GitList

Browse code

docs: added documentation on partition intersection heuristic

Kevin Lin authored on 2014/03/06 07:36:14
Showing 5 changed files

clamscan/clamscan.c index 68b6538..8ba65e4 100644
docs/man/clamd.conf.5.in index f9e6d78..5fe8ee0 100644
docs/man/clamscan.1.in index 4b90d61..31dcc5f 100644
etc/clamd.conf.sample index 82488ec..8ec1ceb 100644
shared/optparser.c index 47b6d52..75e14a5 100644

@@ -253,6 +253,7 @@ void help(void)
                          mprintf("    --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found\n");
                          mprintf("    --phishing-ssl[=yes/no(*)]           Always block SSL mismatches in URLs (phishing module)\n");
                          mprintf("    --phishing-cloak[=yes/no(*)]         Always block cloaked URLs (phishing module)\n");
                     +    mprintf("    --partition-intersection[=yes/no(*)] Detect partition intersections in raw disk images using heuristics.\n");
                          mprintf("    --algorithmic-detection[=yes(*)/no]  Algorithmic detection\n");
                          mprintf("    --scan-pe[=yes(*)/no]                Scan PE files\n");
                          mprintf("    --scan-elf[=yes(*)/no]               Scan ELF files\n");

docs/man/clamd.conf.5.in

History View file @ e33d837

@@ -402,6 +402,11 @@ Always block SSL mismatches in URLs, even if the URL isn't in the database. This
                      .br
                      Default: no
                      .TP
                     +\fBPartitionIntersection BOOL\fR
                     +Detect partition intersections in raw disk images using heuristics.
                     +.br
                     +Default: no
                     +.TP
                      \fBHeuristicScanPrecedence BOOL\fR
                      Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phishing it will stop scanning immediately. Recommended, saves CPU scan-time. When disabled, virus/phishing detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported. Keep this disabled if you intend to handle "*.Heuristics.*" viruses  differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.
                      .br

docs/man/clamscan.1.in

History View file @ e33d837

@@ -144,6 +144,9 @@ Block SSL mismatches in URLs (might lead to false positives!).
                      \fB\-\-phishing\-cloak[=yes/no(*)]\fR
                      Block cloaked URLs (might lead to some false positives).
                      .TP
                     +\fB\-\-partition\-intersection[=yes/no(*)]\fR
                     +Detect partition intersections in raw disk images using heuristics.
                     +.TP
                      \fB\-\-algorithmic\-detection[=yes(*)/no]\fR
                      In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be used to control the algorithmic detection.
                      .TP

etc/clamd.conf.sample

History View file @ e33d837

@@ -356,6 +356,10 @@ Example
                      # Default: no
                      #PhishingAlwaysBlockCloak no
                     +# Detect partition intersections in raw disk images using heuristics.
                     +# Default: no
                     +#PartitionIntersection no
+                    +
                      # Allow heuristic match to take precedence.
                      # When enabled, if a heuristic scan (such as phishingScan) detects
                      # a possible virus/phish it will stop scan immediately. Recommended, saves CPU

shared/optparser.c

History View file @ e33d837

@@ -326,7 +326,7 @@ const struct clam_option __clam_options[] = {
                          { "PhishingAlwaysBlockSSLMismatch", "phishing-ssl", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Always block SSL mismatches in URLs, even if they're not in the database.\nThis feature can lead to false positives.", "" },
                     -    { "PartitionIntersection", "partition-intersection", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect partition intersections in raw dmgs using heuristics.", "yes" },
                     +    { "PartitionIntersection", "partition-intersection", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect partition intersections in raw disk images using heuristics.", "yes" },
                          { "HeuristicScanPrecedence", "heuristic-scan-precedence", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Allow heuristic match to take precedence.\nWhen enabled, if a heuristic scan (such as phishingScan) detects\na possible virus/phish it will stop scan immediately. Recommended, saves CPU\nscan-time.\nWhen disabled, virus/phish detected by heuristic scans will be reported only\nat the end of a scan. If an archive contains both a heuristically detected\nvirus/phish, and a real malware, the real malware will be reported.\nKeep this disabled if you intend to handle \"*.Heuristics.*\" viruses\ndifferently from \"real\" malware.\nIf a non-heuristically-detected virus (signature-based) is found first,\nthe scan is interrupted immediately, regardless of this config option.", "yes" },