9893a85c |
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<!--Converted with LaTeX2HTML 99.2beta8 (1.46)
original version by: Nikos Drakos, CBLU, University of Leeds
* revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>Data scan functions</TITLE>
<META NAME="description" CONTENT="Data scan functions">
<META NAME="keywords" CONTENT="clamdoc">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v99.2beta8">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">
<LINK REL="STYLESHEET" HREF="clamdoc.css">
<LINK REL="next" HREF="node42.html">
<LINK REL="previous" HREF="node40.html">
<LINK REL="up" HREF="node40.html">
<LINK REL="next" HREF="node42.html">
</HEAD>
<BODY >
<!--Navigation Panel--> |
9893a85c |
HREF="node1.html">Contents</A></B>
<BR>
<BR>
<!--End of Navigation Panel-->
<H3><A NAME="SECTION00074100000000000000">
Data scan functions</A>
</H3>
It's possible to scan a buffer, a descriptor, or a file with:
<PRE>
int cl_scanbuff(const char *buffer, unsigned int length,
const char **virname, const struct cl_node *root);
int cl_scandesc(int desc, const char **virname, unsigned
long int *scanned, const struct cl_node *root, const
struct cl_limits *limits, unsigned int options);
int cl_scanfile(const char *filename, const char **virname,
unsigned long int *scanned, const struct cl_node *root,
const struct cl_limits *limits, unsigned int options);
</PRE>
All the functions save a virus name under <code>virname</code> pointer.
It points to a field in the internal database structure and must not
be released directly. If the <code>scanned</code> pointer is not NULL the
functions will increase a value represented by this pointer by a size
of scanned data in <code>CL_COUNT_PRECISION</code> units. The last two
functions also support archive limits required to protect against Denial
of Service attacks.
<PRE>
struct cl_limits {
int maxreclevel; /* maximal recursion level */
int maxfiles; /* maximal number of files to be
* scanned within archive
*/
int maxratio; /* maximal compression ratio */
short archivememlim; /* limit memory usage for bzip2 (0/1) */
long int maxfilesize; /* archived files larger than this
* value will not be scanned
*/
};
</PRE>
The <code>options</code> argument configures the scan engine and supports the
following flags (that can be combined using bit operators):
<UL>
<LI><B>CL_SCAN_STDOPT</B>
<BR>
This is an alias for a recommended set of scan options. You
should use it to make your software ready for new features
in future versions of libclamav.
</LI>
<LI><B>CL_SCAN_RAW</B>
<BR>
It does nothing. Please use it (alone) if you don't want
to scan any special files.
</LI>
<LI><B>CL_SCAN_ARCHIVE</B>
<BR>
This flag enables transparent scanning of various archive formats.
</LI>
<LI><B>CL_SCAN_BLOCKENCRYPTED</B>
<BR>
With this flag the library marks encrypted archives as viruses
(Encrypted.Zip, Encrypted.RAR).
</LI>
<LI><B>CL_SCAN_BLOCKMAX</B>
<BR>
Mark archives as viruses if <code>maxfiles</code>, <code>maxfilesize</code>,
or <code>maxreclevel</code> limit is reached.
</LI>
<LI><B>CL_SCAN_MAIL</B>
<BR>
It enables support for mail files.
</LI>
<LI><B>CL_SCAN_MAILURL</B>
<BR>
The mail scanner will download and scan URLs listed in a mail
body. This flag should not be used on loaded servers. Due to
potential problems please do not enable it by default but make
it optional.
</LI>
<LI><B>CL_SCAN_OLE2</B>
<BR>
Enables support for Microsoft Office document files.
</LI>
<LI><B>CL_SCAN_PE</B>
<BR>
This flag enables scanning withing Portable Executable files and
allows libclamav to unpack UPX, Petite, and FSG compressed
executables.
</LI>
<LI><B>CL_SCAN_BLOCKBROKEN</B>
<BR>
libclamav will try to detect broken executables and mark them as
Broken.Executable.
</LI>
<LI><B>CL_SCAN_HTML</B>
<BR>
This flag enables HTML normalisation (including JScript
decryption).
</LI>
</UL>
All functions return 0 (<code>CL_CLEAN</code>) if the file is clean,
<code>CL_VIRUS</code> when virus is detected and an another value on failure.
<PRE>
...
struct cl_limits limits;
const char *virname;
memset(&limits, 0, sizeof(struct cl_limits));
/* maximal number of files in archive */;
limits.maxfiles = 1000
/* maximal archived file size */
limits.maxfilesize = 10 * 1048576; /* 10 MB */
/* maximal recursion level */
limits.maxreclevel = 5;
/* maximal compression ratio */
limits.maxratio = 200;
/* disable memory limit for bzip2 scanner */
limits.archivememlim = 0;
if((ret = cl_scanfile("/home/zolw/test", &virname, NULL, root,
&limits, CL_STDOPT)) == CL_VIRUS) {
printf("Detected %s virus.\n", virname);
} else {
printf("No virus detected.\n");
if(ret != CL_CLEAN)
printf("Error: %s\n", cl_strerror(ret));
}
</PRE>
<P>
<HR>
<!--Navigation Panel--> |