git-svn: trunk@3721
Tomasz Kojm authored on 2008/03/19 00:40:41... | ... |
@@ -1,3 +1,8 @@ |
1 |
+Tue Mar 18 15:47:47 CET 2008 (tk) |
|
2 |
+--------------------------------- |
|
3 |
+ * docs/clamdoc.*: various documentation updates |
|
4 |
+ * examples/ex1.c: update to new limits |
|
5 |
+ |
|
1 | 6 |
Tue Mar 18 13:35:00 EET 2008 (edwin) |
2 | 7 |
------------------------------------ |
3 | 8 |
* libclamav/entconv.c: fix memory leak (patch from TK) |
... | ... |
@@ -127,7 +127,7 @@ |
127 | 127 |
\item{POSIX compliant, portable} |
128 | 128 |
\item{Fast scanning} |
129 | 129 |
\item{Supports on-access scanning (Linux and FreeBSD only)} |
130 |
- \item{Detects over 158.000 viruses, worms and trojans, including |
|
130 |
+ \item{Detects over 230.000 viruses, worms and trojans, including |
|
131 | 131 |
Microsoft Office macro viruses, mobile malware, and other threats} |
132 | 132 |
\item{Scans within archives and compressed files (also protects |
133 | 133 |
against archive bombs), built-in support includes: |
... | ... |
@@ -144,12 +144,15 @@ |
144 | 144 |
\item MS SZDD compression format |
145 | 145 |
\item BinHex |
146 | 146 |
\item SIS (SymbianOS packages) |
147 |
+ \item AutoIt |
|
147 | 148 |
\end{itemize}} |
148 | 149 |
\item{Supports Portable Executable (32/64-bit) files compressed or obfuscated with:} |
149 | 150 |
\begin{itemize} |
151 |
+ \item AsPack |
|
150 | 152 |
\item UPX |
151 | 153 |
\item FSG |
152 | 154 |
\item Petite |
155 |
+ \item PeSpin |
|
153 | 156 |
\item NsPack |
154 | 157 |
\item wwpack32 |
155 | 158 |
\item MEW |
... | ... |
@@ -200,7 +203,7 @@ |
200 | 200 |
\section{Base package} |
201 | 201 |
|
202 | 202 |
\subsection{Supported platforms} |
203 |
- Most popular UNIX operating systems are supported. Clam AntiVirus 0.90 was |
|
203 |
+ Most popular UNIX operating systems are supported. Clam AntiVirus 0.9x was |
|
204 | 204 |
tested on: |
205 | 205 |
\begin{itemize} |
206 | 206 |
\item{GNU/Linux} |
... | ... |
@@ -223,7 +226,13 @@ |
223 | 223 |
The following elements are required to compile ClamAV: |
224 | 224 |
\begin{itemize} |
225 | 225 |
\item zlib and zlib-devel packages |
226 |
- \item gcc compiler suite (tested with 2.9x, 3.x and 4.x series) |
|
226 |
+ \item gcc compiler suite (tested with 2.9x, 3.x and 4.x series)\\ |
|
227 |
+ \textbf{If you are compiling with higher optimization levels |
|
228 |
+ than the default one (\hbox{-O2} for gcc), be aware that there |
|
229 |
+ have been reports of misoptimizations. The build system of ClamAV |
|
230 |
+ only checks for bugs affecting the default settings, it is your |
|
231 |
+ responsibility to check that your compiler version doesn't |
|
232 |
+ have any bugs.} |
|
227 | 233 |
\end{itemize} |
228 | 234 |
The following packages are optional but \textbf{highly recommended}: |
229 | 235 |
\begin{itemize} |
... | ... |
@@ -610,14 +619,15 @@ N * * * * /usr/local/bin/freshclam --quiet |
610 | 610 |
and 32-bit ELF files. Additionally, it can handle PE files compressed or |
611 | 611 |
obfuscated with the following tools: |
612 | 612 |
\begin{itemize} |
613 |
+ \item Aspack (2.12) |
|
613 | 614 |
\item UPX (all versions) |
614 | 615 |
\item FSG (1.3, 1.31, 1.33, 2.0) |
615 | 616 |
\item Petite (2.x) |
617 |
+ \item PeSpin (1.1) |
|
616 | 618 |
\item NsPack |
617 | 619 |
\item wwpack32 (1.20) |
618 | 620 |
\item MEW |
619 | 621 |
\item Upack |
620 |
- \item SUE |
|
621 | 622 |
\item Y0da Cryptor (1.3) |
622 | 623 |
\end{itemize} |
623 | 624 |
|
... | ... |
@@ -640,6 +650,7 @@ N * * * * /usr/local/bin/freshclam --quiet |
640 | 640 |
\item MS SZDD compression format |
641 | 641 |
\item BinHex |
642 | 642 |
\item SIS (SymbianOS packages) |
643 |
+ \item AutoIt |
|
643 | 644 |
\end{itemize} |
644 | 645 |
|
645 | 646 |
\subsubsection{Documents} |
... | ... |
@@ -694,8 +705,13 @@ N * * * * /usr/local/bin/freshclam --quiet |
694 | 694 |
Load phishing signatures. |
695 | 695 |
\item \textbf{CL\_DB\_PHISHING\_URLS}\\ |
696 | 696 |
Initialize the phishing detection module and load .wdb and .pdb files. |
697 |
+ \item \textbf{CL\_DB\_PUA}\\ |
|
698 |
+ Load signatures for Potentially Unwanted Applications. |
|
699 |
+ \item \textbf{CL\_DB\_CVDNOTMP}\\ |
|
700 |
+ Load CVD files directly without unpacking them into a temporary |
|
701 |
+ directory. |
|
697 | 702 |
\end{itemize} |
698 |
- \verb+cl_load+ returns 0 (\verb+CL_SUCCESS+) on success and a non-negative |
|
703 |
+ \verb+cl_load+ returns 0 (\verb+CL_SUCCESS+) on success and a negative |
|
699 | 704 |
value on failure. |
700 | 705 |
\begin{verbatim} |
701 | 706 |
... |
... | ... |
@@ -751,7 +767,7 @@ N * * * * /usr/local/bin/freshclam --quiet |
751 | 751 |
cl_statinidir(dbdir, &dbstat); |
752 | 752 |
\end{verbatim} |
753 | 753 |
To check for a change you just need to call \verb+cl_statchkdir+ and check |
754 |
- its return value: |
|
754 |
+ its return value (0 - no change, 1 - some change occured): |
|
755 | 755 |
\begin{verbatim} |
756 | 756 |
if(cl_statchkdir(&dbstat) == 1) { |
757 | 757 |
reload_database...; |
... | ... |
@@ -772,7 +788,7 @@ N * * * * /usr/local/bin/freshclam --quiet |
772 | 772 |
long int *scanned, const struct cl_engine *engine, const |
773 | 773 |
struct cl_limits *limits, unsigned int options); |
774 | 774 |
\end{verbatim} |
775 |
- Both functions will save a virus name under the pointer \verb+virname+, |
|
775 |
+ Both functions will store a virus name under the pointer \verb+virname+, |
|
776 | 776 |
the virus name is part of the engine structure and must not be released |
777 | 777 |
directly. If the third argument (\verb+scanned+) is not NULL, the |
778 | 778 |
functions will increase its value with the size of scanned data (in |
... | ... |
@@ -780,16 +796,17 @@ N * * * * /usr/local/bin/freshclam --quiet |
780 | 780 |
limits in order to protect against Denial of Service attacks. |
781 | 781 |
\begin{verbatim} |
782 | 782 |
struct cl_limits { |
783 |
- unsigned int maxreclevel; /* maximum recursion level for archives */ |
|
784 |
- unsigned int maxfiles; /* maximum number of files to be scanned |
|
785 |
- * within a single archive |
|
786 |
- */ |
|
787 |
- unsigned int maxmailrec; /* maximum recursion level for mail files */ |
|
788 |
- unsigned int maxratio; /* maximum compression ratio */ |
|
789 |
- unsigned long int maxfilesize;/* compressed files larger than this limit |
|
790 |
- * will not be scanned |
|
791 |
- */ |
|
792 |
- unsigned short archivememlim; /* limit memory usage for some unpackers */ |
|
783 |
+ unsigned long int maxscansize; /* during the scanning of archives this |
|
784 |
+ * size will never be exceeded |
|
785 |
+ */ |
|
786 |
+ unsigned long int maxfilesize; /* compressed files will only be |
|
787 |
+ * decompressed and scanned up to this size |
|
788 |
+ */ |
|
789 |
+ unsigned int maxreclevel; /* maximum recursion level for archives */ |
|
790 |
+ unsigned int maxfiles; /* maximum number of files to be scanned |
|
791 |
+ * within a single archive |
|
792 |
+ */ |
|
793 |
+ unsigned short archivememlim; /* limit memory usage for some unpackers */ |
|
793 | 794 |
}; |
794 | 795 |
\end{verbatim} |
795 | 796 |
The last argument (\verb+options+) configures the scan engine and supports |
... | ... |
@@ -806,9 +823,6 @@ struct cl_limits { |
806 | 806 |
\item \textbf{CL\_SCAN\_BLOCKENCRYPTED}\\ |
807 | 807 |
With this flag the library will mark encrypted archives as viruses |
808 | 808 |
(Encrypted.Zip, Encrypted.RAR). |
809 |
- \item \textbf{CL\_SCAN\_BLOCKMAX}\\ |
|
810 |
- Mark archives as viruses if \verb+maxfiles+, \verb+maxfilesize+, |
|
811 |
- or \verb+maxreclevel+ limit is reached. |
|
812 | 809 |
\item \textbf{CL\_SCAN\_MAIL}\\ |
813 | 810 |
Enable support for mail files. |
814 | 811 |
\item \textbf{CL\_SCAN\_MAILURL}\\ |
... | ... |
@@ -835,9 +849,6 @@ struct cl_limits { |
835 | 835 |
decryption). |
836 | 836 |
\item \textbf{CL\_SCAN\_ALGORITHMIC}\\ |
837 | 837 |
Enable algorithmic detection of viruses. |
838 |
- \item \textbf{CL\_SCAN\_PHISHING\_DOMAINLIST}\\ |
|
839 |
- Phishing module: restrict URL scanning to domains from .pdf |
|
840 |
- (RECOMMENDED). |
|
841 | 838 |
\item \textbf{CL\_SCAN\_PHISHING\_BLOCKSSL}\\ |
842 | 839 |
Phishing module: always block SSL mismatches in URLs. |
843 | 840 |
\item \textbf{CL\_SCAN\_PHISHING\_BLOCKCLOAK}\\ |
... | ... |
@@ -851,14 +862,10 @@ struct cl_limits { |
851 | 851 |
const char *virname; |
852 | 852 |
|
853 | 853 |
memset(&limits, 0, sizeof(struct cl_limits)); |
854 |
- limits.maxfiles = 1000; /* max files */ |
|
855 |
- limits.maxfilesize = 10 * 1048576; /* maximum size of archived or |
|
856 |
- * compressed file (files exceeding |
|
857 |
- * this limit will be ignored) |
|
858 |
- */ |
|
859 |
- limits.maxreclevel = 5; /* maximum recursion level for archives */ |
|
860 |
- limits.maxmailrec = 64; /* maximum recursion level for mail files */ |
|
861 |
- limits.maxratio = 200; /* maximum compression ratio */ |
|
854 |
+ limits.maxfiles = 10000; |
|
855 |
+ limits.maxscansize = 100 * 1048576; /* 100 MB */ |
|
856 |
+ limits.maxfilesize = 10 * 1048576; /* 10 MB */ |
|
857 |
+ limits.maxreclevel = 16; |
|
862 | 858 |
|
863 | 859 |
if((ret = cl_scanfile("/tmp/test.exe", &virname, NULL, engine, |
864 | 860 |
&limits, CL_STDOPT)) == CL_VIRUS) { |
... | ... |
@@ -871,7 +878,7 @@ struct cl_limits { |
871 | 871 |
\end{verbatim} |
872 | 872 |
|
873 | 873 |
\subsubsection{Memory} |
874 |
- Because the engine structure consumes a few megabytes of system memory, you |
|
874 |
+ Because the engine structure occupies a few megabytes of system memory, you |
|
875 | 875 |
should release it with \verb+cl_free+ if you no longer need to scan files. |
876 | 876 |
|
877 | 877 |
\subsubsection{clamav-config} |
... | ... |
@@ -902,15 +909,16 @@ level required:MD5 checksum:digital signature:builder name:build time (sec) |
902 | 902 |
\verb+sigtool --info+ displays detailed information on CVD files: |
903 | 903 |
\begin{verbatim} |
904 | 904 |
zolw@localhost:/usr/local/share/clamav$ sigtool -i daily.cvd |
905 |
-Build time: 11 Feb 2007 19-28 +0000 |
|
906 |
-Version: 2553 |
|
907 |
-# of signatures: 6063 |
|
908 |
-Functionality level: 9 |
|
905 |
+File: daily.cvd |
|
906 |
+Build time: 10 Mar 2008 10:45 +0000 |
|
907 |
+Version: 6191 |
|
908 |
+Signatures: 59084 |
|
909 |
+Functionality level: 26 |
|
909 | 910 |
Builder: ccordes |
910 |
-MD5: 7f337b409249e11dea3effb04dd352f2 |
|
911 |
-Digital signature: 6Ybd2eeDHBAs8raaEwmayqzoa5ysGDNnQ5Cc89mS2VCm1jRXZP |
|
912 |
-ke/itmkTyYQTc/rgJc2uQPr+NvzvUxRpsniwoyZ/gIkPniCLnqVCYOOytwtmirivbrV8j |
|
913 |
-0kzxb9nHd+5UQqj/Z3rLbS7T5HCbRX3uE0JX1tAo642Gq9ACH9Fc |
|
911 |
+MD5: 6e6e29dae36b4b7315932c921e568330 |
|
912 |
+Digital signature: zz9irc9irupR3z7yX6J+OR6XdFPUat4HIM9ERn3kAcOWpcMFxq |
|
913 |
+Fs4toG5WJsHda0Jj92IUusZ7wAgYjpai1Nr+jFfXHsJxv0dBkS5/XWMntj0T1ctNgqmiF |
|
914 |
++RLU6V0VeTl4Oej3Aya0cVpd9K4XXevEO2eTTvzWNCAq0ZzWNdjc |
|
914 | 915 |
Verification OK. |
915 | 916 |
\end{verbatim} |
916 | 917 |
|
... | ... |
@@ -98,7 +98,7 @@ original version by: Nikos Drakos, CBLU, University of Leeds |
98 | 98 |
. |
99 | 99 |
</PRE> |
100 | 100 |
</DD> |
101 |
-<DT><A NAME="foot135">... system:</A><A |
|
101 |
+<DT><A NAME="foot136">... system:</A><A |
|
102 | 102 |
HREF="node12.html#tex2html7"><SUP><SPAN CLASS="arabic">3</SPAN></SUP></A></DT> |
103 | 103 |
<DD>Cygwin note: If you have not |
104 | 104 |
/etc/passwd you can skip this point |
... | ... |
@@ -135,7 +135,7 @@ original version by: Nikos Drakos, CBLU, University of Leeds |
135 | 135 |
. |
136 | 136 |
</PRE> |
137 | 137 |
</DD> |
138 |
-<DT><A NAME="foot176">... file</A><A |
|
138 |
+<DT><A NAME="foot177">... file</A><A |
|
139 | 139 |
HREF="node19.html#tex2html9"><SUP><SPAN CLASS="arabic">4</SPAN></SUP></A></DT> |
140 | 140 |
<DD>To get more info on clamscan options run 'man clamscan' |
141 | 141 |
|
... | ... |
@@ -171,7 +171,7 @@ original version by: Nikos Drakos, CBLU, University of Leeds |
171 | 171 |
. |
172 | 172 |
</PRE> |
173 | 173 |
</DD> |
174 |
-<DT><A NAME="foot210">... file</A><A |
|
174 |
+<DT><A NAME="foot211">... file</A><A |
|
175 | 175 |
HREF="node23.html#tex2html13"><SUP><SPAN CLASS="arabic">5</SPAN></SUP></A></DT> |
176 | 176 |
<DD>man 5 clamd.conf |
177 | 177 |
|
... | ... |
@@ -207,7 +207,7 @@ original version by: Nikos Drakos, CBLU, University of Leeds |
207 | 207 |
. |
208 | 208 |
</PRE> |
209 | 209 |
</DD> |
210 |
-<DT><A NAME="foot267">... it</A><A |
|
210 |
+<DT><A NAME="foot268">... it</A><A |
|
211 | 211 |
HREF="node30.html#tex2html14"><SUP><SPAN CLASS="arabic">6</SPAN></SUP></A></DT> |
212 | 212 |
<DD>You can still use clamd or clamscan instead |
213 | 213 |
|
... | ... |
@@ -243,7 +243,7 @@ original version by: Nikos Drakos, CBLU, University of Leeds |
243 | 243 |
. |
244 | 244 |
</PRE> |
245 | 245 |
</DD> |
246 |
-<DT><A NAME="foot290">... <code>signo</code></A><A |
|
246 |
+<DT><A NAME="foot291">... <code>signo</code></A><A |
|
247 | 247 |
HREF="node39.html#tex2html15"><SUP><SPAN CLASS="arabic">7</SPAN></SUP></A></DT> |
248 | 248 |
<DD>Remember to initialize the virus counter |
249 | 249 |
variable with 0. |
... | ... |
@@ -61,6 +61,12 @@ Requirements</A> |
61 | 61 |
<LI>zlib and zlib-devel packages |
62 | 62 |
</LI> |
63 | 63 |
<LI>gcc compiler suite (tested with 2.9x, 3.x and 4.x series) |
64 |
+<BR> <SPAN CLASS="textbf">If you are compiling with higher optimization levels |
|
65 |
+ than the default one (-O2 for gcc), be aware that there |
|
66 |
+ have been reports of misoptimizations. The build system of ClamAV |
|
67 |
+ only checks for bugs affecting the default settings, it is your |
|
68 |
+ responsibility to check that your compiler version doesn't |
|
69 |
+ have any bugs.</SPAN> |
|
64 | 70 |
|
65 | 71 |
</LI> |
66 | 72 |
</UL> |
... | ... |
@@ -90,7 +96,7 @@ A note for Solaris/SPARC users: you must set the <SPAN CLASS="textit">ABI</SPAN |
90 | 90 |
<BR><HR> |
91 | 91 |
<ADDRESS> |
92 | 92 |
Tomasz Kojm |
93 |
-2008-03-03 |
|
93 |
+2008-03-18 |
|
94 | 94 |
</ADDRESS> |
95 | 95 |
</BODY> |
96 | 96 |
</HTML> |
... | ... |
@@ -57,7 +57,7 @@ Adding new system user and group</A> |
57 | 57 |
</H2> |
58 | 58 |
If you are installing ClamAV for the first time, you have to add a new |
59 | 59 |
user and group to your system: <A NAME="tex2html7" |
60 |
- HREF="footnode.html#foot135"><SUP><SPAN CLASS="arabic">3</SPAN></SUP></A> <PRE> |
|
60 |
+ HREF="footnode.html#foot136"><SUP><SPAN CLASS="arabic">3</SPAN></SUP></A> <PRE> |
|
61 | 61 |
# groupadd clamav |
62 | 62 |
# useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav |
63 | 63 |
</PRE> |
... | ... |
@@ -69,7 +69,7 @@ Adding new system user and group</A> |
69 | 69 |
<BR><HR> |
70 | 70 |
<ADDRESS> |
71 | 71 |
Tomasz Kojm |
72 |
-2008-03-03 |
|
72 |
+2008-03-18 |
|
73 | 73 |
</ADDRESS> |
74 | 74 |
</BODY> |
75 | 75 |
</HTML> |
... | ... |
@@ -62,7 +62,7 @@ Testing</A> |
62 | 62 |
It should find some test files in the clamav-x.yz/test directory. |
63 | 63 |
The scan result will be saved in the <code>scan.txt</code> log file |
64 | 64 |
<A NAME="tex2html9" |
65 |
- HREF="footnode.html#foot176"><SUP><SPAN CLASS="arabic">4</SPAN></SUP></A>. |
|
65 |
+ HREF="footnode.html#foot177"><SUP><SPAN CLASS="arabic">4</SPAN></SUP></A>. |
|
66 | 66 |
To test <code>clamd</code>, start it and use <code>clamdscan</code> (or instead connect |
67 | 67 |
directly to its socket and run the SCAN command): |
68 | 68 |
<PRE> |
... | ... |
@@ -75,7 +75,7 @@ Testing</A> |
75 | 75 |
<BR><HR> |
76 | 76 |
<ADDRESS> |
77 | 77 |
Tomasz Kojm |
78 |
-2008-03-03 |
|
78 |
+2008-03-18 |
|
79 | 79 |
</ADDRESS> |
80 | 80 |
</BODY> |
81 | 81 |
</HTML> |
... | ... |
@@ -68,7 +68,7 @@ Clam daemon |
68 | 68 |
</UL> |
69 | 69 |
The daemon is fully configurable via the <code>clamd.conf</code> file |
70 | 70 |
<A NAME="tex2html13" |
71 |
- HREF="footnode.html#foot210"><SUP><SPAN CLASS="arabic">5</SPAN></SUP></A>. <code>clamd</code> recognizes the following commands: |
|
71 |
+ HREF="footnode.html#foot211"><SUP><SPAN CLASS="arabic">5</SPAN></SUP></A>. <code>clamd</code> recognizes the following commands: |
|
72 | 72 |
|
73 | 73 |
<UL> |
74 | 74 |
<LI><SPAN CLASS="textbf">PING</SPAN> |
... | ... |
@@ -160,7 +160,7 @@ Start/end a <code>clamd</code> session - you can do multiple commands |
160 | 160 |
<!--End of Navigation Panel--> |
161 | 161 |
<ADDRESS> |
162 | 162 |
Tomasz Kojm |
163 |
-2008-03-03 |
|
163 |
+2008-03-18 |
|
164 | 164 |
</ADDRESS> |
165 | 165 |
</BODY> |
166 | 166 |
</HTML> |
... | ... |
@@ -67,7 +67,7 @@ Features</A> |
67 | 67 |
</LI> |
68 | 68 |
<LI>Supports on-access scanning (Linux and FreeBSD only) |
69 | 69 |
</LI> |
70 |
-<LI>Detects over 158.000 viruses, worms and trojans, including |
|
70 |
+<LI>Detects over 230.000 viruses, worms and trojans, including |
|
71 | 71 |
Microsoft Office macro viruses, mobile malware, and other threats |
72 | 72 |
</LI> |
73 | 73 |
<LI>Scans within archives and compressed files (also protects |
... | ... |
@@ -97,6 +97,8 @@ Features</A> |
97 | 97 |
<LI>BinHex |
98 | 98 |
</LI> |
99 | 99 |
<LI>SIS (SymbianOS packages) |
100 |
+</LI> |
|
101 |
+<LI>AutoIt |
|
100 | 102 |
|
101 | 103 |
</LI> |
102 | 104 |
</UL> |
... | ... |
@@ -104,12 +106,16 @@ Features</A> |
104 | 104 |
<LI>Supports Portable Executable (32/64-bit) files compressed or obfuscated with: |
105 | 105 |
|
106 | 106 |
<UL> |
107 |
+<LI>AsPack |
|
108 |
+</LI> |
|
107 | 109 |
<LI>UPX |
108 | 110 |
</LI> |
109 | 111 |
<LI>FSG |
110 | 112 |
</LI> |
111 | 113 |
<LI>Petite |
112 | 114 |
</LI> |
115 |
+<LI>PeSpin |
|
116 |
+</LI> |
|
113 | 117 |
<LI>NsPack |
114 | 118 |
</LI> |
115 | 119 |
<LI>wwpack32 |
... | ... |
@@ -177,7 +183,7 @@ Features</A> |
177 | 177 |
<!--End of Navigation Panel--> |
178 | 178 |
<ADDRESS> |
179 | 179 |
Tomasz Kojm |
180 |
-2008-03-03 |
|
180 |
+2008-03-18 |
|
181 | 181 |
</ADDRESS> |
182 | 182 |
</BODY> |
183 | 183 |
</HTML> |
... | ... |
@@ -58,14 +58,14 @@ Licence</A> |
58 | 58 |
Libclamav is licensed under the GNU GPL v2 licence. This means you are |
59 | 59 |
<SPAN CLASS="textbf">not allowed</SPAN> to link commercial, close-source applications |
60 | 60 |
against it<A NAME="tex2html14" |
61 |
- HREF="footnode.html#foot267"><SUP><SPAN CLASS="arabic">6</SPAN></SUP></A>. |
|
61 |
+ HREF="footnode.html#foot268"><SUP><SPAN CLASS="arabic">6</SPAN></SUP></A>. |
|
62 | 62 |
All software using libclamav must be GPL compliant. |
63 | 63 |
|
64 | 64 |
<P> |
65 | 65 |
<BR><HR> |
66 | 66 |
<ADDRESS> |
67 | 67 |
Tomasz Kojm |
68 |
-2008-03-03 |
|
68 |
+2008-03-18 |
|
69 | 69 |
</ADDRESS> |
70 | 70 |
</BODY> |
71 | 71 |
</HTML> |
... | ... |
@@ -60,12 +60,16 @@ Executables</A> |
60 | 60 |
obfuscated with the following tools: |
61 | 61 |
|
62 | 62 |
<UL> |
63 |
+<LI>Aspack (2.12) |
|
64 |
+</LI> |
|
63 | 65 |
<LI>UPX (all versions) |
64 | 66 |
</LI> |
65 | 67 |
<LI>FSG (1.3, 1.31, 1.33, 2.0) |
66 | 68 |
</LI> |
67 | 69 |
<LI>Petite (2.x) |
68 | 70 |
</LI> |
71 |
+<LI>PeSpin (1.1) |
|
72 |
+</LI> |
|
69 | 73 |
<LI>NsPack |
70 | 74 |
</LI> |
71 | 75 |
<LI>wwpack32 (1.20) |
... | ... |
@@ -74,8 +78,6 @@ Executables</A> |
74 | 74 |
</LI> |
75 | 75 |
<LI>Upack |
76 | 76 |
</LI> |
77 |
-<LI>SUE |
|
78 |
-</LI> |
|
79 | 77 |
<LI>Y0da Cryptor (1.3) |
80 | 78 |
|
81 | 79 |
</LI> |
... | ... |
@@ -85,7 +87,7 @@ Executables</A> |
85 | 85 |
<BR><HR> |
86 | 86 |
<ADDRESS> |
87 | 87 |
Tomasz Kojm |
88 |
-2008-03-03 |
|
88 |
+2008-03-18 |
|
89 | 89 |
</ADDRESS> |
90 | 90 |
</BODY> |
91 | 91 |
</HTML> |
... | ... |
@@ -80,6 +80,8 @@ Archives and compressed files</A> |
80 | 80 |
<LI>BinHex |
81 | 81 |
</LI> |
82 | 82 |
<LI>SIS (SymbianOS packages) |
83 |
+</LI> |
|
84 |
+<LI>AutoIt |
|
83 | 85 |
|
84 | 86 |
</LI> |
85 | 87 |
</UL> |
... | ... |
@@ -88,7 +90,7 @@ Archives and compressed files</A> |
88 | 88 |
<BR><HR> |
89 | 89 |
<ADDRESS> |
90 | 90 |
Tomasz Kojm |
91 |
-2008-03-03 |
|
91 |
+2008-03-18 |
|
92 | 92 |
</ADDRESS> |
93 | 93 |
</BODY> |
94 | 94 |
</HTML> |
... | ... |
@@ -70,7 +70,7 @@ Database loading</A> |
70 | 70 |
is used for passing in the engine structure which should be previously |
71 | 71 |
initialized with NULL. A number of loaded signatures will be <SPAN CLASS="textbf">added</SPAN> |
72 | 72 |
to <code>signo</code> <A NAME="tex2html15" |
73 |
- HREF="footnode.html#foot290"><SUP><SPAN CLASS="arabic">7</SPAN></SUP></A>. The last argument can pass the following flags: |
|
73 |
+ HREF="footnode.html#foot291"><SUP><SPAN CLASS="arabic">7</SPAN></SUP></A>. The last argument can pass the following flags: |
|
74 | 74 |
|
75 | 75 |
<UL> |
76 | 76 |
<LI><SPAN CLASS="textbf">CL_DB_STDOPT</SPAN> |
... | ... |
@@ -84,10 +84,19 @@ Load phishing signatures. |
84 | 84 |
<LI><SPAN CLASS="textbf">CL_DB_PHISHING_URLS</SPAN> |
85 | 85 |
<BR> |
86 | 86 |
Initialize the phishing detection module and load .wdb and .pdb files. |
87 |
+</LI> |
|
88 |
+<LI><SPAN CLASS="textbf">CL_DB_PUA</SPAN> |
|
89 |
+<BR> |
|
90 |
+Load signatures for Potentially Unwanted Applications. |
|
91 |
+</LI> |
|
92 |
+<LI><SPAN CLASS="textbf">CL_DB_CVDNOTMP</SPAN> |
|
93 |
+<BR> |
|
94 |
+Load CVD files directly without unpacking them into a temporary |
|
95 |
+ directory. |
|
87 | 96 |
|
88 | 97 |
</LI> |
89 | 98 |
</UL> |
90 |
- <code>cl_load</code> returns 0 (<code>CL_SUCCESS</code>) on success and a non-negative |
|
99 |
+ <code>cl_load</code> returns 0 (<code>CL_SUCCESS</code>) on success and a negative |
|
91 | 100 |
value on failure. |
92 | 101 |
<PRE> |
93 | 102 |
... |
... | ... |
@@ -102,7 +111,7 @@ Initialize the phishing detection module and load .wdb and .pdb files. |
102 | 102 |
<BR><HR> |
103 | 103 |
<ADDRESS> |
104 | 104 |
Tomasz Kojm |
105 |
-2008-03-03 |
|
105 |
+2008-03-18 |
|
106 | 106 |
</ADDRESS> |
107 | 107 |
</BODY> |
108 | 108 |
</HTML> |
... | ... |
@@ -72,7 +72,7 @@ Database reloading</A> |
72 | 72 |
cl_statinidir(dbdir, &dbstat); |
73 | 73 |
</PRE> |
74 | 74 |
To check for a change you just need to call <code>cl_statchkdir</code> and check |
75 |
- its return value: |
|
75 |
+ its return value (0 - no change, 1 - some change occured): |
|
76 | 76 |
<PRE> |
77 | 77 |
if(cl_statchkdir(&dbstat) == 1) { |
78 | 78 |
reload_database...; |
... | ... |
@@ -101,7 +101,7 @@ Database reloading</A> |
101 | 101 |
<BR><HR> |
102 | 102 |
<ADDRESS> |
103 | 103 |
Tomasz Kojm |
104 |
-2008-03-03 |
|
104 |
+2008-03-18 |
|
105 | 105 |
</ADDRESS> |
106 | 106 |
</BODY> |
107 | 107 |
</HTML> |
... | ... |
@@ -65,7 +65,7 @@ Data scan functions</A> |
65 | 65 |
long int *scanned, const struct cl_engine *engine, const |
66 | 66 |
struct cl_limits *limits, unsigned int options); |
67 | 67 |
</PRE> |
68 |
- Both functions will save a virus name under the pointer <code>virname</code>, |
|
68 |
+ Both functions will store a virus name under the pointer <code>virname</code>, |
|
69 | 69 |
the virus name is part of the engine structure and must not be released |
70 | 70 |
directly. If the third argument (<code>scanned</code>) is not NULL, the |
71 | 71 |
functions will increase its value with the size of scanned data (in |
... | ... |
@@ -73,16 +73,17 @@ Data scan functions</A> |
73 | 73 |
limits in order to protect against Denial of Service attacks. |
74 | 74 |
<PRE> |
75 | 75 |
struct cl_limits { |
76 |
- unsigned int maxreclevel; /* maximum recursion level for archives */ |
|
77 |
- unsigned int maxfiles; /* maximum number of files to be scanned |
|
78 |
- * within a single archive |
|
79 |
- */ |
|
80 |
- unsigned int maxmailrec; /* maximum recursion level for mail files */ |
|
81 |
- unsigned int maxratio; /* maximum compression ratio */ |
|
82 |
- unsigned long int maxfilesize;/* compressed files larger than this limit |
|
83 |
- * will not be scanned |
|
84 |
- */ |
|
85 |
- unsigned short archivememlim; /* limit memory usage for some unpackers */ |
|
76 |
+ unsigned long int maxscansize; /* during the scanning of archives this |
|
77 |
+ * size will never be exceeded |
|
78 |
+ */ |
|
79 |
+ unsigned long int maxfilesize; /* compressed files will only be |
|
80 |
+ * decompressed and scanned up to this size |
|
81 |
+ */ |
|
82 |
+ unsigned int maxreclevel; /* maximum recursion level for archives */ |
|
83 |
+ unsigned int maxfiles; /* maximum number of files to be scanned |
|
84 |
+ * within a single archive |
|
85 |
+ */ |
|
86 |
+ unsigned short archivememlim; /* limit memory usage for some unpackers */ |
|
86 | 87 |
}; |
87 | 88 |
</PRE> |
88 | 89 |
The last argument (<code>options</code>) configures the scan engine and supports |
... | ... |
@@ -108,11 +109,6 @@ This flag enables transparent scanning of various archive formats. |
108 | 108 |
With this flag the library will mark encrypted archives as viruses |
109 | 109 |
(Encrypted.Zip, Encrypted.RAR). |
110 | 110 |
</LI> |
111 |
-<LI><SPAN CLASS="textbf">CL_SCAN_BLOCKMAX</SPAN> |
|
112 |
-<BR> |
|
113 |
-Mark archives as viruses if <code>maxfiles</code>, <code>maxfilesize</code>, |
|
114 |
- or <code>maxreclevel</code> limit is reached. |
|
115 |
-</LI> |
|
116 | 111 |
<LI><SPAN CLASS="textbf">CL_SCAN_MAIL</SPAN> |
117 | 112 |
<BR> |
118 | 113 |
Enable support for mail files. |
... | ... |
@@ -157,11 +153,6 @@ This flag enables HTML normalisation (including ScrEnc |
157 | 157 |
<BR> |
158 | 158 |
Enable algorithmic detection of viruses. |
159 | 159 |
</LI> |
160 |
-<LI><SPAN CLASS="textbf">CL_SCAN_PHISHING_DOMAINLIST</SPAN> |
|
161 |
-<BR> |
|
162 |
-Phishing module: restrict URL scanning to domains from .pdf |
|
163 |
- (RECOMMENDED). |
|
164 |
-</LI> |
|
165 | 160 |
<LI><SPAN CLASS="textbf">CL_SCAN_PHISHING_BLOCKSSL</SPAN> |
166 | 161 |
<BR> |
167 | 162 |
Phishing module: always block SSL mismatches in URLs. |
... | ... |
@@ -180,14 +171,10 @@ Phishing module: always block cloaked URLs. |
180 | 180 |
const char *virname; |
181 | 181 |
|
182 | 182 |
memset(&limits, 0, sizeof(struct cl_limits)); |
183 |
- limits.maxfiles = 1000; /* max files */ |
|
184 |
- limits.maxfilesize = 10 * 1048576; /* maximum size of archived or |
|
185 |
- * compressed file (files exceeding |
|
186 |
- * this limit will be ignored) |
|
187 |
- */ |
|
188 |
- limits.maxreclevel = 5; /* maximum recursion level for archives */ |
|
189 |
- limits.maxmailrec = 64; /* maximum recursion level for mail files */ |
|
190 |
- limits.maxratio = 200; /* maximum compression ratio */ |
|
183 |
+ limits.maxfiles = 10000; |
|
184 |
+ limits.maxscansize = 100 * 1048576; /* 100 MB */ |
|
185 |
+ limits.maxfilesize = 10 * 1048576; /* 10 MB */ |
|
186 |
+ limits.maxreclevel = 16; |
|
191 | 187 |
|
192 | 188 |
if((ret = cl_scanfile("/tmp/test.exe", &virname, NULL, engine, |
193 | 189 |
&limits, CL_STDOPT)) == CL_VIRUS) { |
... | ... |
@@ -227,7 +214,7 @@ Phishing module: always block cloaked URLs. |
227 | 227 |
<!--End of Navigation Panel--> |
228 | 228 |
<ADDRESS> |
229 | 229 |
Tomasz Kojm |
230 |
-2008-03-03 |
|
230 |
+2008-03-18 |
|
231 | 231 |
</ADDRESS> |
232 | 232 |
</BODY> |
233 | 233 |
</HTML> |
... | ... |
@@ -55,14 +55,14 @@ original version by: Nikos Drakos, CBLU, University of Leeds |
55 | 55 |
<H3><A NAME="SECTION00074200000000000000"> |
56 | 56 |
Memory</A> |
57 | 57 |
</H3> |
58 |
- Because the engine structure consumes a few megabytes of system memory, you |
|
58 |
+ Because the engine structure occupies a few megabytes of system memory, you |
|
59 | 59 |
should release it with <code>cl_free</code> if you no longer need to scan files. |
60 | 60 |
|
61 | 61 |
<P> |
62 | 62 |
<BR><HR> |
63 | 63 |
<ADDRESS> |
64 | 64 |
Tomasz Kojm |
65 |
-2008-03-03 |
|
65 |
+2008-03-18 |
|
66 | 66 |
</ADDRESS> |
67 | 67 |
</BODY> |
68 | 68 |
</HTML> |
... | ... |
@@ -65,15 +65,16 @@ level required:MD5 checksum:digital signature:builder name:build time (sec) |
65 | 65 |
<code>sigtool --info</code> displays detailed information on CVD files: |
66 | 66 |
<PRE> |
67 | 67 |
zolw@localhost:/usr/local/share/clamav$ sigtool -i daily.cvd |
68 |
-Build time: 11 Feb 2007 19-28 +0000 |
|
69 |
-Version: 2553 |
|
70 |
-# of signatures: 6063 |
|
71 |
-Functionality level: 9 |
|
68 |
+File: daily.cvd |
|
69 |
+Build time: 10 Mar 2008 10:45 +0000 |
|
70 |
+Version: 6191 |
|
71 |
+Signatures: 59084 |
|
72 |
+Functionality level: 26 |
|
72 | 73 |
Builder: ccordes |
73 |
-MD5: 7f337b409249e11dea3effb04dd352f2 |
|
74 |
-Digital signature: 6Ybd2eeDHBAs8raaEwmayqzoa5ysGDNnQ5Cc89mS2VCm1jRXZP |
|
75 |
-ke/itmkTyYQTc/rgJc2uQPr+NvzvUxRpsniwoyZ/gIkPniCLnqVCYOOytwtmirivbrV8j |
|
76 |
-0kzxb9nHd+5UQqj/Z3rLbS7T5HCbRX3uE0JX1tAo642Gq9ACH9Fc |
|
74 |
+MD5: 6e6e29dae36b4b7315932c921e568330 |
|
75 |
+Digital signature: zz9irc9irupR3z7yX6J+OR6XdFPUat4HIM9ERn3kAcOWpcMFxq |
|
76 |
+Fs4toG5WJsHda0Jj92IUusZ7wAgYjpai1Nr+jFfXHsJxv0dBkS5/XWMntj0T1ctNgqmiF |
|
77 |
++RLU6V0VeTl4Oej3Aya0cVpd9K4XXevEO2eTTvzWNCAq0ZzWNdjc |
|
77 | 78 |
Verification OK. |
78 | 79 |
</PRE> |
79 | 80 |
|
... | ... |
@@ -81,7 +82,7 @@ Verification OK. |
81 | 81 |
<BR><HR> |
82 | 82 |
<ADDRESS> |
83 | 83 |
Tomasz Kojm |
84 |
-2008-03-03 |
|
84 |
+2008-03-18 |
|
85 | 85 |
</ADDRESS> |
86 | 86 |
</BODY> |
87 | 87 |
</HTML> |
... | ... |
@@ -64,11 +64,11 @@ Mathematics Department, Macquarie University, Sydney. |
64 | 64 |
The command line arguments were: <BR> |
65 | 65 |
<STRONG>latex2html</STRONG> <TT>-local_icons clamdoc.tex</TT> |
66 | 66 |
<P> |
67 |
-The translation was initiated by Tomasz Kojm on 2008-03-03 |
|
67 |
+The translation was initiated by Tomasz Kojm on 2008-03-18 |
|
68 | 68 |
<BR><HR> |
69 | 69 |
<ADDRESS> |
70 | 70 |
Tomasz Kojm |
71 |
-2008-03-03 |
|
71 |
+2008-03-18 |
|
72 | 72 |
</ADDRESS> |
73 | 73 |
</BODY> |
74 | 74 |
</HTML> |
... | ... |
@@ -55,7 +55,7 @@ original version by: Nikos Drakos, CBLU, University of Leeds |
55 | 55 |
<H2><A NAME="SECTION00031000000000000000"> |
56 | 56 |
Supported platforms</A> |
57 | 57 |
</H2> |
58 |
- Most popular UNIX operating systems are supported. Clam AntiVirus 0.90 was |
|
58 |
+ Most popular UNIX operating systems are supported. Clam AntiVirus 0.9x was |
|
59 | 59 |
tested on: |
60 | 60 |
|
61 | 61 |
<UL> |
... | ... |
@@ -80,7 +80,7 @@ Supported platforms</A> |
80 | 80 |
<BR><HR> |
81 | 81 |
<ADDRESS> |
82 | 82 |
Tomasz Kojm |
83 |
-2008-03-03 |
|
83 |
+2008-03-18 |
|
84 | 84 |
</ADDRESS> |
85 | 85 |
</BODY> |
86 | 86 |
</HTML> |
... | ... |
@@ -1,6 +1,9 @@ |
1 | 1 |
/* |
2 | 2 |
* Compilation: gcc -Wall ex1.c -o ex1 -lclamav |
3 | 3 |
* |
4 |
+ * Copyright (C) 2007 - 2008 Sourcefire, Inc. |
|
5 |
+ * Author: Tomasz Kojm <tkojm@clamav.net> |
|
6 |
+ * |
|
4 | 7 |
* Copyright (C) 2002 - 2006 Tomasz Kojm <tkojm@clamav.net> |
5 | 8 |
* |
6 | 9 |
* This program is free software; you can redistribute it and/or modify |
... | ... |
@@ -75,14 +78,15 @@ int main(int argc, char **argv) |
75 | 75 |
|
76 | 76 |
/* set up archive limits */ |
77 | 77 |
memset(&limits, 0, sizeof(struct cl_limits)); |
78 |
- limits.maxfiles = 1000; /* max files */ |
|
79 |
- limits.maxfilesize = 10 * 1048576; /* maximum size of archived/compressed |
|
80 |
- * file (files exceeding this limit |
|
81 |
- * will be ignored) |
|
78 |
+ limits.maxscansize = 100 * 1048576; /* during the scanning of archives this |
|
79 |
+ * size (100 MB) will never be exceeded |
|
80 |
+ */ |
|
81 |
+ limits.maxfilesize = 10 * 1048576; /* compressed files will only be |
|
82 |
+ * decompressed and scanned up to this |
|
83 |
+ * size (10 MB) |
|
82 | 84 |
*/ |
83 |
- limits.maxreclevel = 5; /* maximum recursion level for archives */ |
|
84 |
- limits.maxmailrec = 64; /* maximum recursion level for mail files */ |
|
85 |
- limits.maxratio = 200; /* maximum compression ratio */ |
|
85 |
+ limits.maxfiles = 10000; /* max files */ |
|
86 |
+ limits.maxreclevel = 16; /* maximum recursion level for archives */ |
|
86 | 87 |
|
87 | 88 |
/* scan file descriptor */ |
88 | 89 |
if((ret = cl_scandesc(fd, &virname, &size, engine, &limits, CL_SCAN_STDOPT)) == CL_VIRUS) { |
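Review bot: The new limit block in main() leaves `archivememlim` at the zero written by the memset without saying whether zero means "no limit" or "no memory" for the unpackers it governs; since this is the example readers copy, a comment stating which it is would prevent a mis-set limit. The `/* max files */` comment on `limits.maxfiles` only restates the field name, while the documentation hunk in this same commit defines the field as the maximum number of files scanned within a single archive, so `limits.maxfiles = 10000; /* max files scanned within a single archive */` is the more useful wording. Because the header hunk now marks CL_SCAN_BLOCKMAX as ignored, exceeding any of these limits presumably truncates the scan silently rather than reporting the file, and a one-line note above the block saying that these values are Denial of Service protection rather than detection would spare readers that surprise. main() starts outside the hunk.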
... | ... |
@@ -84,7 +84,7 @@ extern "C" |
84 | 84 |
#define CL_SCAN_PE 0x20 |
85 | 85 |
#define CL_SCAN_BLOCKBROKEN 0x40 |
86 | 86 |
#define CL_SCAN_MAILURL 0x80 |
87 |
-#define CL_SCAN_BLOCKMAX 0x100 |
|
87 |
+#define CL_SCAN_BLOCKMAX 0x100 /* ignored */ |
|
88 | 88 |
#define CL_SCAN_ALGORITHMIC 0x200 |
89 | 89 |
#define CL_SCAN_PHISHING_BLOCKSSL 0x800 /* ssl mismatches, not ssl by itself*/ |
90 | 90 |
#define CL_SCAN_PHISHING_BLOCKCLOAK 0x1000 |
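Review bot: The `/* ignored */` added to CL_SCAN_BLOCKMAX tells a caller that the bit does nothing but not why, and the flag previously made the library report archives that hit maxfiles, maxfilesize or maxreclevel as viruses (per the text this commit removes from the documentation), so code that relied on it for archive-bomb handling now silently loses that behaviour. A fuller comment such as `#define CL_SCAN_BLOCKMAX 0x100 /* deprecated, no effect: limit hits are no longer reported as CL_VIRUS */` makes the change visible at the point of use; if the intent is eventual removal, saying so here lets integrators plan for it. The enclosing extern "C" block starts outside the hunk.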