...
|
...
|
@@ -3360,19 +3360,21 @@ int cli_scanpe(cli_ctx *ctx)
|
3360
|
3360
|
cli_bytecode_context_destroy(bc_ctx);
|
3361
|
3361
|
|
3362
|
3362
|
/* Attempt to run scans on import table */
|
3363
|
|
- /* TODO: should this be target-tree-only? */
|
3364
|
|
- ret = scan_pe_imptbl(ctx, dirs, exe_sections, nsections, hdr_size, pe_plus);
|
3365
|
|
- switch (ret) {
|
3366
|
|
- case CL_ENULLARG:
|
3367
|
|
- cli_warnmsg("cli_scanpe: NULL argument supplied\n");
|
3368
|
|
- break;
|
3369
|
|
- case CL_VIRUS:
|
3370
|
|
- if (SCAN_ALL)
|
|
3363
|
+ /* Run if there are existing signatures and/or preclassing */
|
|
3364
|
+ if (ctx->dconf->pe & PE_CONF_IMPTBL) {
|
|
3365
|
+ ret = scan_pe_imptbl(ctx, dirs, exe_sections, nsections, hdr_size, pe_plus);
|
|
3366
|
+ switch (ret) {
|
|
3367
|
+ case CL_ENULLARG:
|
|
3368
|
+ cli_warnmsg("cli_scanpe: NULL argument supplied\n");
|
3371
|
3369
|
break;
|
3372
|
|
- /* intentional fall-through */
|
3373
|
|
- case CL_BREAK:
|
3374
|
|
- free(exe_sections);
|
3375
|
|
- return ret == CL_VIRUS ? CL_VIRUS : CL_CLEAN;
|
|
3370
|
+ case CL_VIRUS:
|
|
3371
|
+ if (SCAN_ALL)
|
|
3372
|
+ break;
|
|
3373
|
+ /* intentional fall-through */
|
|
3374
|
+ case CL_BREAK:
|
|
3375
|
+ free(exe_sections);
|
|
3376
|
+ return ret == CL_VIRUS ? CL_VIRUS : CL_CLEAN;
|
|
3377
|
+ }
|
3376
|
3378
|
}
|
3377
|
3379
|
/* Attempt to detect some popular polymorphic viruses */
|
3378
|
3380
|
|
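Review bot: The `switch (ret)` now nested under `if (ctx->dconf->pe & PE_CONF_IMPTBL)` still has no `default:` case, so any return from `scan_pe_imptbl` other than `CL_ENULLARG`, `CL_VIRUS` or `CL_BREAK` is dropped without a log and scanning continues as if the import table had been checked. Which codes that helper can return is not visible here, but for a scanner a silently skipped check on a malformed import table is worth surfacing, e.g. `default: if (ret != CL_CLEAN) cli_dbgmsg("cli_scanpe: scan_pe_imptbl returned %d\n", ret); break;`. The added comment `/* Run if there are existing signatures and/or preclassing */` also does not match the condition, which tests only the `PE_CONF_IMPTBL` dconf bit; something like `/* Skipped when import-table scanning is disabled in dconf (PE_CONF_IMPTBL) */` would describe the gate as written. `cli_scanpe` begins and ends outside this hunk, so whether other resources besides `exe_sections` need releasing on the early return cannot be judged from here.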