Browse code
Modified mbox.c only mark files as infected with heuristic alerts if heuristic alerts are enabled.
Andy Ragusa authored on 2019/11/20 08:55:47Showing 1 changed files
| ... | ... |
@@ -235,11 +235,11 @@ static blob *getHrefs(message *m, tag_arguments_t *hrefs); |
| 235 | 235 |
static void hrefs_done(blob *b, tag_arguments_t *hrefs); |
| 236 | 236 |
static void checkURLs(message *m, mbox_ctx *mctx, mbox_status *rc, int is_html); |
| 237 | 237 |
|
| 238 |
-static bool haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx); |
|
| 239 |
-static bool hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx); |
|
| 240 |
-static bool haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx); |
|
| 241 |
-static bool haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx); |
|
| 242 |
-static bool haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx); |
|
| 238 |
+static bool haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx, mbox_status * rc); |
|
| 239 |
+static bool hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx, bool * heuristicFound); |
|
| 240 |
+static bool haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx, bool * heuristicFound); |
|
| 241 |
+static bool haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx, bool * heuristicFound); |
|
| 242 |
+static bool haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx, bool * heuristicFound); |
|
| 243 | 243 |
|
| 244 | 244 |
/* Maximum line length according to RFC2821 */ |
| 245 | 245 |
#define RFC2821LENGTH 1000 |
| ... | ... |
@@ -772,7 +772,7 @@ doContinueMultipleEmptyOptions(const char *const line, bool *lastWasOnlySemi) |
| 772 | 772 |
} |
| 773 | 773 |
|
| 774 | 774 |
static bool |
| 775 |
-hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx) |
|
| 775 |
+hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx, bool * heuristicFound) |
|
| 776 | 776 |
{
|
| 777 | 777 |
|
| 778 | 778 |
if (line) {
|
| ... | ... |
@@ -785,6 +785,7 @@ hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx) |
| 785 | 785 |
if ((*lineFoldCnt) >= HEURISTIC_EMAIL_MAX_LINE_FOLDS_PER_HEADER) {
|
| 786 | 786 |
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
|
| 787 | 787 |
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxLineFoldCnt"); |
| 788 |
+ *heuristicFound = TRUE; |
|
| 788 | 789 |
} |
| 789 | 790 |
|
| 790 | 791 |
return TRUE; |
| ... | ... |
@@ -794,12 +795,13 @@ hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx) |
| 794 | 794 |
} |
| 795 | 795 |
|
| 796 | 796 |
static bool |
| 797 |
-haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx) |
|
| 797 |
+haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx, bool * heuristicFound) |
|
| 798 | 798 |
{
|
| 799 | 799 |
|
| 800 | 800 |
if (totalLen > HEURISTIC_EMAIL_MAX_HEADER_BYTES) {
|
| 801 | 801 |
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
|
| 802 | 802 |
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxHeaderBytes"); |
| 803 |
+ *heuristicFound = TRUE; |
|
| 803 | 804 |
} |
| 804 | 805 |
|
| 805 | 806 |
return TRUE; |
| ... | ... |
@@ -808,12 +810,13 @@ haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx) |
| 808 | 808 |
} |
| 809 | 809 |
|
| 810 | 810 |
static bool |
| 811 |
-haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx) |
|
| 811 |
+haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx, bool * heuristicFound) |
|
| 812 | 812 |
{
|
| 813 | 813 |
|
| 814 | 814 |
if (totalHeaderCnt > HEURISTIC_EMAIL_MAX_HEADERS) {
|
| 815 | 815 |
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
|
| 816 | 816 |
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxEmailHeaders"); |
| 817 |
+ *heuristicFound = TRUE; |
|
| 817 | 818 |
} |
| 818 | 819 |
|
| 819 | 820 |
return TRUE; |
| ... | ... |
@@ -822,12 +825,13 @@ haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx) |
| 822 | 822 |
} |
| 823 | 823 |
|
| 824 | 824 |
static bool |
| 825 |
-haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx) |
|
| 825 |
+haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx, mbox_status * rc) |
|
| 826 | 826 |
{
|
| 827 | 827 |
|
| 828 | 828 |
if (mimePartCnt >= HEURISTIC_EMAIL_MAX_MIME_PARTS_PER_MESSAGE) {
|
| 829 | 829 |
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
|
| 830 | 830 |
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEPartsPerMessage"); |
| 831 |
+ *rc = VIRUS; |
|
| 831 | 832 |
} |
| 832 | 833 |
|
| 833 | 834 |
return TRUE; |
| ... | ... |
@@ -836,12 +840,13 @@ haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx) |
| 836 | 836 |
} |
| 837 | 837 |
|
| 838 | 838 |
static bool |
| 839 |
-haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx) |
|
| 839 |
+haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx, bool * heuristicFound) |
|
| 840 | 840 |
{
|
| 841 | 841 |
|
| 842 | 842 |
if (argCnt >= HEURISTIC_EMAIL_MAX_ARGUMENTS_PER_HEADER) {
|
| 843 | 843 |
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
|
| 844 | 844 |
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEArguments"); |
| 845 |
+ *heuristicFound = TRUE; |
|
| 845 | 846 |
} |
| 846 | 847 |
|
| 847 | 848 |
return TRUE; |
| ... | ... |
@@ -902,8 +907,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first |
| 902 | 902 |
continue; |
| 903 | 903 |
} |
| 904 | 904 |
|
| 905 |
- if (hitLineFoldCnt(line, &lineFoldCnt, ctx)) {
|
|
| 906 |
- *heuristicFound = TRUE; |
|
| 905 |
+ if (hitLineFoldCnt(line, &lineFoldCnt, ctx, heuristicFound)) {
|
|
| 907 | 906 |
break; |
| 908 | 907 |
} |
| 909 | 908 |
|
| ... | ... |
@@ -950,8 +954,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first |
| 950 | 950 |
DO_VERIFY_POINTER(header); |
| 951 | 951 |
|
| 952 | 952 |
totalHeaderCnt++; |
| 953 |
- if (haveTooManyEmailHeaders(totalHeaderCnt, ctx)) {
|
|
| 954 |
- *heuristicFound = TRUE; |
|
| 953 |
+ if (haveTooManyEmailHeaders(totalHeaderCnt, ctx, heuristicFound)) {
|
|
| 955 | 954 |
break; |
| 956 | 955 |
} |
| 957 | 956 |
needContinue = (parseEmailHeader(ret, header, rfc821, ctx, heuristicFound) < 0); |
| ... | ... |
@@ -1040,8 +1043,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first |
| 1040 | 1040 |
|
| 1041 | 1041 |
if (lineAdded) {
|
| 1042 | 1042 |
totalHeaderBytes += strlen(line); |
| 1043 |
- if (haveTooManyHeaderBytes(totalHeaderBytes, ctx)) {
|
|
| 1044 |
- *heuristicFound = TRUE; |
|
| 1043 |
+ if (haveTooManyHeaderBytes(totalHeaderBytes, ctx, heuristicFound)) {
|
|
| 1045 | 1044 |
break; |
| 1046 | 1045 |
} |
| 1047 | 1046 |
} |
| ... | ... |
@@ -1072,8 +1074,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first |
| 1072 | 1072 |
|
| 1073 | 1073 |
if (0 == needContinue) {
|
| 1074 | 1074 |
totalHeaderCnt++; |
| 1075 |
- if (haveTooManyEmailHeaders(totalHeaderCnt, ctx)) {
|
|
| 1076 |
- *heuristicFound = TRUE; |
|
| 1075 |
+ if (haveTooManyEmailHeaders(totalHeaderCnt, ctx, heuristicFound)) {
|
|
| 1077 | 1076 |
break; |
| 1078 | 1077 |
} |
| 1079 | 1078 |
needContinue = (parseEmailHeader(ret, header, rfc821, ctx, heuristicFound) < 0); |
| ... | ... |
@@ -1208,8 +1209,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound) |
| 1208 | 1208 |
continue; |
| 1209 | 1209 |
} |
| 1210 | 1210 |
|
| 1211 |
- if (hitLineFoldCnt(line, &lineFoldCnt, m->ctx)) {
|
|
| 1212 |
- *heuristicFound = TRUE; |
|
| 1211 |
+ if (hitLineFoldCnt(line, &lineFoldCnt, m->ctx, heuristicFound)) {
|
|
| 1213 | 1212 |
break; |
| 1214 | 1213 |
} |
| 1215 | 1214 |
|
| ... | ... |
@@ -1286,8 +1286,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound) |
| 1286 | 1286 |
} |
| 1287 | 1287 |
|
| 1288 | 1288 |
if (lineAdded) {
|
| 1289 |
- if (haveTooManyHeaderBytes(fulllinelength, m->ctx)) {
|
|
| 1290 |
- *heuristicFound = TRUE; |
|
| 1289 |
+ if (haveTooManyHeaderBytes(fulllinelength, m->ctx, heuristicFound)) {
|
|
| 1291 | 1290 |
break; |
| 1292 | 1291 |
} |
| 1293 | 1292 |
} |
| ... | ... |
@@ -1309,8 +1308,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound) |
| 1309 | 1309 |
} |
| 1310 | 1310 |
|
| 1311 | 1311 |
totalHeaderCnt++; |
| 1312 |
- if (haveTooManyEmailHeaders(totalHeaderCnt, m->ctx)) {
|
|
| 1313 |
- *heuristicFound = TRUE; |
|
| 1312 |
+ if (haveTooManyEmailHeaders(totalHeaderCnt, m->ctx, heuristicFound)) {
|
|
| 1314 | 1313 |
break; |
| 1315 | 1314 |
} |
| 1316 | 1315 |
if (parseEmailHeader(ret, fullline, rfc821, m->ctx, heuristicFound) < 0) {
|
| ... | ... |
@@ -2212,9 +2210,8 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re |
| 2212 | 2212 |
|
| 2213 | 2213 |
free((char *)boundary); |
| 2214 | 2214 |
|
| 2215 |
- if (haveTooManyMIMEPartsPerMessage(multiparts, mctx->ctx)) {
|
|
| 2215 |
+ if (haveTooManyMIMEPartsPerMessage(multiparts, mctx->ctx, &rc)) {
|
|
| 2216 | 2216 |
DO_FREE(messages); |
| 2217 |
- rc = VIRUS; |
|
| 2218 | 2217 |
break; |
| 2219 | 2218 |
} |
| 2220 | 2219 |
|
| ... | ... |
@@ -3293,8 +3290,7 @@ parseMimeHeader(message *m, const char *cmd, const table_t *rfc821Table, const c |
| 3293 | 3293 |
cli_dbgmsg("mimeArgs = '%s'\n", buf);
|
| 3294 | 3294 |
|
| 3295 | 3295 |
argCnt++; |
| 3296 |
- if (haveTooManyMIMEArguments(argCnt, ctx)) {
|
|
| 3297 |
- *heuristicFound = TRUE; |
|
| 3296 |
+ if (haveTooManyMIMEArguments(argCnt, ctx, heuristicFound )) {
|
|
| 3298 | 3297 |
break; |
| 3299 | 3298 |
} |
| 3300 | 3299 |
messageAddArguments(m, buf); |