@@ -283,6 +283,11 @@ void help(void) |
283 | 283 |
mprintf(" --disable-pe-stats Disable submission of individual PE sections in stats submissions\n"); |
284 | 284 |
mprintf(" --stats-timeout=#n Number of seconds to wait for waiting a response back from the stats server\n"); |
285 | 285 |
mprintf(" --stats-host-id=UUID Set the Host ID used when submitting statistical info.\n"); |
286 |
+#if HAVE_PCRE |
|
287 |
+ mprintf(" --pcre-match-limit=#n Maximum calls to the PCRE match function.\n"); |
|
288 |
+ mprintf(" --pcre-recmatch-limit=#n Maximum recursive calls to the PCRE match function.\n"); |
|
289 |
+ mprintf(" --pcre-max-filesize=#n Maximum size file to perform PCRE sunsig matching.\n"); |
|
290 |
+#endif /* HAVE_PCRE */ |
|
286 | 291 |
mprintf("\n"); |
287 | 292 |
mprintf("(*) Default scan settings\n"); |
288 | 293 |
mprintf("(**) Certain files (e.g. documents, archives, etc.) may in turn contain other\n"); |
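Review bot: The third added help line, for --pcre-max-filesize, carries a typo in a user-facing string: `sunsig` should be `subsig`, matching the subsignature terminology used for this feature elsewhere in the commit, so the line should read `mprintf(" --pcre-max-filesize=#n Maximum size file to perform PCRE subsig matching.\n");`. The two limit options use `#n` like --stats-timeout=#n above them, but the size option gives no unit; if it accepts the same suffixed sizes as the sample config's PCREMaxFileSize entry (e.g. 25M), the help text should say so, and if it takes plain bytes it should say that instead. It may also help users to note here that these three limits bound PCRE run time and input size rather than detection coverage, since the same defaults are only documented in the sample config. help() begins and continues outside the hunk.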
@@ -209,12 +209,12 @@ attachment.exe: OK |
209 | 209 |
MD5 signature for \verb+test.exe+ use the \verb+--md5+ option of sigtool: |
210 | 210 |
\begin{verbatim} |
211 | 211 |
zolw@localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb |
212 |
-zolw@localhost:/tmp/test$ cat test.hdb |
|
212 |
+zolw@localhost:/tmp/test$ cat test.hdb |
|
213 | 213 |
48c4533230e1ae1c118c741c0db19dfb:17387:test.exe |
214 | 214 |
\end{verbatim} |
215 | 215 |
That's it! The signature is ready for use: |
216 | 216 |
\begin{verbatim} |
217 |
-zolw@localhost:/tmp/test$ clamscan -d test.hdb test.exe |
|
217 |
+zolw@localhost:/tmp/test$ clamscan -d test.hdb test.exe |
|
218 | 218 |
test.exe: test.exe FOUND |
219 | 219 |
|
220 | 220 |
----------- SCAN SUMMARY ----------- |
@@ -242,7 +242,7 @@ Time: 0.024 sec (0 m 0 s) |
242 | 242 |
|
243 | 243 |
\subsubsection{SHA1 and SHA256 hash-based signatures} |
244 | 244 |
ClamAV 0.98 has also added support for SHA1 and SHA256 file checksums. |
245 |
- The format is the same as for MD5 file checksum. |
|
245 |
+ The format is the same as for MD5 file checksum. |
|
246 | 246 |
It can differentiate between them based on the length of the hash string |
247 | 247 |
in the signature. For best backwards compatibility, these should be |
248 | 248 |
placed inside a \verb+*.hsb+ file. The format is: |
@@ -482,7 +482,7 @@ Sig1;Target:0;(0&1&2&3)&(4|1);6b6f74656b;616c61;7a6f6c77;7374656 |
482 | 482 |
6616e;deadbeef |
483 | 483 |
|
484 | 484 |
Sig2;Target:0;((0|1|2)>5,2)&(3|1);6b6f74656b;616c61;7a6f6c77;737 |
485 |
-46566616e |
|
485 |
+46566616e |
|
486 | 486 |
|
487 | 487 |
Sig3;Target:0;((0|1|2|3)=2)&(4|1);6b6f74656b;616c61;7a6f6c77;737 |
488 | 488 |
46566616e;deadbeef |
@@ -492,15 +492,56 @@ f2aef7d14951684cf04100e8110a00;S2+78:22??232c2d252229{-15}6e6573 |
492 | 492 |
(63|64)61706528;S+50:68efa311c3b9963cb1ee8e586d32aeb9043e;f9c58d |
493 | 493 |
cf43987e4f519d629b103375;SL+550:6300680065005c0046006900 |
494 | 494 |
\end{verbatim} |
495 |
- ClamAV 0.96 introduced support for special macro subsignatures in |
|
496 |
- the following format: \verb+${min-max}MACROID$+, where \verb+MACROID+ |
|
497 |
- points to a group of signatures and \verb+{min-max}+ specifies the |
|
498 |
- offset range at which one of the group signatures should match. |
|
499 |
- The range is calculated against the match offset of the previous |
|
500 |
- subsignature. The macro subsignature makes its preceding subsignature |
|
501 |
- considered a match only if both of them get matched. For more |
|
502 |
- information and examples please see |
|
503 |
- \url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=164}. |
|
495 |
+ |
|
496 |
+ \subsection{Special Subsignature Types} |
|
497 |
+ Macro subsignatures(clamav-0.96): \verb+${min-max}MACROID$+: |
|
498 |
+ \begin{itemize} |
|
499 |
+ \item \verb+MACROID+ points to a group of signatures and \verb+{min-max}+ |
|
500 |
+ specifies the offset range at which one of the group signatures should match. |
|
501 |
+ \item The range is calculated against the match offset of the previous subsignature. |
|
502 |
+ \item The macro subsignature makes its preceding subsignature considered a match |
|
503 |
+ only if both of them get matched. |
|
504 |
+ \item For more information and examples please see \url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=164}. |
|
505 |
+ \end{itemize} |
|
506 |
+ PCRE subsignatures(clamav-0.99): \verb+Trigger/PCRE/[Flags]+ |
|
507 |
+ \begin{itemize} |
|
508 |
+ \item \verb+Trigger+ is a required field that is a valid \verb+LogicalExpression+ and |
|
509 |
+ may refer to any subsignatures that precede this subsignature. They cannot neither be |
|
510 |
+ self-referential nor refer to subsequent subsignatures. |
|
511 |
+ \item \verb+PCRE+ is the expression representing the regex to execute. \verb+PCRE+ |
|
512 |
+ must be delimited by '/', but does not need to be escaped within the expression. |
|
513 |
+ \verb+PCRE+ cannot be empty and (?UTF*) control sequence is not allowed. Named substrings |
|
514 |
+ can be used for an execution report displayed when debug is specified. |
|
515 |
+ \item \verb+Flags+ are a series of characters which affect the compilation and execution |
|
516 |
+ of \verb+PCRE+ within the PCRE compiler and the ClamAV engine. This field is optional. |
|
517 |
+ \begin{itemize} |
|
518 |
+ \item \verb+g [CLAMAV_GLOBAL]+ specifies to search for ALL matches of PCRE (default is to |
|
519 |
+ search for first match). NOTE: INCREASES the time needed to run the PCRE |
|
520 |
+ \item \verb+e [CLAMAV_ENCOMPASS]+ specifies to CONFINE matching between the specified offset |
|
521 |
+ and maxshift. Note: DECREASES time needed to run the PCRE |
|
522 |
+ \item \verb+i [PCRE_CASELESS]+ |
|
523 |
+ \item \verb+s [PCRE_DOTALL]+ |
|
524 |
+ \item \verb+m [PCRE_MULTILINE]+ |
|
525 |
+ \item \verb+x [PCRE_EXTENDED]+ |
|
526 |
+ \item \verb+A [PCRE_ANCHORED]+ |
|
527 |
+ \item \verb+E [PCRE_DOLLAR_ENODNLY]+ |
|
528 |
+ \item \verb+G [PCRE_UNGREEDY]+ |
|
529 |
+ \end{itemize} |
|
530 |
+ \end{itemize} |
|
531 |
+ Examples: |
|
532 |
+ \begin{verbatim} |
|
533 |
+Firefox.TreeRange.UseAfterFree;Target:0;0&1&2;2e766965772e73656c |
|
534 |
+656374696f6e;2e696e76616c696461746553656c656374696f6e;0&1/\x2Evi |
|
535 |
+ew\x2Eselection.*?\x2Etree\s*\x3D\s*null.*?\x2Einvalidate/smi |
|
536 |
+ |
|
537 |
+Firefox.IDB.UseAfterFree;Target:0;0&1;4944424b657952616e6765;0/^ |
|
538 |
+\x2e(only|lowerBound|upperBound|bound)\x28.*?\x29.*?\x2e(lower|u |
|
539 |
+pper|lowerOpen|upperOpen)/smi |
|
540 |
+ |
|
541 |
+Firefox.boundElements;Target:0;0&1&2;6576656e742e626f756e64456c6 |
|
542 |
+56d656e7473;77696e646f772e636c6f7365;0&1/on(load|click)\s*=\s*\x |
|
543 |
+22?window\.close\s*\x28/si |
|
544 |
+ \end{verbatim} |
|
504 | 545 |
|
505 | 546 |
\subsection{Icon signatures for PE files} |
506 | 547 |
ClamAV 0.96 includes an approximate/fuzzy icon matcher to help |
@@ -522,6 +522,31 @@ Example |
522 | 522 |
# Default: 100 |
523 | 523 |
#MaxIconsPE 200 |
524 | 524 |
|
525 |
+# This option sets the maximum calls to the PCRE match function during an instance of regex matching. |
|
526 |
+# Instances using more than this limit will be terminated and alert the user but the scan will continue. |
|
527 |
+# For more information on match_limit, see the PCRE documentation. |
|
528 |
+# Negative values are not allowed. |
|
529 |
+# WARNING: setting this limit too high may severely impact performance. |
|
530 |
+# Default: 10000 |
|
531 |
+#PCREMatchLimit 20000 |
|
532 |
+ |
|
533 |
+# This option sets the maximum recursive calls to the PCRE match function during an instance of regex matching. |
|
534 |
+# Instances using more than this limit will be terminated and alert the user but the scan will continue. |
|
535 |
+# For more information on match_limit_recursion, see the PCRE documentation. |
|
536 |
+# Negative values are not allowed and values > PCREMatchLimit are superfluous. |
|
537 |
+# WARNING: setting this limit too high may severely impact performance. |
|
538 |
+# Default: 5000 |
|
539 |
+#PCRERecMatchLimit 10000 |
|
540 |
+ |
|
541 |
+# This option sets the maximum filesize for which PCRE subsigs will be executed. |
|
542 |
+# Files exceeding this limit will not have PCRE subsigs executed unless a subsig is encompassed to a smaller buffer. |
|
543 |
+# Negative values are not allowed. |
|
544 |
+# Setting this value to zero disables the limit. |
|
545 |
+# WARNING: setting this limit too high or disabling it may severely impact performance. |
|
546 |
+# Default: 25M |
|
547 |
+#PCREMaxFileSize 100M |
|
548 |
+ |
|
549 |
+ |
|
525 | 550 |
## |
526 | 551 |
## On-access Scan Settings |
527 | 552 |
## |