus/phish, and a real malware, the real malware will be reported
 #
-# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
+# Keep this disabled if you intend to handle "Heuristics.*" viruses
 # differently from "real" malware.
 # If a non-heuristically-detected virus (signature-based) is found first,
 # the scan is interrupted immediately, regardless of this config option.
@@ -648,7 +648,7 @@ Example
 #PCREMaxFileSize 100M
 
 # When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
-# MaxRecursion limit will be flagged with the virus
+# MaxRecursion limit will be flagged with the virus name starting with
 # "Heuristics.Limits.Exceeded".
 # Default: no
 #AlertExceedsMax yes

libclamav/mbox.c

@@ -752,7 +752,7 @@ hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx, bool *
 
         if ((*lineFoldCnt) >= HEURISTIC_EMAIL_MAX_LINE_FOLDS_PER_HEADER) {
             if (SCAN_HEURISTIC_EXCEEDS_MAX) {
-                cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxLineFoldCnt");
+                cli_append_virus(ctx, "Heuristics.Limits.Exceeded.EmailLineFoldCnt");
                 *heuristicFound = TRUE;
             }
 
@@ -768,7 +768,7 @@ haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx, bool *heuristicFound)
 
     if (totalLen > HEURISTIC_EMAIL_MAX_HEADER_BYTES) {
         if (SCAN_HEURISTIC_EXCEEDS_MAX) {
-            cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxHeaderBytes");
+            cli_append_virus(ctx, "Heuristics.Limits.Exceeded.EmailHeaderBytes");
             *heuristicFound = TRUE;
         }
 
@@ -783,7 +783,7 @@ haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx, bool *heuristicFoun
 
     if (totalHeaderCnt > HEURISTIC_EMAIL_MAX_HEADERS) {
         if (SCAN_HEURISTIC_EXCEEDS_MAX) {
-            cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxEmailHeaders");
+            cli_append_virus(ctx, "Heuristics.Limits.Exceeded.EmailHeaders");
             *heuristicFound = TRUE;
         }
 
@@ -798,7 +798,7 @@ haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx, mbox_status *rc
 
     if (mimePartCnt >= HEURISTIC_EMAIL_MAX_MIME_PARTS_PER_MESSAGE) {
         if (SCAN_HEURISTIC_EXCEEDS_MAX) {
-            cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEPartsPerMessage");
+            cli_append_virus(ctx, "Heuristics.Limits.Exceeded.EmailMIMEPartsPerMessage");
             *rc = VIRUS;
         }
 
@@ -813,7 +813,7 @@ haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx, bool *heuristicFound)
 
     if (argCnt >= HEURISTIC_EMAIL_MAX_ARGUMENTS_PER_HEADER) {
         if (SCAN_HEURISTIC_EXCEEDS_MAX) {
-            cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEArguments");
+            cli_append_virus(ctx, "Heuristics.Limits.Exceeded.EmailMIMEArguments");
             *heuristicFound = TRUE;
         }
 

win32/conf_examples/clamd.conf.sample

@@ -621,7 +621,7 @@ TCPAddr localhost
 #PCREMaxFileSize 100M
 
 # When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
-# MaxRecursion limit will be flagged with the virus
+# MaxRecursion limit will be flagged with the virus name starting with
 # "Heuristics.Limits.Exceeded".
 # Default: no
 #AlertExceedsMax yes