... | ... |
@@ -256,6 +256,7 @@ void help(void) |
256 | 256 |
mprintf(" --phishing-cloak[=yes/no(*)] Always block cloaked URLs (phishing module)\n"); |
257 | 257 |
mprintf(" --partition-intersection[=yes/no(*)] Detect partition intersections in raw disk images using heuristics.\n"); |
258 | 258 |
mprintf(" --algorithmic-detection[=yes(*)/no] Algorithmic detection\n"); |
259 |
+ mprintf(" --normalize[=yes(*)/no] Normalize html, script, and text files. Use normalize=no for yara compatibility.\n"); |
|
259 | 260 |
mprintf(" --scan-pe[=yes(*)/no] Scan PE files\n"); |
260 | 261 |
mprintf(" --scan-elf[=yes(*)/no] Scan ELF files\n"); |
261 | 262 |
mprintf(" --scan-ole2[=yes(*)/no] Scan OLE2 containers\n"); |
... | ... |
@@ -1080,7 +1080,7 @@ int scanmanager(const struct optstruct *opts) |
1080 | 1080 |
if(optget(opts, "scan-swf")->enabled) |
1081 | 1081 |
options |= CL_SCAN_SWF; |
1082 | 1082 |
|
1083 |
- if(optget(opts, "scan-html")->enabled) |
|
1083 |
+ if(optget(opts, "scan-html")->enabled && optget(opts, "normalize")->enabled) |
|
1084 | 1084 |
options |= CL_SCAN_HTML; |
1085 | 1085 |
|
1086 | 1086 |
if(optget(opts, "scan-mail")->enabled) |
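Review bot: With the changed condition, `--normalize=no` clears `CL_SCAN_HTML` entirely, so an explicit `--scan-html=yes` is silently overridden rather than only skipping normalization. Going by the flag's name, HTML-specific scanning as a whole is presumably switched off, which is a loss of detection coverage that the new help line and man-page entry (both mention only yara compatibility) do not tell the operator about. I would add a comment above the test, `/* --normalize=no also clears CL_SCAN_HTML: HTML-specific scanning is disabled, not just normalization */`, and one sentence saying the same in the help and man text. The body of scanmanager continues outside this hunk.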
... | ... |
@@ -149,6 +149,9 @@ Detect partition intersections in raw disk images using heuristics. |
149 | 149 |
.TP |
150 | 150 |
\fB\-\-algorithmic\-detection[=yes(*)/no]\fR |
151 | 151 |
In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be used to control the algorithmic detection. |
152 |
+.TP |
|
153 |
+\fB\-\-normalize[=yes(*)/no]\fR |
|
154 |
+Normalize (compress whitespace, downcase, etc.) html, script, and text files. Use normalize=no for yara compatibility. |
|
152 | 155 |
.TP |
153 | 156 |
\fB\-\-scan\-pe[=yes(*)/no]\fR |
154 | 157 |
PE stands for Portable Executable \- it's an executable file format used in all 32\-bit versions of Windows operating systems. By default ClamAV performs deeper analysis of executable files and attempts to decompress popular executable packers such as UPX, Petite, and FSG. If you turn off this option, the original files will still be scanned but without additional processing. |
... | ... |
@@ -3278,7 +3278,7 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type) |
3278 | 3278 |
case CL_TYPE_TEXT_UTF16LE: |
3279 | 3279 |
case CL_TYPE_TEXT_UTF8: |
3280 | 3280 |
perf_nested_start(ctx, PERFT_SCRIPT, PERFT_SCAN); |
3281 |
- if((DCONF_DOC & DOC_CONF_SCRIPT) && dettype != CL_TYPE_HTML && ret != CL_VIRUS) |
|
3281 |
+ if((DCONF_DOC & DOC_CONF_SCRIPT) && dettype != CL_TYPE_HTML && (ret != CL_VIRUS || SCAN_ALL) && SCAN_HTML) |
|
3282 | 3282 |
ret = cli_scanscript(ctx); |
3283 | 3283 |
if(SCAN_MAIL && (DCONF_MAIL & MAIL_CONF_MBOX) && ret != CL_VIRUS && (ctx->container_type == CL_TYPE_MAIL || dettype == CL_TYPE_MAIL)) { |
3284 | 3284 |
ret = cli_fmap_scandesc(ctx, CL_TYPE_MAIL, 0, NULL, AC_SCAN_VIR, NULL, NULL); |
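Review bot: The new `(ret != CL_VIRUS || SCAN_ALL)` term lets `cli_scanscript()` run after a detection, but the next line still assigns its result straight to `ret`, so a clean script pass can overwrite an earlier `CL_VIRUS`. Whether the earlier hit is still reported then depends on all-match bookkeeping that is not visible here; if `ret` is what callers act on, keep the prior verdict, e.g. `{ int sret = cli_scanscript(ctx); if(sret == CL_VIRUS || ret != CL_VIRUS) ret = sret; }`. The added `&& SCAN_HTML` also means `--scan-html=no` now skips script scanning for these text types, which deserves a one-line comment since the option name does not suggest it. magic_scandesc starts and ends outside this hunk.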
... | ... |
@@ -87,6 +87,7 @@ const struct clam_option __clam_options[] = { |
87 | 87 |
{ NULL, "fdpass", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMDSCAN, "", "" }, |
88 | 88 |
{ NULL, "stream", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMDSCAN, "", "" }, |
89 | 89 |
{ NULL, "allmatch", 'z', CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMSCAN | OPT_CLAMDSCAN, "", "" }, |
90 |
+ { NULL, "normalize", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMSCAN, "Perform HTML, script, and text normalization", "" }, |
|
90 | 91 |
{ NULL, "database", 'd', CLOPT_TYPE_STRING, NULL, -1, DATADIR, FLAG_REQUIRED | FLAG_MULTIPLE, OPT_CLAMSCAN, "", "" }, /* merge it with DatabaseDirectory (and fix conflict with --datadir */ |
91 | 92 |
{ NULL, "recursive", 'r', CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMSCAN, "", "" }, |
92 | 93 |
{ NULL, "gen-mdb", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMSCAN, "Always generate MDB entries for PE sections", "" }, |