@@ -501,6 +501,9 @@ int main(int argc, char **argv)

 	break;

     }

+    if (optget(opts, "DisableCertCheck")->enabled)

+        engine->dconf->pe |= PE_CONF_DISABLECERT;

+

     logg("#Loaded %u signatures.\n", sigs);

     if((ret = cl_engine_compile(engine)) != 0) {

 	logg("!Database initialization error: %s\n", cl_strerror(ret));

@@ -253,6 +253,7 @@ void help(void)

     mprintf("    --scan-archive[=yes(*)/no]           Scan archive files (supported by libclamav)\n");

     mprintf("    --detect-broken[=yes/no(*)]          Try to detect broken executable files\n");

     mprintf("    --block-encrypted[=yes/no(*)]        Block encrypted archives\n");

+    mprintf("    --nocerts                            Disable authenticode certificate chain verification in PE files\n");

     mprintf("\n");

     mprintf("    --max-filesize=#n                    Files larger than this will be skipped and assumed clean\n");

     mprintf("    --max-scansize=#n                    The maximum amount of data to scan for each container file (**)\n");

@@ -691,6 +691,9 @@ int scanmanager(const struct optstruct *opts)

 	cl_engine_set_clcb_post_scan(engine, post);

     }

+    if (optget(opts, "nocerts")->enabled)

+        engine->dconf->pe |= PE_CONF_DISABLECERT;

+

     /* set limits */

     if((opt = optget(opts, "max-scansize"))->active) {

@@ -585,8 +585,8 @@ Entertainment Pack FreeCell Game

     certificate in the chain against a database of trusted and revoked

     certificates. The sinagure format is

 \begin{verbatim}

-Name;Trusted;Subject;Pubkey;Exponent;CodeSign;TimeSign;NotBefore;Comment

-[;minFL[;maxFL]]

+Name;Trusted;Subject;Serial;Pubkey;Exponent;CodeSign;TimeSign;CertSign;

+NotBefore;Comment[;minFL[;maxFL]]

 \end{verbatim}

     where the corresponding fields are:

     \begin{itemize}

@@ -594,17 +594,21 @@ Name;Trusted;Subject;Pubkey;Exponent;CodeSign;TimeSign;NotBefore;Comment

         \item \verb+Trusted:+ bit field, specifying whether the cert is

             trusted. 1 for trusted. 0 for revoked

         \item \verb+Subject:+ sha1 of the Subject field in hex

+        \item \verb+Serial:+ the serial number as clamscan --debug --verbose

+            reports

         \item \verb+Pubkey:+ the public key in hex

         \item \verb+Exponent:+ the exponent in hex. Currently ignored and

             hardcoded to 010001 (in hex)

         \item \verb+CodeSign:+ bit field, specifying whether this cert

             can sign code. 1 for true, 0 for false

         \item \verb+TimeSign:+ bit field. 1 for true, 0 for false

+        \item \verb+CertSign:+ bit field, specifying whether this cert

+            can sign other certs. 1 for true, 0 for false

         \item \verb+NotBefore:+ integer, cert should not be added before

             this variable. Defaults to 0 if left empty

         \item \verb+Comment:+ comments for this entry

     \end{itemize}

-    The signatures for certs are stored inside \verb+.crt+ files.

+    The signatures for certs are stored inside \verb+.crtdb+ files.

     \subsection{Signatures based on container metadata}

     ClamAV 0.96 allows creating generic signatures matching files stored

@@ -250,6 +250,16 @@ Example

 # Default: yes

 #ScanPE yes

+# Certain PE files contain an authenticode signature. By default, we check

+# the signature chain in the PE file against a database of trusted and

+# revoked certificates if the file being scanned is marked as a virus.

+# If any certificate in the chain validates against any trusted root, but

+# does not match any revoked certificate, the file is marked as whitelisted.

+# If the file does match a revoked certificate, the file is marked as virus.

+# The following setting completely turns off authenticode verification.

+# Default: no

+#DisableCertCheck yes

+

 # Executable and Linking Format is a standard format for UN*X executables.

 # This option allows you to control the scanning of ELF files.

 # If you turn off this option, the original files will still be scanned, but

@@ -1445,6 +1445,9 @@ int asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsig

     crtmgr certs;

     int ret;

+    if (engine->dconf->pe & PE_CONF_DISABLECERT)

+        return CL_VIRUS;

+

     cli_dbgmsg("in asn1_check_mscat (offset: %lu)\n", offset);

     crtmgr_init(&certs);

     if(crtmgr_add_roots(engine, &certs)) {

@@ -145,7 +145,7 @@ int crtmgr_add(crtmgr *m, cli_crt *x509) {

         fp_toradix_n(&i->n, mod, 16, j);

         // exp next

         fp_toradix_n(&i->e, exp, 16, j);

-        serial = cli_str2hex(i->serial, SHA1_HASH_SIZE);

+        serial = cli_str2hex((const char *)(i->serial), (unsigned int)SHA1_HASH_SIZE);

         // subject and issuer hashes

         for(j=0; j<SHA1_HASH_SIZE; j++) {

             sprintf(&issuer[j*2], "%02x", i->issuer[j]);

@@ -71,6 +71,7 @@ static struct dconf_module modules[] = {

     { "PE",	    "UPACK",	    PE_CONF_UPACK,	    1 },

     { "PE",	    "ASPACK",	    PE_CONF_ASPACK,	    1 },

     { "PE",	    "CATALOG",	    PE_CONF_CATALOG,	    1 },

+    { "PE",     "DISABLECERT",  PE_CONF_DISABLECERT,    0 },

     { "ELF",	    NULL,	    0x1,		    1 },

@@ -60,6 +60,7 @@ struct cli_dconf {

 #define PE_CONF_UPACK	    0x4000

 #define PE_CONF_ASPACK	    0x8000

 #define PE_CONF_CATALOG	    0x10000

+#define PE_CONF_DISABLECERT 0x20000

 /* Archive flags */

 #define ARCH_CONF_RAR	    0x1

@@ -429,6 +429,8 @@ const struct clam_option __clam_options[] = {

     { "Bytecode", NULL, 0, TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_FRESHCLAM, "This option enables downloading of bytecode.cvd, which includes additional\ndetection mechanisms and improvements to the ClamAV engine.", "yes" },

+    { "DisableCertCheck", "nocerts", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Disable authenticode certificate chain verification in PE files.", "no" },

+

     /* Deprecated options */

     { "MailMaxRecursion", NULL, 0, TYPE_NUMBER, NULL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", "" },