Changing numerous scan options' names, primarily those of heuristic signature alert options. Original options (command line and clamd) will remain as deprecated & undocumented for a couple releases. Added 2 extra scan options to allow users to differentiate between alerting on encrypted archives vs encrypted documents (bb11911).

Micah Snyder (micasnyd) 7 years ago committed by Micah Snyder
parent 9dcc0f7a74
commit f61e92da8f
  1. 147
      clamd/server-th.c
  2. 22
      clamscan/clamscan.c
  3. 40
      clamscan/manager.c
  4. 10
      docs/UserManual/libclamav.md
  5. 90
      docs/man/clamd.conf.5.in
  6. 50
      docs/man/clamscan.1.in
  7. 131
      etc/clamd.conf.sample
  8. 4
      libclamav/7z_iface.c
  9. 10
      libclamav/bytecode_api.c
  10. 21
      libclamav/clamav.h
  11. 3
      libclamav/others.h
  12. 2
      libclamav/pdf.c
  13. 4
      libclamav/scanners.c
  14. 2
      libclamav/unzip.c
  15. 38
      shared/optparser.c
  16. 2
      unit_tests/check_common.sh
  17. 199
      win32/conf_examples/clamd.conf.sample

@ -923,31 +923,83 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi
val = cl_engine_get_num(engine, CL_ENGINE_PCRE_MAX_FILESIZE, NULL);
logg("Limits: PCREMaxFileSize limit set to %llu.\n", val);
if(optget(opts, "ScanArchive")->enabled) {
logg("Archive support enabled.\n");
options.parse |= CL_SCAN_PARSE_ARCHIVE;
if (optget(opts, "ScanArchive")->enabled) {
logg("Archive support enabled.\n");
options.parse |= CL_SCAN_PARSE_ARCHIVE;
} else {
logg("Archive support disabled.\n");
}
/* TODO: Remove deprecated option in a future feature release. */
if (optget(opts, "ArchiveBlockEncrypted")->enabled) {
if (options.parse & CL_SCAN_PARSE_ARCHIVE) {
logg(
"^Using deprecated option \"ArchiveBlockEncrypted\" to alert on "
"encrypted archives _and_ documents. Please update your "
"configuration to use replacement options \"AlertEncrypted\", or "
"\"AlertEncryptedArchive\" and/or \"AlertEncryptedDoc\".\n");
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE;
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;
} else {
logg(
"^Using deprecated option \"ArchiveBlockEncrypted\" to alert on "
"encrypted documents. Please update your configuration to use "
"replacement options \"AlertEncrypted\", or "
"\"AlertEncryptedArchive\" and/or \"AlertEncryptedDoc\".\n");
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;
}
}
if(optget(opts, "ArchiveBlockEncrypted")->enabled) {
logg("Archive: Blocking encrypted archives.\n");
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED;
}
if (optget(opts, "AlertEncrypted")->enabled) {
if (options.parse & CL_SCAN_PARSE_ARCHIVE) {
logg("Alerting of encrypted archives _and_ documents enabled.\n");
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE;
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;
} else {
logg("Alerting of encrypted documents enabled.\n");
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;
}
}
} else {
logg("Archive support disabled.\n");
if (optget(opts, "AlertEncryptedArchive")->enabled) {
if (options.parse & CL_SCAN_PARSE_ARCHIVE) {
logg("Alerting of encrypted archives _and_ documents enabled.\n");
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE;
} else {
logg("^Encrypted archive alerting requested, but archive support "
"is disabled!\n");
}
}
if (optget(opts, "AlertEncryptedDoc")->enabled) {
logg("Alerting of encrypted documents enabled.\n");
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;
}
/* TODO: Remove deprecated option in a future feature release. */
if (optget(opts, "BlockMax")->enabled) {
logg("BlockMax heuristic detection enabled.\n");
logg("^Using deprecated option \"BlockMax\" to enable heuristic alerts "
"when scans exceed set maximums. Please update your configuration "
"to use replacement option \"AlertExceedsMax\".\n");
options.heuristic |= CL_SCAN_HEURISTIC_EXCEEDS_MAX;
} else if (optget(opts, "AlertExceedsMax")->enabled) {
logg("Heuristic alerting enabled for scans that exceed set maximums.\n");
options.heuristic |= CL_SCAN_HEURISTIC_EXCEEDS_MAX;
} else {
logg("BlockMax heuristic detection disabled.\n");
}
if(optget(opts, "AlgorithmicDetection")->enabled) {
logg("Algorithmic detection enabled.\n");
options.general |= CL_SCAN_GENERAL_HEURISTICS;
logg("AlertExceedsMax heuristic detection disabled.\n");
}
/* TODO: Remove deprecated option in a future feature release. */
if (optget(opts, "AlgorithmicDetection")->enabled) {
logg("^Using deprecated option \"AlgorithmicDetection\" to enable "
"heuristic alerts. Please update your configuration to use "
"replacement option \"HeuristicAlerts\".\n");
options.heuristic |= CL_SCAN_GENERAL_HEURISTICS;
} else if (optget(opts, "HeuristicAlerts")->enabled) {
logg("Heuristic alerts enabled.\n");
options.general |= CL_SCAN_GENERAL_HEURISTICS;
} else {
logg("Algorithmic detection disabled.\n");
logg("Heuristic alerts disabled.\n");
}
if(optget(opts, "ScanPE")->enabled) {
@ -964,11 +1016,13 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi
logg("ELF support disabled.\n");
}
if(optget(opts, "ScanPE")->enabled || optget(opts, "ScanELF")->enabled) {
if(optget(opts, "DetectBrokenExecutables")->enabled) {
logg("Detection of broken executables enabled.\n");
options.heuristic |= CL_SCAN_HEURISTIC_BROKEN;
}
/* TODO: Remove deprecated option in a future feature release */
if (optget(opts, "ScanPE")->enabled || optget(opts, "ScanELF")->enabled) {
if ((optget(opts, "DetectBrokenExecutables")->enabled) ||
(optget(opts, "AlertBrokenExecutables")->enabled)) {
logg("Alerting on broken executables enabled.\n");
options.heuristic |= CL_SCAN_HEURISTIC_BROKEN;
}
}
if(optget(opts, "ScanMail")->enabled) {
@ -984,15 +1038,18 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi
logg("Mail files support disabled.\n");
}
if(optget(opts, "ScanOLE2")->enabled) {
logg("OLE2 support enabled.\n");
options.parse |= CL_SCAN_PARSE_OLE2;
if(optget(opts, "OLE2BlockMacros")->enabled) {
logg("OLE2: Blocking all VBA macros.\n");
options.heuristic |= CL_SCAN_HEURISTIC_MACROS;
}
if (optget(opts, "ScanOLE2")->enabled) {
logg("OLE2 support enabled.\n");
options.parse |= CL_SCAN_PARSE_OLE2;
/* TODO: Remove deprecated option in a future feature release */
if ((optget(opts, "OLE2BlockMacros")->enabled) ||
(optget(opts, "AlertOLE2Macros")->enabled)) {
logg("OLE2: Alerting on all VBA macros.\n");
options.heuristic |= CL_SCAN_HEURISTIC_MACROS;
}
} else {
logg("OLE2 support disabled.\n");
logg("OLE2 support disabled.\n");
}
if(optget(opts, "ScanPDF")->enabled) {
@ -1030,22 +1087,26 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi
logg("HWP3 support disabled.\n");
}
if(optget(opts,"PhishingScanURLs")->enabled) {
if(optget(opts,"PhishingAlwaysBlockCloak")->enabled) {
options.heuristic |= CL_SCAN_HEURISTIC_PHISHING_CLOAK;
logg("Phishing: Always checking for cloaked urls\n");
}
if(optget(opts,"PhishingAlwaysBlockSSLMismatch")->enabled) {
options.heuristic |= CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH;
logg("Phishing: Always checking for ssl mismatches\n");
}
if (optget(opts, "PhishingScanURLs")->enabled) {
/* TODO: Remove deprecated option in a future feature release */
if ((optget(opts, "PhishingAlwaysBlockCloak")->enabled) ||
(optget(opts, "AlertPhishingCloak")->enabled)) {
options.heuristic |= CL_SCAN_HEURISTIC_PHISHING_CLOAK;
logg("Phishing: Always checking for cloaked urls\n");
}
/* TODO: Remove deprecated option in a future feature release */
if ((optget(opts, "PhishingAlwaysBlockSSLMismatch")->enabled) ||
(optget(opts, "AlertPhishingSSLMismatch")->enabled)) {
options.heuristic |= CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH;
logg("Phishing: Always checking for ssl mismatches\n");
}
}
if(optget(opts,"PartitionIntersection")->enabled) {
/* TODO: Remove deprecated option in a future feature release */
if ((optget(opts,"PartitionIntersection")->enabled) ||
(optget(opts,"AlertPartitionIntersection")->enabled)) {
options.heuristic |= CL_SCAN_HEURISTIC_PARTITION_INTXN;
logg("Raw DMG: Always checking for partitions intersections\n");
logg("Raw DMG: Alert on partitions intersections\n");
}
if(optget(opts,"HeuristicScanPrecedence")->enabled) {
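Review bot: In the first hunk (@ -923), the deprecated `AlgorithmicDetection` branch ORs `CL_SCAN_GENERAL_HEURISTICS` into `options.heuristic`, while the replacement `HeuristicAlerts` branch directly below ORs the same constant into `options.general`. That constant belongs to the general field, so any clamd.conf still using the deprecated name would no longer enable heuristics and, depending on the bit's value, could switch on an unrelated heuristic flag instead; the line should be `options.general |= CL_SCAN_GENERAL_HEURISTICS;`. In the same hunk the `AlertEncryptedArchive` branch logs "Alerting of encrypted archives _and_ documents enabled" although it only sets `CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE`; the message should say `"Alerting of encrypted archives enabled.\n"`. recvloop_th begins before and ends after these hunks.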

@ -251,13 +251,10 @@ void help(void)
mprintf(" --structured-ssn-count=N Min SSN count to generate a detect\n");
mprintf(" --structured-cc-count=N Min CC count to generate a detect\n");
mprintf(" --scan-mail[=yes(*)/no] Scan mail files\n");
mprintf(" --phishing-sigs[=yes(*)/no] Signature-based phishing detection\n");
mprintf(" --phishing-scan-urls[=yes(*)/no] URL-based phishing detection\n");
mprintf(" --phishing-sigs[=yes(*)/no] Enable email signature-based phishing detection\n");
mprintf(" --phishing-scan-urls[=yes(*)/no] Enable URL signature-based phishing detection\n");
mprintf(" --heuristic-alerts[=yes(*)/no] Heuristic alerts\n");
mprintf(" --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found\n");
mprintf(" --phishing-ssl[=yes/no(*)] Always block (flag) SSL mismatches in URLs (phishing module)\n");
mprintf(" --phishing-cloak[=yes/no(*)] Always block (flag) cloaked URLs (phishing module)\n");
mprintf(" --partition-intersection[=yes/no(*)] Detect partition intersections in raw disk images using heuristics\n");
mprintf(" --algorithmic-detection[=yes(*)/no] Algorithmic detection\n");
mprintf(" --normalize[=yes(*)/no] Normalize html, script, and text files. Use normalize=no for yara compatibility\n");
mprintf(" --scan-pe[=yes(*)/no] Scan PE files\n");
mprintf(" --scan-elf[=yes(*)/no] Scan ELF files\n");
@ -268,10 +265,15 @@ void help(void)
mprintf(" --scan-xmldocs[=yes(*)/no] Scan xml-based document files\n");
mprintf(" --scan-hwp3[=yes(*)/no] Scan HWP3 files\n");
mprintf(" --scan-archive[=yes(*)/no] Scan archive files (supported by libclamav)\n");
mprintf(" --detect-broken[=yes/no(*)] Try to detect broken executable files\n");
mprintf(" --block-encrypted[=yes/no(*)] Block (flag) encrypted archives\n");
mprintf(" --block-macros[=yes/no(*)] Block (flag) OLE2 files with VBA macros\n");
mprintf(" --block-max[=yes/no(*)] Block (flag) files that exceed max file size, max scan size, or max recursion limit\n");
mprintf(" --alert-broken[=yes/no(*)] Alert on broken executable files (PE & ELF)\n");
mprintf(" --alert-encrypted[=yes/no(*)] Alert on encrypted archives and documents\n");
mprintf(" --alert-encrypted-archive[=yes/no(*)] Alert on encrypted archives\n");
mprintf(" --alert-encrypted-doc[=yes/no(*)] Alert on encrypted documents\n");
mprintf(" --alert-macros[=yes/no(*)] Alert on OLE2 files containing VBA macros\n");
mprintf(" --alert-exceeds-max[=yes/no(*)] Alert on files that exceed max file size, max scan size, or max recursion limit\n");
mprintf(" --alert-phishing-ssl[=yes/no(*)] Alert on emails containing SSL mismatches in URLs\n");
mprintf(" --alert-phishing-cloak[=yes/no(*)] Alert on emails containing cloaked URLs\n");
mprintf(" --alert-partition-intersection[=yes/no(*)] Alert on raw DMG image files containing partition intersections\n");
mprintf(" --nocerts Disable authenticode certificate chain verification in PE files\n");
mprintf(" --dumpcerts Dump authenticode certificate chain in PE files\n");
mprintf("\n");
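Review bot: The new `--heuristic-alerts[=yes(*)/no]` help line describes the option only as "Heuristic alerts", so `--help` no longer tells the user what the option controls now that the `--algorithmic-detection` line (and its description) is gone. The wording the same commit uses in the man page and the conf sample would fit in one line, e.g. `mprintf(" --heuristic-alerts[=yes(*)/no] Enable heuristic alerts for abnormal patterns (e.g. complex malware, exploits in graphic files)\n");`. help() begins before and ends after these hunks.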

@ -1017,13 +1017,19 @@ int scanmanager(const struct optstruct *opts)
options.general |= CL_SCAN_GENERAL_ALLMATCHES;
}
if(optget(opts,"phishing-ssl")->enabled)
/* TODO: Remove deprecated option in a future feature release */
if ((optget(opts,"phishing-ssl")->enabled) ||
(optget(opts,"alert-phishing-ssl")->enabled))
options.heuristic |= CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH;
if(optget(opts,"phishing-cloak")->enabled)
/* TODO: Remove deprecated option in a future feature release */
if ((optget(opts,"phishing-cloak")->enabled) ||
(optget(opts,"alert-phishing-cloak")->enabled))
options.heuristic |= CL_SCAN_HEURISTIC_PHISHING_CLOAK;
if(optget(opts,"partition-intersection")->enabled)
/* TODO: Remove deprecated option in a future feature release */
if ((optget(opts,"partition-intersection")->enabled) ||
(optget(opts,"alert-partition-intersection")->enabled))
options.heuristic |= CL_SCAN_HEURISTIC_PARTITION_INTXN;
if(optget(opts,"heuristic-scan-precedence")->enabled)
@ -1032,14 +1038,30 @@ int scanmanager(const struct optstruct *opts)
if(optget(opts, "scan-archive")->enabled)
options.parse |= CL_SCAN_PARSE_ARCHIVE;
if(optget(opts, "detect-broken")->enabled)
/* TODO: Remove deprecated option in a future feature release */
if ((optget(opts, "detect-broken")->enabled) ||
(optget(opts, "alert-broken")->enabled)) {
options.heuristic |= CL_SCAN_HEURISTIC_BROKEN;
}
/* TODO: Remove deprecated option in a future feature release */
if ((optget(opts, "block-encrypted")->enabled) ||
(optget(opts, "alert-encrypted")->enabled)) {
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE;
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;
}
if(optget(opts, "block-encrypted")->enabled)
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED;
if (optget(opts, "alert-encrypted-archive")->enabled)
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE;
if(optget(opts, "block-macros")->enabled)
if (optget(opts, "alert-encrypted-doc")->enabled)
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;
/* TODO: Remove deprecated option in a future feature release */
if ((optget(opts, "block-macros")->enabled) ||
(optget(opts, "alert-macros")->enabled)) {
options.heuristic |= CL_SCAN_HEURISTIC_MACROS;
}
if(optget(opts, "scan-pe")->enabled)
options.parse |= CL_SCAN_PARSE_PE;
@ -1071,7 +1093,9 @@ int scanmanager(const struct optstruct *opts)
if(optget(opts, "algorithmic-detection")->enabled)
options.general |= CL_SCAN_GENERAL_HEURISTICS;
if(optget(opts, "block-max")->enabled) {
/* TODO: Remove deprecated option in a future feature release */
if ((optget(opts, "block-max")->enabled) ||
(optget(opts, "alert-exceeds-max")->enabled)) {
options.heuristic |= CL_SCAN_HEURISTIC_EXCEEDS_MAX;
}
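Review bot: In the last hunk (@ -1071) the unchanged context `if(optget(opts, "algorithmic-detection")->enabled)` is still the only line that sets `CL_SCAN_GENERAL_HEURISTICS`, and the new `--heuristic-alerts` option advertised in the clamscan help text is not consulted here; unless it is wired up elsewhere in scanmanager (outside these hunks), `--heuristic-alerts=no` would have no effect. The other renamed options in this file use a deprecated-OR-new check, so the same shape would be `if ((optget(opts, "algorithmic-detection")->enabled) || (optget(opts, "heuristic-alerts")->enabled))`, but that only lets the new option turn heuristics off if the deprecated option's default in optparser.c (not shown) is disabled rather than yes. Note also that, unlike the clamd change, the `block-encrypted`/`alert-encrypted` path here sets the archive flag without regard to `scan-archive`; harmless since archive parsing is off, but the server side warns in that case and clamscan stays silent. scanmanager begins before and ends after these hunks.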

@ -316,16 +316,18 @@ Supported flags for each of the fields are as follows:
- **CL_SCAN_GENERAL_HEURISTIC_PRECEDENCE**
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When *disabled*, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported.
- **CL_SCAN_HEURISTIC_ENCRYPTED**
With this flag the library will mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
- **CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE**
With this flag the library will mark encrypted archives as viruses (encrypted .zip, .7zip, .rar).
- **CL_SCAN_HEURISTIC_ENCRYPTED_DOC**
With this flag the library will mark encrypted docuemnts as viruses (encrypted .pdf).
- **CL_SCAN_HEURISTIC_BROKEN**
libclamav will try to detect broken executables and mark them as Broken.Executable.
- **CL_SCAN_HEURISTIC_EXCEEDS_MAX**
Alert when the scan of any file exceeds maximums such as max filesize, max scansize, max recursion level.
- **CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH**
Heuristic for Phishing module: always block SSL mismatches in URLs.
Heuristic for phishing module: alert on SSL mismatches in URLs.
- **CL_SCAN_HEURISTIC_PHISHING_CLOAK**
Phishing module: always block cloaked URLs.
Heuristic for phishing module: alert on cloaked URLs.
- **CL_SCAN_HEURISTIC_MACROS**
OLE2 containers, which contain VBA macros will be marked infected (Heuristics.OLE2.ContainsMacros).
- **CL_SCAN_HEURISTIC_PARTITION_INTXN**

@ -338,10 +338,15 @@ Only include a specific PUA category. This directive can be used multiple times.
.br
Default: disabled
.TP
\fBAlgorithmicDetection BOOL\fR
\fBHeuristicAlerts BOOL\fR
In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option controls the algorithmic detection.
.br
Default: yes
.TP
\fBHeuristicScanPrecedence BOOL\fR
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phishing it will stop scanning immediately. Recommended, saves CPU scan-time. When disabled, virus/phishing detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported. Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.
.br
Default: no
.TP
\fBScanPE BOOL\fR
PE stands for Portable Executable \- it's an executable file format used in all 32 and 64\-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX.
@ -357,11 +362,6 @@ If you turn off this option, the original files will still be scanned, but witho
.br
Default: yes
.TP
\fBDetectBrokenExecutables BOOL\fR
With this option clamd will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable.
.br
Default: no
.TP
\fBScanMail BOOL\fR
Enable scanning of mail files.
.br
@ -375,35 +375,15 @@ Scan RFC1341 messages split over many emails. You will need to periodically clea
Default: no
.TP
\fBPhishingSignatures BOOL\fR
With this option enabled ClamAV will try to detect phishing attempts by using signatures.
Enable email signature-based phishing detection.
.br
Default: yes
.TP
\fBPhishingScanURLs BOOL\fR
Scan URLs found in mails for phishing attempts using heuristics. This will classify "Possibly Unwanted" phishing emails as Phishing.Heuristics.Email.*
Enable URL signature-based phishing detection (Phishing.Heuristics.Email.*)
.br
Default: yes
.TP
\fBPhishingAlwaysBlockCloak BOOL\fR
Always block cloaked URLs, even if URL isn't in database. This can lead to false positives.
.br
Default: no
.TP
\fBPhishingAlwaysBlockSSLMismatch BOOL\fR
Always block SSL mismatches in URLs, even if the URL isn't in the database. This can lead to false positives.
.br
Default: no
.TP
\fBPartitionIntersection BOOL\fR
Detect partition intersections in raw disk images using heuristics.
.br
Default: no
.TP
\fBHeuristicScanPrecedence BOOL\fR
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phishing it will stop scanning immediately. Recommended, saves CPU scan-time. When disabled, virus/phishing detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported. Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.
.br
Default: no
.TP
\fBStructuredDataDetection BOOL\fR
Enable the DLP module.
.br
@ -443,16 +423,6 @@ If you turn off this option, the original files will still be scanned, but witho
.br
Default: yes
.TP
\fBOLE2BlockMacros BOOL\fR
With this option enabled OLE2 files with VBA macros, which were not detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
.br
Default: no
.TP
\fBBlockMax BOOL\fR
Flag files with "Heuristics.Limits.Exceeded" when scanning is incomplete due to exceeding a scan or file size limit.
.br
Default: no
.TP
\fBScanPDF BOOL\fR
This option enables scanning within PDF files.
.br
@ -487,9 +457,49 @@ Scan within archives and compressed files.
If you turn off this option, the original files will still be scanned, but without unpacking and additional processing.
.br
Default: yes
.TP
\fBAlertBrokenExecutables BOOL\fR
Alert on broken executable files (PE & ELF).
.br
Default: no
.TP
\fBAlertEncrypted BOOL\fR
Alert on encrypted archives and documents (encrypted .zip, .7zip, .rar, .pdf).
.br
Default: no
.TP
\fBAlertEncryptedArchive BOOL\fR
Alert on encrypted archives (encrypted .zip, .7zip, .rar).
.br
Default: no
.TP
\fBAlertEncryptedDoc BOOL\fR
Alert on encrypted documents (encrypted .pdf).
.br
Default: no
.TP
\fBAlertOLE2Macros BOOL\fR
Alert on OLE2 files containing VBA macros (Heuristics.OLE2.ContainsMacros).
.br
Default: no
.TP
\fBAlertExceedsMax BOOL\fR
Alert on files that exceed max file size, max scan size, or max recursion limit (Heuristics.Limits.Exceeded).
.br
Default: no
.TP
\fBAlertPhishingSSLMismatch BOOL\fR
Alert on emails containing SSL mismatches in URLs (might lead to false positives!).
.br
Default: no
.TP
\fBAlertPhishingCloak BOOL\fR
Alert on emails containing cloaked URLs (might lead to some false positives).
.br
Default: no
.TP
\fBArchiveBlockEncrypted BOOL\fR
Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
\fBAlertPartitionIntersection BOOL\fR
Alert on raw DMG image files containing partition intersections.
.br
Default: no
.TP

@ -133,26 +133,17 @@ This option sets the lowest number of Credit Card numbers found in a file to gen
Scan mail files. If you turn off this option, the original files will still be scanned, but without parsing individual messages/attachments.
.TP
\fB\-\-phishing\-sigs[=yes(*)/no]\fR
Use the signature-based phishing detection.
Enable email signature-based phishing detection.
.TP
\fB\-\-phishing\-scan\-urls[=yes(*)/no]\fR
Use the url-based heuristic phishing detection (Phishing.Heuristics.Email.*)
Enable URL signature-based phishing detection (Phishing.Heuristics.Email.*)
.TP
\fB\-\-heuristic\-alerts[=yes(*)/no]\fR
In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be used to control the algorithmic detection.
.TP
\fB\-\-heuristic\-scan\-precedence[=yes/no(*)]\fR
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.
.TP
\fB\-\-phishing\-ssl[=yes/no(*)]\fR
Block SSL mismatches in URLs (might lead to false positives!).
.TP
\fB\-\-phishing\-cloak[=yes/no(*)]\fR
Block cloaked URLs (might lead to some false positives).
.TP
\fB\-\-partition\-intersection[=yes/no(*)]\fR
Detect partition intersections in raw disk images using heuristics.
.TP
\fB\-\-algorithmic\-detection[=yes(*)/no]\fR
In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be used to control the algorithmic detection.
.TP
\fB\-\-normalize[=yes(*)/no]\fR
Normalize (compress whitespace, downcase, etc.) html, script, and text files. Use normalize=no for yara compatibility.
.TP
@ -183,17 +174,32 @@ Scan HWP3 files. If you turn off this option, the original files will still be s
\fB\-\-scan\-archive[=yes(*)/no]\fR
Scan archives supported by libclamav. If you turn off this option, the original files will still be scanned, but without unpacking and additional processing.
.TP
\fB\-\-detect\-broken[=yes/no(*)]\fR
Mark broken executables as viruses (Broken.Executable).
\fB\-\-alert\-broken[=yes/no(*)]\fR
Alert on broken executable files (PE & ELF).
.TP
\fB\-\-alert\-encrypted[=yes/no(*)]\fR
Alert on encrypted archives and documents (encrypted .zip, .7zip, .rar, .pdf).
.TP
\fB\-\-alert\-encrypted-archive[=yes/no(*)]\fR
Alert on encrypted archives (encrypted .zip, .7zip, .rar, .pdf).
.TP
\fB\-\-alert\-encrypted-doc[=yes/no(*)]\fR
Alert on encrypted documents (encrypted .zip, .7zip, .rar, .pdf).
.TP
\fB\-\-block\-encrypted[=yes/no(*)]\fR
Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
\fB\-\-alert\-macros[=yes/no(*)]\fR
Alert on OLE2 files containing VBA macros (Heuristics.OLE2.ContainsMacros).
.TP
\fB\-\-block\-macros[=yes/no(*)]\fR
Mark OLE2 files containing VBA macros as viruses (Heuristics.OLE2.ContainsMacros).
\fB\-\-alert\-exceeds\-max[=yes/no(*)]\fR
Alert on files that exceed max file size, max scan size, or max recursion limit (Heuristics.Limits.Exceeded).
.TP
\fB\-\-block\-max[=yes/no(*)]\fR
Flag files with "Heuristics.Limits.Exceeded" when scanning is incomplete due to exceeding a scan or file size limit.
\fB\-\-alert\-phishing\-ssl[=yes/no(*)]\fR
Alert on emails containing SSL mismatches in URLs (might lead to false positives!).
.TP
\fB\-\-alert\-phishing\-cloak[=yes/no(*)]\fR
Alert on emails containing cloaked URLs (might lead to some false positives).
.TP
\fB\-\-alert\-partition\-intersection[=yes/no(*)]\fR
Detect partition intersections in raw disk images using heuristics.
.TP
\fB\-\-max\-filesize=#n\fR
Extract and scan at most #n bytes from each archive. You may pass the value in kilobytes in format xK or xk, or megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 25 MB, max: <4 GB)

@ -244,12 +244,6 @@ Example
#IncludePUA Scanner
#IncludePUA RAT
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes
# This option causes memory or nested map scans to dump the content to disk.
# If you turn on this option, more data is written to disk and is available
# when the LeaveTemporaryFiles option is enabled.
@ -262,6 +256,71 @@ Example
# Default: no
#DisableCache yes
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
# may be malicious. This option enables alerting on such heuristically
# detected potential threats.
# Default: yes
#HeuristicAlerts yes
# Allow heuristic alerts to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes
##
## Heuristic Alerts
##
# With this option clamav will try to detect broken executables (both PE and
# ELF) and alert on them with the Broken.Executable heuristic signature.
# Default: no
#AlertBrokenExecutables yes
# Alert on encrypted archives _and_ documents with heuristic signature (encrypted .zip, .7zip, .rar, .pdf).
# Default: no
#AlertEncrypted yes
# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip, .rar).
# Default: no
#AlertEncryptedArchive yes
# Alert on encrypted archives with heuristic signature (encrypted .pdf).
# Default: no
#AlertEncryptedDoc yes
# With this option enabled OLE2 files containing VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#AlertOLE2Macros yes
# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
# Default: no
#AlertPhishingSSLMismatch yes
# Alert on cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
# Default: no
#AlertPhishingCloak yes
# Alert on raw DMG image files containing partition intersections
# Default: no
#AlertPartitionIntersection yes
##
## Executable files
##
@ -292,11 +351,6 @@ Example
# Default: yes
#ScanELF yes
# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
#DetectBrokenExecutables yes
##
## Documents
@ -309,11 +363,6 @@ Example
# Default: yes
#ScanOLE2 yes
# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#OLE2BlockMacros no
# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
@ -358,45 +407,14 @@ Example
#ScanPartialMessages yes
# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# HTML.Phishing and Email.Phishing NDB signatures.
# Default: yes
#PhishingSignatures yes
#PhishingSignatures no
# Scan URLs found in mails for phishing attempts using heuristics.
# With this option enabled ClamAV will try to detect phishing attempts by
# analyzing URLs found in emails using WDB and PDB signature databases.
# Default: yes
#PhishingScanURLs yes
# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no
# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockCloak no
# Detect partition intersections in raw disk images using heuristics.
# Default: no
#PartitionIntersection no
# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported
# only at the end of a scan. If an archive contains both a heuristically
# detected virus/phish, and a real malware, the real malware will be reported.
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes
#PhishingScanURLs no
##
@ -449,10 +467,6 @@ Example
# Default: yes
#ScanArchive yes
# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
#ArchiveBlockEncrypted no
##
## Limits
@ -589,11 +603,12 @@ Example
# Default: 25M
#PCREMaxFileSize 100M
# When BlockMax is set, files exceeding the MaxFileSize, MaxScanSize, or
# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
# MaxRecursion limit will be flagged with the virus
# "Heuristics.Limits.Exceeded".
# Default: no
#BlockMax yes
#AlertExceedsMax yes
##
## On-access Scan Settings
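Review bot: The comment above `#AlertEncryptedDoc yes` reads "Alert on encrypted archives with heuristic signature (encrypted .pdf)", which contradicts the option name and duplicates the `AlertEncryptedArchive` text just above; it should read `# Alert on encrypted documents with heuristic signature (encrypted .pdf).`. The example lines `#PhishingSignatures no` and `#PhishingScanURLs no` now show the opposite of the stated "Default: yes"; if that is intended to illustrate disabling, a short note such as `# Set to no to disable.` would keep readers from copying it as the default.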

@ -106,7 +106,7 @@ int cli_7unz (cli_ctx *ctx, size_t offset) {
SzArEx_Init(&db);
res = SzArEx_Open(&db, &lookStream.s, &allocImp, &allocTempImp);
if(res == SZ_ERROR_ENCRYPTED && SCAN_HEURISTIC_ENCRYPTED) {
if(res == SZ_ERROR_ENCRYPTED && SCAN_HEURISTIC_ENCRYPTED_ARCHIVE) {
cli_dbgmsg("cli_7unz: Encrypted header found in archive.\n");
found = cli_append_virus(ctx, "Heuristics.Encrypted.7Zip");
} else if(res == SZ_OK) {
@ -158,7 +158,7 @@ int cli_7unz (cli_ctx *ctx, size_t offset) {
res = SzArEx_Extract(&db, &lookStream.s, i, &blockIndex, &outBuffer, &outBufferSize, &offset, &outSizeProcessed, &allocImp, &allocTempImp);
if(res == SZ_ERROR_ENCRYPTED) {
encrypted = 1;
if(SCAN_HEURISTIC_ENCRYPTED) {
if(SCAN_HEURISTIC_ENCRYPTED_ARCHIVE) {
cli_dbgmsg("cli_7unz: Encrypted files found in archive.\n");
found = cli_append_virus(ctx, "Heuristics.Encrypted.7Zip");
if (found != CL_CLEAN) {

@ -1319,7 +1319,8 @@ uint32_t cli_bcapi_engine_scan_options(struct cli_bc_ctx *ctx)
options |= CL_SCAN_PHISHING_BLOCKCLOAK;
if (cctx->options->heuristic & CL_SCAN_HEURISTIC_MACROS)
options |= CL_SCAN_BLOCKMACROS;
if (cctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED)
if ((cctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE) ||
(cctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED_DOC))
options |= CL_SCAN_BLOCKENCRYPTED;
if (cctx->options->heuristic & CL_SCAN_HEURISTIC_PARTITION_INTXN)
options |= CL_SCAN_PARTITION_INTXN;
@ -1429,8 +1430,11 @@ uint32_t cli_bcapi_engine_scan_options_ex(struct cli_bc_ctx *ctx, const uint8_t
if (cli_memstr(option_name_l, name_len, "macros", sizeof("macros"))) {
return (cctx->options->heuristic & CL_SCAN_HEURISTIC_MACROS) ? 1 : 0;
}
if (cli_memstr(option_name_l, name_len, "encrypted", sizeof("encrypted"))) {
return (cctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED) ? 1 : 0;
if (cli_memstr(option_name_l, name_len, "encrypted archive", sizeof("encrypted archive"))) {
return (cctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE) ? 1 : 0;
}
if (cli_memstr(option_name_l, name_len, "encrypted doc", sizeof("encrypted doc"))) {
return (cctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED_DOC) ? 1 : 0;
}
if (cli_memstr(option_name_l, name_len, "partition intxn", sizeof("partition intxn"))) {
return (cctx->options->heuristic & CL_SCAN_HEURISTIC_PARTITION_INTXN) ? 1 : 0;
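Review bot: Bytecode that queries the legacy name `"encrypted"` through engine_scan_options_ex now gets 0, because the second hunk replaces the `"encrypted"` match with `"encrypted archive"` and `"encrypted doc"` and an unmatched name falls through to the later checks; the first hunk keeps the legacy CL_SCAN_BLOCKENCRYPTED mapping in cli_bcapi_engine_scan_options, so the string interface presumably should keep the same compatibility. After the two new checks add `if (cli_memstr(option_name_l, name_len, "encrypted", sizeof("encrypted"))) { return ((cctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE) || (cctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED_DOC)) ? 1 : 0; }`, i.e. "either flag set", mirroring the first hunk. It has to come after the two specific checks, since if cli_memstr is a substring search the shorter needle could otherwise shadow them. Both functions begin and end outside these hunks.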

@ -175,16 +175,17 @@ struct cl_scan_options {
#define CL_SCAN_PARSE_PE 0x200
/* heuristic alerting options */
#define CL_SCAN_HEURISTIC_BROKEN 0x2
#define CL_SCAN_HEURISTIC_EXCEEDS_MAX 0x4
#define CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH 0x8
#define CL_SCAN_HEURISTIC_PHISHING_CLOAK 0x10
#define CL_SCAN_HEURISTIC_MACROS 0x20
#define CL_SCAN_HEURISTIC_ENCRYPTED 0x40
#define CL_SCAN_HEURISTIC_PARTITION_INTXN 0x80 /* alert if partition table size doesn't make sense */
#define CL_SCAN_HEURISTIC_STRUCTURED 0x100 /* data loss prevention options, i.e. alert when detecting personal information */
#define CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL 0x200 /* alert when detecting social security numbers */
#define CL_SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED 0x400 /* alert when detecting stripped social security numbers */
#define CL_SCAN_HEURISTIC_BROKEN 0x2 /* alert on broken PE and broken ELF files */
#define CL_SCAN_HEURISTIC_EXCEEDS_MAX 0x4 /* alert when files exceed scan limits (filesize, max scansize, or max recursion depth) */
#define CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH 0x8 /* alert on SSL mismatches */
#define CL_SCAN_HEURISTIC_PHISHING_CLOAK 0x10 /* alert on cloaked URLs in emails */
#define CL_SCAN_HEURISTIC_MACROS 0x20 /* alert on OLE2 files containing macros */
#define CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE 0x40 /* alert if archive is encrypted (rar, zip, etc) */
#define CL_SCAN_HEURISTIC_ENCRYPTED_DOC 0x80 /* alert if a document is encrypted (pdf, docx, etc) */
#define CL_SCAN_HEURISTIC_PARTITION_INTXN 0x100 /* alert if partition table size doesn't make sense */
#define CL_SCAN_HEURISTIC_STRUCTURED 0x200 /* data loss prevention options, i.e. alert when detecting personal information */
#define CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL 0x400 /* alert when detecting social security numbers */
#define CL_SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED 0x800 /* alert when detecting stripped social security numbers */
/* mail scanning options */
#define CL_SCAN_MAIL_PARTIAL_MESSAGE 0x1
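Review bot: Inserting CL_SCAN_HEURISTIC_ENCRYPTED_DOC at 0x80 shifts CL_SCAN_HEURISTIC_PARTITION_INTXN and the three STRUCTURED flags to new values, so a client compiled against the previous header sets a different bit than the library now interprets — a stale PARTITION_INTXN (0x80) would request ENCRYPTED_DOC, and a stale STRUCTURED (0x100) would request PARTITION_INTXN. If this header has already shipped in a release, the safer choice is to leave the existing values alone and append the new flag above the current top bit, `#define CL_SCAN_HEURISTIC_ENCRYPTED_DOC 0x800 /* alert if a document is encrypted (pdf, docx, etc) */`, keeping STRUCTURED_SSN_STRIPPED at 0x400. Either way, a one-line comment stating whether these values are ABI-stable would spare the next person the same question; the heuristic group also appears to start at 0x2 with 0x1 unused, which is worth a note so it is not read as a gap. The struct cl_scan_options definition begins outside the hunk.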

@ -511,7 +511,8 @@ extern int have_rar;
#define SCAN_HEURISTIC_PHISHING_SSL_MISMATCH (ctx->options->heuristic & CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH)
#define SCAN_HEURISTIC_PHISHING_CLOAK (ctx->options->heuristic & CL_SCAN_HEURISTIC_PHISHING_CLOAK)
#define SCAN_HEURISTIC_MACROS (ctx->options->heuristic & CL_SCAN_HEURISTIC_MACROS)
#define SCAN_HEURISTIC_ENCRYPTED (ctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED)
#define SCAN_HEURISTIC_ENCRYPTED_ARCHIVE (ctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE)
#define SCAN_HEURISTIC_ENCRYPTED_DOC (ctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED_DOC)
#define SCAN_HEURISTIC_PARTITION_INTXN (ctx->options->heuristic & CL_SCAN_HEURISTIC_PARTITION_INTXN)
#define SCAN_HEURISTIC_STRUCTURED (ctx->options->heuristic & CL_SCAN_HEURISTIC_STRUCTURED)
#define SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL (ctx->options->heuristic & CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL)

@ -3099,7 +3099,7 @@ cl_error_t pdf_find_and_extract_objs(struct pdf_struct *pdf, uint32_t *alerts)
(pdf->flags & (1 << DECRYPTABLE_PDF)) ?
"decryptable" : "not decryptable, stream will probably fail to decompress");
if (SCAN_HEURISTIC_ENCRYPTED &&
if (SCAN_HEURISTIC_ENCRYPTED_DOC &&
(pdf->flags & (1 << ENCRYPTED_PDF)) &&
!(pdf->flags & (1 << DECRYPTABLE_PDF)))
{

@ -243,7 +243,7 @@ static int cli_unrar_scanmetadata(int desc, unrar_metadata_t *metadata, cli_ctx
virus_found = 1;
}
if (SCAN_HEURISTIC_ENCRYPTED && metadata->encrypted)
if (SCAN_HEURISTIC_ENCRYPTED_ARCHIVE && metadata->encrypted)
{
cli_dbgmsg("RAR: Encrypted files found in archive.\n");
ret = cli_scandesc(desc, ctx, 0, 0, NULL, AC_SCAN_VIR, NULL);
@ -292,7 +292,7 @@ static int cli_scanrar(int desc, cli_ctx *ctx, off_t sfx_offset, uint32_t *sfx_c
if (ret == UNRAR_PASSWD)
{
cli_dbgmsg("RAR: Encrypted main header\n");
if (SCAN_HEURISTIC_ENCRYPTED)
if (SCAN_HEURISTIC_ENCRYPTED_ARCHIVE)
{
if (lseek(desc, 0, SEEK_SET) == -1)
{

@ -554,7 +554,7 @@ static unsigned int lhdr(fmap_t *map, uint32_t loff,uint32_t zsize, unsigned int
return 0;
}
if(detect_encrypted && (LH_flags & F_ENCR) && SCAN_HEURISTIC_ENCRYPTED) {
if(detect_encrypted && (LH_flags & F_ENCR) && SCAN_HEURISTIC_ENCRYPTED_ARCHIVE) {
cli_dbgmsg("cli_unzip: Encrypted files found in archive.\n");
*ret = cli_append_virus(ctx, "Heuristics.Encrypted.Zip");
if ((*ret == CL_VIRUS && !SCAN_ALLMATCHES) || *ret != CL_CLEAN) {

@ -186,7 +186,7 @@ const struct clam_option __clam_options[] = {
{ NULL, "deb", 0, CLOPT_TYPE_STRING, NULL, -1, "foo", 0, OPT_CLAMSCAN | OPT_DEPRECATED, "", "" },
/* config file/cmdline options */
{ "BlockMax", "block-max", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "", "" },
{ "AlertExceedsMax", "alert-exceeds-max", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "", "" },
{ "PreludeEnable", "prelude-enable", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Enable prelude"},
@ -308,14 +308,10 @@ const struct clam_option __clam_options[] = {
{ "IncludePUA", "include-pua", 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_CLAMSCAN, "Only include a specific PUA category. This directive can be used multiple\ntimes.", "Spy\nScanner\nRAT" },
{ "AlgorithmicDetection", "algorithmic-detection", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "In some cases (eg. complex malware, exploits in graphic files, and others),\nClamAV uses special algorithms to provide accurate detection. This option\ncontrols the algorithmic detection.", "yes" },
{ "ScanPE", "scan-pe", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "PE stands for Portable Executable - it's an executable file format used\nin all 32- and 64-bit versions of Windows operating systems. This option\nallows ClamAV to perform a deeper analysis of executable files and it's also\nrequired for decompression of popular executable packers such as UPX or FSG.\nIf you turn off this option, the original files will still be scanned, but\nwithout additional processing.", "yes" },
{ "ScanELF", "scan-elf", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Executable and Linking Format is a standard format for UN*X executables.\nThis option allows you to control the scanning of ELF files.\nIf you turn off this option, the original files will still be scanned, but\nwithout additional processing.", "yes" },
{ "DetectBrokenExecutables", "detect-broken", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "With this option enabled clamav will try to detect broken executables\n(both PE and ELF) and mark them as Broken.Executable.", "yes" },
{ "ScanMail", "scan-mail", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Enable the built in email scanner.\nIf you turn off this option, the original files will still be scanned, but\nwithout parsing individual messages/attachments.", "yes" },
{ "ScanPartialMessages", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Scan RFC1341 messages split over many emails. You will need to\nperiodically clean up $TemporaryDirectory/clamav-partial directory.\nWARNING: This option may open your system to a DoS attack. Please don't use\nthis feature on highly loaded servers.", "no" },
@ -324,11 +320,7 @@ const struct clam_option __clam_options[] = {
{ "PhishingScanURLs", "phishing-scan-urls", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Scan URLs found in mails for phishing attempts using heuristics.", "yes" },
{ "PhishingAlwaysBlockCloak", "phishing-cloak", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Always block cloaked URLs, even if they're not in the database.\nThis feature can lead to false positives.", "no" },
{ "PhishingAlwaysBlockSSLMismatch", "phishing-ssl", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Always block SSL mismatches in URLs, even if they're not in the database.\nThis feature can lead to false positives.", "" },
{ "PartitionIntersection", "partition-intersection", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect partition intersections in raw disk images using heuristics.", "yes" },
{ "HeuristicAlerts", "heuristic-alerts", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "In some cases (eg. complex malware, exploits in graphic files, and others),\nClamAV uses special algorithms to provide accurate detection. This option\ncontrols the algorithmic detection.", "yes" },
{ "HeuristicScanPrecedence", "heuristic-scan-precedence", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Allow heuristic match to take precedence.\nWhen enabled, if a heuristic scan (such as phishingScan) detects\na possible virus/phish it will stop scan immediately. Recommended, saves CPU\nscan-time.\nWhen disabled, virus/phish detected by heuristic scans will be reported only\nat the end of a scan. If an archive contains both a heuristically detected\nvirus/phish, and a real malware, the real malware will be reported.\nKeep this disabled if you intend to handle \"*.Heuristics.*\" viruses\ndifferently from \"real\" malware.\nIf a non-heuristically-detected virus (signature-based) is found first,\nthe scan is interrupted immediately, regardless of this config option.", "yes" },
@ -346,7 +338,21 @@ const struct clam_option __clam_options[] = {
{ "ScanOLE2", "scan-ole2", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option enables scanning of OLE2 files, such as Microsoft Office\ndocuments and .msi files.\nIf you turn off this option, the original files will still be scanned, but\nwithout additional processing.", "yes" },
{ "OLE2BlockMacros", "block-macros", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "With this option enabled OLE2 files with VBA macros, which were not\ndetected by signatures will be marked as \"Heuristics.OLE2.ContainsMacros\".", "no" },
{ "AlertBrokenExecutables", "alert-broken", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "With this option enabled clamav will try to detect broken executables\n(both PE and ELF) and alert on them with the Broken.Executable heuristic signature.", "yes" },
{ "AlertEncrypted", "alert-encrypted", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Alert on encrypted archives and documents (encrypted .zip, .7zip, .rar, .pdf).", "no" },
{ "AlertEncryptedArchive", "alert-encrypted-archive", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Alert on encrypted archives (encrypted .zip, .7zip, .rar).", "no" },
{ "AlertEncryptedDoc", "alert-encrypted-doc", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Alert on encrypted documents (encrypted .pdf).", "no" },
{ "AlertOLE2Macros", "alert-macros", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "With this option enabled OLE2 files with VBA macros, which were not\ndetected by signatures will be marked as \"Heuristics.OLE2.ContainsMacros\".", "no" },
{ "AlertPhishingSSLMismatch", "alert-phishing-ssl", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Alert on SSL mismatches in URLs, even if they're not in the database.\nThis feature can lead to false positives.", "" },
{ "AlertPhishingCloak", "alert-phishing-cloak", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Alert on cloaked URLs, even if they're not in the database.\nThis feature can lead to false positives.", "no" },
{ "AlertPartitionIntersection", "alert-partition-intersection", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Alert on raw DMG image files containing partition intersections.", "yes" },
{ "ScanPDF", "scan-pdf", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option enables scanning within PDF files.\nIf you turn off this option, the original files will still be scanned, but\nwithout decoding and additional processing.", "yes" },
@ -358,8 +364,6 @@ const struct clam_option __clam_options[] = {
{ "ScanArchive", "scan-archive", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Scan within archives and compressed files.\nIf you turn off this option, the original files will still be scanned, but\nwithout unpacking and additional processing.", "yes" },
{ "ArchiveBlockEncrypted", "block-encrypted", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).", "no" },
{ "ForceToDisk", "force-to-disk", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option causes memory or nested map scans to dump the content to disk.\nIf you turn on this option, more data is written to disk and is available\nwhen the leave-temps option is enabled at the cost of more disk writes.", "no" },
{ "MaxScanSize", "max-scansize", 0, CLOPT_TYPE_SIZE, MATCH_SIZE, CLI_DEFAULT_MAXSCANSIZE, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum amount of data to be scanned for each input file.\nArchives and other containers are recursively extracted and scanned up to this\nvalue.\nThe value of 0 disables the limit.\nWARNING: disabling this limit or setting it too high may result in severe\ndamage.", "100M" },
@ -487,6 +491,14 @@ const struct clam_option __clam_options[] = {
/* Deprecated options */
{ "DetectBrokenExecutables", "detect-broken", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "Deprecated option to alert on broken PE and ELF executable files.", "no" },
{ "AlgorithmicDetection", "algorithmic-detection", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "Deprecated option to enable heuristic alerts (e.g. \"Heuristics.<sig name>\")", "no" },
{ "BlockMax", "block-max", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "", "" },
{ "PhishingAlwaysBlockSSLMismatch", "phishing-ssl", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "Deprecated option to alert on SSL mismatches in URLs, even if they're not in the database.\nThis feature can lead to false positives.", "no" },
{ "PhishingAlwaysBlockCloak", "phishing-cloak", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "Deprecated option to alert on cloaked URLs, even if they're not in the database.\nThis feature can lead to false positives.", "no" },
{ "PartitionIntersection", "partition-intersection", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "Deprecated option to alert on raw DMG image files containing partition intersections.", "no" },
{ "OLE2BlockMacros", "block-macros", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "With this option enabled OLE2 files with VBA macros, which were not\ndetected by signatures will be marked as \"Heuristics.OLE2.ContainsMacros\".", "no" },
{ "ArchiveBlockEncrypted", "block-encrypted", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "Deprecated option to alert on encrypted archives and documents (encrypted .zip, .7zip, .rar, .pdf).", "no" },
{ "MailMaxRecursion", NULL, 0, CLOPT_TYPE_NUMBER, NULL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", "" },
{ "ArchiveMaxScanSize", NULL, 0, CLOPT_TYPE_SIZE, NULL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", "" },
{ "ArchiveMaxRecursion", NULL, 0, CLOPT_TYPE_NUMBER, NULL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", "" },

@ -171,7 +171,7 @@ EOF
die "Failed to run clamscan (phish-test)";
fi
if test_run 1 $CLAMSCAN --quiet --phishing-ssl --phishing-cloak -dtest-db $abs_srcdir/input/phish-test-* --log=clamscan3.log; then
if test_run 1 $CLAMSCAN --quiet --alert-phishing-ssl --alert-phishing-cloak -dtest-db $abs_srcdir/input/phish-test-* --log=clamscan3.log; then
cat clamscan3.log;
die "Failed to run clamscan (phish-test2)";
fi
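Review bot: Only the new `--alert-phishing-ssl --alert-phishing-cloak` spellings are exercised now, so the deprecated `--phishing-ssl --phishing-cloak` aliases that optparser.c keeps under OPT_DEPRECATED have no test that they still map to the same heuristic flags. A second test_run with the old names expecting the same exit status, or one run mixing an old and a new flag, would catch a regression in the alias handling while it is still meant to work. The enclosing shell function begins outside the hunk.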

@ -216,12 +216,6 @@ TCPAddr 127.0.0.1
#IncludePUA Scanner
#IncludePUA RAT
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes
# This option causes memory or nested map scans to dump the content to disk.
# If you turn on this option, more data is written to disk and is available
# when the LeaveTemporaryFiles option is enabled.
@ -234,6 +228,71 @@ TCPAddr 127.0.0.1
# Default: no
#DisableCache yes
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
# may be malicious. This option enables alerting on such heuristically
# detected potential threats.
# Default: yes
#HeuristicAlerts yes
# Allow heuristic alerts to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes
##
## Heuristic Alerts
##
# With this option clamav will try to detect broken executables (both PE and
# ELF) and alert on them with the Broken.Executable heuristic signature.
# Default: no
#AlertBrokenExecutables yes
# Alert on encrypted archives _and_ documents with heuristic signature (encrypted .zip, .7zip, .rar, .pdf).
# Default: no
#AlertEncrypted yes
# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip, .rar).
# Default: no
#AlertEncryptedArchive yes
# Alert on encrypted archives with heuristic signature (encrypted .pdf).
# Default: no
#AlertEncryptedDoc yes
# With this option enabled OLE2 files containing VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#AlertOLE2Macros yes
# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
# Default: no
#AlertPhishingSSLMismatch yes
# Alert on cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
# Default: no
#AlertPhishingCloak yes
# Alert on raw DMG image files containing partition intersections.
# Default: no
#PartitionIntersection yes
##
## Executable files
##
@ -264,11 +323,6 @@ TCPAddr 127.0.0.1
# Default: yes
#ScanELF yes
# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
#DetectBrokenExecutables yes
##
## Documents
@ -281,11 +335,6 @@ TCPAddr 127.0.0.1
# Default: yes
#ScanOLE2 yes
# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#OLE2BlockMacros no
# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
@ -329,45 +378,14 @@ TCPAddr 127.0.0.1
#ScanPartialMessages yes
# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# HTML.Phishing and Email.Phishing NDB signatures.
# Default: yes
#PhishingSignatures yes
#PhishingSignatures no
# Scan URLs found in mails for phishing attempts using heuristics.
# With this option enabled ClamAV will try to detect phishing attempts by
# analyzing URLs found in emails using WDB and PDB signature databases.
# Default: yes
#PhishingScanURLs yes
# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no
# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockCloak no
# Detect partition intersections in raw disk images using heuristics.
# Default: no
#PartitionIntersection no
# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes
#PhishingScanURLs no
##
@ -420,10 +438,6 @@ TCPAddr 127.0.0.1
# Default: yes
#ScanArchive yes
# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
#ArchiveBlockEncrypted no
##
## Limits
@ -500,74 +514,93 @@ TCPAddr 127.0.0.1
# Default: 1M
#MaxZipTypeRcg 1M
# This option sets the maximum number of partitions of a raw disk image to be scanned.
# Raw disk images with more partitions than this value will have up to the value number
# partitions scanned. Negative values are not allowed.
# Note: setting this limit too high may result in severe damage or impact performance.
# This option sets the maximum number of partitions of a raw disk image to be
# scanned.
# Raw disk images with more partitions than this value will have up to
# the value number partitions scanned. Negative values are not allowed.
# Note: setting this limit too high may result in severe damage or impact
# performance.
# Default: 50
#MaxPartitions 128
# This option sets the maximum number of icons within a PE to be scanned.
# PE files with more icons than this value will have up to the value number icons scanned.
# PE files with more icons than this value will have up to the value number
# icons scanned.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact performance.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 100
#MaxIconsPE 200
# This option sets the maximum recursive calls for HWP3 parsing during scanning.
# HWP3 files using more than this limit will be terminated and alert the user.
# Scans will be unable to scan any HWP3 attachments if the recursive limit is reached.
# This option sets the maximum recursive calls for HWP3 parsing during
# scanning. HWP3 files using more than this limit will be terminated and
# alert the user.
# Scans will be unable to scan any HWP3 attachments if the recursive limit
# is reached.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact performance.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 16
#MaxRecHWP3 16
# This option sets the maximum calls to the PCRE match function during an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user but the scan will continue.
# This option sets the maximum calls to the PCRE match function during
# an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit, see the PCRE documentation.
# Negative values are not allowed.
# WARNING: setting this limit too high may severely impact performance.
# Default: 100000
#PCREMatchLimit 20000
# This option sets the maximum recursive calls to the PCRE match function during an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user but the scan will continue.
# This option sets the maximum recursive calls to the PCRE match function
# during an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit_recursion, see the PCRE documentation.
# Negative values are not allowed and values > PCREMatchLimit are superfluous.
# WARNING: setting this limit too high may severely impact performance.
# Default: 2000
#PCRERecMatchLimit 10000
# This option sets the maximum filesize for which PCRE subsigs will be executed.
# Files exceeding this limit will not have PCRE subsigs executed unless a subsig is encompassed to a smaller buffer.
# This option sets the maximum filesize for which PCRE subsigs will be
# executed. Files exceeding this limit will not have PCRE subsigs executed
# unless a subsig is encompassed to a smaller buffer.
# Negative values are not allowed.
# Setting this value to zero disables the limit.
# WARNING: setting this limit too high or disabling it may severely impact performance.
# WARNING: setting this limit too high or disabling it may severely impact
# performance.
# Default: 25M
#PCREMaxFileSize 100M
# When BlockMax is set, files exceeding the MaxFileSize, MaxScanSize, or MaxRecursion limit will be flagged
# with the virus "Heuristics.Limits.Exceeded".
# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
# MaxRecursion limit will be flagged with the virus
# "Heuristics.Limits.Exceeded".
# Default: no
#BlockMax yes
#AlertExceedsMax yes
##
## Bytecode
##
# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
# It is highly recommended you keep this option on, otherwise you'll miss
# detections for many new viruses.
# Default: yes
#Bytecode yes
# Set bytecode security level.
# Possible values:
# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
# This value is only available if clamav was built with --enable-debug!
# TrustSigned - trust bytecode loaded from signed .c[lv]d files,
# insert runtime safety checks for bytecode loaded from other sources
# Paranoid - don't trust any bytecode, insert runtime checks for all
# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
# None - No security at all, meant for debugging.
# DO NOT USE THIS ON PRODUCTION SYSTEMS.
# This value is only available if clamav was built
# with --enable-debug!
# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
# runtime safety checks for bytecode loaded from other sources.
# Paranoid - Don't trust any bytecode, insert runtime checks for all.
# Recommended: TrustSigned, because bytecode in .cvd files already has these
# checks.
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
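Review bot: Under the new "Heuristic Alerts" heading in the third hunk the sample still uses `#PartitionIntersection yes`, which is the name this commit moves to the deprecated list in optparser.c; the active directive is the one registered there, so the line should read `#AlertPartitionIntersection yes`. A few lines above it, the comment for `AlertEncryptedDoc` reads "Alert on encrypted archives with heuristic signature (encrypted .pdf)." — a copy of the archive wording; it should say "Alert on encrypted documents with heuristic signature (encrypted .pdf)." The `AlertEncryptedDoc` directive's own comment is the only one in that block that contradicts its option name, so a reader following the sample would otherwise be unsure which of the two encrypted options covers PDFs.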
