git-svn: trunk@4037
Török Edvin authored on 2008/07/31 19:51:46... | ... |
@@ -1,3 +1,9 @@ |
1 |
+Thu Jul 31 13:35:11 EEST 2008 (edwin) |
|
2 |
+------------------------------------- |
|
3 |
+ * clamd, clamscan, libclamav: new option HeuristicScanPrecedence (bb #649) |
|
4 |
+ * docs/: update docs for HeuristicScanPrecedence and ScanPartialMessages |
|
5 |
+ * unit_tests/: add test for HeuristicScanPrecedence |
|
6 |
+ |
|
1 | 7 |
Thu Jul 31 04:01:02 CEST 2008 (acab) |
2 | 8 |
------------------------------------ |
3 | 9 |
* libclamav/upx: add preliminar support for upx/lzma (disabled) |
... | ... |
@@ -455,6 +455,11 @@ int acceptloop_th(int *socketds, int nsockets, struct cl_engine *engine, unsigne |
455 | 455 |
} |
456 | 456 |
} |
457 | 457 |
|
458 |
+ if(cfgopt(copt,"HeuristicScanPrecedence")->enabled) { |
|
459 |
+ options |= CL_SCAN_HEURISTIC_PRECEDENCE; |
|
460 |
+ logg("Heuristic: precedence enabled\n"); |
|
461 |
+ } |
|
462 |
+ |
|
458 | 463 |
if(cfgopt(copt, "StructuredDataDetection")->enabled) { |
459 | 464 |
options |= CL_SCAN_STRUCTURED; |
460 | 465 |
|
... | ... |
@@ -322,7 +322,7 @@ void help(void) |
322 | 322 |
mprintf(" --no-mail Disable mail file support\n"); |
323 | 323 |
mprintf(" --no-phishing-sigs Disable signature-based phishing detection\n"); |
324 | 324 |
mprintf(" --no-phishing-scan-urls Disable url-based phishing detection\n"); |
325 |
- mprintf(" --no-phishing-restrictedscan Enable phishing detection for all domains (might lead to false positives!)\n"); |
|
325 |
+ mprintf(" --heuristic-scan-precedence Stop scanning as soon as a heuristic match is found\n"); |
|
326 | 326 |
mprintf(" --phishing-ssl Always block SSL mismatches in URLs (phishing module)\n"); |
327 | 327 |
mprintf(" --phishing-cloak Always block cloaked URLs (phishing module)\n"); |
328 | 328 |
mprintf(" --no-algorithmic Disable algorithmic detection\n"); |
... | ... |
@@ -76,7 +76,7 @@ static struct option clamscan_longopt[] = { |
76 | 76 |
{"mail-follow-urls", 0, 0, 0}, |
77 | 77 |
{"no-phishing-sigs", 0, 0, 0}, |
78 | 78 |
{"no-phishing-scan-urls", 0, 0, 0}, |
79 |
- {"no-phishing-restrictedscan", 0, 0, 0}, |
|
79 |
+ {"heuristic-scan-precedence", 0, 0, 0}, |
|
80 | 80 |
{"phishing-ssl", 0, 0, 0}, |
81 | 81 |
{"phishing-cloak", 0, 0, 0}, |
82 | 82 |
{"no-algorithmic", 0, 0, 0}, |
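Review bot: Dropping `{"no-phishing-restrictedscan", 0, 0, 0},` from clamscan_longopt removes the option outright, so existing scripts that pass `--no-phishing-restrictedscan` will presumably be rejected by getopt_long as an unrecognized option instead of being ignored, and neither the replaced help line nor the clamscan.1 hunk in this commit mentions the removal. A cheap compatibility window is to keep the old row in the table for a release and have the option handler (in manager.c, outside this file) print a one-time "obsolete, ignored" warning through the file's existing logging helper. The two options are not equivalent — the old one widened the phishing scan, the new one stops a scan early — so they must not be silently aliased; the new help text is fine, the removal just needs to be announced.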
... | ... |
@@ -361,6 +361,9 @@ int scanmanager(const struct optstruct *opt) |
361 | 361 |
if(opt_check(opt,"phishing-cloak")) { |
362 | 362 |
options |= CL_SCAN_PHISHING_BLOCKCLOAK; |
363 | 363 |
} |
364 |
+ if(opt_check(opt,"heuristic-scan-precedence")) { |
|
365 |
+ options |= CL_SCAN_HEURISTIC_PRECEDENCE; |
|
366 |
+ } |
|
364 | 367 |
|
365 | 368 |
if(opt_check(opt, "dev-ac-only")) |
366 | 369 |
dboptions |= CL_DB_ACONLY; |
... | ... |
@@ -245,6 +245,11 @@ If an email contains URLs ClamAV can download and scan them. \fBWARNING: This op |
245 | 245 |
.br |
246 | 246 |
Default: no |
247 | 247 |
.TP |
248 |
+\fBScanPartialMessages BOOL\fR |
|
249 |
+Scan RFC1341 messages split over many emails. You will need to periodically clean up $TemporaryDirectory/clamav-partial directory. \fBWARNING: This option may open your system to a DoS attack. Never use it on loaded servers.\fR |
|
250 |
+.br |
|
251 |
+Default: no |
|
252 |
+.TP |
|
248 | 253 |
\fBMailMaxRecursion NUMBER (OBSOLETE)\fR |
249 | 254 |
\fBWARNING:\fR This option is no longer accepted. See \fBMaxRecursion\fR. |
250 | 255 |
.TP |
... | ... |
@@ -268,6 +273,11 @@ Always block cloaked URLs, even if URL isn't in database. This can lead to false |
268 | 268 |
.br |
269 | 269 |
Default: no |
270 | 270 |
.TP |
271 |
+\fBHeuristicScanPrecedence BOOL\fR |
|
272 |
+Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option. |
|
273 |
+.br |
|
274 |
+Default: no |
|
275 |
+.TP |
|
271 | 276 |
\fBStructuredDataDetection BOOL\fR |
272 | 277 |
Enable the DLP module. |
273 | 278 |
.br |
... | ... |
@@ -93,8 +93,8 @@ Disable signature-based phishing detection. |
93 | 93 |
\fB\-\-no\-phishing\-scan\-urls\fR |
94 | 94 |
Disable url-based heuristic phishing detection. This disables Phishing.Heuristics.Email.* |
95 | 95 |
.TP |
96 |
-\fB\-\-no\-phishing\-restrictedscan\fR |
|
97 |
-Enable url-based heuristic phishing detection for all domains (might lead to false positives!). |
|
96 |
+\fB\-\-heuristic\-scan\-precedence\fR |
|
97 |
+Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option. |
|
98 | 98 |
.TP |
99 | 99 |
\fB\-\-phishing\-ssl\fR |
100 | 100 |
Always block SSL mismatches in URLs (might lead to false positives!). |
... | ... |
@@ -259,6 +259,21 @@ LocalSocket /tmp/clamd.socket |
259 | 259 |
# Default: no |
260 | 260 |
#PhishingAlwaysBlockCloak no |
261 | 261 |
|
262 |
+# Allow heuristic match to take precedence. |
|
263 |
+# When enabled, if a heuristic scan (such as phishingScan) detects |
|
264 |
+# a possible virus/phish it will stop scan immediately. Recommended, saves CPU |
|
265 |
+# scan-time. |
|
266 |
+# When disabled, virus/phish detected by heuristic scans will be reported only at |
|
267 |
+# the end of a scan. If an archive contains both a heuristically detected |
|
268 |
+# virus/phish, and a real malware, the real malware will be reported |
|
269 |
+# |
|
270 |
+# Keep this disabled if you intend to handle "*.Heuristics.*" viruses |
|
271 |
+# differently from "real" malware. |
|
272 |
+# If a non-heuristically-detected virus (signature-based) is found first, |
|
273 |
+# the scan is interrupted immediately, regardless of this config option. |
|
274 |
+# |
|
275 |
+# Default: no |
|
276 |
+#HeuristicScanPrecedence yes |
|
262 | 277 |
|
263 | 278 |
## |
264 | 279 |
## Data Loss Prevention (DLP) |
... | ... |
@@ -96,6 +96,7 @@ extern "C" |
96 | 96 |
#define CL_SCAN_STRUCTURED_SSN_NORMAL 0x10000 |
97 | 97 |
#define CL_SCAN_STRUCTURED_SSN_STRIPPED 0x20000 |
98 | 98 |
#define CL_SCAN_PARTIAL_MESSAGE 0x40000 |
99 |
+#define CL_SCAN_HEURISTIC_PRECEDENCE 0x80000 |
|
99 | 100 |
|
100 | 101 |
/* recommended scan settings */ |
101 | 102 |
#define CL_SCAN_STDOPT (CL_SCAN_ARCHIVE | CL_SCAN_MAIL | CL_SCAN_OLE2 | CL_SCAN_HTML | CL_SCAN_PE | CL_SCAN_ALGORITHMIC | CL_SCAN_ELF) |
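Review bot: `CL_SCAN_HEURISTIC_PRECEDENCE` is added without a comment, and its name alone does not convey that setting it turns a heuristic match into an immediate CL_VIRUS result that aborts the rest of the scan, whereas leaving it clear defers the heuristic verdict so a later signature match is the one reported (the clamd.conf text in this commit describes exactly this, the public header should too). I would add above the define: `/* Report a heuristic match (e.g. Phishing.Heuristics.*) as soon as it is found and stop scanning; without this flag the match is only reported at the end of the scan, so a signature-based detection found later takes precedence. */`. The security caveat belongs next to it as well: integrators that treat `*.Heuristics.*` names as lower severity should keep the flag clear, because with it set a crafted heuristic trigger placed ahead of real malware in an archive decides which name gets reported. The flag is, correctly, not folded into CL_SCAN_STDOPT on the following line, matching its documented default of no.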
... | ... |
@@ -725,13 +725,6 @@ cleanupURL(struct string *URL,struct string *pre_URL, int isReal) |
725 | 725 |
|
726 | 726 |
|
727 | 727 |
/* -------end runtime disable---------*/ |
728 |
-static int found_possibly_unwanted(cli_ctx* ctx) |
|
729 |
-{ |
|
730 |
- ctx->found_possibly_unwanted = 1; |
|
731 |
- cli_dbgmsg("Phishcheck: found Possibly Unwanted: %s\n",*ctx->virname); |
|
732 |
- return CL_CLEAN; |
|
733 |
-} |
|
734 |
- |
|
735 | 728 |
int phishingScan(message* m,const char* dir,cli_ctx* ctx,tag_arguments_t* hrefs) |
736 | 729 |
{ |
737 | 730 |
/* TODO: get_host and then apply regex, etc. */ |
... | ... |
@@ -817,31 +810,30 @@ int phishingScan(message* m,const char* dir,cli_ctx* ctx,tag_arguments_t* hrefs) |
817 | 817 |
free_if_needed(&urls); |
818 | 818 |
cli_dbgmsg("Phishcheck: Phishing scan result: %s\n",phishing_ret_toString(rc)); |
819 | 819 |
switch(rc)/*TODO: support flags from ctx->options,*/ |
820 |
- { |
|
821 |
- case CL_PHISH_CLEAN: |
|
822 |
- continue; |
|
823 |
-/* break;*/ |
|
824 |
- case CL_PHISH_HEX_URL: |
|
825 |
- *ctx->virname="Phishing.Heuristics.Email.HexURL"; |
|
826 |
- return found_possibly_unwanted(ctx); |
|
827 |
-/* break;*/ |
|
828 |
- case CL_PHISH_NUMERIC_IP: |
|
829 |
- *ctx->virname="Phishing.Heuristics.Email.Cloaked.NumericIP"; |
|
830 |
- return found_possibly_unwanted(ctx); |
|
831 |
- case CL_PHISH_CLOAKED_NULL: |
|
832 |
- *ctx->virname="Phishing.Heuristics.Email.Cloaked.Null";/*http://www.real.com%01%00@www.evil.com*/ |
|
833 |
- return found_possibly_unwanted(ctx); |
|
834 |
- case CL_PHISH_SSL_SPOOF: |
|
835 |
- *ctx->virname="Phishing.Heuristics.Email.SSL-Spoof"; |
|
836 |
- return found_possibly_unwanted(ctx); |
|
837 |
- case CL_PHISH_CLOAKED_UIU: |
|
838 |
- *ctx->virname="Phishing.Heuristics.Email.Cloaked.Username";/*http://www.ebay.com@www.evil.com*/ |
|
839 |
- return found_possibly_unwanted(ctx); |
|
840 |
- case CL_PHISH_NOMATCH: |
|
841 |
- default: |
|
842 |
- *ctx->virname="Phishing.Heuristics.Email.SpoofedDomain"; |
|
843 |
- return found_possibly_unwanted(ctx); |
|
844 |
- } |
|
820 |
+ { |
|
821 |
+ case CL_PHISH_CLEAN: |
|
822 |
+ continue; |
|
823 |
+ case CL_PHISH_HEX_URL: |
|
824 |
+ *ctx->virname="Phishing.Heuristics.Email.HexURL"; |
|
825 |
+ break; |
|
826 |
+ case CL_PHISH_NUMERIC_IP: |
|
827 |
+ *ctx->virname="Phishing.Heuristics.Email.Cloaked.NumericIP"; |
|
828 |
+ break; |
|
829 |
+ case CL_PHISH_CLOAKED_NULL: |
|
830 |
+ *ctx->virname="Phishing.Heuristics.Email.Cloaked.Null";/*http://www.real.com%01%00@www.evil.com*/ |
|
831 |
+ break; |
|
832 |
+ case CL_PHISH_SSL_SPOOF: |
|
833 |
+ *ctx->virname="Phishing.Heuristics.Email.SSL-Spoof"; |
|
834 |
+ break; |
|
835 |
+ case CL_PHISH_CLOAKED_UIU: |
|
836 |
+ *ctx->virname="Phishing.Heuristics.Email.Cloaked.Username";/*http://www.ebay.com@www.evil.com*/ |
|
837 |
+ break; |
|
838 |
+ case CL_PHISH_NOMATCH: |
|
839 |
+ default: |
|
840 |
+ *ctx->virname="Phishing.Heuristics.Email.SpoofedDomain"; |
|
841 |
+ break; |
|
842 |
+ } |
|
843 |
+ return cli_found_possibly_unwanted(ctx); |
|
845 | 844 |
} |
846 | 845 |
else |
847 | 846 |
if(strcmp((char*)hrefs->tag[i],"href")) |
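Review bot: The new `return cli_found_possibly_unwanted(ctx);` after the switch calls a function that this commit defines in scanners.c, but no hunk visible here adds a prototype for it; unless scanners.h (or whichever header phishcheck.c already takes its cli_ prototypes from) is updated elsewhere, the call compiles against an implicit `int` declaration, which is a warning in C89 mode and an error under C99. Worth confirming the header change exists before merging. The context line `switch(rc)/*TODO: support flags from ctx->options,*/` now reads as stale, since the ctx->options check lives in cli_found_possibly_unwanted; I would reword it to `switch(rc) /* precedence handling is in cli_found_possibly_unwanted() */`. The `case CL_PHISH_CLEAN: continue;` arm jumps to the next iteration of the enclosing for loop, which is legal but easy to misread as a switch exit, so a `/* next href */` comment on that line would help. phishingScan's body continues outside the hunk on both sides.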
... | ... |
@@ -2112,6 +2112,27 @@ int cl_scandesc(int desc, const char **virname, unsigned long int *scanned, cons |
2112 | 2112 |
return rc; |
2113 | 2113 |
} |
2114 | 2114 |
|
2115 |
+int cli_found_possibly_unwanted(cli_ctx* ctx) |
|
2116 |
+{ |
|
2117 |
+ if(ctx->virname) { |
|
2118 |
+ cli_dbgmsg("found Possibly Unwanted: %s\n",*ctx->virname); |
|
2119 |
+ if(ctx->options & CL_SCAN_HEURISTIC_PRECEDENCE) { |
|
2120 |
+ /* we found a heuristic match, don't scan further, |
|
2121 |
+ * but consider it a virus. */ |
|
2122 |
+ cli_dbgmsg("cli_found_possibly_unwanted: CL_VIRUS\n"); |
|
2123 |
+ return CL_VIRUS; |
|
2124 |
+ } |
|
2125 |
+ /* heuristic scan isn't taking precedence, keep scanning. |
|
2126 |
+ * If this is part of an archive, and |
|
2127 |
+ * we find a real malware we report that instead of the |
|
2128 |
+ * heuristic match */ |
|
2129 |
+ ctx->found_possibly_unwanted = 1; |
|
2130 |
+ } else { |
|
2131 |
+ cli_warnmsg("cli_found_possibly_unwanted called, but virname is not set\n"); |
|
2132 |
+ } |
|
2133 |
+ return CL_CLEAN; |
|
2134 |
+} |
|
2135 |
+ |
|
2115 | 2136 |
static int cli_scanfile(const char *filename, cli_ctx *ctx) |
2116 | 2137 |
{ |
2117 | 2138 |
int fd, ret; |
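Review bot: `if(ctx->virname)` in the new cli_found_possibly_unwanted tests the output slot, not the name stored in it, so `*ctx->virname` can still be NULL when the `%s` debug message on the next line dereferences it, and the warning text "virname is not set" describes a condition the code never actually checks. The phishcheck.c caller in this commit assigns `*ctx->virname` in every switch arm before calling, so this is latent rather than live, but the stronger guard costs nothing: `if(ctx->virname && *ctx->virname) {`. The return value is also easy to misread without a header comment, e.g. `/* Record a heuristic match. Returns CL_VIRUS (scan stops) when CL_SCAN_HEURISTIC_PRECEDENCE is set; otherwise sets ctx->found_possibly_unwanted and returns CL_CLEAN so scanning continues and a later signature match is reported instead. */`. Whatever converts found_possibly_unwanted back into a CL_VIRUS result at the end of the scan is not in this hunk, so I cannot confirm that path here.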
... | ... |
@@ -53,7 +53,7 @@ struct cfgoption cfg_options[] = { |
53 | 53 |
/* these are FP prone options, if default isn't used */ |
54 | 54 |
{"PhishingAlwaysBlockCloak", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
55 | 55 |
{"PhishingAlwaysBlockSSLMismatch", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
56 |
- {"PhishingRestrictedScan", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
|
56 |
+ {"HeuristicScanPrecedence", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
|
57 | 57 |
/* end of FP prone options */ |
58 | 58 |
{"DetectPUA", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
59 | 59 |
{"StructuredDataDetection", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
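Review bot: Replacing the `{"PhishingRestrictedScan", OPT_BOOL, 1, NULL, 0, OPT_CLAMD},` row rather than retiring it means a deployed clamd.conf that still sets PhishingRestrictedScan will presumably fail to parse as an unknown option after upgrade, and the clamd.conf.5 hunk in this commit does not document the removal the way `MailMaxRecursion NUMBER (OBSOLETE)` is. The old option defaulted to 1 and the new one to 0 with an unrelated meaning, so they cannot be aliased; the safer path is to keep the old row for a release, have the parser warn and ignore it if cfgparser supports that, and add an OBSOLETE entry to the man page. If there is no ignore mechanism, the man-page entry should at least go in so operators can tell why clamd stopped starting.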
... | ... |
@@ -1,6 +1,13 @@ |
1 |
+SPLIT_DIR=$(top_srcdir)/unit_tests/.split |
|
2 |
+FILES = clam-phish-exe |
|
3 |
+ |
|
4 |
+check_clamd.sh: $(FILES) |
|
5 |
+ |
|
6 |
+$(FILES) : |
|
7 |
+ cat $(SPLIT_DIR)/split.$@aa $(SPLIT_DIR)/split.$@ab > $@ |
|
8 |
+ |
|
1 | 9 |
programs = check_clamav |
2 | 10 |
scripts = check_clamd.sh check_freshclam.sh check_sigtool.sh check_clamscan.sh valgrind_tests.sh |
3 |
- |
|
4 | 11 |
TESTS = $(programs) $(scripts) |
5 | 12 |
if ENABLE_UT_INSTALL |
6 | 13 |
bin_PROGRAMS = $(programs) |
... | ... |
@@ -19,14 +26,14 @@ check_clamscan.sh: $(top_builddir)/test/clam.exe |
19 | 19 |
$(top_builddir)/test/clam.exe: |
20 | 20 |
(cd $(top_builddir)/test && $(MAKE)) |
21 | 21 |
|
22 |
-EXTRA_DIST=test-clamd.conf test-freshclam.conf valgrind.supp inputs/COPYING inputs/daily.pdb inputs/daily.wdb |
|
22 |
+EXTRA_DIST=.split inputs/ test-clamd.conf test-freshclam.conf valgrind.supp |
|
23 | 23 |
if ENABLE_COVERAGE |
24 | 24 |
LCOV_OUTPUT = lcov.out |
25 | 25 |
LCOV_HTML = lcov_html |
26 | 26 |
LCOV_LCOV = @LCOV@ |
27 | 27 |
LCOV_GCOV = @GCOV@ |
28 | 28 |
LCOV_GENHTML = @GENHTML@ |
29 |
-CLEANFILES=lcov.out *.gcno *.gcda *.log /tmp/clamd-test.log |
|
29 |
+CLEANFILES=lcov.out *.gcno *.gcda *.log /tmp/clamd-test.log $(FILES) |
|
30 | 30 |
lcov: $(LCOV_HTML) |
31 | 31 |
|
32 | 32 |
DIRECTORIES=--directory . --directory ../libclamav --directory ../clamd --directory ../freshclam --directory ../sigtool --directory ../clamscan --directory ../clamdscan |
... | ... |
@@ -49,7 +56,7 @@ lcov-clean: |
49 | 49 |
$(LCOV_LCOV) $(DIRECTORIES) --zerocounters |
50 | 50 |
else |
51 | 51 |
|
52 |
-CLEANFILES=/tmp/clamd-test.log |
|
52 |
+CLEANFILES=/tmp/clamd-test.log $(FILES) |
|
53 | 53 |
lcov: |
54 | 54 |
@echo "Coverage information gathering is not enabled in this build" |
55 | 55 |
@echo "Use ./configure --enable-coverage to enable it" |
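Review bot: The `$(FILES) :` rule in the first hunk has no prerequisites, so `clam-phish-exe` is never regenerated when the `.split` parts change, and if `cat` is interrupted or one part is missing the redirection leaves a truncated `clam-phish-exe` that later `make check` runs treat as up to date. Since FILES holds a single name, spell the dependency out and write through a temporary: `clam-phish-exe: $(SPLIT_DIR)/split.clam-phish-exeaa $(SPLIT_DIR)/split.clam-phish-exeab` followed by `cat $(SPLIT_DIR)/split.clam-phish-exeaa $(SPLIT_DIR)/split.clam-phish-exeab > $@.tmp && mv $@.tmp $@`. I avoided `$^` deliberately, since automake-generated makefiles are expected to run under non-GNU make; `$@.tmp` should then also be listed in CLEANFILES alongside `$(FILES)`.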
... | ... |
@@ -217,6 +217,8 @@ target_os = @target_os@ |
217 | 217 |
target_vendor = @target_vendor@ |
218 | 218 |
top_builddir = @top_builddir@ |
219 | 219 |
top_srcdir = @top_srcdir@ |
220 |
+SPLIT_DIR = $(top_srcdir)/unit_tests/.split |
|
221 |
+FILES = clam-phish-exe |
|
220 | 222 |
programs = check_clamav |
221 | 223 |
scripts = check_clamd.sh check_freshclam.sh check_sigtool.sh check_clamscan.sh valgrind_tests.sh |
222 | 224 |
@ENABLE_UT_INSTALL_TRUE@dist_bin_SCRIPTS = $(scripts) |
... | ... |
@@ -224,14 +226,14 @@ scripts = check_clamd.sh check_freshclam.sh check_sigtool.sh check_clamscan.sh v |
224 | 224 |
check_clamav_SOURCES = check_clamav.c check_jsnorm.c check_str.c check_regex.c checks.h $(top_builddir)/libclamav/clamav.h check_disasm.c |
225 | 225 |
check_clamav_CFLAGS = @CHECK_CFLAGS@ -DSRCDIR=\"$(abs_srcdir)\" |
226 | 226 |
check_clamav_LDADD = $(top_builddir)/libclamav/libclamav.la @THREAD_LIBS@ @CHECK_LIBS@ |
227 |
-EXTRA_DIST = test-clamd.conf test-freshclam.conf valgrind.supp inputs/COPYING inputs/daily.pdb inputs/daily.wdb |
|
227 |
+EXTRA_DIST = .split inputs/ test-clamd.conf test-freshclam.conf valgrind.supp |
|
228 | 228 |
@ENABLE_COVERAGE_TRUE@LCOV_OUTPUT = lcov.out |
229 | 229 |
@ENABLE_COVERAGE_TRUE@LCOV_HTML = lcov_html |
230 | 230 |
@ENABLE_COVERAGE_TRUE@LCOV_LCOV = @LCOV@ |
231 | 231 |
@ENABLE_COVERAGE_TRUE@LCOV_GCOV = @GCOV@ |
232 | 232 |
@ENABLE_COVERAGE_TRUE@LCOV_GENHTML = @GENHTML@ |
233 |
-@ENABLE_COVERAGE_FALSE@CLEANFILES = /tmp/clamd-test.log |
|
234 |
-@ENABLE_COVERAGE_TRUE@CLEANFILES = lcov.out *.gcno *.gcda *.log /tmp/clamd-test.log |
|
233 |
+@ENABLE_COVERAGE_FALSE@CLEANFILES = /tmp/clamd-test.log $(FILES) |
|
234 |
+@ENABLE_COVERAGE_TRUE@CLEANFILES = lcov.out *.gcno *.gcda *.log /tmp/clamd-test.log $(FILES) |
|
235 | 235 |
@ENABLE_COVERAGE_TRUE@DIRECTORIES = --directory . --directory ../libclamav --directory ../clamd --directory ../freshclam --directory ../sigtool --directory ../clamscan --directory ../clamdscan |
236 | 236 |
all: all-am |
237 | 237 |
|
... | ... |
@@ -692,6 +694,11 @@ uninstall-am: uninstall-binPROGRAMS uninstall-dist_binSCRIPTS |
692 | 692 |
uninstall-dist_binSCRIPTS |
693 | 693 |
|
694 | 694 |
|
695 |
+check_clamd.sh: $(FILES) |
|
696 |
+ |
|
697 |
+$(FILES) : |
|
698 |
+ cat $(SPLIT_DIR)/split.$@aa $(SPLIT_DIR)/split.$@ab > $@ |
|
699 |
+ |
|
695 | 700 |
check_clamd.sh: $(top_builddir)/test/clam.exe |
696 | 701 |
check_clamscan.sh: $(top_builddir)/test/clam.exe |
697 | 702 |
|
... | ... |
@@ -1,24 +1,33 @@ |
1 |
-#!/bin/sh |
|
1 |
+#!/bin/sh |
|
2 | 2 |
die() { |
3 |
- test /tmp/clamd-test.pid && kill `cat /tmp/clamd-test.pid` |
|
4 |
- rm -rf test-db test-clamd-viraction.conf test-clamd.log |
|
3 |
+ test -f /tmp/clamd-test.pid && kill `cat /tmp/clamd-test.pid` |
|
4 |
+ rm -rf test-db test-clamd-viraction.conf test-clamd.log test-clamd-heur-pred.conf |
|
5 | 5 |
exit $1 |
6 | 6 |
} |
7 |
+run_clamd_test() { |
|
8 |
+ conf_file=$1 |
|
9 |
+ shift |
|
10 |
+ rm -f clamdscan.log |
|
11 |
+ ../clamd/clamd -c $conf_file || { echo "Failed to start clamd!" >&2; die 1;} |
|
12 |
+ ../clamdscan/clamdscan --version --config-file $conf_file 2>&1|grep "^ClamAV" >/dev/null || { echo "clamdscan can't get version of clamd!" >&2; die 2;} |
|
13 |
+ ../clamdscan/clamdscan --quiet --config-file $conf_file $* --log=clamdscan.log |
|
14 |
+ if test $? = 2; then |
|
15 |
+ echo "Failed to run clamdscan!" >&2; |
|
16 |
+ die 3; |
|
17 |
+ fi |
|
18 |
+ test /tmp/clamd-test.pid && kill `cat /tmp/clamd-test.pid` |
|
19 |
+} |
|
7 | 20 |
|
8 | 21 |
mkdir -p test-db |
9 | 22 |
cat <<EOF >test-db/test.hdb |
10 | 23 |
aa15bcf478d165efd2065190eb473bcb:544:ClamAV-Test-File |
11 | 24 |
EOF |
25 |
+cp $srcdir/input/daily.ftm test-db/ |
|
26 |
+cp $srcdir/input/daily.pdb test-db/ |
|
12 | 27 |
|
28 |
+# Test that all testfiles are detected |
|
13 | 29 |
FILES=../test/clam* |
14 |
-../clamd/clamd -c $srcdir/test-clamd.conf || { echo "Failed to start clamd!" >&2; die 1;} |
|
15 |
-rm -f clamdscan.log |
|
16 |
-../clamdscan/clamdscan --version --config-file $srcdir/test-clamd.conf 2>&1|grep "^ClamAV" >/dev/null || { echo "clamdscan can't get version of clamd!" >&2; die 2;} |
|
17 |
-../clamdscan/clamdscan --quiet --config-file $srcdir/test-clamd.conf $FILES --log=clamdscan.log |
|
18 |
-if test $? = 2; then |
|
19 |
- echo "Failed to run clamdscan!" >&2; |
|
20 |
- die 3; |
|
21 |
-fi |
|
30 |
+run_clamd_test $srcdir/test-clamd.conf $FILES |
|
22 | 31 |
NFILES=`ls -1 $FILES | wc -l` |
23 | 32 |
NINFECTED=`grep "Infected files" clamdscan.log | cut -f2 -d:` |
24 | 33 |
if test "$NFILES" -ne "$NINFECTED"; then |
... | ... |
@@ -26,15 +35,31 @@ if test "$NFILES" -ne "$NINFECTED"; then |
26 | 26 |
grep OK clamdscan.log >&2; |
27 | 27 |
die 4; |
28 | 28 |
fi |
29 |
+ |
|
30 |
+# Test VirusEvent feature |
|
29 | 31 |
cp $srcdir/test-clamd.conf test-clamd-viraction.conf |
30 | 32 |
echo "VirusEvent `pwd`/$srcdir/virusaction-test.sh `pwd` \"Virus found: %v\"" >>test-clamd-viraction.conf |
31 | 33 |
rm -f test-clamd.log |
32 |
-test /tmp/clamd-test.pid && kill `cat /tmp/clamd-test.pid` |
|
33 |
-../clamd/clamd -c test-clamd-viraction.conf || { echo "Failed to start clamd!" >&2; die 1;} |
|
34 |
-../clamdscan/clamdscan --quiet --config-file test-clamd-viraction.conf ../test/clam.exe |
|
34 |
+run_clamd_test test-clamd-viraction.conf ../test/clam.exe |
|
35 | 35 |
if ! grep "Virus found: ClamAV-Test-File.UNOFFICIAL" test-clamd.log >/dev/null 2>/dev/null; then |
36 | 36 |
echo "Virusaction test failed!" >&2; |
37 | 37 |
cat test-clamd.log |
38 |
- die 2; |
|
38 |
+ die 5; |
|
39 |
+fi |
|
40 |
+ |
|
41 |
+# Test HeuristicScanPrecedence feature |
|
42 |
+cp $srcdir/test-clamd.conf test-clamd-heur-pred.conf |
|
43 |
+run_clamd_test test-clamd-heur-pred.conf clam-phish-exe |
|
44 |
+if ! grep "ClamAV-Test-File" clamdscan.log >/dev/null 2>/dev/null; then |
|
45 |
+ echo "HeuristicScanPrecedence off test failed!" >&2; |
|
46 |
+ cat clamdscan.log; |
|
47 |
+ die 6; |
|
48 |
+fi |
|
49 |
+echo "HeuristicScanPrecedence yes" >>test-clamd-heur-pred.conf |
|
50 |
+run_clamd_test test-clamd-heur-pred.conf clam-phish-exe |
|
51 |
+if ! grep "Phishing.Heuristics.Email.SpoofedDomain" clamdscan.log >/dev/null 2>/dev/null; then |
|
52 |
+ echo "HeuristicScanPrecedence on test failed!" >&2; |
|
53 |
+ cat clamdscan.log; |
|
54 |
+ die 6; |
|
39 | 55 |
fi |
40 | 56 |
die 0; |
41 | 57 |
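Review bot: The cleanup line at the end of run_clamd_test, `test /tmp/clamd-test.pid && kill ...`, keeps the bug this same commit fixes in die(): `test` on a non-empty literal is always true, so when the pid file is absent `cat` fails and `kill` runs with no argument. Use `test -f /tmp/clamd-test.pid` as the guard here too, exactly as the die() hunk does. In the same hunk, `cp $srcdir/input/daily.ftm test-db/` and the `daily.pdb` copy below it use `input/`, while the Makefile.am hunk distributes `inputs/` and the old EXTRA_DIST listed `inputs/daily.pdb`, so these copies presumably fail and nothing checks them — `cp $srcdir/inputs/daily.ftm test-db/ || die 1` would make that visible. `$*` in the clamdscan invocation should be `"$@"` so file arguments survive word splitting, and the kill/restart between tests has no wait, so the next clamd may start before the previous one has released its socket, which can make the suite flaky. The second hunk reuses `die 6` for both HeuristicScanPrecedence checks; `die 7` for the "on" case keeps the exit codes distinguishable.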
new file mode 100644 |
... | ... |
@@ -0,0 +1,103 @@ |
0 |
+0:0:000001b3:MPEG video stream:CL_TYPE_ANY:CL_TYPE_IGNORED |
|
1 |
+0:0:000001ba:MPEG sys stream:CL_TYPE_ANY:CL_TYPE_IGNORED |
|
2 |
+0:0:1f8b:GZip:CL_TYPE_ANY:CL_TYPE_GZ |
|
3 |
+0:0:23407e5e:SCRENC:CL_TYPE_ANY:CL_TYPE_SCRENC |
|
4 |
+0:0:252150532d41646f62652d:PostScript:CL_TYPE_ANY:CL_TYPE_IGNORED |
|
5 |
+0:0:255044462d:PDF document:CL_TYPE_ANY:CL_TYPE_PDF |
|
6 |
+0:0:28546869732066696c65206d75737420626520636f6e76657274656420776974682042696e48657820342e3029:BinHex:CL_TYPE_ANY:CL_TYPE_BINHEX |
|
7 |
+0:0:2e524d46:Real Media File:CL_TYPE_ANY:CL_TYPE_IGNORED |
|
8 |
+0:0:3e46726f6d20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
9 |
+0:0:424d:BMP:CL_TYPE_ANY:CL_TYPE_GRAPHICS |
|
10 |
+0:0:425a68:BZip:CL_TYPE_ANY:CL_TYPE_BZ |
|
11 |
+0:0:446174653a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
12 |
+0:0:44656c6976657265642d546f3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
13 |
+0:0:44656c69766572792d646174653a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
14 |
+0:0:456e76656c6f70652d746f3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
15 |
+0:0:466f723a20:Eserv mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
16 |
+0:0:46726f6d20:MBox:CL_TYPE_ANY:CL_TYPE_MAIL |
|
17 |
+0:0:46726f6d3a20:Exim mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
18 |
+0:0:474946:GIF:CL_TYPE_ANY:CL_TYPE_GRAPHICS |
|
19 |
+0:0:48692e20546869732069732074686520716d61696c2d73656e64:Qmail bounce:CL_TYPE_ANY:CL_TYPE_MAIL |
|
20 |
+0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED |
|
21 |
+0:0:49545346:MS CHM:CL_TYPE_ANY:CL_TYPE_MSCHM |
|
22 |
+0:0:4d534346:MS CAB:CL_TYPE_ANY:CL_TYPE_MSCAB |
|
23 |
+0:0:4d5a:MS-EXE/DLL:CL_TYPE_ANY:CL_TYPE_MSEXE |
|
24 |
+0:0:4d6573736167652d49443a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
25 |
+0:0:4d6573736167652d49643a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
26 |
+0:0:4f676753:Ogg Stream:CL_TYPE_ANY:CL_TYPE_IGNORED |
|
27 |
+0:0:504b0304:ZIP:CL_TYPE_ANY:CL_TYPE_ZIP |
|
28 |
+0:0:504b3030504b0304:ZIP:CL_TYPE_ANY:CL_TYPE_ZIP |
|
29 |
+0:0:52494646:RIFF:CL_TYPE_ANY:CL_TYPE_RIFF |
|
30 |
+0:0:52494658:RIFX:CL_TYPE_ANY:CL_TYPE_RIFF |
|
31 |
+0:0:52617221:RAR:CL_TYPE_ANY:CL_TYPE_RAR |
|
32 |
+0:0:52656365697665643a20:Raw mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
33 |
+0:0:52657475726e2d506174683a20:Maildir:CL_TYPE_ANY:CL_TYPE_MAIL |
|
34 |
+0:0:52657475726e2d706174683a20:Maildir:CL_TYPE_ANY:CL_TYPE_MAIL |
|
35 |
+0:0:535a4444:compress.exed:CL_TYPE_ANY:CL_TYPE_MSSZDD |
|
36 |
+0:0:5375626a6563743a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
37 |
+0:0:546f3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
38 |
+0:0:582d4170706172656e746c792d546f3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
39 |
+0:0:582d455653:EVS mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
40 |
+0:0:582d456e76656c6f70652d46726f6d3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
41 |
+0:0:582d4f726967696e616c2d546f3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
42 |
+0:0:582d5265616c2d546f3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
43 |
+0:0:582d53696576653a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
44 |
+0:0:582d53796d616e7465632d:Symantec:CL_TYPE_ANY:CL_TYPE_MAIL |
|
45 |
+0:0:582d5549444c3a20:Mail:CL_TYPE_ANY:CL_TYPE_MAIL |
|
46 |
+0:0:60ea:ARJ:CL_TYPE_ANY:CL_TYPE_ARJ |
|
47 |
+0:0:626567696e20:UUencoded:CL_TYPE_ANY:CL_TYPE_UUENCODED |
|
48 |
+0:0:763a0a52656365697665643a20:VPOP3 Mail (UNIX):CL_TYPE_ANY:CL_TYPE_MAIL |
|
49 |
+0:0:763a0d0a52656365697665643a20:VPOP3 Mail (DOS):CL_TYPE_ANY:CL_TYPE_MAIL |
|
50 |
+0:0:789f3e22:TNEF:CL_TYPE_ANY:CL_TYPE_TNEF |
|
51 |
+0:0:7f454c46:ELF:CL_TYPE_ANY:CL_TYPE_ELF |
|
52 |
+0:0:89504e47:PNG:CL_TYPE_ANY:CL_TYPE_GRAPHICS |
|
53 |
+0:0:b6b9acaefeffffff:CryptFF:CL_TYPE_ANY:CL_TYPE_CRYPTFF |
|
54 |
+0:0:d0cf11e0a1b11ae1:OLE2 container:CL_TYPE_ANY:CL_TYPE_MSOLE2 |
|
55 |
+0:0:ffd8ff:JPEG:CL_TYPE_ANY:CL_TYPE_GRAPHICS |
|
56 |
+0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED |
|
57 |
+0:6:45786966:JPEG:CL_TYPE_ANY:CL_TYPE_GRAPHICS |
|
58 |
+0:6:4a464946:JPEG:CL_TYPE_ANY:CL_TYPE_GRAPHICS |
|
59 |
+0:8:19040010:SIS:CL_TYPE_ANY:CL_TYPE_SIS |
|
60 |
+1:*:0a46726f6d3a20{-1024}0a4d494d452d56657273696f6e3a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL |
|
61 |
+1:*:0a46726f6d3a20{-2048}0a436f6e74656e742d547970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL |
|
62 |
+1:*:0a52656365697665643a20{-2048}0a436f6e74656e742d547970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL |
|
63 |
+1:*:0a52656365697665643a20{-2048}0a436f6e74656e742d747970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL |
|
64 |
+1:*:3c4120*(68|48)(72|52)4546:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
65 |
+1:*:3c4120*(68|48)(72|52)6566:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
66 |
+1:*:3c484541443e:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
67 |
+1:*:3c48544d4c3e:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
68 |
+1:*:3c486561643e:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
69 |
+1:*:3c48746d6c3e:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
70 |
+1:*:3c494652414d45:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
71 |
+1:*:3c494d47:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
72 |
+1:*:3c496d67:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
73 |
+1:*:3c4f424a454354:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
74 |
+1:*:3c4f626a656374:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
75 |
+1:*:3c534352495054:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
76 |
+1:*:3c536372697074:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
77 |
+1:*:3c5441424c45:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
78 |
+1:*:3c6120*(68|48)(72|52)4546:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
79 |
+1:*:3c6120*(68|48)(72|52)6566:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
80 |
+1:*:3c686561643e:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
81 |
+1:*:3c68746d6c3e:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
82 |
+1:*:3c696672616d65:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
83 |
+1:*:3c696d67:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
84 |
+1:*:3c6f626a656374:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
85 |
+1:*:3c736372697074:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
86 |
+1:*:3c7461626c65:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
87 |
+1:*:4d494d452d56657273696f6e3a20{-2048}0a436f6e74656e742d547970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL |
|
88 |
+1:*:4d534346:CAB-SFX:CL_TYPE_ANY:CL_TYPE_CABSFX |
|
89 |
+1:*:4d5a{60-300}50450000:PE:CL_TYPE_ANY:CL_TYPE_MSEXE |
|
90 |
+1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX |
|
91 |
+1:*:526172211a0700:RAR-SFX:CL_TYPE_ANY:CL_TYPE_RARSFX |
|
92 |
+1:*:60ea{7}0002:ARJ-SFX:CL_TYPE_ANY:CL_TYPE_ARJSFX |
|
93 |
+1:*:60ea{7}0102:ARJ-SFX:CL_TYPE_ANY:CL_TYPE_ARJSFX |
|
94 |
+1:*:60ea{7}0202:ARJ-SFX:CL_TYPE_ANY:CL_TYPE_ARJSFX |
|
95 |
+1:*:a3484bbe986c4aa9994c530a86d6487d41553321454130(35|36):AUTOIT:CL_TYPE_ANY:CL_TYPE_AUTOIT |
|
96 |
+1:*:efbeadde4e756c6c736f6674496e7374:NSIS:CL_TYPE_ANY:CL_TYPE_NULSFT |
|
97 |
+0:0:5349502d48495420285349502f48:SIP log:CL_TYPE_ANY:CL_TYPE_IGNORED |
|
98 |
+1:0:3c2540204c414e4755414745203d:HTML data:CL_TYPE_ANY:CL_TYPE_HTML |
|
99 |
+0:0:7b5c727466:RTF:CL_TYPE_ANY:CL_TYPE_RTF:30 |
|
100 |
+1:*:255044462d??2e:PDF:CL_TYPE_ANY:CL_TYPE_PDF:30 |
|
101 |
+1:*:257064662d??2e:PDF:CL_TYPE_ANY:CL_TYPE_PDF:30 |
|
102 |
+0:257:7573746172:TAR-POSIX:CL_TYPE_ANY:CL_TYPE_POSIX_TAR |