... | ... |
@@ -253,6 +253,7 @@ void help(void) |
253 | 253 |
mprintf(" --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found\n"); |
254 | 254 |
mprintf(" --phishing-ssl[=yes/no(*)] Always block SSL mismatches in URLs (phishing module)\n"); |
255 | 255 |
mprintf(" --phishing-cloak[=yes/no(*)] Always block cloaked URLs (phishing module)\n"); |
256 |
+ mprintf(" --partition-intersection[=yes/no(*)] Detect partition intersections in raw disk images using heuristics.\n"); |
|
256 | 257 |
mprintf(" --algorithmic-detection[=yes(*)/no] Algorithmic detection\n"); |
257 | 258 |
mprintf(" --scan-pe[=yes(*)/no] Scan PE files\n"); |
258 | 259 |
mprintf(" --scan-elf[=yes(*)/no] Scan ELF files\n"); |
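Review bot: The added `--partition-intersection` help line ends its description with a full stop, while the neighbouring entries in this list (`Stop scanning as soon as a heuristic match is found`, `Scan PE files`) have none. Ending the string with `using heuristics\n");` keeps the `--help` output uniform. The line marks the option as off by default (`no(*)`) but does not say what a user sees when an intersection is found. If it is reported like the other heuristic detections (not visible in this hunk), a few words to that effect would help anyone scanning raw disk images decide whether to turn it on. help() begins and ends outside this hunk.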
... | ... |
@@ -402,6 +402,11 @@ Always block SSL mismatches in URLs, even if the URL isn't in the database. This |
402 | 402 |
.br |
403 | 403 |
Default: no |
404 | 404 |
.TP |
405 |
+\fBPartitionIntersection BOOL\fR |
|
406 |
+Detect partition intersections in raw disk images using heuristics. |
|
407 |
+.br |
|
408 |
+Default: no |
|
409 |
+.TP |
|
405 | 410 |
\fBHeuristicScanPrecedence BOOL\fR |
406 | 411 |
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phishing it will stop scanning immediately. Recommended, saves CPU scan-time. When disabled, virus/phishing detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported. Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option. |
407 | 412 |
.br |
... | ... |
@@ -144,6 +144,9 @@ Block SSL mismatches in URLs (might lead to false positives!). |
144 | 144 |
\fB\-\-phishing\-cloak[=yes/no(*)]\fR |
145 | 145 |
Block cloaked URLs (might lead to some false positives). |
146 | 146 |
.TP |
147 |
+\fB\-\-partition\-intersection[=yes/no(*)]\fR |
|
148 |
+Detect partition intersections in raw disk images using heuristics. |
|
149 |
+.TP |
|
147 | 150 |
\fB\-\-algorithmic\-detection[=yes(*)/no]\fR |
148 | 151 |
In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be used to control the algorithmic detection. |
149 | 152 |
.TP |
... | ... |
@@ -356,6 +356,10 @@ Example |
356 | 356 |
# Default: no |
357 | 357 |
#PhishingAlwaysBlockCloak no |
358 | 358 |
|
359 |
+# Detect partition intersections in raw disk images using heuristics. |
|
360 |
+# Default: no |
|
361 |
+#PartitionIntersection no |
|
362 |
+ |
|
359 | 363 |
# Allow heuristic match to take precedence. |
360 | 364 |
# When enabled, if a heuristic scan (such as phishingScan) detects |
361 | 365 |
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU |
... | ... |
@@ -326,7 +326,7 @@ const struct clam_option __clam_options[] = { |
326 | 326 |
|
327 | 327 |
{ "PhishingAlwaysBlockSSLMismatch", "phishing-ssl", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Always block SSL mismatches in URLs, even if they're not in the database.\nThis feature can lead to false positives.", "" }, |
328 | 328 |
|
329 |
- { "PartitionIntersection", "partition-intersection", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect partition intersections in raw dmgs using heuristics.", "yes" }, |
|
329 |
+ { "PartitionIntersection", "partition-intersection", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect partition intersections in raw disk images using heuristics.", "yes" }, |
|
330 | 330 |
|
331 | 331 |
{ "HeuristicScanPrecedence", "heuristic-scan-precedence", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Allow heuristic match to take precedence.\nWhen enabled, if a heuristic scan (such as phishingScan) detects\na possible virus/phish it will stop scan immediately. Recommended, saves CPU\nscan-time.\nWhen disabled, virus/phish detected by heuristic scans will be reported only\nat the end of a scan. If an archive contains both a heuristically detected\nvirus/phish, and a real malware, the real malware will be reported.\nKeep this disabled if you intend to handle \"*.Heuristics.*\" viruses\ndifferently from \"real\" malware.\nIf a non-heuristically-detected virus (signature-based) is found first,\nthe scan is interrupted immediately, regardless of this config option.", "yes" }, |
332 | 332 |
|
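Review bot: The last field of the changed `PartitionIntersection` entry is `"yes"`, while the help text, both man pages and the sample configuration in this commit all give the default as no (`#PartitionIntersection no`). The `HeuristicScanPrecedence` entry just below has the same shape, so the trailing string is presumably a suggested example value and the sixth field `0` the actual default. The struct definition is outside this hunk, so that should be confirmed. If it holds, a short comment above the entry such as `/* off by default; "yes" is only the suggested value for generated configs */` would stop a reader of the table from assuming the heuristic is enabled out of the box. It would also be worth checking that a generated config and the hand-written sample do not disagree on this option. The `__clam_options` array starts and ends outside this hunk.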