git-svn: trunk@4850
Tomasz Kojm authored on 2009/02/24 03:58:57... | ... |
@@ -71,7 +71,7 @@ |
71 | 71 |
\vspace{3cm} |
72 | 72 |
\begin{flushright} |
73 | 73 |
\rule[-1ex]{8cm}{3pt}\\ |
74 |
- \huge Clam AntiVirus 0.94.2\\ |
|
74 |
+ \huge Clam AntiVirus 0.95rc1\\ |
|
75 | 75 |
\huge \emph{User Manual}\\ |
76 | 76 |
\end{flushright} |
77 | 77 |
|
... | ... |
@@ -83,8 +83,8 @@ |
83 | 83 |
\noindent |
84 | 84 |
\begin{boxedminipage}[b]{\textwidth} |
85 | 85 |
ClamAV User Manual, |
86 |
- \copyright \ 2007 - 2008 Sourcefire, Inc. |
|
87 |
- \copyright \ 2002 - 2007 Tomasz Kojm\\ |
|
86 |
+ \copyright \ 2007 - 2009 Sourcefire, Inc. |
|
87 |
+ Authors: Tomasz Kojm\\ |
|
88 | 88 |
This document is distributed under the terms of the GNU General |
89 | 89 |
Public License v2.\\ |
90 | 90 |
|
... | ... |
@@ -127,7 +127,7 @@ |
127 | 127 |
\item{POSIX compliant, portable} |
128 | 128 |
\item{Fast scanning} |
129 | 129 |
\item{Supports on-access scanning (Linux and FreeBSD only)} |
130 |
- \item{Detects over 450.000 viruses, worms and trojans, including |
|
130 |
+ \item{Detects over 500.000 viruses, worms and trojans, including |
|
131 | 131 |
Microsoft Office macro viruses, mobile malware, and other threats} |
132 | 132 |
\item{Scans within archives and compressed files (also protects |
133 | 133 |
against archive bombs), built-in support includes: |
... | ... |
@@ -237,16 +237,6 @@ |
237 | 237 |
The following packages are optional but \textbf{highly recommended}: |
238 | 238 |
\begin{itemize} |
239 | 239 |
\item bzip2 and bzip2-devel library |
240 |
- \item GNU MP 3\\ |
|
241 |
- It's very important to install the GMP package because it allows |
|
242 |
- \verb+freshclam+ to verify the digital signatures of the virus |
|
243 |
- databases and scripted updates. If freshclam was compiled without GMP |
|
244 |
- support it will display "SECURITY WARNING: NO SUPPORT FOR DIGITAL |
|
245 |
- SIGNATURES" on every update. You can download GNU MP at |
|
246 |
- \url{http://www.swox.com/gmp/}\\ |
|
247 |
- A note for Solaris/SPARC users: you must set the \emph{ABI} system |
|
248 |
- variable to 32 (e.g. \verb+setenv ABI 32+) before running the |
|
249 |
- configuration script of GMP. |
|
250 | 240 |
\item \verb+check+ unit testing framework \footnote{See section \ref{unit-testing} on how to run the unit tests}. |
251 | 241 |
\end{itemize} |
252 | 242 |
|
... | ... |
@@ -323,7 +313,7 @@ |
323 | 323 |
When \verb+make check+ is finished, you should get a message similar to this: |
324 | 324 |
\begin{verbatim} |
325 | 325 |
================== |
326 |
-All 5 tests passed |
|
326 |
+All 8 tests passed |
|
327 | 327 |
================== |
328 | 328 |
\end{verbatim} |
329 | 329 |
|
... | ... |
@@ -331,7 +321,7 @@ All 5 tests passed |
331 | 331 |
See the next section on how to report a bug when a unit test fails. |
332 | 332 |
\begin{verbatim} |
333 | 333 |
======================================== |
334 |
-1 of 5 tests failed |
|
334 |
+1 of 8 tests failed |
|
335 | 335 |
Please report to http://bugs.clamav.net/ |
336 | 336 |
======================================== |
337 | 337 |
\end{verbatim} |
... | ... |
@@ -423,27 +413,13 @@ $ CK_FORK=no ./libtool --mode=execute valgrind unit_tests/check-clamav |
423 | 423 |
section. |
424 | 424 |
|
425 | 425 |
\subsection{clamav-milter} |
426 |
- Nigel Horne's \verb+clamav-milter+ is a very efficient email scanner |
|
427 |
- designed for Sendmail. It's written entirely in C and only depends on |
|
428 |
- \verb+libclamav+ or \verb+clamd+. You can find detailed installation |
|
429 |
- instructions in the \verb+INSTALL+ file that comes with the clamav-milter |
|
430 |
- sources. Basically, to connect it with Sendmail add the following lines to |
|
431 |
- \verb+/etc/mail/sendmail.mc+: |
|
432 |
- \begin{verbatim} |
|
433 |
-INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock, |
|
434 |
-F=, T=S:4m;R:4m')dnl |
|
435 |
-define(`confINPUT_MAIL_FILTERS', `clmilter') |
|
436 |
- \end{verbatim} |
|
437 |
- If you're running it in \verb+--external+ mode, check entry in |
|
438 |
- \verb+clamd.conf+ of the form: |
|
439 |
- \begin{verbatim} |
|
440 |
- LocalSocket /var/run/clamav/clamd.sock |
|
441 |
- \end{verbatim} |
|
442 |
- Start clamav-milter |
|
443 |
- \begin{verbatim} |
|
444 |
- /usr/local/sbin/clamav-milter -lo /var/run/clamav/clmilter.sock |
|
445 |
- \end{verbatim} |
|
446 |
- and restart sendmail. |
|
426 |
+ ClamAV 0.95 includes a new, redesigned clamav-milter. The most notable |
|
427 |
+ difference is that the internal mode has been dropped and now a working |
|
428 |
+ clamd companion is required. The second important difference is that now |
|
429 |
+ the milter has got its own configuration and log files. To compile ClamAV |
|
430 |
+ with the clamav-milter just run \verb+./configure+ \verb+--enable-milter+ |
|
431 |
+ and make as usual. Please consult your MTA's manual on how to connect it |
|
432 |
+ with the milter. |
|
447 | 433 |
|
448 | 434 |
\subsection{Testing} |
449 | 435 |
Try to scan recursively the source directory: |
... | ... |
@@ -525,6 +501,29 @@ N * * * * /usr/local/bin/freshclam --quiet |
525 | 525 |
mirror fails for some reason. The full list of two-letters country codes |
526 | 526 |
is available at \url{http://www.iana.org/cctld/cctld-whois.htm} |
527 | 527 |
|
528 |
+ \subsection{ClamAV Active Malware Report} |
|
529 |
+ |
|
530 |
+ The ClamAV Active Malware Report that was introduced in ClamAV 0.94.1 uses |
|
531 |
+ freshclam to send summary data to our server about the malware that has |
|
532 |
+ been detected. This data is then used to generate real-time reports on |
|
533 |
+ active malware. These reports, along with geographical and historic trends, |
|
534 |
+ will be published on \url{http://www.clamav.net/}. |
|
535 |
+ |
|
536 |
+ The more data that we receive from ClamAV users, the more reports, and the |
|
537 |
+ better the quality of the reports, will be. To enable the submission of |
|
538 |
+ data to us for use in the Active Malware Report, enable |
|
539 |
+ SubmitDetectionStats in freshclam.conf, and LogTime and LogFile in |
|
540 |
+ clamd.conf. You should only enable this feature if you're running clamd |
|
541 |
+ to scan incoming data in your environment. |
|
542 |
+ |
|
543 |
+ The only private data that is transferred is an IP address, which is used |
|
544 |
+ to create the geographical data. The size of the data that is sent is small; |
|
545 |
+ it contains just the filename, malware name and time of detection. The data |
|
546 |
+ is sent in sets of 10 records, up to 50 records per session. For example, |
|
547 |
+ if you have 45 new records, then freshclam will submit 40; if 78 then it |
|
548 |
+ will submit the latest 50 entries; and if you have 9 records no statistics |
|
549 |
+ will be sent. |
|
550 |
+ |
|
528 | 551 |
\section{Usage} |
529 | 552 |
|
530 | 553 |
\subsection{Clam daemon}\label{clamd} |
... | ... |
@@ -557,20 +556,73 @@ N * * * * /usr/local/bin/freshclam --quiet |
557 | 557 |
\item \textbf{MULTISCAN file/directory}\\ |
558 | 558 |
Scan file in a standard way or scan directory (recursively) using |
559 | 559 |
multiple threads (to make the scanning faster on SMP machines). |
560 |
- \item \textbf{STREAM}\\ |
|
561 |
- Scan stream: \verb+clamd+ will return a new port number you should |
|
560 |
+ \item \textbf{INSTREAM}\\ |
|
561 |
+ \emph{It is mandatory to prefix this command with \textbf{n} or |
|
562 |
+ \textbf{z}.}\\ |
|
563 |
+ Scan a stream of data. The stream is sent to clamd in chunks, |
|
564 |
+ after INSTREAM, on the same socket on which the command |
|
565 |
+ was sent. This avoids the overhead of establishing new TCP |
|
566 |
+ connections and problems with NAT. The format of the chunk is: |
|
567 |
+ \verb+<length><data>+ where \verb+<length>+ is the size of the |
|
568 |
+ following data in bytes expressed as a 4 byte unsigned integer in |
|
569 |
+ network byte order and \verb+<data>+ is the actual chunk. Streaming |
|
570 |
+ is terminated by sending a zero-length chunk. Note: do not exceed |
|
571 |
+ StreamMaxLength as defined in clamd.conf, otherwise clamd will |
|
572 |
+ reply with \emph{INSTREAM size limit exceeded} and close the |
|
573 |
+ connection. |
|
574 |
+ \item \textbf{FILDES}\\ |
|
575 |
+ \emph{It is mandatory to newline terminate this command, or prefix |
|
576 |
+ with \textbf{n} or \textbf{z}. This command only works on UNIX |
|
577 |
+ domain sockets.}\\ |
|
578 |
+ Scan a file descriptor. After issuing a FILDES command a subsequent |
|
579 |
+ rfc2292/bsd4.4 style packet (with at least one dummy character) is |
|
580 |
+ sent to clamd carrying the file descriptor to be scanned inside the |
|
581 |
+ ancillary data. Alternatively the file descriptor may be sent in |
|
582 |
+ the same packet, including the extra character. |
|
583 |
+ \item \textbf{STATS}\\ |
|
584 |
+ \emph{It is mandatory to newline terminate this command, or prefix |
|
585 |
+ with \textbf{n} or \textbf{z}, it is recommended to only use the |
|
586 |
+ \textbf{z} prefix.}\\ |
|
587 |
+ On this command clamd provides statistics about the scan queue, |
|
588 |
+ contents of scan queue, and memory usage. The exact reply format is |
|
589 |
+ subject to changes in future releases. |
|
590 |
+ \item \textbf{IDSESSION, END}\\ |
|
591 |
+ \emph{It is mandatory to prefix this command with \textbf{n} or |
|
592 |
+ \textbf{z}, also all commands inside \textbf{IDSESSION} must be |
|
593 |
+ prefixed.}\\ |
|
594 |
+ Start/end a clamd session. Within a session multiple |
|
595 |
+ SCAN, INSTREAM, FILDES, VERSION, STATS commands can be sent on the |
|
596 |
+ same socket without opening new connections. Replies from clamd |
|
597 |
+ will be in the form \verb+<id>: <response>+ where \verb+<id>+ is |
|
598 |
+ the request number (in ASCII, starting from 1) and \verb+<response>+ |
|
599 |
+ is the usual clamd reply. The reply lines have the same delimiter |
|
600 |
+ as the corresponding command had. Clamd will process the commands |
|
601 |
+ asynchronously, and reply as soon as it has finished processing. |
|
602 |
+ Clamd requires clients to read all the replies it sent, before |
|
603 |
+ sending more commands to prevent send() deadlocks. The recommended |
|
604 |
+ way to implement a client that uses IDSESSION is with non-blocking |
|
605 |
+ sockets, and a select()/poll() loop: whenever send would block, |
|
606 |
+ sleep in select/poll until either you can write more data, or read |
|
607 |
+ more replies. \emph{Note that using non-blocking sockets without |
|
608 |
+ the select/poll loop and alternating recv()/send() doesn't comply |
|
609 |
+ with clamd's requirements.} If clamd detects that a client has |
|
610 |
+ deadlocked, it will close the connection. Note that clamd may |
|
611 |
+ close an IDSESSION connection too if the client doesn't follow the |
|
612 |
+ protocol's requirements. |
|
613 |
+ \item \textbf{STREAM} (deprecated, use \textbf{INSTREAM} instead)\\ |
|
614 |
+ Scan stream: clamd will return a new port number you should |
|
562 | 615 |
connect to and send data to scan. |
563 |
- \item \textbf{SESSION, END}\\ |
|
564 |
- Start/end a \verb+clamd+ session - you can do multiple commands |
|
565 |
- per TCP session (WARNING: due to the \verb+clamd+ implementation the |
|
566 |
- \textbf{RELOAD} command will break the session). |
|
567 | 616 |
\end{itemize} |
568 |
- It's recommended to prefix clamd commands with the letter \verb+n+ |
|
569 |
- (eg. \verb+nSCAN+) to indicate that the command will be delimited by |
|
570 |
- a newline character and that clamd should continue reading command data |
|
571 |
- until a newline is read. The newline delimiter assures that the complete |
|
572 |
- command and its entire argument will be processed as a single command.\\ |
|
573 |
- |
|
617 |
+ It's recommended to prefix clamd commands with the letter \textbf{z} |
|
618 |
+ (eg. zSCAN) to indicate that the command will be delimited by a NULL |
|
619 |
+ character and that clamd should continue reading command data until a NULL |
|
620 |
+ character is read. The null delimiter assures that the complete command |
|
621 |
+ and its entire argument will be processed as a single command. Alternatively |
|
622 |
+ commands may be prefixed with the letter \textbf{n} (e.g. nSCAN) to use |
|
623 |
+ a newline character as the delimiter. Clamd replies will honour the |
|
624 |
+ requested terminator in turn. If clamd doesn't recognize the command, or |
|
625 |
+ the command doesn't follow the requirements specified below, it will reply |
|
626 |
+ with an error message, and close the connection. |
|
574 | 627 |
\noindent |
575 | 628 |
Clamd can handle the following signals: |
576 | 629 |
\begin{itemize} |
... | ... |
@@ -591,8 +643,9 @@ N * * * * /usr/local/bin/freshclam --quiet |
591 | 591 |
\item although it accepts the same command line options as |
592 | 592 |
\verb+clamscan+ most of them are ignored because they must be |
593 | 593 |
enabled directly in \verb+clamd+, i.e. \verb+clamd.conf+ |
594 |
- \item scanned files must be accessible for \verb+clamd+ |
|
595 |
- \item it can't use external unpackers |
|
594 |
+ \item in TCP mode scanned files must be accessible for \verb+clamd+, |
|
595 |
+ if you enabled LocalSocket in clamd.conf then clamdscan will |
|
596 |
+ try to workaround this limitation by using FILDES |
|
596 | 597 |
\end{itemize} |
597 | 598 |
|
598 | 599 |
\subsection{Clamuko}\label{clamuko} |
... | ... |
@@ -644,21 +697,6 @@ N * * * * /usr/local/bin/freshclam --quiet |
644 | 644 |
zolw@localhost:/tmp$ clamscan malware.zip |
645 | 645 |
malware.zip: Worm.Mydoom.U FOUND |
646 | 646 |
\end{verbatim} |
647 |
- \emph{\textbf{TIP:} You can force clamscan to list all infected |
|
648 |
- files in an archive using --no-archive (this option disables |
|
649 |
- transparent decompressors built into libclamav) and enabling external |
|
650 |
- decompressors: --unzip --unrar...}.\\[4pt] |
|
651 |
- \begin{verbatim} |
|
652 |
- zolw@localhost:/tmp$ clamscan --no-archive --unzip malware.zip |
|
653 |
- Archive: /tmp/malware.zip |
|
654 |
- inflating: test1.exe |
|
655 |
- inflating: test2.exe |
|
656 |
- inflating: test3.exe |
|
657 |
- /tmp/clamav-77e7bfdbb2d3872b/test1.exe: Worm.Mydoom.U FOUND |
|
658 |
- /tmp/clamav-77e7bfdbb2d3872b/test2.exe: Trojan.Taskkill.A FOUND |
|
659 |
- /tmp/clamav-77e7bfdbb2d3872b/test3.exe: Worm.Nyxem.D FOUND |
|
660 |
- /tmp/malware.zip: Infected.Archive FOUND |
|
661 |
- \end{verbatim} |
|
662 | 647 |
|
663 | 648 |
\subsubsection{clamd} |
664 | 649 |
The output format of \verb+clamd+ is very similar to \verb+clamscan+. |
... | ... |
@@ -736,6 +774,7 @@ N * * * * /usr/local/bin/freshclam --quiet |
736 | 736 |
\item BinHex |
737 | 737 |
\item SIS (SymbianOS packages) |
738 | 738 |
\item AutoIt |
739 |
+ \item NSIS |
|
739 | 740 |
\end{itemize} |
740 | 741 |
|
741 | 742 |
\subsubsection{Documents} |
... | ... |
@@ -747,6 +786,10 @@ N * * * * /usr/local/bin/freshclam --quiet |
747 | 747 |
\item HTML |
748 | 748 |
\end{itemize} |
749 | 749 |
|
750 |
+ \subsubsection{Data Loss Prevention} |
|
751 |
+ Libclamav includes a DLP module which can detect credit card and |
|
752 |
+ social security numbers inside text files. |
|
753 |
+ |
|
750 | 754 |
\subsubsection{Others} |
751 | 755 |
Libclamav can handle various obfuscators, encoders, files vulnerable to |
752 | 756 |
security risks such as: |
... | ... |
@@ -766,23 +809,39 @@ N * * * * /usr/local/bin/freshclam --quiet |
766 | 766 |
#include <clamav.h> |
767 | 767 |
\end{verbatim} |
768 | 768 |
|
769 |
+ \subsection{Initialization} |
|
770 |
+ Before using libclamav, you should call \verb+cl_init()+ to initialize |
|
771 |
+ it. When it's done, you're ready to create a new scan engine by calling |
|
772 |
+ \verb+cl_engine_new()+. To free resources allocated by the engine use |
|
773 |
+ \verb+cl_engine_free()+. Function prototypes: |
|
774 |
+ \begin{verbatim} |
|
775 |
+ int cl_init(unsigned int options); |
|
776 |
+ struct cl_engine *cl_engine_new(void); |
|
777 |
+ int cl_engine_free(struct cl_engine *engine); |
|
778 |
+ \end{verbatim} |
|
779 |
+ \verb+cl_init()+ and \verb+cl_engine_free()+ return \verb+CL_SUCCESS+ |
|
780 |
+ on success or another code on error. \verb+cl_engine_new()+ return |
|
781 |
+ a pointer or NULL if there's not enough memory to allocate a new |
|
782 |
+ engine structure. |
|
783 |
+ |
|
769 | 784 |
\subsubsection{Database loading} |
770 | 785 |
The following set of functions provides an interface for loading |
771 | 786 |
the virus database: |
772 | 787 |
\begin{verbatim} |
773 | 788 |
const char *cl_retdbdir(void); |
774 | 789 |
|
775 |
- int cl_load(const char *path, struct cl_engine **engine, |
|
790 |
+ int cl_load(const char *path, struct cl_engine *engine, |
|
776 | 791 |
unsigned int *signo, unsigned int options); |
777 | 792 |
\end{verbatim} |
778 |
- \verb+cl_retdbdir+ returns the default (hardcoded) path to the directory |
|
793 |
+ \verb+cl_retdbdir()+ returns the default (hardcoded) path to the directory |
|
779 | 794 |
with ClamAV databases. |
780 |
- \verb+cl_load+ loads a single database file or all databases from a |
|
781 |
- directory (if \verb+path+ points to a directory). The second argument |
|
782 |
- is used for passing in the engine structure which should be previously |
|
783 |
- initialized with NULL. A number of loaded signatures will be \textbf{added} |
|
784 |
- to \verb+signo+ \footnote{Remember to initialize the virus counter |
|
785 |
- variable with 0.}. The last argument can pass the following flags: |
|
795 |
+ \verb+cl_load()+ loads a single database file or all databases from a |
|
796 |
+ given directory (when \verb+path+ points to a directory). The second |
|
797 |
+ argument is used for passing in the pointer to the engine that should |
|
798 |
+ be previously allocated with \verb+cl_engine_new()+. A number of loaded |
|
799 |
+ signatures will be \textbf{added} to \verb+signo+ \footnote{Remember to |
|
800 |
+ initialize the virus counter variable with 0.}. The last argument can |
|
801 |
+ pass the following flags: |
|
786 | 802 |
\begin{itemize} |
787 | 803 |
\item \textbf{CL\_DB\_STDOPT}\\ |
788 | 804 |
This is an alias for a recommended set of scan options. |
... | ... |
@@ -796,48 +855,74 @@ N * * * * /usr/local/bin/freshclam --quiet |
796 | 796 |
Load CVD files directly without unpacking them into a temporary |
797 | 797 |
directory. |
798 | 798 |
\end{itemize} |
799 |
- \verb+cl_load+ returns 0 (\verb+CL_SUCCESS+) on success and a negative |
|
800 |
- value on failure. |
|
799 |
+ \verb+cl_load()+ returns \verb+CL_SUCCESS+ on success and another code on |
|
800 |
+ failure. |
|
801 | 801 |
\begin{verbatim} |
802 | 802 |
... |
803 |
- struct cl_engine *engine = NULL; |
|
803 |
+ struct cl_engine *engine; |
|
804 | 804 |
unsigned int sigs = 0; |
805 | 805 |
int ret; |
806 | 806 |
|
807 |
- ret = cl_load(cl_retdbdir(), &engine, &sigs, CL_DB_STDOPT); |
|
807 |
+ if((ret = cl_init()) != CL_SUCCESS) { |
|
808 |
+ printf("cl_init() error: %s\n", cl_strerror(ret)); |
|
809 |
+ return 1; |
|
810 |
+ } |
|
811 |
+ |
|
812 |
+ if(!(engine = cl_engine_new())) { |
|
813 |
+ printf("Can't create new engine\n"); |
|
814 |
+ return 1; |
|
815 |
+ } |
|
816 |
+ |
|
817 |
+ ret = cl_load(cl_retdbdir(), engine, &sigs, CL_DB_STDOPT); |
|
808 | 818 |
\end{verbatim} |
809 | 819 |
|
810 | 820 |
\subsubsection{Error handling} |
811 |
- Use \verb+cl_strerror+ to convert error codes into human readable messages. |
|
812 |
- The function returns a statically allocated string: |
|
821 |
+ Use \verb+cl_strerror()+ to convert error codes into human readable |
|
822 |
+ messages. The function returns a statically allocated string: |
|
813 | 823 |
\begin{verbatim} |
814 |
- if(ret) { |
|
824 |
+ if(ret != CL_SUCCESS) { |
|
815 | 825 |
printf("cl_load() error: %s\n", cl_strerror(ret)); |
816 |
- exit(1); |
|
826 |
+ cl_engine_free(engine); |
|
827 |
+ return 1; |
|
817 | 828 |
} |
818 | 829 |
\end{verbatim} |
819 | 830 |
|
820 | 831 |
\subsubsection{Engine structure} |
821 | 832 |
When all required databases are loaded you should prepare the detection |
822 |
- engine by calling \verb+cl_build+. In the case of failure you should |
|
823 |
- free the memory occupied by the engine with \verb+cl_free+: |
|
833 |
+ engine by calling \verb+cl_engine_compile()+. In case of failure you |
|
834 |
+ should still free the memory allocated to the engine with |
|
835 |
+ \verb+cl_engine_free()+: |
|
824 | 836 |
\begin{verbatim} |
825 |
- int cl_build(struct cl_engine *engine); |
|
826 |
- void cl_free(struct cl_engine *engine); |
|
837 |
+ int cl_engine_compile(struct cl_engine *engine); |
|
827 | 838 |
\end{verbatim} |
828 | 839 |
In our example: |
829 | 840 |
\begin{verbatim} |
830 |
- if((ret = cl_build(engine))) { |
|
831 |
- printf("cl_build() error: %s\n", cl_strerror(ret)); |
|
832 |
- cl_free(engine); |
|
833 |
- exit(1); |
|
841 |
+ if((ret = cl_engine_compile(engine)) != CL_SUCCESS) { |
|
842 |
+ printf("cl_engine_compile() error: %s\n", cl_strerror(ret)); |
|
843 |
+ cl_engine_free(engine); |
|
844 |
+ return 1; |
|
834 | 845 |
} |
835 | 846 |
\end{verbatim} |
836 | 847 |
|
848 |
+ \subsection{Limits} |
|
849 |
+ When you create a new engine with \verb+cl_engine_new()+, it will have |
|
850 |
+ all internal settings set to default values as recommended by the |
|
851 |
+ ClamAV authors. It's possible to check and modify the values using |
|
852 |
+ this couple of functions: |
|
853 |
+ \begin{verbatim} |
|
854 |
+ int cl_engine_set(struct cl_engine *engine, |
|
855 |
+ enum cl_engine_field field, const void *val); |
|
856 |
+ |
|
857 |
+ int cl_engine_get(const struct cl_engine *engine, |
|
858 |
+ enum cl_engine_field fi eld, void *val); |
|
859 |
+ \end{verbatim} |
|
860 |
+ Please don't modify the default values unless you know what you're doing. |
|
861 |
+ Refer to ClamAV sources (clamscan, clamd) for examples. |
|
862 |
+ |
|
837 | 863 |
\subsection{Database reloading} |
838 |
- The most important thing is to keep the internal instance of the database |
|
839 |
- up to date. You can watch database changes with the \verb+cl_stat+ |
|
840 |
- family of functions. |
|
864 |
+ It's very important to keep the internal instance of the database up to |
|
865 |
+ date. You can watch database changes with the \verb+cl_stat..()+ family |
|
866 |
+ of functions. |
|
841 | 867 |
\begin{verbatim} |
842 | 868 |
int cl_statinidir(const char *dirname, struct cl_stat *dbstat); |
843 | 869 |
int cl_statchkdir(const struct cl_stat *dbstat); |
... | ... |
@@ -860,42 +945,26 @@ N * * * * /usr/local/bin/freshclam --quiet |
860 | 860 |
cl_statinidir(cl_retdbdir(), &dbstat); |
861 | 861 |
} |
862 | 862 |
\end{verbatim} |
863 |
- Remember to reset the \verb+cl_stat+ structure after reload. |
|
863 |
+ Remember to reset the \verb+cl_stat+ structure after each reload. |
|
864 | 864 |
|
865 | 865 |
\subsubsection{Data scan functions} |
866 | 866 |
It's possible to scan a file or descriptor using: |
867 | 867 |
\begin{verbatim} |
868 | 868 |
int cl_scanfile(const char *filename, const char **virname, |
869 | 869 |
unsigned long int *scanned, const struct cl_engine *engine, |
870 |
- const struct cl_limits *limits, unsigned int options); |
|
870 |
+ unsigned int options); |
|
871 | 871 |
|
872 | 872 |
int cl_scandesc(int desc, const char **virname, unsigned |
873 |
- long int *scanned, const struct cl_engine *engine, const |
|
874 |
- struct cl_limits *limits, unsigned int options); |
|
873 |
+ long int *scanned, const struct cl_engine *engine, |
|
874 |
+ unsigned int options); |
|
875 | 875 |
\end{verbatim} |
876 | 876 |
Both functions will store a virus name under the pointer \verb+virname+, |
877 | 877 |
the virus name is part of the engine structure and must not be released |
878 | 878 |
directly. If the third argument (\verb+scanned+) is not NULL, the |
879 | 879 |
functions will increase its value with the size of scanned data (in |
880 |
- \verb+CL_COUNT_PRECISION+ units). Both functions have support for archive |
|
881 |
- limits in order to protect against Denial of Service attacks. |
|
882 |
- \begin{verbatim} |
|
883 |
-struct cl_limits { |
|
884 |
- unsigned long int maxscansize; /* during the scanning of archives this |
|
885 |
- * size will never be exceeded |
|
886 |
- */ |
|
887 |
- unsigned long int maxfilesize; /* compressed files will only be |
|
888 |
- * decompressed and scanned up to this size |
|
889 |
- */ |
|
890 |
- unsigned int maxreclevel; /* maximum recursion level for archives */ |
|
891 |
- unsigned int maxfiles; /* maximum number of files to be scanned |
|
892 |
- * within a single archive |
|
893 |
- */ |
|
894 |
- unsigned short archivememlim; /* limit memory usage for some unpackers */ |
|
895 |
-}; |
|
896 |
- \end{verbatim} |
|
897 |
- The last argument (\verb+options+) configures the scan engine and supports |
|
898 |
- the following flags (that can be combined using bit operators): |
|
880 |
+ \verb+CL_COUNT_PRECISION+ units). |
|
881 |
+ The last argument (\verb+options+) specified the scan options and supports |
|
882 |
+ the following flags (which can be combined using bit operators): |
|
899 | 883 |
\begin{itemize} |
900 | 884 |
\item \textbf{CL\_SCAN\_STDOPT}\\ |
901 | 885 |
This is an alias for a recommended set of scan options. You |
... | ... |
@@ -938,22 +1007,34 @@ struct cl_limits { |
938 | 938 |
Phishing module: always block SSL mismatches in URLs. |
939 | 939 |
\item \textbf{CL\_SCAN\_PHISHING\_BLOCKCLOAK}\\ |
940 | 940 |
Phishing module: always block cloaked URLs. |
941 |
+ \item \textbf{CL\_SCAN\_STRUCTURED}\\ |
|
942 |
+ Enable the DLP module which scans for credit card and SSN |
|
943 |
+ numbers. |
|
944 |
+ \item \textbf{CL\_SCAN\_STRUCTURED\_SSN\_NORMAL}\\ |
|
945 |
+ Search for SSNs formatted as xx-yy-zzzz. |
|
946 |
+ \item \textbf{CL\_SCAN\_STRUCTURED\_SSN\_STRIPPED}\\ |
|
947 |
+ Search for SSNs formatted as xxyyzzzz. |
|
948 |
+ \item \textbf{CL\_SCAN\_PARTIAL\_MESSAGE}\\ |
|
949 |
+ Scan RFC1341 messages split over many emails. You will need to |
|
950 |
+ periodically clean up \verb+$TemporaryDirectory/clamav-partial+ |
|
951 |
+ directory. |
|
952 |
+ \item \textbf{CL\_SCAN\_HEURISTIC\_PRECEDENCE}\\ |
|
953 |
+ Allow heuristic match to take precedence. When enabled, if |
|
954 |
+ a heuristic scan (such as phishingScan) detects a possible |
|
955 |
+ virus/phish it will stop scan immediately. Recommended, saves CPU |
|
956 |
+ scan-time. When disabled, virus/phish detected by heuristic scans |
|
957 |
+ will be reported only at the end of a scan. If an archive |
|
958 |
+ contains both a heuristically detected virus/phishing, and a real |
|
959 |
+ malware, the real malware will be reported. |
|
941 | 960 |
\end{itemize} |
942 |
- All functions return 0 (\verb+CL_CLEAN+) when the file seems clean, |
|
961 |
+ All functions return \verb+CL_CLEAN+ when the file seems clean, |
|
943 | 962 |
\verb+CL_VIRUS+ when a virus is detected and another value on failure. |
944 | 963 |
\begin{verbatim} |
945 | 964 |
... |
946 |
- struct cl_limits limits; |
|
947 | 965 |
const char *virname; |
948 | 966 |
|
949 |
- memset(&limits, 0, sizeof(struct cl_limits)); |
|
950 |
- limits.maxfiles = 10000; |
|
951 |
- limits.maxscansize = 100 * 1048576; /* 100 MB */ |
|
952 |
- limits.maxfilesize = 10 * 1048576; /* 10 MB */ |
|
953 |
- limits.maxreclevel = 16; |
|
954 |
- |
|
955 | 967 |
if((ret = cl_scanfile("/tmp/test.exe", &virname, NULL, engine, |
956 |
- &limits, CL_STDOPT)) == CL_VIRUS) { |
|
968 |
+ CL_STDOPT)) == CL_VIRUS) { |
|
957 | 969 |
printf("Virus detected: %s\n", virname); |
958 | 970 |
} else { |
959 | 971 |
printf("No virus detected.\n"); |
... | ... |
@@ -964,7 +1045,8 @@ struct cl_limits { |
964 | 964 |
|
965 | 965 |
\subsubsection{Memory} |
966 | 966 |
Because the engine structure occupies a few megabytes of system memory, you |
967 |
- should release it with \verb+cl_free+ if you no longer need to scan files. |
|
967 |
+ should release it with \verb+cl_engine_free()+ if you no longer need to |
|
968 |
+ scan files. |
|
968 | 969 |
|
969 | 970 |
\subsubsection{Forking daemons} |
970 | 971 |
If you're using libclamav with a forking daemon you should call |
... | ... |
@@ -983,9 +1065,9 @@ struct cl_limits { |
983 | 983 |
\end{verbatim} |
984 | 984 |
|
985 | 985 |
\subsubsection{Example} |
986 |
- You will find an example scanner application in the clamav sources |
|
987 |
- (/example). Don't forget that all programs based on libclamav must be |
|
988 |
- linked against it: |
|
986 |
+ You will find an example scanner application in the clamav source |
|
987 |
+ package (/example). Provided you have ClamAV already installed, execute |
|
988 |
+ the following to compile it: |
|
989 | 989 |
\begin{verbatim} |
990 | 990 |
gcc -Wall ex1.c -o ex1 -lclamav |
991 | 991 |
\end{verbatim} |