@@ -501,6 +501,9 @@ int main(int argc, char **argv) |
501 | 501 |
break; |
502 | 502 |
} |
503 | 503 |
|
504 |
+ if (optget(opts, "DisableCertCheck")->enabled) |
|
505 |
+ engine->dconf->pe |= PE_CONF_DISABLECERT; |
|
506 |
+ |
|
504 | 507 |
logg("#Loaded %u signatures.\n", sigs); |
505 | 508 |
if((ret = cl_engine_compile(engine)) != 0) { |
506 | 509 |
logg("!Database initialization error: %s\n", cl_strerror(ret)); |
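Review bot: The new DisableCertCheck branch at 504–505 switches off authenticode verification without leaving any trace in the daemon log, so an operator reading clamd's startup output cannot tell the check is disabled. Emit a warning when the flag is set, e.g. `logg("^Authenticode certificate chain verification disabled (DisableCertCheck)\n");` inside the branch, and brace the single-statement if body. The scanmanager hunk that sets the same bit from `nocerts` has the identical gap. main() continues outside the hunk.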
@@ -253,6 +253,7 @@ void help(void) |
253 | 253 |
mprintf(" --scan-archive[=yes(*)/no] Scan archive files (supported by libclamav)\n"); |
254 | 254 |
mprintf(" --detect-broken[=yes/no(*)] Try to detect broken executable files\n"); |
255 | 255 |
mprintf(" --block-encrypted[=yes/no(*)] Block encrypted archives\n"); |
256 |
+ mprintf(" --nocerts Disable authenticode certificate chain verification in PE files\n"); |
|
256 | 257 |
mprintf("\n"); |
257 | 258 |
mprintf(" --max-filesize=#n Files larger than this will be skipped and assumed clean\n"); |
258 | 259 |
mprintf(" --max-scansize=#n The maximum amount of data to scan for each container file (**)\n"); |
@@ -691,6 +691,9 @@ int scanmanager(const struct optstruct *opts) |
691 | 691 |
cl_engine_set_clcb_post_scan(engine, post); |
692 | 692 |
} |
693 | 693 |
|
694 |
+ if (optget(opts, "nocerts")->enabled) |
|
695 |
+ engine->dconf->pe |= PE_CONF_DISABLECERT; |
|
696 |
+ |
|
694 | 697 |
/* set limits */ |
695 | 698 |
|
696 | 699 |
if((opt = optget(opts, "max-scansize"))->active) { |
@@ -585,8 +585,8 @@ Entertainment Pack FreeCell Game |
585 | 585 |
certificate in the chain against a database of trusted and revoked |
586 | 586 |
certificates. The sinagure format is |
587 | 587 |
\begin{verbatim} |
588 |
-Name;Trusted;Subject;Pubkey;Exponent;CodeSign;TimeSign;NotBefore;Comment |
|
589 |
-[;minFL[;maxFL]] |
|
588 |
+Name;Trusted;Subject;Serial;Pubkey;Exponent;CodeSign;TimeSign;CertSign; |
|
589 |
+NotBefore;Comment[;minFL[;maxFL]] |
|
590 | 590 |
\end{verbatim} |
591 | 591 |
where the corresponding fields are: |
592 | 592 |
\begin{itemize} |
@@ -594,17 +594,21 @@ Name;Trusted;Subject;Pubkey;Exponent;CodeSign;TimeSign;NotBefore;Comment |
594 | 594 |
\item \verb+Trusted:+ bit field, specifying whether the cert is |
595 | 595 |
trusted. 1 for trusted. 0 for revoked |
596 | 596 |
\item \verb+Subject:+ sha1 of the Subject field in hex |
597 |
+ \item \verb+Serial:+ the serial number as clamscan --debug --verbose |
|
598 |
+ reports |
|
597 | 599 |
\item \verb+Pubkey:+ the public key in hex |
598 | 600 |
\item \verb+Exponent:+ the exponent in hex. Currently ignored and |
599 | 601 |
hardcoded to 010001 (in hex) |
600 | 602 |
\item \verb+CodeSign:+ bit field, specifying whether this cert |
601 | 603 |
can sign code. 1 for true, 0 for false |
602 | 604 |
\item \verb+TimeSign:+ bit field. 1 for true, 0 for false |
605 |
+ \item \verb+CertSign:+ bit field, specifying whether this cert |
|
606 |
+ can sign other certs. 1 for true, 0 for false |
|
603 | 607 |
\item \verb+NotBefore:+ integer, cert should not be added before |
604 | 608 |
this variable. Defaults to 0 if left empty |
605 | 609 |
\item \verb+Comment:+ comments for this entry |
606 | 610 |
\end{itemize} |
607 |
- The signatures for certs are stored inside \verb+.crt+ files. |
|
611 |
+ The signatures for certs are stored inside \verb+.crtdb+ files. |
|
608 | 612 |
|
609 | 613 |
\subsection{Signatures based on container metadata} |
610 | 614 |
ClamAV 0.96 allows creating generic signatures matching files stored |
@@ -250,6 +250,16 @@ Example |
250 | 250 |
# Default: yes |
251 | 251 |
#ScanPE yes |
252 | 252 |
|
253 |
+# Certain PE files contain an authenticode signature. By default, we check |
|
254 |
+# the signature chain in the PE file against a database of trusted and |
|
255 |
+# revoked certificates if the file being scanned is marked as a virus. |
|
256 |
+# If any certificate in the chain validates against any trusted root, but |
|
257 |
+# does not match any revoked certificate, the file is marked as whitelisted. |
|
258 |
+# If the file does match a revoked certificate, the file is marked as virus. |
|
259 |
+# The following setting completely turns off authenticode verification. |
|
260 |
+# Default: no |
|
261 |
+#DisableCertCheck yes |
|
262 |
+ |
|
253 | 263 |
# Executable and Linking Format is a standard format for UN*X executables. |
254 | 264 |
# This option allows you to control the scanning of ELF files. |
255 | 265 |
# If you turn off this option, the original files will still be scanned, but |
@@ -1445,6 +1445,9 @@ int asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsig |
1445 | 1445 |
crtmgr certs; |
1446 | 1446 |
int ret; |
1447 | 1447 |
|
1448 |
+ if (engine->dconf->pe & PE_CONF_DISABLECERT) |
|
1449 |
+ return CL_VIRUS; |
|
1450 |
+ |
|
1448 | 1451 |
cli_dbgmsg("in asn1_check_mscat (offset: %lu)\n", offset); |
1449 | 1452 |
crtmgr_init(&certs); |
1450 | 1453 |
if(crtmgr_add_roots(engine, &certs)) { |
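Review bot: The early return at 1448–1449 reuses CL_VIRUS to mean "verification skipped", and it sits before the existing cli_dbgmsg, so a --debug run shows nothing for a file whose signature chain was never examined. Add a comment stating the sentinel's meaning and a debug line before the return, e.g. `/* CL_VIRUS here means "not whitelisted": the caller's existing detection presumably stands. */` followed by `cli_dbgmsg("asn1_check_mscat: authenticode verification disabled by configuration\n");`. Brace the single-statement if body as well. asn1_check_mscat's body continues past the hunk.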
@@ -145,7 +145,7 @@ int crtmgr_add(crtmgr *m, cli_crt *x509) { |
145 | 145 |
fp_toradix_n(&i->n, mod, 16, j); |
146 | 146 |
// exp next |
147 | 147 |
fp_toradix_n(&i->e, exp, 16, j); |
148 |
- serial = cli_str2hex(i->serial, SHA1_HASH_SIZE); |
|
148 |
+ serial = cli_str2hex((const char *)(i->serial), (unsigned int)SHA1_HASH_SIZE); |
|
149 | 149 |
// subject and issuer hashes |
150 | 150 |
for(j=0; j<SHA1_HASH_SIZE; j++) { |
151 | 151 |
sprintf(&issuer[j*2], "%02x", i->issuer[j]); |
@@ -429,6 +429,8 @@ const struct clam_option __clam_options[] = { |
429 | 429 |
|
430 | 430 |
{ "Bytecode", NULL, 0, TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_FRESHCLAM, "This option enables downloading of bytecode.cvd, which includes additional\ndetection mechanisms and improvements to the ClamAV engine.", "yes" }, |
431 | 431 |
|
432 |
+ { "DisableCertCheck", "nocerts", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Disable authenticode certificate chain verification in PE files.", "no" }, |
|
433 |
+ |
|
432 | 434 |
/* Deprecated options */ |
433 | 435 |
|
434 | 436 |
{ "MailMaxRecursion", NULL, 0, TYPE_NUMBER, NULL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", "" }, |
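Review bot: The description string on the new DisableCertCheck entry at 432 says what is switched off but not its visible effect; per the sample-config text in this commit, a PE whose chain validates against a trusted root is whitelisted only when this check runs, and no revoked-certificate lookup happens without it. Suggest `"Disable authenticode certificate chain verification in PE files (signed files are no longer whitelisted or checked against the trusted/revoked certificate database)."`. The entry is also placed next to an OPT_FRESHCLAM entry (Bytecode) rather than with the other OPT_CLAMD | OPT_CLAMSCAN PE options; grouping it with those would make it easier to find, though the table's order may be deliberate.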