@@ -1,3 +1,10 @@

+Mon Dec 12 19:34:00 CET 2005 (tk)

+---------------------------------

+  * libclamav: add support for CL_SCAN_ALGO (to control algorithmic detection)

+	       Requested by Tomasz Papszun

+  * clamscan: --no-algo

+  * clamd: ScanAlgo

+

 Sat Dec 10 19:45:48 CET 2005 (tk)

 ---------------------------------

   * fix some compiler warnings, patch by Stefan Huehner <stefan*huehner.org>

@@ -326,6 +326,13 @@ int acceptloop_th(int *socketds, int nsockets, struct cl_node *root, const struc

 	logg("Archive support disabled.\n");

     }

+    if(cfgopt(copt, "ScanAlgo")->enabled) {

+	logg("Algorithmic detection enabled.\n");

+	options |= CL_SCAN_ALGO;

+    } else {

+	logg("Algorithmic detection disabled.\n");

+    }

+

     if(cfgopt(copt, "ScanPE")->enabled) {

 	logg("Portable Executable support enabled.\n");

 	options |= CL_SCAN_PE;

@@ -227,6 +227,7 @@ void help(void)

     mprintf("\n");

     mprintf("    --no-mail                            Disable mail file support\n");

     mprintf("    --no-phishing                        Disable phishing detection\n");

+    mprintf("    --no-algo                            Disable algorithmic detection\n");

     mprintf("    --no-pe                              Disable PE analysis\n");

     mprintf("    --no-ole2                            Disable OLE2 support\n");

     mprintf("    --no-html                            Disable HTML support\n");

@@ -191,6 +191,11 @@ int scanmanager(const struct optstruct *opt)

 #endif

     }

+    if(optl(opt, "no-algo"))

+	options &= ~CL_SCAN_ALGO;

+    else

+	options |= CL_SCAN_ALGO;

+

 #ifdef C_LINUX

     procdev = (dev_t) 0;

     if(stat("/proc", &sb) != -1 && !sb.st_size)

@@ -1,5 +1,5 @@

 /*

- *  Copyright (C) 2001-2002 Tomasz Kojm <zolw@konarski.edu.pl>

+ *  Copyright (C) 2001 - 2005 Tomasz Kojm <tkojm@clamav.net>

  *

  *  This program is free software; you can redistribute it and/or modify

  *  it under the terms of the GNU General Public License as published by

@@ -105,6 +105,7 @@ int main(int argc, char **argv)

 	    {"no-mail", 0, 0, 0},

 	    {"mail-follow-urls", 0, 0, 0},

 	    {"no-phishing", 0, 0, 0},

+	    {"no-algo", 0, 0, 0},

 	    {"unzip", 2, 0, 0},

 	    {"unrar", 2, 0, 0},

 	    {"unace", 2, 0, 0}, /* not used */

@@ -189,10 +189,10 @@ Limit data port range.

 .br 

 Default: 2048

 .TP 

-\fBDisableDefaultScanOptions\fR

-By default clamd uses scan options recommended by libclamav. This option disables recommended options and allows you to enable selected options. DO NOT ENABLE IT unless you know what you are doing.

+\fBScanAlgo\fR

+In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option controls the algorithmic detection.

 .br 

-Default: disabled

+Default: yes

 .TP 

 \fBScanPE\fR

 PE stands for Portable Executable \- it's an executable file format used in all 32\-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX.

@@ -73,6 +73,9 @@ Disable scanning of mail files.

 \fB\-\-no\-phishing\fR

 Disable detection of phishing messages.

 .TP 

+\fB\-\-no\-algo\fR

+In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option disables the algorithmic detection.

+.TP 

 \fB\-\-no\-pe\fR

 PE stands for Portable Executable \- it's an executable file format used in all 32\-bit versions of Windows operating systems. By default ClamAV performs deeper analysis of executable files and attempts to decompress popular executable packers such as UPX, Petite, and FSG. This option \fBdisables\fR PE support and should be used with care!

 .TP 

@@ -162,6 +162,12 @@ LocalSocket /tmp/clamd

 # Default: no

 #LeaveTemporaryFiles yes

+# In some cases (eg. complex malware, exploits in graphic files, and others),

+# ClamAV uses special algorithms to provide accurate detection. This option

+# controls the algorithmic detection.

+# Default: yes

+#ScanAlgo yes

+

 ##

 ## Executable files

 ##

@@ -78,9 +78,10 @@ extern "C"

 #define CL_SCAN_BLOCKBROKEN	64

 #define CL_SCAN_MAILURL		128

 #define CL_SCAN_BLOCKMAX	256

+#define CL_SCAN_ALGO		512

 /* recommended options */

-#define CL_SCAN_STDOPT		(CL_SCAN_ARCHIVE | CL_SCAN_MAIL | CL_SCAN_OLE2 | CL_SCAN_HTML | CL_SCAN_PE) 

+#define CL_SCAN_STDOPT		(CL_SCAN_ARCHIVE | CL_SCAN_MAIL | CL_SCAN_OLE2 | CL_SCAN_HTML | CL_SCAN_PE | CL_SCAN_ALGO) 

 /* aliases for backward compatibility */

 #define CL_RAW		CL_SCAN_RAW

@@ -52,6 +52,7 @@

 #define DETECT_BROKEN		    (options & CL_SCAN_BLOCKBROKEN)

 #define BLOCKMAX		    (options & CL_SCAN_BLOCKMAX)

+#define SCAN_ALGO		    (options & CL_SCAN_ALGO)

 #define UPX_NRV2B "\x11\xdb\x11\xc9\x01\xdb\x75\x07\x8b\x1e\x83\xee\xfc\x11\xdb\x11\xc9\x11\xc9\x75\x20\x41\x01\xdb"

 #define UPX_NRV2D "\x83\xf0\xff\x74\x78\xd1\xf8\x89\xc5\xeb\x0b\x01\xdb\x75\x07\x8b\x1e\x83\xee\xfc\x11\xdb\x11\xc9"

@@ -567,7 +568,7 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

     /* Attempt to detect some popular polymorphic viruses */

     /* W32.Parite.B */

-    if(!dll && ep == EC32(section_hdr[nsections - 1].PointerToRawData)) {

+    if(SCAN_ALGO && !dll && ep == EC32(section_hdr[nsections - 1].PointerToRawData)) {

 	lseek(desc, ep, SEEK_SET);

 	if(read(desc, buff, 4096) == 4096) {

 		const char *pt = cli_memstr(buff, 4040, "\x47\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00", 15);

@@ -585,7 +586,7 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

     }

     /* W32.Magistr.A/B */

-    if(!dll && (EC32(section_hdr[nsections - 1].Characteristics) & 0x80000000)) {

+    if(SCAN_ALGO && !dll && (EC32(section_hdr[nsections - 1].Characteristics) & 0x80000000)) {

 	    uint32_t rsize, vsize;

 	rsize = EC32(section_hdr[nsections - 1].SizeOfRawData);

@@ -96,6 +96,7 @@ extern int cli_mbox(const char *dir, int desc, unsigned int options); /* FIXME *

 #define SCAN_OLE2	    (options & CL_SCAN_OLE2)

 #define SCAN_HTML	    (options & CL_SCAN_HTML)

 #define SCAN_PE		    (options & CL_SCAN_PE)

+#define SCAN_ALGO 	    (options & CL_SCAN_ALGO)

 #define DETECT_ENCRYPTED    (options & CL_SCAN_BLOCKENCRYPTED)

 #define BLOCKMAX	    (options & CL_SCAN_BLOCKMAX)

@@ -1599,11 +1600,13 @@ int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const

 	    break;

 	case CL_TYPE_RIFF:

-	    ret = cli_scanriff(desc, virname);

+	    if(SCAN_ALGO)

+		ret = cli_scanriff(desc, virname);

 	    break;

 	case CL_TYPE_GRAPHICS:

-	    ret = cli_scanjpeg(desc, virname);

+	    if(SCAN_ALGO)

+		ret = cli_scanjpeg(desc, virname);

 	    break;

 	case CL_TYPE_PDF:

@@ -58,6 +58,7 @@ struct cfgstruct *getcfg(const char *cfgfile, int verbose)

 	    {"ScanMail", OPT_BOOL, 1, NULL, 0},

 	    {"MailFollowURLs", OPT_BOOL, 0, NULL, 0},

 	    {"DetectPhishing", OPT_BOOL, 1, NULL, 0},

+	    {"ScanAlgo", OPT_BOOL, 1, NULL, 0},

 	    {"ScanHTML", OPT_BOOL, 1, NULL, 0},

 	    {"ScanOLE2", OPT_BOOL, 1, NULL, 0},

 	    {"ScanArchive", OPT_BOOL, 1, NULL, 0},