@@ -1,3 +1,9 @@

+Thu Feb 17 19:13:15 CET 2011 (tk)

+---------------------------------

+ * clamd: add new config option BytecodeUnsigned (bb#2537); drop

+	  "None" from BytecodeSecurity

+ * clamscan: add new switch --bytecode-unsigned and drop --bytecode-trust-all

+

 Tue Feb 15 19:19:31 CET 2011 (tk)

 ---------------------------------

  * sigtool/sigtool.c: improve handling of bytecode.info (bb#2292)

@@ -436,44 +436,49 @@ int main(int argc, char **argv)

     else

 	logg("#Not loading phishing signatures.\n");

-    if(optget(opts,"Bytecode")->enabled)

+    if(optget(opts,"Bytecode")->enabled) {

 	dboptions |= CL_DB_BYTECODE;

-

-    if((opt = optget(opts,"BytecodeSecurity"))->enabled) {

-	enum bytecode_security s;

-	if (!strcmp(opt->strarg, "TrustSigned"))

-	    s = CL_BYTECODE_TRUST_SIGNED;

-	else if (!strcmp(opt->strarg, "None"))

-	    s = CL_BYTECODE_TRUST_ALL;

-	else if (!strcmp(opt->strarg, "Paranoid"))

-	    s = CL_BYTECODE_TRUST_NOTHING;

-	else {

-	    logg("!Unable to parse bytecode security setting:%s\n",

-		 opt->strarg);

-	    ret = 1;

-	    break;

+	if((opt = optget(opts,"BytecodeSecurity"))->enabled) {

+	    enum bytecode_security s;

+	    if (!strcmp(opt->strarg, "TrustSigned")) {

+		s = CL_BYTECODE_TRUST_SIGNED;

+		logg("Bytecode: Security mode set to \"TrustSigned\".\n");

+	    } else if (!strcmp(opt->strarg, "Paranoid")) {

+		s = CL_BYTECODE_TRUST_NOTHING;

+		logg("Bytecode: Security mode set to \"Paranoid\".\n");

+	    } else {

+		logg("!Unable to parse bytecode security setting:%s\n",

+		    opt->strarg);

+		ret = 1;

+		break;

+	    }

+	    if ((ret = cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, s))) {

+		logg("Invalid bytecode security setting %s: %s\n", opt->strarg, cl_strerror(ret));

+		ret = 1;

+		break;

+	    }

 	}

-	if ((ret = cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, s))) {

-	    logg("Invalid bytecode security setting %s: %s\n", opt->strarg, cl_strerror(ret));

-	    ret = 1;

-	    break;

+	if((opt = optget(opts,"BytecodeUnsigned"))->enabled) {

+	    dboptions |= CL_DB_BYTECODE_UNSIGNED;

+	    logg("Bytecode: Enabled support for unsigned bytecode.\n");

 	}

-    }

-    if((opt = optget(opts,"BytecodeMode"))->enabled) {

-	enum bytecode_mode mode;

-	if (!strcmp(opt->strarg, "ForceJIT"))

-	    mode = CL_BYTECODE_MODE_JIT;

-	else if(!strcmp(opt->strarg, "ForceInterpreter"))

-	    mode = CL_BYTECODE_MODE_INTERPRETER;

-	else if(!strcmp(opt->strarg, "Test"))

-	    mode = CL_BYTECODE_MODE_TEST;

-	else

-	    mode = CL_BYTECODE_MODE_AUTO;

-	cl_engine_set_num(engine, CL_ENGINE_BYTECODE_MODE, mode);

-    }

-    if((opt = optget(opts,"BytecodeTimeout"))->enabled) {

-	cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg);

-    }

+	if((opt = optget(opts,"BytecodeMode"))->enabled) {

+	    enum bytecode_mode mode;

+	    if (!strcmp(opt->strarg, "ForceJIT"))

+		mode = CL_BYTECODE_MODE_JIT;

+	    else if(!strcmp(opt->strarg, "ForceInterpreter"))

+		mode = CL_BYTECODE_MODE_INTERPRETER;

+	    else if(!strcmp(opt->strarg, "Test"))

+		mode = CL_BYTECODE_MODE_TEST;

+	    else

+		mode = CL_BYTECODE_MODE_AUTO;

+	    cl_engine_set_num(engine, CL_ENGINE_BYTECODE_MODE, mode);

+	}

+	if((opt = optget(opts,"BytecodeTimeout"))->enabled) {

+	    cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg);

+	}

+    } else

+	logg("Bytecode support disabled.\n");

     if(optget(opts,"PhishingScanURLs")->enabled)

 	dboptions |= CL_DB_PHISHING_URLS;

@@ -222,7 +222,7 @@ void help(void)

     mprintf("    --include-dir=REGEX                  Only scan directories matching REGEX\n");

     mprintf("\n");

     mprintf("    --bytecode[=yes(*)/no]               Load bytecode from the database\n");

-    mprintf("    --bytecode-trust-all[=yes/no(*)]     Trust all loaded bytecode\n");

+    mprintf("    --bytecode-unsigned[=yes/no(*)]      Load unsigned bytecode\n");

     mprintf("    --bytecode-timeout=N                 Set bytecode timeout (in milliseconds)\n");

     mprintf("    --detect-pua[=yes/no(*)]             Detect Possibly Unwanted Applications\n");

     mprintf("    --exclude-pua=CAT                    Skip PUA sigs of category CAT\n");

@@ -488,8 +488,9 @@ int scanmanager(const struct optstruct *opts)

     if(optget(opts, "leave-temps")->enabled)

 	cl_engine_set_num(engine, CL_ENGINE_KEEPTMP, 1);

-    if(optget(opts, "bytecode-trust-all")->enabled)

-	cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, CL_BYTECODE_TRUST_ALL);

+    if(optget(opts, "bytecode-unsigned")->enabled)

+	dboptions |= CL_DB_BYTECODE_UNSIGNED;

+

     if((opt = optget(opts,"bytecode-timeout"))->enabled)

 	cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg);

     if((opt = optget(opts,"bytecode-mode"))->enabled) {

@@ -974,7 +974,6 @@ with_user

 with_group

 enable_clamav

 enable_debug

-enable_unsigned_bytecode

 enable_no_cache

 enable_dns_fix

 enable_bigstack

@@ -1652,7 +1651,6 @@ Optional Features:

   --enable-yp-check	  use ypmatch utility instead of /etc/passwd parsing

   --disable-clamav	  disable test for clamav user/group

   --enable-debug	  enable debug code

-  --enable-unsigned-bytecode	  enable load of unsigned bytecode

   --enable-no-cache	  use "Cache-Control: no-cache" in freshclam

   --enable-dns-fix	  enable workaround for broken DNS servers (as in SpeedTouch 510)

   --enable-bigstack	  increase thread stack size

@@ -5182,13 +5180,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :

 else

   lt_cv_nm_interface="BSD nm"

   echo "int some_variable = 0;" > conftest.$ac_ext

-  (eval echo "\"\$as_me:5185: $ac_compile\"" >&5)

+  (eval echo "\"\$as_me:5183: $ac_compile\"" >&5)

   (eval "$ac_compile" 2>conftest.err)

   cat conftest.err >&5

-  (eval echo "\"\$as_me:5188: $NM \\\"conftest.$ac_objext\\\"\"" >&5)

+  (eval echo "\"\$as_me:5186: $NM \\\"conftest.$ac_objext\\\"\"" >&5)

   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)

   cat conftest.err >&5

-  (eval echo "\"\$as_me:5191: output\"" >&5)

+  (eval echo "\"\$as_me:5189: output\"" >&5)

   cat conftest.out >&5

   if $GREP 'External.*some_variable' conftest.out > /dev/null; then

     lt_cv_nm_interface="MS dumpbin"

@@ -6383,7 +6381,7 @@ ia64-*-hpux*)

   ;;

 *-*-irix6*)

   # Find out which ABI we are using.

-  echo '#line 6386 "configure"' > conftest.$ac_ext

+  echo '#line 6384 "configure"' > conftest.$ac_ext

   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5

   (eval $ac_compile) 2>&5

   ac_status=$?

@@ -7910,11 +7908,11 @@ else

    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \

    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \

    -e 's:$: $lt_compiler_flag:'`

-   (eval echo "\"\$as_me:7913: $lt_compile\"" >&5)

+   (eval echo "\"\$as_me:7911: $lt_compile\"" >&5)

    (eval "$lt_compile" 2>conftest.err)

    ac_status=$?

    cat conftest.err >&5

-   echo "$as_me:7917: \$? = $ac_status" >&5

+   echo "$as_me:7915: \$? = $ac_status" >&5

    if (exit $ac_status) && test -s "$ac_outfile"; then

      # The compiler can only warn and ignore the option if not recognized

      # So say no if there are warnings other than the usual output.

@@ -8249,11 +8247,11 @@ else

    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \

    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \

    -e 's:$: $lt_compiler_flag:'`

-   (eval echo "\"\$as_me:8252: $lt_compile\"" >&5)

+   (eval echo "\"\$as_me:8250: $lt_compile\"" >&5)

    (eval "$lt_compile" 2>conftest.err)

    ac_status=$?

    cat conftest.err >&5

-   echo "$as_me:8256: \$? = $ac_status" >&5

+   echo "$as_me:8254: \$? = $ac_status" >&5

    if (exit $ac_status) && test -s "$ac_outfile"; then

      # The compiler can only warn and ignore the option if not recognized

      # So say no if there are warnings other than the usual output.

@@ -8354,11 +8352,11 @@ else

    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \

    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \

    -e 's:$: $lt_compiler_flag:'`

-   (eval echo "\"\$as_me:8357: $lt_compile\"" >&5)

+   (eval echo "\"\$as_me:8355: $lt_compile\"" >&5)

    (eval "$lt_compile" 2>out/conftest.err)

    ac_status=$?

    cat out/conftest.err >&5

-   echo "$as_me:8361: \$? = $ac_status" >&5

+   echo "$as_me:8359: \$? = $ac_status" >&5

    if (exit $ac_status) && test -s out/conftest2.$ac_objext

    then

      # The compiler can only warn and ignore the option if not recognized

@@ -8409,11 +8407,11 @@ else

    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \

    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \

    -e 's:$: $lt_compiler_flag:'`

-   (eval echo "\"\$as_me:8412: $lt_compile\"" >&5)

+   (eval echo "\"\$as_me:8410: $lt_compile\"" >&5)

    (eval "$lt_compile" 2>out/conftest.err)

    ac_status=$?

    cat out/conftest.err >&5

-   echo "$as_me:8416: \$? = $ac_status" >&5

+   echo "$as_me:8414: \$? = $ac_status" >&5

    if (exit $ac_status) && test -s out/conftest2.$ac_objext

    then

      # The compiler can only warn and ignore the option if not recognized

@@ -10793,7 +10791,7 @@ else

   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2

   lt_status=$lt_dlunknown

   cat > conftest.$ac_ext <<_LT_EOF

-#line 10796 "configure"

+#line 10794 "configure"

 #include "confdefs.h"

 #if HAVE_DLFCN_H

@@ -10889,7 +10887,7 @@ else

   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2

   lt_status=$lt_dlunknown

   cat > conftest.$ac_ext <<_LT_EOF

-#line 10892 "configure"

+#line 10890 "configure"

 #include "confdefs.h"

 #if HAVE_DLFCN_H

@@ -11561,7 +11559,7 @@ else

   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2

   lt_status=$lt_dlunknown

   cat > conftest.$ac_ext <<_LT_EOF

-#line 11564 "configure"

+#line 11562 "configure"

 #include "confdefs.h"

 #if HAVE_DLFCN_H

@@ -16651,21 +16649,6 @@ $as_echo "#define NDEBUG 1" >>confdefs.h

 fi

-# Check whether --enable-unsigned-bytecode was given.

-if test "${enable_unsigned_bytecode+set}" = set; then :

-  enableval=$enable_unsigned_bytecode; enable_unsignedbytecode="$enableval"

-else

-  enable_unsignedbytecode="no"

-fi

-

-

-if test "$enable_unsignedbytecode" = "yes"; then

-  VERSION_SUFFIX="$VERSION_SUFFIX-unsigned-bc"

-

-$as_echo "#define CL_BCUNSIGNED 1" >>confdefs.h

-

-fi

-

 # Check whether --enable-no-cache was given.

 if test "${enable_no_cache+set}" = set; then :

   enableval=$enable_no_cache; enable_nocache=$enableval

@@ -856,15 +856,6 @@ else

   AC_DEFINE([NDEBUG],1,[disable assertions])

 fi

-AC_ARG_ENABLE([unsigned-bytecode],

-[  --enable-unsigned-bytecode	  enable load of unsigned bytecode],

-enable_unsignedbytecode="$enableval", enable_unsignedbytecode="no")

-

-if test "$enable_unsignedbytecode" = "yes"; then

-  VERSION_SUFFIX="$VERSION_SUFFIX-unsigned-bc"

-  AC_DEFINE([CL_BCUNSIGNED],1,[enable loading of unsigned bytecode])

-fi

-

 AC_ARG_ENABLE([no-cache],

 [  --enable-no-cache	  use "Cache-Control: no-cache" in freshclam],

 enable_nocache=$enableval, enable_nocache="no")

@@ -250,10 +250,15 @@ With this option enabled ClamAV will load bytecode from the database. It is high

 Default: yes

 .TP 

 \fBBytecodeSecurity STRING\fR

-Set bytecode security level. Possible values: \fBNone\fR: no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS, \fBTrustSigned\fR: trust bytecode loaded from signed .c[lv]d files and insert runtime safety checks for bytecode loaded from other sources, \fBParanoid\fR: don't trust any bytecode, insert runtime checks for all. The recommended setting is \fBTrustSigned\fR, because bytecode in .cvd files already has safety checks inserted into it.

+Set bytecode security level. Possible values: \fBTrustSigned\fR: trust bytecode loaded from signed .c[lv]d files and insert runtime safety checks for bytecode loaded from other sources, \fBParanoid\fR: don't trust any bytecode, insert runtime checks for all. The recommended setting is \fBTrustSigned\fR, because bytecode in .cvd files already has safety checks inserted into it.

 .br 

 Default: TrustSigned

 .TP 

+\fBBytecodeUnsigned BOOL\fR

+Allow loading bytecode from outside digitally signed .c[lv]d files.

+.br

+Default: no

+.TP 

 \fBBytecodeTimeout NUMBER\fR

 Set bytecode timeout in milliseconds.

 .br

@@ -87,8 +87,8 @@ Copy infected files into DIRECTORY. Directory must be writable for the '@CLAMAVU

 \fB\-\-bytecode[=yes(*)/no]\fR

 With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option turned on, otherwise you may miss detections for many new viruses.

 .TP 

-\fB\-\-bytecode\-trust\-all[=yes/no(*)]\fR

-This option disables safety checks and makes ClamAV trust all bytecode. It should only be used for debugging.

+\fB\-\-bytecode\-unsigned[=yes/no(*)]\fR

+Allow loading bytecode from outside digitally signed .c[lv]d files.

 .TP 

 \fB\-\-bytecode\-timeout=N\fR

 Set bytecode timeout in milliseconds (default: 60000 = 60s)

@@ -92,6 +92,7 @@ typedef enum {

 #define CL_DB_OFFICIAL_ONLY 0x1000

 #define CL_DB_BYTECODE      0x2000

 #define CL_DB_SIGNED	    0x4000  /* internal */

+#define CL_DB_BYTECODE_UNSIGNED	0x8000

 /* recommended db settings */

 #define CL_DB_STDOPT	    (CL_DB_PHISHING | CL_DB_PHISHING_URLS | CL_DB_BYTECODE)

@@ -160,7 +161,7 @@ enum cl_engine_field {

 };

 enum bytecode_security {

-    CL_BYTECODE_TRUST_ALL=0, /* insecure, debug setting */

+    CL_BYTECODE_TRUST_ALL=0, /* obsolete */

     CL_BYTECODE_TRUST_SIGNED, /* default */

     CL_BYTECODE_TRUST_NOTHING /* paranoid setting */

 };

@@ -413,12 +413,6 @@ int cl_engine_set_num(struct cl_engine *engine, enum cl_engine_field field, long

 	    engine->keeptmp = num;

 	    break;

 	case CL_ENGINE_BYTECODE_SECURITY:

-#ifndef CL_BCUNSIGNED

-	    if (num == CL_BYTECODE_TRUST_ALL) {

-		cli_errmsg("cl_engine_set_num: CL_BYTECODE_TRUST_ALL is only supported when ClamAV is built with ./configure --enable-unsigned-bytecode\n");

-		return CL_EARG;

-	    }

-#endif

 	    if (engine->dboptions & CL_DB_COMPILED) {

 		cli_errmsg("cl_engine_set_num: CL_ENGINE_BYTECODE_SECURITY cannot be set after engine was compiled\n");

 		return CL_EARG;

@@ -1430,13 +1430,12 @@ static int cli_loadcbc(FILE *fs, struct cl_engine *engine, unsigned int *signo,

 	return CL_SUCCESS;

     }

-#ifndef CL_BCUNSIGNED

-    if (!(options & CL_DB_SIGNED)) {

+    if (!(options & CL_DB_BYTECODE_UNSIGNED) && !(options & CL_DB_SIGNED)) {

 	cli_warnmsg("Only loading signed bytecode, skipping load of unsigned bytecode!\n");

-	cli_warnmsg("Build with ./configure --enable-unsigned-bytecode to enable loading of unsigned bytecode\n");

+	cli_warnmsg("Turn on BytecodeUnsigned/--bytecode-unsigned to enable loading of unsigned bytecode\n");

 	return CL_SUCCESS;

     }

-#endif

+

     bcs->all_bcs = cli_realloc2(bcs->all_bcs, sizeof(*bcs->all_bcs)*(bcs->count+1));

     if (!bcs->all_bcs) {

 	cli_errmsg("cli_loadcbc: Can't allocate memory for bytecode entry\n");

@@ -1446,10 +1445,6 @@ static int cli_loadcbc(FILE *fs, struct cl_engine *engine, unsigned int *signo,

     bc = &bcs->all_bcs[bcs->count-1];

     switch (engine->bytecode_security) {

-	case CL_BYTECODE_TRUST_ALL:

-	    security_trust = 1;

-	    cli_dbgmsg("bytecode: trusting all bytecode!\n");

-	    break;

 	case CL_BYTECODE_TRUST_SIGNED:

 	    security_trust = !!(options & CL_DB_SIGNED);

 	    break;

@@ -126,7 +126,6 @@ const struct clam_option __clam_options[] = {

     { NULL, "force-interpreter", 'f', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMBC, "Force using the interpreter instead of the JIT", "" },

     { NULL, "trust-bytecode", 't', TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMBC, "Trust loaded bytecode (default yes)", ""},

-    { NULL, "bytecode-trust-all", 't', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMSCAN, "Trust loaded bytecode (default: only if signed)", ""},

     { NULL, "info", 'i', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMBC, "Load and print bytecode information without executing", ""},

     { NULL, "printsrc", 'p', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMBC, "Print source code of bytecode", ""},

     { NULL, "input", 'r', TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMBC, "Input file to run the bytecode n", ""},

@@ -134,6 +133,7 @@ const struct clam_option __clam_options[] = {

     { NULL, "no-trace-showsource", 's', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMBC, "Don't show source line during tracing",""},

     /* cmdline only - deprecated */

+    { NULL, "bytecode-trust-all", 't', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMSCAN | OPT_DEPRECATED, "", ""},

     { NULL, "http-proxy", 0, TYPE_STRING, NULL, 0, NULL, 0, OPT_FRESHCLAM | OPT_DEPRECATED, "", "" },

     { NULL, "proxy-user", 0, TYPE_STRING, NULL, 0, NULL, 0, OPT_FRESHCLAM | OPT_DEPRECATED, "", "" },

     { NULL, "log-verbose", 0, TYPE_BOOL, NULL, 0, NULL, 0, OPT_FRESHCLAM | OPT_DEPRECATED, "", "" },

@@ -254,12 +254,19 @@ const struct clam_option __clam_options[] = {

     /* Scan options */

     { "Bytecode", "bytecode", 0, TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.", "yes" },

-    { "BytecodeSecurity", NULL, 0, TYPE_STRING, "^(None|TrustSigned|Paranoid)$", -1, "TrustSigned", 0, OPT_CLAMD, 

-	"Set bytecode security level.\nPossible values:\n\tNone - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"},

+

+    { "BytecodeSecurity", NULL, 0, TYPE_STRING, "^(TrustSigned|Paranoid)$", -1, "TrustSigned", 0, OPT_CLAMD, 

+	"Set bytecode security level.\nPossible values:\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"},

+

     { "BytecodeTimeout", "bytecode-timeout", 0, TYPE_NUMBER, MATCH_NUMBER, 5000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, 

 	"Set bytecode timeout in miliseconds.\n","5000"},

+

+    { "BytecodeUnsigned", "bytecode-unsigned", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, 

+	"Allow loading bytecode from outside digitally signed .c[lv]d files.\n","no"},

+

     { "BytecodeMode", "bytecode-mode", 0, TYPE_STRING, "^(Auto|ForceJIT|ForceInterpreter|Test)$", -1, "Auto", FLAG_REQUIRED, OPT_CLAMD | OPT_CLAMSCAN,

 	"Set bytecode execution mode.\nPossible values:\n\tAuto - automatically choose JIT if possible, fallback to interpreter\nForceJIT - always choose JIT, fail if not possible\nForceIntepreter - always choose interpreter\nTest - run with both JIT and interpreter and compare results. Make all failures fatal\n","Auto"},

+

     { "DetectPUA", "detect-pua", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect Potentially Unwanted Applications.", "yes" },

     { "ExcludePUA", "exclude-pua", 0, TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_CLAMSCAN, "Exclude a specific PUA category. This directive can be used multiple times.\nSee http://www.clamav.net/support/pua for the complete list of PUA\ncategories.", "NetTool\nPWTool" },

@@ -505,7 +505,7 @@

 /* #undef USE_SYSLOG */

 /* Version number of package */

-#define VERSION "devel-clamav-0.97-17-ge0aab5d"

+#define VERSION "devel-clamav-0.97-23-ga771899"

 /* Version suffix for package */

 #define VERSION_SUFFIX ""