git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@848 77e5149b-7576-45b1-b177-96237e5ba77b
Tomasz Kojm authored on 2004/09/13 10:43:57... | ... |
@@ -127,6 +127,7 @@ Ed Phillips <ed*UDel.Edu> |
127 | 127 |
Pierre <pierrezero*fastmail.fm> |
128 | 128 |
Andreas Piesk <Andreas.Piesk*heise.de> |
129 | 129 |
Ant La Porte <ant*dvere.net> |
130 |
+Christophe Poujol <Christophe.Poujol*atosorigin.com> |
|
130 | 131 |
Thomas Quinot <thomas*cuivre.fr.eu.org> |
131 | 132 |
Brian A. Reiter <breiter*wolfereiter.com> |
132 | 133 |
Hector M. Rulot Segovia <Hector.Rulot*uv.es> |
... | ... |
@@ -1,3 +1,11 @@ |
1 |
+Mon Sep 13 03:31:58 CEST 2004 (tk) |
|
2 |
+---------------------------------- |
|
3 |
+ * libclamav: CL_BLOCKMAX: allow blocking (i.e. marking as viruses) of |
|
4 |
+ archives that exceed limits (in std mode they're only ignored). |
|
5 |
+ Patch by Christophe Poujol <Christophe.Poujol*atosorigin.com>. |
|
6 |
+ * clamd: new directive ArchiveBlockMax |
|
7 |
+ * clamscan: new option --block-max |
|
8 |
+ |
|
1 | 9 |
Mon Sep 13 02:22:31 CEST 2004 (tk) |
2 | 10 |
---------------------------------- |
3 | 11 |
* clamscan: fix miscounting when trying to scan inaccessible archives |
... | ... |
@@ -296,17 +296,22 @@ int acceptloop_th(int socketd, struct cl_node *root, const struct cfgstruct *cop |
296 | 296 |
options |= CL_ARCHIVE; |
297 | 297 |
|
298 | 298 |
if(cfgopt(copt, "ScanRAR")) { |
299 |
- logg("RAR support enabled.\n"); |
|
299 |
+ logg("Archive: RAR support enabled.\n"); |
|
300 | 300 |
} else { |
301 |
- logg("RAR support disabled.\n"); |
|
301 |
+ logg("Archive: RAR support disabled.\n"); |
|
302 | 302 |
options |= CL_DISABLERAR; |
303 | 303 |
} |
304 | 304 |
|
305 | 305 |
if(cfgopt(copt, "ArchiveBlockEncrypted")) { |
306 |
- logg("Blocking encrypted archives.\n"); |
|
306 |
+ logg("Archive: Blocking encrypted archives.\n"); |
|
307 | 307 |
options |= CL_ENCRYPTED; |
308 | 308 |
} |
309 | 309 |
|
310 |
+ if(cfgopt(copt, "ArchiveBlockMax")) { |
|
311 |
+ logg("Archive: Blocking archives that exceed limits.\n"); |
|
312 |
+ options |= CL_BLOCKMAX; |
|
313 |
+ } |
|
314 |
+ |
|
310 | 315 |
} else { |
311 | 316 |
logg("Archive support disabled.\n"); |
312 | 317 |
} |
... | ... |
@@ -228,6 +228,7 @@ void help(void) |
228 | 228 |
mprintf(" --no-archive Disable libclamav archive support\n"); |
229 | 229 |
mprintf(" --detect-broken Try to detect broken executable files\n"); |
230 | 230 |
mprintf(" --block-encrypted Block encrypted archives\n"); |
231 |
+ mprintf(" --block-max Block archives that exceed limits\n"); |
|
231 | 232 |
mprintf(" --mail-follow-urls Download and scan URLs\n"); |
232 | 233 |
|
233 | 234 |
mprintf("\n"); |
... | ... |
@@ -228,6 +228,11 @@ Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR). |
228 | 228 |
.br |
229 | 229 |
Default: disabled |
230 | 230 |
.TP |
231 |
+\fBArchiveBlockMax\fR |
|
232 |
+Mark archives as viruses if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is reached. |
|
233 |
+.br |
|
234 |
+Default: disabled |
|
235 |
+.TP |
|
231 | 236 |
\fBClamukoScanOnLine\fR |
232 | 237 |
Enable Clamuko \- on\-access scanner for Linux. Dazuko must be already running. |
233 | 238 |
.br |
... | ... |
@@ -87,6 +87,9 @@ Mark broken executables as viruses (Broken.Executable). |
87 | 87 |
\fB\-\-block\-encrypted\fR |
88 | 88 |
Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR). |
89 | 89 |
.TP |
90 |
+\fB\-\-block\-max\fR |
|
91 |
+Mark archives as viruses if max\-files, max\-space, or max\-recursion is reached. |
|
92 |
+.TP |
|
90 | 93 |
\fB\-\-mail\-follow\-urls\fR |
91 | 94 |
If an email contains URLs ClamAV can download and scan them. \fBWARNING: This option may open your system to a DoS attack. Never use it on loaded servers.\fR |
92 | 95 |
.TP |
... | ... |
@@ -219,11 +219,15 @@ ArchiveMaxCompressionRatio 200 |
219 | 219 |
# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR). |
220 | 220 |
#ArchiveBlockEncrypted |
221 | 221 |
|
222 |
+# Mark archives as viruses if ArchiveMaxFiles, ArchiveMaxFileSize, or |
|
223 |
+# ArchiveMaxRecursion limit is reached. |
|
224 |
+#ArchiveBlockMax |
|
225 |
+ |
|
222 | 226 |
|
223 | 227 |
## |
224 | 228 |
## Clamuko settings |
225 | 229 |
## WARNING: This is experimental software. It is very likely it will hang |
226 |
-## up your system !!! |
|
230 |
+## up your system!!! |
|
227 | 231 |
## |
228 | 232 |
|
229 | 233 |
# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running. |
... | ... |
@@ -83,10 +83,10 @@ extern int cli_mbox(const char *dir, int desc, unsigned int options); /* FIXME * |
83 | 83 |
#define SCAN_PE (options & CL_PE) |
84 | 84 |
#define DISABLE_RAR (options & CL_DISABLERAR) |
85 | 85 |
#define DETECT_ENCRYPTED (options & CL_ENCRYPTED) |
86 |
+#define BLOCKMAX (options & CL_BLOCKMAX) |
|
86 | 87 |
|
87 | 88 |
#define MAX_MAIL_RECURSION 15 |
88 | 89 |
|
89 |
- |
|
90 | 90 |
static int cli_scanfile(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec); |
91 | 91 |
|
92 | 92 |
|
... | ... |
@@ -141,17 +141,35 @@ static int cli_scanrar(int desc, const char **virname, long int *scanned, const |
141 | 141 |
} |
142 | 142 |
|
143 | 143 |
if(limits) { |
144 |
+ |
|
145 |
+ if(limits->maxratio && rarlist->item.UnpSize && rarlist->item.PackSize) { |
|
146 |
+ if((unsigned int) rarlist->item.UnpSize / (unsigned int) rarlist->item.PackSize >= limits->maxratio) { |
|
147 |
+ cli_dbgmsg("RAR: Max ratio reached (normal: %d, compressed: %d, max: %ld)\n", (int) rarlist->item.UnpSize, (int) rarlist->item.PackSize, limits->maxratio); |
|
148 |
+ *virname = "Oversized.RAR"; |
|
149 |
+ ret = CL_VIRUS; |
|
150 |
+ break; |
|
151 |
+ } |
|
152 |
+ } |
|
153 |
+ |
|
144 | 154 |
if(limits->maxfilesize && (rarlist->item.UnpSize > (unsigned int) limits->maxfilesize)) { |
145 | 155 |
cli_dbgmsg("RAR: %s: Size exceeded (%u, max: %lu)\n", rarlist->item.Name, (unsigned int) rarlist->item.UnpSize, limits->maxfilesize); |
146 | 156 |
rarlist = rarlist->next; |
147 | 157 |
files++; |
148 |
- /* ret = CL_EMAXSIZE; */ |
|
158 |
+ if(BLOCKMAX) { |
|
159 |
+ *virname = "RAR.ExceededFileSize"; |
|
160 |
+ ret = CL_VIRUS; |
|
161 |
+ break; |
|
162 |
+ } |
|
149 | 163 |
continue; |
150 | 164 |
} |
151 | 165 |
|
152 | 166 |
if(limits->maxfiles && (files > limits->maxfiles)) { |
153 | 167 |
cli_dbgmsg("RAR: Files limit reached (max: %d)\n", limits->maxfiles); |
154 |
- /* ret = CL_EMAXFILES; */ |
|
168 |
+ if(BLOCKMAX) { |
|
169 |
+ *virname = "RAR.ExceededFilesLimit"; |
|
170 |
+ ret = CL_VIRUS; |
|
171 |
+ break; |
|
172 |
+ } |
|
155 | 173 |
break; |
156 | 174 |
} |
157 | 175 |
} |
... | ... |
@@ -318,12 +336,21 @@ static int cli_scanzip(int desc, const char **virname, long int *scanned, const |
318 | 318 |
cli_dbgmsg("Zip: %s: Size exceeded (%d, max: %ld)\n", zdirent.d_name, zdirent.st_size, limits->maxfilesize); |
319 | 319 |
files++; |
320 | 320 |
/* ret = CL_EMAXSIZE; */ |
321 |
- continue; /* this is not a bug */ |
|
321 |
+ if(BLOCKMAX) { |
|
322 |
+ *virname = "Zip.ExceededFileSize"; |
|
323 |
+ ret = CL_VIRUS; |
|
324 |
+ break; |
|
325 |
+ } |
|
326 |
+ continue; /* continue scanning */ |
|
322 | 327 |
} |
323 | 328 |
|
324 | 329 |
if(limits->maxfiles && (files > limits->maxfiles)) { |
325 | 330 |
cli_dbgmsg("Zip: Files limit reached (max: %d)\n", limits->maxfiles); |
326 |
- /* ret = CL_EMAXFILES; */ |
|
331 |
+ if(BLOCKMAX) { |
|
332 |
+ *virname = "Zip.ExceededFilesLimit"; |
|
333 |
+ ret = CL_VIRUS; |
|
334 |
+ break; |
|
335 |
+ } |
|
327 | 336 |
break; |
328 | 337 |
} |
329 | 338 |
} |
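Review bot: The compression-ratio check added to cli_scanrar (new lines 145–152) reports `Oversized.RAR` with CL_VIRUS whenever `limits->maxratio` is reached, without testing `BLOCKMAX`, whereas the file-size and file-count branches in both the RAR and Zip hunks only return CL_VIRUS when `BLOCKMAX` is set. If that difference is intended, it deserves a comment above the block such as `/* ratio limit always blocks, independent of CL_BLOCKMAX */`, because neither the ChangeLog entry nor the ArchiveBlockMax / --block-max documentation on this page mentions the ratio limit. The debug message in that block also prints the sizes with `%d` after `(int)` casts while the neighbouring size message uses `%u` with `(unsigned int)`, so a very large member would presumably be logged as a negative number; using `%u` with `(unsigned int)` casts there would keep the two messages consistent. Both cli_scanrar and cli_scanzip start and end outside these hunks, so how `ret` and `*virname` are used after the `break` cannot be checked from here.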
... | ... |
@@ -76,6 +76,7 @@ struct cfgstruct *parsecfg(const char *cfgfile, int messages) |
76 | 76 |
{"ArchiveMaxCompressionRatio", OPT_NUM}, |
77 | 77 |
{"ArchiveLimitMemoryUsage", OPT_NOARG}, |
78 | 78 |
{"ArchiveBlockEncrypted", OPT_NOARG}, |
79 |
+ {"ArchiveBlockMax", OPT_NOARG}, |
|
79 | 80 |
{"DataDirectory", OPT_STR}, /* obsolete */ |
80 | 81 |
{"DatabaseDirectory", OPT_STR}, /* clamd + freshclam */ |
81 | 82 |
{"TCPAddr", OPT_STR}, |