@@ -790,6 +790,58 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

     }

 #endif

+    /* Engine max sizes */

+

+    if((opt = optget(opts, "MaxEmbeddedPE"))->active) {

+        if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_EMBEDDEDPE, opt->numarg))) {

+            logg("!cli_engine_set_num(CL_ENGINE_MAX_EMBEDDEDPE) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 1;

+        }

+    }

+    val = cl_engine_get_num(engine, CL_ENGINE_MAX_EMBEDDEDPE, NULL);

+    logg("Limits: MaxEmbeddedPE limit set to %llu bytes.\n", val);

+

+    if((opt = optget(opts, "MaxHTMLNormalize"))->active) {

+        if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_HTMLNORMALIZE, opt->numarg))) {

+            logg("!cli_engine_set_num(CL_ENGINE_MAX_HTMLNORMALIZE) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 1;

+        }

+    }

+    val = cl_engine_get_num(engine, CL_ENGINE_MAX_HTMLNORMALIZE, NULL);

+    logg("Limits: MaxHTMLNormalize limit set to %llu bytes.\n", val);

+

+    if((opt = optget(opts, "MaxHTMLNoTags"))->active) {

+        if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_HTMLNOTAGS, opt->numarg))) {

+            logg("!cli_engine_set_num(CL_ENGINE_MAX_HTMLNOTAGS) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 1;

+        }

+    }

+    val = cl_engine_get_num(engine, CL_ENGINE_MAX_HTMLNOTAGS, NULL);

+    logg("Limits: MaxHTMLNoTags limit set to %llu bytes.\n", val);

+

+    if((opt = optget(opts, "MaxScriptNormalize"))->active) {

+        if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCRIPTNORMALIZE, opt->numarg))) {

+            logg("!cli_engine_set_num(CL_ENGINE_MAX_SCRIPTNORMALIZE) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 1;

+        }

+    }

+    val = cl_engine_get_num(engine, CL_ENGINE_MAX_SCRIPTNORMALIZE, NULL);

+    logg("Limits: MaxScriptNormalize limit set to %llu bytes.\n", val);

+

+    if((opt = optget(opts, "MaxZipTypeRcg"))->active) {

+        if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_ZIPTYPERCG, opt->numarg))) {

+            logg("!cli_engine_set_num(CL_ENGINE_MAX_ZIPTYPERCG) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 1;

+        }

+    }

+    val = cl_engine_get_num(engine, CL_ENGINE_MAX_ZIPTYPERCG, NULL);

+    logg("Limits: MaxZipTypeRcg limit set to %llu bytes.\n", val);

+

     if(optget(opts, "ScanArchive")->enabled) {

 	logg("Archive support enabled.\n");

 	options |= CL_SCAN_ARCHIVE;

@@ -258,7 +258,11 @@ void help(void)

     mprintf("    --max-files=#n                       The maximum number of files to scan for each container file (**)\n");

     mprintf("    --max-recursion=#n                   Maximum archive recursion level for container file (**)\n");

     mprintf("    --max-dir-recursion=#n               Maximum directory recursion level\n");

-

+    mprintf("    --max-embeddedpe=#n                  Maximum size file to check for embedded PE\n");

+    mprintf("    --max-htmlnormalize=#n               Maximum size of HTML file to normalize\n");

+    mprintf("    --max-htmlnotags=#n                  Maximum size of normalized HTML file to scan\n");

+    mprintf("    --max-scriptnormalize=#n             Maximum size of script file to normalize\n");

+    mprintf("    --max-ziptypercg=#n                  Maximum size zip to type reanalyze\n");

     mprintf("\n");

     mprintf("(*) Default scan settings\n");

     mprintf("(**) Certain files (e.g. documents, archives, etc.) may in turn contain other\n");

@@ -736,6 +736,48 @@ int scanmanager(const struct optstruct *opts)

 	}

     }

+    /* Engine max sizes */

+

+    if((opt = optget(opts, "max-embeddedpe"))->active) {

+	if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_EMBEDDEDPE, opt->numarg))) {

+	    logg("!cli_engine_set_num(CL_ENGINE_MAX_EMBEDDEDPE) failed: %s\n", cl_strerror(ret));

+	    cl_engine_free(engine);

+	    return 2;

+	}

+    }

+

+    if((opt = optget(opts, "max-htmlnormalize"))->active) {

+	if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_HTMLNORMALIZE, opt->numarg))) {

+	    logg("!cli_engine_set_num(CL_ENGINE_MAX_HTMLNORMALIZE) failed: %s\n", cl_strerror(ret));

+	    cl_engine_free(engine);

+	    return 2;

+	}

+    }

+

+    if((opt = optget(opts, "max-htmlnotags"))->active) {

+	if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_HTMLNOTAGS, opt->numarg))) {

+	    logg("!cli_engine_set_num(CL_ENGINE_MAX_HTMLNOTAGS) failed: %s\n", cl_strerror(ret));

+	    cl_engine_free(engine);

+	    return 2;

+	}

+    }

+

+    if((opt = optget(opts, "max-scriptnormalize"))->active) {

+	if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCRIPTNORMALIZE, opt->numarg))) {

+	    logg("!cli_engine_set_num(CL_ENGINE_MAX_SCRIPTNORMALIZE) failed: %s\n", cl_strerror(ret));

+	    cl_engine_free(engine);

+	    return 2;

+	}

+    }

+

+    if((opt = optget(opts, "max-ziptypercg"))->active) {

+	if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_ZIPTYPERCG, opt->numarg))) {

+	    logg("!cli_engine_set_num(CL_ENGINE_MAX_ZIPTYPERCG) failed: %s\n", cl_strerror(ret));

+	    cl_engine_free(engine);

+	    return 2;

+	}

+    }

+

     /* set scan options */

     if(optget(opts, "allmatch")->enabled)

 	options |= CL_SCAN_ALLMATCHES;

@@ -437,6 +437,41 @@ Example

 # Default: 10000

 #MaxFiles 15000

+# Maximum size of a file to check for embedded PE. Files larger than this value

+# will skip the additional analysis step.

+# Note: disabling this limit or setting it too high may result in severe damage

+# to the system.

+# Default: 10M

+#MaxEmbeddedPE 10M

+

+# Maximum size of a HTML file to normalize. HTML files larger than this value

+# will not be normalized or scanned.

+# Note: disabling this limit or setting it too high may result in severe damage

+# to the system.

+# Default: 10M

+#MaxHTMLNormalize 10M

+

+# Maximum size of a normalized HTML file to scan. HTML files larger than this

+# value after normalization will not be scanned.

+# Note: disabling this limit or setting it too high may result in severe damage

+# to the system.

+# Default: 2M

+#MaxHTMLNoTags 2M

+

+# Maximum size of a script file to normalize. Script content larger than this

+# value will not be normalized or scanned.

+# Note: disabling this limit or setting it too high may result in severe damage

+# to the system.

+# Default: 5M

+#MaxScriptNormalize 5M

+

+# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger

+# than this value will skip the step to potentially reanalyze as PE.

+# Note: disabling this limit or setting it too high may result in severe damage

+# to the system.

+# Default: 1M

+#MaxZipTypeRcg 1M

+

 ##

 ## Clamuko settings

@@ -185,7 +185,12 @@ enum cl_engine_field {

     CL_ENGINE_KEEPTMP,		    /* uint32_t */

     CL_ENGINE_BYTECODE_SECURITY,    /* uint32_t */

     CL_ENGINE_BYTECODE_TIMEOUT,     /* uint32_t */

-    CL_ENGINE_BYTECODE_MODE         /* uint32_t */

+    CL_ENGINE_BYTECODE_MODE,        /* uint32_t */

+    CL_ENGINE_MAX_EMBEDDEDPE,       /* uint64_t */

+    CL_ENGINE_MAX_HTMLNORMALIZE,    /* uint64_t */

+    CL_ENGINE_MAX_HTMLNOTAGS,       /* uint64_t */

+    CL_ENGINE_MAX_SCRIPTNORMALIZE,  /* uint64_t */

+    CL_ENGINE_MAX_ZIPTYPERCG        /* uint64_t */

 };

 enum bytecode_security {

@@ -37,4 +37,10 @@

 #define CLI_DEFAULT_MIN_CC_COUNT    3

 #define CLI_DEFAULT_MIN_SSN_COUNT   3

+#define CLI_DEFAULT_MAXEMBEDDEDPE       10485760

+#define CLI_DEFAULT_MAXHTMLNORMALIZE    10485760

+#define CLI_DEFAULT_MAXHTMLNOTAGS       2097152

+#define CLI_DEFAULT_MAXSCRIPTNORMALIZE  5242880

+#define CLI_DEFAULT_MAXZIPTYPERCG       1048576

+

 #endif

@@ -312,6 +312,12 @@ struct cl_engine *cl_engine_new(void)

     new->maxfiles = CLI_DEFAULT_MAXFILES;

     new->min_cc_count = CLI_DEFAULT_MIN_CC_COUNT;

     new->min_ssn_count = CLI_DEFAULT_MIN_SSN_COUNT;

+    /* Engine Max sizes */

+    new->maxembeddedpe = CLI_DEFAULT_MAXEMBEDDEDPE;

+    new->maxhtmlnormalize = CLI_DEFAULT_MAXHTMLNORMALIZE;

+    new->maxhtmlnotags = CLI_DEFAULT_MAXHTMLNOTAGS;

+    new->maxscriptnormalize = CLI_DEFAULT_MAXSCRIPTNORMALIZE;

+    new->maxziptypercg = CLI_DEFAULT_MAXZIPTYPERCG;

     new->bytecode_security = CL_BYTECODE_TRUST_SIGNED;

     /* 5 seconds timeout */

@@ -392,6 +398,41 @@ int cl_engine_set_num(struct cl_engine *engine, enum cl_engine_field field, long

 	case CL_ENGINE_MAX_FILES:

 	    engine->maxfiles = num;

 	    break;

+	case CL_ENGINE_MAX_EMBEDDEDPE:

+	    if(num < 0) {

+		cli_warnmsg("MaxEmbeddedPE: negative values are not allowed, using default: %u\n", CLI_DEFAULT_MAXEMBEDDEDPE);

+		engine->maxembeddedpe = CLI_DEFAULT_MAXEMBEDDEDPE;

+	    } else

+		engine->maxembeddedpe = num;

+	    break;

+	case CL_ENGINE_MAX_HTMLNORMALIZE:

+	    if(num < 0) {

+		cli_warnmsg("MaxHTMLNormalize: negative values are not allowed, using default: %u\n", CLI_DEFAULT_MAXHTMLNORMALIZE);

+		engine->maxhtmlnormalize = CLI_DEFAULT_MAXHTMLNORMALIZE;

+	    } else

+		engine->maxhtmlnormalize = num;

+	    break;

+	case CL_ENGINE_MAX_HTMLNOTAGS:

+	    if(num < 0) {

+		cli_warnmsg("MaxHTMLNoTags: negative values are not allowed, using default: %u\n", CLI_DEFAULT_MAXHTMLNOTAGS);

+		engine->maxhtmlnotags = CLI_DEFAULT_MAXHTMLNOTAGS;

+	    } else

+		engine->maxhtmlnotags = num;

+	    break;

+	case CL_ENGINE_MAX_SCRIPTNORMALIZE:

+	    if(num < 0) {

+		cli_warnmsg("MaxScriptNormalize: negative values are not allowed, using default: %u\n", CLI_DEFAULT_MAXSCRIPTNORMALIZE);

+		engine->maxscriptnormalize = CLI_DEFAULT_MAXSCRIPTNORMALIZE;

+	    } else

+		engine->maxscriptnormalize = num;

+	    break;

+	case CL_ENGINE_MAX_ZIPTYPERCG:

+	    if(num < 0) {

+		cli_warnmsg("MaxZipTypeRcg: negative values are not allowed, using default: %u\n", CLI_DEFAULT_MAXZIPTYPERCG);

+		engine->maxziptypercg = CLI_DEFAULT_MAXZIPTYPERCG;

+	    } else

+		engine->maxziptypercg = num;

+	    break;

 	case CL_ENGINE_MIN_CC_COUNT:

 	    engine->min_cc_count = num;

 	    break;

@@ -469,6 +510,16 @@ long long cl_engine_get_num(const struct cl_engine *engine, enum cl_engine_field

 	    return engine->maxreclevel;

 	case CL_ENGINE_MAX_FILES:

 	    return engine->maxfiles;

+	case CL_ENGINE_MAX_EMBEDDEDPE:

+	    return engine->maxembeddedpe;

+	case CL_ENGINE_MAX_HTMLNORMALIZE:

+	    return engine->maxhtmlnormalize;

+	case CL_ENGINE_MAX_HTMLNOTAGS:

+	    return engine->maxhtmlnotags;

+	case CL_ENGINE_MAX_SCRIPTNORMALIZE:

+	    return engine->maxscriptnormalize;

+	case CL_ENGINE_MAX_ZIPTYPERCG:

+	    return engine->maxziptypercg;

 	case CL_ENGINE_MIN_CC_COUNT:

 	    return engine->min_cc_count;

 	case CL_ENGINE_MIN_SSN_COUNT:

@@ -565,6 +616,11 @@ struct cl_settings *cl_engine_settings_copy(const struct cl_engine *engine)

     settings->maxfilesize = engine->maxfilesize;

     settings->maxreclevel = engine->maxreclevel;

     settings->maxfiles = engine->maxfiles;

+    settings->maxembeddedpe = engine->maxembeddedpe;

+    settings->maxhtmlnormalize = engine->maxhtmlnormalize;

+    settings->maxhtmlnotags = engine->maxhtmlnotags;

+    settings->maxscriptnormalize = engine->maxscriptnormalize;

+    settings->maxziptypercg = engine->maxziptypercg;

     settings->min_cc_count = engine->min_cc_count;

     settings->min_ssn_count = engine->min_ssn_count;

     settings->bytecode_security = engine->bytecode_security;

@@ -592,6 +648,11 @@ int cl_engine_settings_apply(struct cl_engine *engine, const struct cl_settings

     engine->maxfilesize = settings->maxfilesize;

     engine->maxreclevel = settings->maxreclevel;

     engine->maxfiles = settings->maxfiles;

+    engine->maxembeddedpe = settings->maxembeddedpe;

+    engine->maxhtmlnormalize = settings->maxhtmlnormalize;

+    engine->maxhtmlnotags = settings->maxhtmlnotags;

+    engine->maxscriptnormalize = settings->maxscriptnormalize;

+    engine->maxziptypercg = settings->maxziptypercg;

     engine->min_cc_count = settings->min_cc_count;

     engine->min_ssn_count = settings->min_ssn_count;

     engine->bytecode_security = settings->bytecode_security;

@@ -274,6 +274,13 @@ struct cl_engine {

     enum bytecode_security bytecode_security;

     uint32_t bytecode_timeout;

     enum bytecode_mode bytecode_mode;

+

+    /* Engine max settings */

+    uint64_t maxembeddedpe;  /* max size to scan MSEXE for PE */

+    uint64_t maxhtmlnormalize; /* max size to normalize HTML */

+    uint64_t maxhtmlnotags; /* max size for scanning normalized HTML */

+    uint64_t maxscriptnormalize; /* max size to normalize scripts */

+    uint64_t maxziptypercg; /* max size to re-do zip filetype */

 };

 struct cl_settings {

@@ -305,6 +312,13 @@ struct cl_settings {

     void *cb_sigload_ctx;

     clcb_msg cb_msg;

     clcb_hash cb_hash;

+

+    /* Engine max settings */

+    uint64_t maxembeddedpe;  /* max size to scan MSEXE for PE */

+    uint64_t maxhtmlnormalize; /* max size to normalize HTML */

+    uint64_t maxhtmlnotags; /* max size for scanning normalized HTML */

+    uint64_t maxscriptnormalize; /* max size to normalize scripts */

+    uint64_t maxziptypercg; /* max size to re-do zip filetype */

 };

 extern int (*cli_unrar_open)(int fd, const char *dirname, unrar_state_t *state);

@@ -1042,19 +1042,17 @@ static int cli_vba_scandir(const char *dirname, cli_ctx *ctx, struct uniq *U)

 static int cli_scanhtml(cli_ctx *ctx)

 {

-	char *tempname, fullname[1024];

-	int ret=CL_CLEAN, fd;

-	fmap_t *map = *ctx->fmap;

-	unsigned int viruses_found = 0;

+    char *tempname, fullname[1024];

+    int ret=CL_CLEAN, fd;

+    fmap_t *map = *ctx->fmap;

+    unsigned int viruses_found = 0;

+    uint64_t curr_len = map->len;

     cli_dbgmsg("in cli_scanhtml()\n");

-    /* Because HTML detection is FP-prone and html_normalise_fd() needs to

-     * mmap the file don't normalise files larger than 10 MB.

-     */

-

-    if(map->len > 10485760) {

-	cli_dbgmsg("cli_scanhtml: exiting (file larger than 10 MB)\n");

+    /* CL_ENGINE_MAX_HTMLNORMALIZE */

+    if(curr_len > ctx->engine->maxhtmlnormalize) {

+	cli_dbgmsg("cli_scanhtml: exiting (file larger than MaxHTMLNormalize)\n");

 	return CL_CLEAN;

     }

@@ -1078,16 +1076,23 @@ static int cli_scanhtml(cli_ctx *ctx)

 	close(fd);

     }

-    if((ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALL)) && map->len < 2097152) {

-	    /* limit to 2 MB, we're not interesting in scanning large files in notags form */

-	    /* TODO: don't even create notags if file is over 2 MB */

-	    snprintf(fullname, 1024, "%s"PATHSEP"notags.html", tempname);

-	    fd = open(fullname, O_RDONLY|O_BINARY);

-	    if(fd >= 0) {

-		if ((ret = cli_scandesc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR, NULL)) == CL_VIRUS) 

-		    viruses_found++;

-		close(fd);

-	    }

+    if(ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALL)) {

+        /* CL_ENGINE_MAX_HTMLNOTAGS */

+        curr_len = map->len;

+        if (curr_len > ctx->engine->maxhtmlnotags) {

+	    /* we're not interested in scanning large files in notags form */

+            /* TODO: don't even create notags if file is over limit */

+            cli_dbgmsg("cli_scanhtml: skipping notags (normalized size over MaxHTMLNoTags)\n");

+	}

+        else {

+            snprintf(fullname, 1024, "%s"PATHSEP"notags.html", tempname);

+            fd = open(fullname, O_RDONLY|O_BINARY);

+            if(fd >= 0) {

+                if ((ret = cli_scandesc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR, NULL)) == CL_VIRUS) 

+                    viruses_found++;

+                close(fd);

+            }

+        }

     }

     if(ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALL)) {

@@ -1120,19 +1125,20 @@ static int cli_scanhtml(cli_ctx *ctx)

 static int cli_scanscript(cli_ctx *ctx)

 {

-	const unsigned char *buff;

-	unsigned char* normalized;

-	struct text_norm_state state;

-	char *tmpname = NULL;

-	int ofd = -1, ret;

-	struct cli_matcher *troot;

-	uint32_t maxpatlen, offset = 0;

-	struct cli_matcher *groot;

-	struct cli_ac_data gmdata, tmdata;

-	struct cli_ac_data *mdata[2];

-	fmap_t *map = *ctx->fmap;

-	size_t at = 0;

-	unsigned int viruses_found = 0;

+    const unsigned char *buff;

+    unsigned char* normalized;

+    struct text_norm_state state;

+    char *tmpname = NULL;

+    int ofd = -1, ret;

+    struct cli_matcher *troot;

+    uint32_t maxpatlen, offset = 0;

+    struct cli_matcher *groot;

+    struct cli_ac_data gmdata, tmdata;

+    struct cli_ac_data *mdata[2];

+    fmap_t *map = *ctx->fmap;

+    size_t at = 0;

+    unsigned int viruses_found = 0;

+    uint64_t curr_len = map->len;

     if (!ctx || !ctx->engine->root)

         return CL_ENULLARG;

@@ -1141,12 +1147,13 @@ static int cli_scanscript(cli_ctx *ctx)

     troot = ctx->engine->root[7];

     maxpatlen = troot ? troot->maxpatlen : 0;

-	cli_dbgmsg("in cli_scanscript()\n");

+    cli_dbgmsg("in cli_scanscript()\n");

-	if(map->len > 5242880) {

-		cli_dbgmsg("cli_scanscript: exiting (file larger than 5 MB)\n");

-		return CL_CLEAN;

-	}

+    /* CL_ENGINE_MAX_SCRIPTNORMALIZE */

+    if(curr_len > ctx->engine->maxscriptnormalize) {

+        cli_dbgmsg("cli_scanscript: exiting (file larger than MaxScriptSize)\n");

+        return CL_CLEAN;

+    }

 	/* dump to disk only if explicitly asked to,

 	 * otherwise we can process just in-memory */

@@ -2100,8 +2107,12 @@ static int cli_scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_file_

 		    case CL_TYPE_MSEXE:

  			if(SCAN_PE && (type == CL_TYPE_MSEXE || type == CL_TYPE_ZIP || type == CL_TYPE_MSOLE2) && ctx->dconf->pe) {

-			    if(map->len > 10485760)

+			    uint64_t curr_len = map->len;

+			    /* CL_ENGINE_MAX_EMBEDDED_PE */

+			    if(curr_len > ctx->engine->maxembeddedpe) {

+				cli_dbgmsg("cli_scanraw: MaxEmbeddedPE exceeded\n");

 				break;

+			    }

 			    ctx->container_type = CL_TYPE_MSEXE; /* PE is a container for another executable here */

 			    ctx->container_size = map->len - fpt->offset; /* not precise */

 			    memset(&peinfo, 0, sizeof(struct cli_exe_info));

@@ -2266,13 +2277,6 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

 	int cache_clean = 0, res;

 	unsigned int viruses_found = 0;

-    cli_dbgmsg("in magic_scandesc\n");

-    if(ctx->engine->maxreclevel && ctx->recursion > ctx->engine->maxreclevel) {

-        cli_dbgmsg("cli_magic_scandesc: Archive recursion limit exceeded (%u, max: %u)\n", ctx->recursion, ctx->engine->maxreclevel);

-	emax_reached(ctx);

-	early_ret_from_magicscan(CL_CLEAN);

-    }

-

     if(!ctx->engine) {

 	cli_errmsg("CRITICAL: engine == NULL\n");

 	early_ret_from_magicscan(CL_ENULLARG);

@@ -2283,6 +2287,12 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

 	early_ret_from_magicscan(CL_EMALFDB);

     }

+    if(ctx->engine->maxreclevel && ctx->recursion > ctx->engine->maxreclevel) {

+        cli_dbgmsg("cli_magic_scandesc: Archive recursion limit exceeded (%u, max: %u)\n", ctx->recursion, ctx->engine->maxreclevel);

+	emax_reached(ctx);

+	early_ret_from_magicscan(CL_CLEAN);

+    }

+

     if(cli_updatelimits(ctx, (*ctx->fmap)->len)!=CL_CLEAN) {

 	emax_reached(ctx);

         early_ret_from_magicscan(CL_CLEAN);

@@ -2636,8 +2646,10 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

     }

     if(type == CL_TYPE_ZIP && SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP)) {

-	if((*ctx->fmap)->len > 1048576) {

-	    cli_dbgmsg("cli_magic_scandesc: Not checking for embedded PEs (zip file > 1 MB)\n");

+	/* CL_ENGINE_MAX_ZIPTYPERCG */

+	uint64_t curr_len = (*ctx->fmap)->len;

+	if(curr_len > ctx->engine->maxziptypercg) {

+	    cli_dbgmsg("cli_magic_scandesc: Not checking for embedded PEs (zip file > MaxZipTypeRcg)\n");

 	    typercg = 0;

 	}

     }

@@ -334,6 +334,18 @@ const struct clam_option __clam_options[] = {

     { "MaxFiles", "max-files", 0, TYPE_NUMBER, MATCH_NUMBER, CLI_DEFAULT_MAXFILES, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Number of files to be scanned within an archive, a document, or any other\ncontainer file.\nThe value of 0 disables the limit.\nWARNING: disabling this limit or setting it too high may result in severe\ndamage to the system.", "10000" },

+    /* Engine maximums */

+    { "MaxEmbeddedPE", "max-embeddedpe", 0, TYPE_SIZE, MATCH_SIZE, CLI_DEFAULT_MAXEMBEDDEDPE, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum size of a file to check for embedded PE.\nFiles larger than this value will skip the additional analysis step.\nNegative values are not allowed.\nWARNING: setting this limit too high may result in severe damage or impact performance.", "10M" },

+

+    { "MaxHTMLNormalize", "max-htmlnormalize", 0, TYPE_SIZE, MATCH_SIZE, CLI_DEFAULT_MAXHTMLNORMALIZE, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum size of a HTML file to normalize.\nHTML files larger than this value will not be normalized or scanned.\nNegative values are not allowed.\nWARNING: setting this limit too high may result in severe damage or impact performance.", "10M" },

+

+    { "MaxHTMLNoTags", "max-htmlnotags", 0, TYPE_SIZE, MATCH_SIZE, CLI_DEFAULT_MAXHTMLNOTAGS, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum size of a normalized HTML file to scan.\nHTML files larger than this value after normalization will not be scanned.\nNegative values are not allowed.\nWARNING: setting this limit too high may result in severe damage or impact performance.", "2M" },

+

+    { "MaxScriptNormalize", "max-scriptnormalize", 0, TYPE_SIZE, MATCH_SIZE, CLI_DEFAULT_MAXSCRIPTNORMALIZE, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum size of a script file to normalize.\nScript content larger than this value will not be normalized or scanned.\nNegative values are not allowed.\nWARNING: setting this limit too high may result in severe damage or impact performance.", "5M" },

+

+    { "MaxZipTypeRcg", "max-ziptypercg", 0, TYPE_SIZE, MATCH_SIZE, CLI_DEFAULT_MAXZIPTYPERCG, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum size of a ZIP file to reanalyze type recognition.\nZIP files larger than this value will skip the step to potentially reanalyze as PE.\nNegative values are not allowed.\nWARNING: setting this limit too high may result in severe damage or impact performance.", "1M" },

+

+    /* OnAccess settings */

     { "ScanOnAccess", NULL, 0, TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD, "This option enables on-access scanning (Linux only)", "no" },

     { "OnAccessIncludePath", NULL, 0, TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option specifies a directory (including all files and directories\ninside it), which should be scanned on access. This option can\nbe used multiple times.", "/home\n/students" },