@@ -1,3 +1,9 @@

+Thu Jul 31 13:35:11 EEST 2008 (edwin)

+-------------------------------------

+  * clamd, clamscan, libclamav: new option HeuristicScanPrecedence (bb #649)

+  * docs/: update docs for HeuristicScanPrecedence and ScanPartialMessages

+  * unit_tests/: add test for HeuristicScanPrecedence

+

 Thu Jul 31 04:01:02 CEST 2008 (acab)

 ------------------------------------

   * libclamav/upx: add preliminar support for upx/lzma (disabled)

@@ -455,6 +455,11 @@ int acceptloop_th(int *socketds, int nsockets, struct cl_engine *engine, unsigne

 	}

     }

+    if(cfgopt(copt,"HeuristicScanPrecedence")->enabled) {

+	    options |= CL_SCAN_HEURISTIC_PRECEDENCE;

+	    logg("Heuristic: precedence enabled\n");

+    }

+

     if(cfgopt(copt, "StructuredDataDetection")->enabled) {

         options |= CL_SCAN_STRUCTURED;

@@ -322,7 +322,7 @@ void help(void)

     mprintf("    --no-mail                            Disable mail file support\n");

     mprintf("    --no-phishing-sigs                   Disable signature-based phishing detection\n");

     mprintf("    --no-phishing-scan-urls              Disable url-based phishing detection\n");

-    mprintf("    --no-phishing-restrictedscan         Enable phishing detection for all domains (might lead to false positives!)\n");

+    mprintf("    --heuristic-scan-precedence          Stop scanning as soon as a heuristic match is found\n");

     mprintf("    --phishing-ssl                       Always block SSL mismatches in URLs (phishing module)\n");

     mprintf("    --phishing-cloak                     Always block cloaked URLs (phishing module)\n");

     mprintf("    --no-algorithmic                     Disable algorithmic detection\n");

@@ -76,7 +76,7 @@ static struct option clamscan_longopt[] = {

     {"mail-follow-urls", 0, 0, 0},

     {"no-phishing-sigs", 0, 0, 0},

     {"no-phishing-scan-urls", 0, 0, 0},

-    {"no-phishing-restrictedscan", 0, 0, 0},

+    {"heuristic-scan-precedence", 0, 0, 0},

     {"phishing-ssl", 0, 0, 0},

     {"phishing-cloak", 0, 0, 0},

     {"no-algorithmic", 0, 0, 0},

@@ -361,6 +361,9 @@ int scanmanager(const struct optstruct *opt)

     if(opt_check(opt,"phishing-cloak")) {

 	options |= CL_SCAN_PHISHING_BLOCKCLOAK;

     }

+    if(opt_check(opt,"heuristic-scan-precedence")) {

+	options |= CL_SCAN_HEURISTIC_PRECEDENCE;

+    }

     if(opt_check(opt, "dev-ac-only"))

 	dboptions |= CL_DB_ACONLY;

@@ -245,6 +245,11 @@ If an email contains URLs ClamAV can download and scan them. \fBWARNING: This op

 .br 

 Default: no

 .TP

+\fBScanPartialMessages BOOL\fR

+Scan RFC1341 messages split over many emails. You will need to periodically clean up $TemporaryDirectory/clamav-partial directory. \fBWARNING: This option may open your system to a DoS attack. Never use it on loaded servers.\fR

+.br

+Default: no

+.TP

 \fBMailMaxRecursion NUMBER (OBSOLETE)\fR

 \fBWARNING:\fR This option is no longer accepted. See \fBMaxRecursion\fR.

 .TP 

@@ -268,6 +273,11 @@ Always block cloaked URLs, even if URL isn't in database. This can lead to false

 .br

 Default: no

 .TP

+\fBHeuristicScanPrecedence BOOL\fR

+Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected  virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "*.Heuristics.*" viruses  differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first,  the scan is interrupted immediately, regardless of this config option.

+.br

+Default: no

+.TP

 \fBStructuredDataDetection BOOL\fR

 Enable the DLP module.

 .br 

@@ -93,8 +93,8 @@ Disable signature-based phishing detection.

 \fB\-\-no\-phishing\-scan\-urls\fR

 Disable url-based heuristic phishing detection. This disables Phishing.Heuristics.Email.*

 .TP

-\fB\-\-no\-phishing\-restrictedscan\fR

-Enable url-based heuristic phishing detection for all domains (might lead to false positives!).

+\fB\-\-heuristic\-scan\-precedence\fR

+Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected  virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "*.Heuristics.*" viruses  differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first,  the scan is interrupted immediately, regardless of this config option.

 .TP

 \fB\-\-phishing\-ssl\fR

 Always block SSL mismatches in URLs (might lead to false positives!).

@@ -259,6 +259,21 @@ LocalSocket /tmp/clamd.socket

 # Default: no

 #PhishingAlwaysBlockCloak no

+# Allow heuristic match to take precedence.

+# When enabled, if a heuristic scan (such as phishingScan) detects

+# a possible virus/phish it will stop scan immediately. Recommended, saves CPU

+# scan-time.

+# When disabled, virus/phish detected by heuristic scans will be reported only at

+# the end of a scan. If an archive contains both a heuristically detected

+# virus/phish, and a real malware, the real malware will be reported

+#

+# Keep this disabled if you intend to handle "*.Heuristics.*" viruses 

+# differently from "real" malware.

+# If a non-heuristically-detected virus (signature-based) is found first, 

+# the scan is interrupted immediately, regardless of this config option.

+#

+# Default: no

+#HeuristicScanPrecedence yes

 ##

 ## Data Loss Prevention (DLP)

@@ -96,6 +96,7 @@ extern "C"

 #define CL_SCAN_STRUCTURED_SSN_NORMAL	0x10000

 #define CL_SCAN_STRUCTURED_SSN_STRIPPED	0x20000

 #define CL_SCAN_PARTIAL_MESSAGE         0x40000

+#define CL_SCAN_HEURISTIC_PRECEDENCE    0x80000

 /* recommended scan settings */

 #define CL_SCAN_STDOPT		(CL_SCAN_ARCHIVE | CL_SCAN_MAIL | CL_SCAN_OLE2 | CL_SCAN_HTML | CL_SCAN_PE | CL_SCAN_ALGORITHMIC | CL_SCAN_ELF)

@@ -725,13 +725,6 @@ cleanupURL(struct string *URL,struct string *pre_URL, int isReal)

 /* -------end runtime disable---------*/

-static int found_possibly_unwanted(cli_ctx* ctx)

-{

-	ctx->found_possibly_unwanted = 1;

-	cli_dbgmsg("Phishcheck: found Possibly Unwanted: %s\n",*ctx->virname);

-	return CL_CLEAN;

-}

-

 int phishingScan(message* m,const char* dir,cli_ctx* ctx,tag_arguments_t* hrefs)

 {

 	/* TODO: get_host and then apply regex, etc. */

@@ -817,31 +810,30 @@ int phishingScan(message* m,const char* dir,cli_ctx* ctx,tag_arguments_t* hrefs)

 			free_if_needed(&urls);

 			cli_dbgmsg("Phishcheck: Phishing scan result: %s\n",phishing_ret_toString(rc));

 			switch(rc)/*TODO: support flags from ctx->options,*/

-				{

-					case CL_PHISH_CLEAN:

-						continue;

-/*						break;*/

-					case CL_PHISH_HEX_URL:

-						*ctx->virname="Phishing.Heuristics.Email.HexURL";

-						return found_possibly_unwanted(ctx);

-/*						break;*/

-					case CL_PHISH_NUMERIC_IP:

-						*ctx->virname="Phishing.Heuristics.Email.Cloaked.NumericIP";

-						return found_possibly_unwanted(ctx);

-					case CL_PHISH_CLOAKED_NULL:

-						*ctx->virname="Phishing.Heuristics.Email.Cloaked.Null";/*http://www.real.com%01%00@www.evil.com*/

-						return found_possibly_unwanted(ctx);

-					case CL_PHISH_SSL_SPOOF:

-						*ctx->virname="Phishing.Heuristics.Email.SSL-Spoof";

-						return found_possibly_unwanted(ctx);

-					case CL_PHISH_CLOAKED_UIU:

-						*ctx->virname="Phishing.Heuristics.Email.Cloaked.Username";/*http://www.ebay.com@www.evil.com*/

-						return found_possibly_unwanted(ctx);

-					case CL_PHISH_NOMATCH:

-					default:

-						*ctx->virname="Phishing.Heuristics.Email.SpoofedDomain";

-						return found_possibly_unwanted(ctx);

-				}

+			{

+				case CL_PHISH_CLEAN:

+					continue;

+				case CL_PHISH_HEX_URL:

+					*ctx->virname="Phishing.Heuristics.Email.HexURL";

+					break;

+				case CL_PHISH_NUMERIC_IP:

+					*ctx->virname="Phishing.Heuristics.Email.Cloaked.NumericIP";

+					break;

+				case CL_PHISH_CLOAKED_NULL:

+					*ctx->virname="Phishing.Heuristics.Email.Cloaked.Null";/*http://www.real.com%01%00@www.evil.com*/

+					break;

+				case CL_PHISH_SSL_SPOOF:

+					*ctx->virname="Phishing.Heuristics.Email.SSL-Spoof";

+					break;

+				case CL_PHISH_CLOAKED_UIU:

+					*ctx->virname="Phishing.Heuristics.Email.Cloaked.Username";/*http://www.ebay.com@www.evil.com*/

+					break;

+				case CL_PHISH_NOMATCH:

+				default:

+					*ctx->virname="Phishing.Heuristics.Email.SpoofedDomain";

+					break;

+			}

+			return cli_found_possibly_unwanted(ctx);

 		}

 		else

 			if(strcmp((char*)hrefs->tag[i],"href"))

@@ -2112,6 +2112,27 @@ int cl_scandesc(int desc, const char **virname, unsigned long int *scanned, cons

     return rc;

 }

+int cli_found_possibly_unwanted(cli_ctx* ctx)

+{

+	if(ctx->virname) {

+		cli_dbgmsg("found Possibly Unwanted: %s\n",*ctx->virname);

+		if(ctx->options & CL_SCAN_HEURISTIC_PRECEDENCE) {

+			/* we found a heuristic match, don't scan further,

+			 * but consider it a virus. */

+			cli_dbgmsg("cli_found_possibly_unwanted: CL_VIRUS\n");

+			return CL_VIRUS;

+		}

+		/* heuristic scan isn't taking precedence, keep scanning.

+		 * If this is part of an archive, and 

+		 * we find a real malware we report that instead of the 

+		 * heuristic match */

+		ctx->found_possibly_unwanted = 1;

+	} else {

+		cli_warnmsg("cli_found_possibly_unwanted called, but virname is not set\n");

+	}

+	return CL_CLEAN;

+}

+

 static int cli_scanfile(const char *filename, cli_ctx *ctx)

 {

 	int fd, ret;

@@ -25,5 +25,6 @@

 #include "others.h"

 int cli_magic_scandesc(int desc, cli_ctx *ctx);

+int cli_found_possibly_unwanted(cli_ctx* ctx);

 #endif

@@ -53,7 +53,7 @@ struct cfgoption cfg_options[] = {

     /* these are FP prone options, if default isn't used */

     {"PhishingAlwaysBlockCloak", OPT_BOOL, 0, NULL, 0, OPT_CLAMD},

     {"PhishingAlwaysBlockSSLMismatch", OPT_BOOL, 0, NULL, 0, OPT_CLAMD},

-    {"PhishingRestrictedScan", OPT_BOOL, 1, NULL, 0, OPT_CLAMD},

+    {"HeuristicScanPrecedence", OPT_BOOL, 0, NULL, 0, OPT_CLAMD},

     /* end of FP prone options */

     {"DetectPUA", OPT_BOOL, 0, NULL, 0, OPT_CLAMD},

     {"StructuredDataDetection", OPT_BOOL, 0, NULL, 0, OPT_CLAMD},

new file mode 100644

Binary files /dev/null and b/unit_tests/.split/split.clam-phish-exeaa differ

new file mode 100644

Binary files /dev/null and b/unit_tests/.split/split.clam-phish-exeab differ

@@ -1,6 +1,13 @@

+SPLIT_DIR=$(top_srcdir)/unit_tests/.split

+FILES = clam-phish-exe

+

+check_clamd.sh: $(FILES)

+

+$(FILES) :

+	cat $(SPLIT_DIR)/split.$@aa $(SPLIT_DIR)/split.$@ab > $@

+

 programs = check_clamav

 scripts = check_clamd.sh check_freshclam.sh check_sigtool.sh check_clamscan.sh valgrind_tests.sh

-

 TESTS = $(programs) $(scripts)

 if ENABLE_UT_INSTALL 

 bin_PROGRAMS = $(programs)

@@ -19,14 +26,14 @@ check_clamscan.sh: $(top_builddir)/test/clam.exe

 $(top_builddir)/test/clam.exe:

 	(cd $(top_builddir)/test && $(MAKE))

-EXTRA_DIST=test-clamd.conf test-freshclam.conf valgrind.supp inputs/COPYING inputs/daily.pdb inputs/daily.wdb

+EXTRA_DIST=.split inputs/ test-clamd.conf test-freshclam.conf valgrind.supp

 if ENABLE_COVERAGE

 LCOV_OUTPUT = lcov.out

 LCOV_HTML = lcov_html

 LCOV_LCOV = @LCOV@

 LCOV_GCOV = @GCOV@

 LCOV_GENHTML = @GENHTML@

-CLEANFILES=lcov.out *.gcno *.gcda *.log /tmp/clamd-test.log

+CLEANFILES=lcov.out *.gcno *.gcda *.log /tmp/clamd-test.log $(FILES)

 lcov: $(LCOV_HTML)

 DIRECTORIES=--directory . --directory ../libclamav --directory ../clamd --directory ../freshclam --directory ../sigtool --directory ../clamscan --directory ../clamdscan

@@ -49,7 +56,7 @@ lcov-clean:

 	$(LCOV_LCOV) $(DIRECTORIES) --zerocounters

 else

-CLEANFILES=/tmp/clamd-test.log

+CLEANFILES=/tmp/clamd-test.log $(FILES)

 lcov:

 	@echo "Coverage information gathering is not enabled in this build"

 	@echo "Use ./configure --enable-coverage to enable it"

@@ -217,6 +217,8 @@ target_os = @target_os@

 target_vendor = @target_vendor@

 top_builddir = @top_builddir@

 top_srcdir = @top_srcdir@

+SPLIT_DIR = $(top_srcdir)/unit_tests/.split

+FILES = clam-phish-exe

 programs = check_clamav

 scripts = check_clamd.sh check_freshclam.sh check_sigtool.sh check_clamscan.sh valgrind_tests.sh

 @ENABLE_UT_INSTALL_TRUE@dist_bin_SCRIPTS = $(scripts)

@@ -224,14 +226,14 @@ scripts = check_clamd.sh check_freshclam.sh check_sigtool.sh check_clamscan.sh v

 check_clamav_SOURCES = check_clamav.c check_jsnorm.c check_str.c check_regex.c checks.h $(top_builddir)/libclamav/clamav.h check_disasm.c

 check_clamav_CFLAGS = @CHECK_CFLAGS@ -DSRCDIR=\"$(abs_srcdir)\"

 check_clamav_LDADD = $(top_builddir)/libclamav/libclamav.la @THREAD_LIBS@ @CHECK_LIBS@

-EXTRA_DIST = test-clamd.conf test-freshclam.conf valgrind.supp inputs/COPYING inputs/daily.pdb inputs/daily.wdb

+EXTRA_DIST = .split inputs/ test-clamd.conf test-freshclam.conf valgrind.supp

 @ENABLE_COVERAGE_TRUE@LCOV_OUTPUT = lcov.out

 @ENABLE_COVERAGE_TRUE@LCOV_HTML = lcov_html

 @ENABLE_COVERAGE_TRUE@LCOV_LCOV = @LCOV@

 @ENABLE_COVERAGE_TRUE@LCOV_GCOV = @GCOV@

 @ENABLE_COVERAGE_TRUE@LCOV_GENHTML = @GENHTML@

-@ENABLE_COVERAGE_FALSE@CLEANFILES = /tmp/clamd-test.log

-@ENABLE_COVERAGE_TRUE@CLEANFILES = lcov.out *.gcno *.gcda *.log /tmp/clamd-test.log

+@ENABLE_COVERAGE_FALSE@CLEANFILES = /tmp/clamd-test.log $(FILES)

+@ENABLE_COVERAGE_TRUE@CLEANFILES = lcov.out *.gcno *.gcda *.log /tmp/clamd-test.log $(FILES)

 @ENABLE_COVERAGE_TRUE@DIRECTORIES = --directory . --directory ../libclamav --directory ../clamd --directory ../freshclam --directory ../sigtool --directory ../clamscan --directory ../clamdscan

 all: all-am

@@ -692,6 +694,11 @@ uninstall-am: uninstall-binPROGRAMS uninstall-dist_binSCRIPTS

 	uninstall-dist_binSCRIPTS

+check_clamd.sh: $(FILES)

+

+$(FILES) :

+	cat $(SPLIT_DIR)/split.$@aa $(SPLIT_DIR)/split.$@ab > $@

+

 check_clamd.sh: $(top_builddir)/test/clam.exe

 check_clamscan.sh: $(top_builddir)/test/clam.exe

@@ -1,24 +1,33 @@

-#!/bin/sh

+#!/bin/sh 

 die() {

-	test /tmp/clamd-test.pid && kill `cat /tmp/clamd-test.pid` 

-	rm -rf test-db test-clamd-viraction.conf test-clamd.log

+	test -f /tmp/clamd-test.pid && kill `cat /tmp/clamd-test.pid` 

+	rm -rf test-db test-clamd-viraction.conf test-clamd.log test-clamd-heur-pred.conf

 	exit $1

 }

+run_clamd_test() {

+	conf_file=$1

+	shift

+	rm -f clamdscan.log

+	../clamd/clamd -c $conf_file || { echo "Failed to start clamd!" >&2; die 1;}

+	../clamdscan/clamdscan --version --config-file $conf_file 2>&1|grep "^ClamAV" >/dev/null || { echo "clamdscan can't get version of clamd!" >&2; die 2;}

+	../clamdscan/clamdscan --quiet --config-file $conf_file $* --log=clamdscan.log

+	if test $? = 2; then 

+		echo "Failed to run clamdscan!" >&2;

+		die 3;	

+	fi

+	test /tmp/clamd-test.pid && kill `cat /tmp/clamd-test.pid` 

+}

 mkdir -p test-db

 cat <<EOF >test-db/test.hdb

 aa15bcf478d165efd2065190eb473bcb:544:ClamAV-Test-File

 EOF

+cp $srcdir/input/daily.ftm test-db/

+cp $srcdir/input/daily.pdb test-db/

+# Test that all testfiles are detected

 FILES=../test/clam*

-../clamd/clamd -c $srcdir/test-clamd.conf || { echo "Failed to start clamd!" >&2; die 1;}

-rm -f clamdscan.log

-../clamdscan/clamdscan --version --config-file $srcdir/test-clamd.conf 2>&1|grep "^ClamAV" >/dev/null || { echo "clamdscan can't get version of clamd!" >&2; die 2;}

-../clamdscan/clamdscan --quiet --config-file $srcdir/test-clamd.conf $FILES --log=clamdscan.log

-if test $? = 2; then 

-	echo "Failed to run clamdscan!" >&2;

-	die 3;

-fi

+run_clamd_test $srcdir/test-clamd.conf $FILES

 NFILES=`ls -1 $FILES | wc -l`

 NINFECTED=`grep "Infected files" clamdscan.log | cut -f2 -d:`

 if test "$NFILES" -ne "$NINFECTED"; then

@@ -26,15 +35,31 @@ if test "$NFILES" -ne "$NINFECTED"; then

 	grep OK clamdscan.log >&2;

 	die 4;

 fi

+

+# Test VirusEvent feature

 cp $srcdir/test-clamd.conf test-clamd-viraction.conf

 echo "VirusEvent `pwd`/$srcdir/virusaction-test.sh `pwd` \"Virus found: %v\"" >>test-clamd-viraction.conf

 rm -f test-clamd.log

-test /tmp/clamd-test.pid && kill `cat /tmp/clamd-test.pid` 

-../clamd/clamd -c test-clamd-viraction.conf || { echo "Failed to start clamd!" >&2; die 1;}

-../clamdscan/clamdscan --quiet --config-file test-clamd-viraction.conf ../test/clam.exe 

+run_clamd_test test-clamd-viraction.conf ../test/clam.exe

 if ! grep "Virus found: ClamAV-Test-File.UNOFFICIAL" test-clamd.log >/dev/null 2>/dev/null; then

 	echo "Virusaction test failed!" >&2;

 	cat test-clamd.log

-	die 2;

+	die 5;

+fi

+

+# Test HeuristicScanPrecedence feature

+cp $srcdir/test-clamd.conf test-clamd-heur-pred.conf

+run_clamd_test test-clamd-heur-pred.conf clam-phish-exe

+if ! grep "ClamAV-Test-File" clamdscan.log >/dev/null 2>/dev/null; then

+	echo "HeuristicScanPrecedence off test failed!" >&2;

+	cat clamdscan.log;

+	die 6;

+fi

+echo "HeuristicScanPrecedence yes" >>test-clamd-heur-pred.conf

+run_clamd_test test-clamd-heur-pred.conf clam-phish-exe

+if ! grep "Phishing.Heuristics.Email.SpoofedDomain" clamdscan.log >/dev/null 2>/dev/null; then

+	echo "HeuristicScanPrecedence on test failed!" >&2;

+	cat clamdscan.log;

+	die 6;

 fi

 die 0;

new file mode 100644

@@ -0,0 +1,103 @@

+0:0:000001b3:MPEG video stream:CL_TYPE_ANY:CL_TYPE_IGNORED

+0:0:000001ba:MPEG sys stream:CL_TYPE_ANY:CL_TYPE_IGNORED

+0:0:1f8b:GZip:CL_TYPE_ANY:CL_TYPE_GZ

+0:0:23407e5e:SCRENC:CL_TYPE_ANY:CL_TYPE_SCRENC

+0:0:252150532d41646f62652d:PostScript:CL_TYPE_ANY:CL_TYPE_IGNORED

+0:0:255044462d:PDF document:CL_TYPE_ANY:CL_TYPE_PDF

+0:0:28546869732066696c65206d75737420626520636f6e76657274656420776974682042696e48657820342e3029:BinHex:CL_TYPE_ANY:CL_TYPE_BINHEX

+0:0:2e524d46:Real Media File:CL_TYPE_ANY:CL_TYPE_IGNORED

+0:0:3e46726f6d20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:424d:BMP:CL_TYPE_ANY:CL_TYPE_GRAPHICS

+0:0:425a68:BZip:CL_TYPE_ANY:CL_TYPE_BZ

+0:0:446174653a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:44656c6976657265642d546f3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:44656c69766572792d646174653a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:456e76656c6f70652d746f3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:466f723a20:Eserv mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:46726f6d20:MBox:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:46726f6d3a20:Exim mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:474946:GIF:CL_TYPE_ANY:CL_TYPE_GRAPHICS

+0:0:48692e20546869732069732074686520716d61696c2d73656e64:Qmail bounce:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED

+0:0:49545346:MS CHM:CL_TYPE_ANY:CL_TYPE_MSCHM

+0:0:4d534346:MS CAB:CL_TYPE_ANY:CL_TYPE_MSCAB

+0:0:4d5a:MS-EXE/DLL:CL_TYPE_ANY:CL_TYPE_MSEXE

+0:0:4d6573736167652d49443a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:4d6573736167652d49643a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:4f676753:Ogg Stream:CL_TYPE_ANY:CL_TYPE_IGNORED

+0:0:504b0304:ZIP:CL_TYPE_ANY:CL_TYPE_ZIP

+0:0:504b3030504b0304:ZIP:CL_TYPE_ANY:CL_TYPE_ZIP

+0:0:52494646:RIFF:CL_TYPE_ANY:CL_TYPE_RIFF

+0:0:52494658:RIFX:CL_TYPE_ANY:CL_TYPE_RIFF

+0:0:52617221:RAR:CL_TYPE_ANY:CL_TYPE_RAR

+0:0:52656365697665643a20:Raw mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:52657475726e2d506174683a20:Maildir:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:52657475726e2d706174683a20:Maildir:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:535a4444:compress.exed:CL_TYPE_ANY:CL_TYPE_MSSZDD

+0:0:5375626a6563743a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:546f3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:582d4170706172656e746c792d546f3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:582d455653:EVS mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:582d456e76656c6f70652d46726f6d3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:582d4f726967696e616c2d546f3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:582d5265616c2d546f3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:582d53696576653a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:582d53796d616e7465632d:Symantec:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:582d5549444c3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:60ea:ARJ:CL_TYPE_ANY:CL_TYPE_ARJ

+0:0:626567696e20:UUencoded:CL_TYPE_ANY:CL_TYPE_UUENCODED

+0:0:763a0a52656365697665643a20:VPOP3 Mail (UNIX):CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:763a0d0a52656365697665643a20:VPOP3 Mail (DOS):CL_TYPE_ANY:CL_TYPE_MAIL

+0:0:789f3e22:TNEF:CL_TYPE_ANY:CL_TYPE_TNEF

+0:0:7f454c46:ELF:CL_TYPE_ANY:CL_TYPE_ELF

+0:0:89504e47:PNG:CL_TYPE_ANY:CL_TYPE_GRAPHICS

+0:0:b6b9acaefeffffff:CryptFF:CL_TYPE_ANY:CL_TYPE_CRYPTFF

+0:0:d0cf11e0a1b11ae1:OLE2 container:CL_TYPE_ANY:CL_TYPE_MSOLE2

+0:0:ffd8ff:JPEG:CL_TYPE_ANY:CL_TYPE_GRAPHICS

+0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED

+0:6:45786966:JPEG:CL_TYPE_ANY:CL_TYPE_GRAPHICS

+0:6:4a464946:JPEG:CL_TYPE_ANY:CL_TYPE_GRAPHICS

+0:8:19040010:SIS:CL_TYPE_ANY:CL_TYPE_SIS

+1:*:0a46726f6d3a20{-1024}0a4d494d452d56657273696f6e3a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL

+1:*:0a46726f6d3a20{-2048}0a436f6e74656e742d547970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL

+1:*:0a52656365697665643a20{-2048}0a436f6e74656e742d547970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL

+1:*:0a52656365697665643a20{-2048}0a436f6e74656e742d747970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL

+1:*:3c4120*(68|48)(72|52)4546:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c4120*(68|48)(72|52)6566:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c484541443e:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c48544d4c3e:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c486561643e:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c48746d6c3e:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c494652414d45:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c494d47:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c496d67:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c4f424a454354:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c4f626a656374:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c534352495054:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c536372697074:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c5441424c45:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c6120*(68|48)(72|52)4546:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c6120*(68|48)(72|52)6566:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c686561643e:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c68746d6c3e:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c696672616d65:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c696d67:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c6f626a656374:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c736372697074:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:3c7461626c65:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+1:*:4d494d452d56657273696f6e3a20{-2048}0a436f6e74656e742d547970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL

+1:*:4d534346:CAB-SFX:CL_TYPE_ANY:CL_TYPE_CABSFX

+1:*:4d5a{60-300}50450000:PE:CL_TYPE_ANY:CL_TYPE_MSEXE

+1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX

+1:*:526172211a0700:RAR-SFX:CL_TYPE_ANY:CL_TYPE_RARSFX

+1:*:60ea{7}0002:ARJ-SFX:CL_TYPE_ANY:CL_TYPE_ARJSFX

+1:*:60ea{7}0102:ARJ-SFX:CL_TYPE_ANY:CL_TYPE_ARJSFX

+1:*:60ea{7}0202:ARJ-SFX:CL_TYPE_ANY:CL_TYPE_ARJSFX

+1:*:a3484bbe986c4aa9994c530a86d6487d41553321454130(35|36):AUTOIT:CL_TYPE_ANY:CL_TYPE_AUTOIT

+1:*:efbeadde4e756c6c736f6674496e7374:NSIS:CL_TYPE_ANY:CL_TYPE_NULSFT

+0:0:5349502d48495420285349502f48:SIP log:CL_TYPE_ANY:CL_TYPE_IGNORED

+1:0:3c2540204c414e4755414745203d:HTML data:CL_TYPE_ANY:CL_TYPE_HTML

+0:0:7b5c727466:RTF:CL_TYPE_ANY:CL_TYPE_RTF:30

+1:*:255044462d??2e:PDF:CL_TYPE_ANY:CL_TYPE_PDF:30

+1:*:257064662d??2e:PDF:CL_TYPE_ANY:CL_TYPE_PDF:30

+0:257:7573746172:TAR-POSIX:CL_TYPE_ANY:CL_TYPE_POSIX_TAR