Fix issue detecting VBA projects
Previously for documents containing VBA projects, the VBA was treated
as an object within the document and not as a normalized version of
the document. I apparently switched it say that the VBA is a normalized
version of the document. This kind of makes sense in that presently
Javascript extracted from HTML is treated as a normalized version of the
HTML. But it probably shouldn't.
Normalized layers are treated as the same file as the parent.
So now those older signatures that match on VBA projects using
"Container:CL_TYPE_MSOLE2" are failing to match.
So this commit switches it back. VBA project bits written out to a temp
file for scanning will be treated as being contained within the document.
CLAM-2896
Extracted XLM macros had the same issue.
Val S. authored on 2025/10/11 09:32:23Showing 2 changed files
| ... | ... |
@@ -1665,7 +1665,7 @@ static cl_error_t cli_ole2_tempdir_scan_vba_new(const char *dir, cli_ctx *ctx, s |
| 1665 | 1665 |
goto done; |
| 1666 | 1666 |
} |
| 1667 | 1667 |
|
| 1668 |
- ret = cli_scan_desc(tempfd, ctx, CL_TYPE_SCRIPT, false, NULL, AC_SCAN_VIR, NULL, "extracted-vba-project", tempfile, LAYER_ATTRIBUTES_NORMALIZED); |
|
| 1668 |
+ ret = cli_scan_desc(tempfd, ctx, CL_TYPE_SCRIPT, false, NULL, AC_SCAN_VIR, NULL, "extracted-vba-project", tempfile, LAYER_ATTRIBUTES_NONE); |
|
| 1669 | 1669 |
if (CL_SUCCESS != ret) {
|
| 1670 | 1670 |
goto done; |
| 1671 | 1671 |
} |
| ... | ... |
@@ -4950,7 +4950,7 @@ cl_error_t cli_extract_xlm_macros_and_images(const char *dir, cli_ctx *ctx, char |
| 4950 | 4950 |
} |
| 4951 | 4951 |
|
| 4952 | 4952 |
if (CL_VIRUS == cli_scan_desc(out_fd, ctx, CL_TYPE_SCRIPT, false, NULL, AC_SCAN_VIR, |
| 4953 |
- NULL, "xlm-macro", tempfile, LAYER_ATTRIBUTES_NORMALIZED)) {
|
|
| 4953 |
+ NULL, "xlm-macro", tempfile, LAYER_ATTRIBUTES_NONE)) {
|
|
| 4954 | 4954 |
status = CL_VIRUS; |
| 4955 | 4955 |
goto done; |
| 4956 | 4956 |
} |