@@ -1365,7 +1365,7 @@ static int asn1_parse_countersignature(fmap_t *map, const void **asn1data, unsig

     return 1;

 }

-static cl_error_t asn1_parse_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsigned int size, crtmgr *cmgr, int embedded, const void **hashes, unsigned int *hashes_size, char **certname)

+static cl_error_t asn1_parse_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsigned int size, crtmgr *cmgr, int embedded, const void **hashes, unsigned int *hashes_size, cli_ctx *ctx)

 {

     struct cli_asn1 asn1, deep, deeper;

     uint8_t issuer[SHA1_HASH_SIZE], serial[SHA1_HASH_SIZE];

@@ -1378,7 +1378,7 @@ static cl_error_t asn1_parse_mscat(struct cl_engine *engine, fmap_t *map, size_t

     // md is used to hold the message digest we extract from the signature

     uint8_t md[MAX_HASH_SIZE];

     cli_crt *x509;

-    void *ctx;

+    void *hash_ctx;

     int result;

     cl_error_t ret = CL_EPARSE;

@@ -1589,17 +1589,23 @@ static cl_error_t asn1_parse_mscat(struct cl_engine *engine, fmap_t *map, size_t

                     /* Use &(engine->cmgr) for this check, since we don't copy

                      * blacklist certs into cmgr and so that if there's a

                      * match, we have a long-lived pointer that we can pass

-                     * back indicating the name of the sig that matched (we

-                     * can't just malloc new space for one, since nothing above

-                     * here knows to free it.) */

+                     * back (via cli_append_virus) indicating the name of the

+                     * sigs that matched (we can't just malloc new space for

+                     * one, since nothing above here knows to free it.) */

                     if (NULL != (crt = crtmgr_blacklist_lookup(&(engine->cmgr), x509))) {

                         ret = CL_VIRUS;

-                        cli_dbgmsg("asn1_parse_mscat: Found Authenticode certificate blacklisted by %s\n", (crt->name ? crt->name : "(no name)"));

-                        if (NULL != certname) {

-                            *certname = crt->name ? crt->name : "(no name)";

+                        cli_dbgmsg("asn1_parse_mscat: Found Authenticode certificate blacklisted by %s\n", crt->name ? crt->name : "(unnamed CRB rule)");

+                        if (NULL != ctx) {

+                            ret = cli_append_virus(ctx, crt->name ? crt->name : "(unnamed CRB rule)");

+                            if ((ret == CL_VIRUS) && !SCAN_ALLMATCHES) {

+                                crtmgr_free(&newcerts);

+                                goto finish;

+                            }

                         }

-                        crtmgr_free(&newcerts);

-                        goto finish;

+                        /* In the case where ctx is NULL, we don't care about

+                         * blacklist matches - we are either using this

+                         * function to parse .cat rules that were loaded in,

+                         * or it's sigtool doing cert printing. */

                     }

                     /* NOTE: Since the 'issuer' cli_crt field is required for

@@ -1634,6 +1640,16 @@ static cl_error_t asn1_parse_mscat(struct cl_engine *engine, fmap_t *map, size_t

                     crtmgr_free(&newcerts);

                     break;

                 }

+

+                /* In the SCAN_ALLMATCHES case, we'd get here with

+                 * ret == CL_VIRUS if a match occurred but we wanted

+                 * to keep looping to look for other matches.  In that

+                 * case, bail here. */

+                if (CL_VIRUS == ret) {

+                    crtmgr_free(&newcerts);

+                    break;

+                }

+

                 x509 = newcerts.crts;

                 /* Now look for cases where embedded certs can be trusted

@@ -1928,13 +1944,13 @@ static cl_error_t asn1_parse_mscat(struct cl_engine *engine, fmap_t *map, size_t

             break;

         }

-        if (NULL == (ctx = get_hash_ctx(hashtype))) {

+        if (NULL == (hash_ctx = get_hash_ctx(hashtype))) {

             break;

         }

-        cl_update_hash(ctx, "\x31", 1);

-        cl_update_hash(ctx, (void *)(attrs + 1), attrs_size - 1);

-        cl_finish_hash(ctx, hash);

+        cl_update_hash(hash_ctx, "\x31", 1);

+        cl_update_hash(hash_ctx, (void *)(attrs + 1), attrs_size - 1);

+        cl_finish_hash(hash_ctx, hash);

         if (!fmap_need_ptr_once(map, asn1.content, asn1.size)) {

             cli_dbgmsg("asn1_parse_mscat: failed to read encryptedDigest\n");

@@ -2267,7 +2283,7 @@ int asn1_load_mscat(fmap_t *map, struct cl_engine *engine)

  *

  * If CL_VIRUS is returned, certname will be set to the certname of blacklist

  * rule that matched (unless certname is NULL). */

-cl_error_t asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsigned int size, struct cli_mapped_region *regions, uint32_t nregions, char **certname)

+cl_error_t asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsigned int size, struct cli_mapped_region *regions, uint32_t nregions, cli_ctx *ctx)

 {

     unsigned int content_size;

     struct cli_asn1 c;

@@ -2277,15 +2293,9 @@ cl_error_t asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset

     const void *content;

     crtmgr certs;

     int ret;

-    void *ctx;

+    void *hash_ctx;

     unsigned int i;

-    // TODO Move these into cli_check_auth_header

-    if (!(engine->dconf->pe & PE_CONF_CERTS))

-        return CL_EVERIFY;

-    if (engine->engine_options & ENGINE_OPTIONS_DISABLE_PE_CERTS)

-        return CL_EVERIFY;

-

     cli_dbgmsg("in asn1_check_mscat (offset: %llu)\n", (long long unsigned)offset);

     crtmgr_init(&certs);

     /* Get a copy of all certs in the trust store, excluding blacklist certs */

@@ -2293,7 +2303,7 @@ cl_error_t asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset

         crtmgr_free(&certs);

         return CL_EVERIFY;

     }

-    ret = asn1_parse_mscat(engine, map, offset, size, &certs, 1, &content, &content_size, certname);

+    ret = asn1_parse_mscat(engine, map, offset, size, &certs, 1, &content, &content_size, ctx);

     crtmgr_free(&certs);

     if (CL_CLEAN != ret)

         return ret;

@@ -2325,7 +2335,7 @@ cl_error_t asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset

         return CL_EPARSE;

     }

-    if (NULL == (ctx = get_hash_ctx(hashtype))) {

+    if (NULL == (hash_ctx = get_hash_ctx(hashtype))) {

         return CL_EPARSE;

     }

@@ -2340,10 +2350,10 @@ cl_error_t asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset

             return CL_EVERIFY;

         }

-        cl_update_hash(ctx, hptr, regions[i].size);

+        cl_update_hash(hash_ctx, hptr, regions[i].size);

     }

-    cl_finish_hash(ctx, hash);

+    cl_finish_hash(hash_ctx, hash);

     if (cli_debug_flag) {

         char hashtxt[MAX_HASH_SIZE * 2 + 1];

@@ -31,6 +31,6 @@ struct cli_mapped_region {

 };

 int asn1_load_mscat(fmap_t *map, struct cl_engine *engine);

-cl_error_t asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsigned int size, struct cli_mapped_region *regions, uint32_t nregions, char **certname);

+cl_error_t asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsigned int size, struct cli_mapped_region *regions, uint32_t nregions, cli_ctx *ctx);

 #endif

@@ -983,12 +983,7 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

      * If we want to add support for more signature parsing in the future

      * (Ex: MachO sigs), do that here too. */

     if (1 == info.status && i == 1) {

-        char *certname = NULL;

-        ret            = cli_check_auth_header(ctx, &(info.exeinfo), &certname);

-

-        if (CL_VIRUS == ret) {

-            ret = cli_append_virus(ctx, certname);

-        }

+        ret = cli_check_auth_header(ctx, &(info.exeinfo));

         if ((ret == CL_VIRUS || ret == CL_VERIFIED) && !SCAN_ALLMATCHES) {

             cli_targetinfo_destroy(&info);

@@ -5510,11 +5510,11 @@ static int sort_sects(const void *first, const void *second)

  * 

  * CL_VERIFIED will be returned if the file was whitelisted based on its

  * signature.  CL_VIRUS will be returned if the file was blacklisted based on

- * its signature.  Otherwise, an cl_error_t error value will be returned.

+ * its signature.  Otherwise, a cl_error_t error value will be returned.

  * 

- * If CL_VIRUS is returned, certname will be set to the certname of blacklist

- * rule that matched (unless certname is NULL). */

-cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo, char **certname)

+ * If CL_VIRUS is returned, cli_append_virus will get called, adding the

+ * name associated with the blacklist CRB rules to the list of found viruses.*/

+cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo)

 {

     size_t at;

     unsigned int i, hlen;

@@ -5530,12 +5530,13 @@ cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo, char

     uint32_t sec_dir_size;

     struct cli_exe_info _peinfo;

-    // If Authenticode parsing has been disabled via DCONF, then don't

-    // continue on.

-    // TODO This should probably be named PE_CONF_AUTHENTICODE instead

-    // of PE_CONF_CATALOG

-    if (!(DCONF & PE_CONF_CATALOG))

-        return CL_EFORMAT;

+    // If Authenticode parsing has been disabled via DCONF or an engine

+    // option, then don't continue on.

+    if (!(DCONF & PE_CONF_CERTS))

+        return CL_EVERIFY;

+

+    if (ctx->engine->engine_options & ENGINE_OPTIONS_DISABLE_PE_CERTS)

+        return CL_EVERIFY;

     // If peinfo is NULL, initialize one.  This makes it so that this function

     // can be used easily by sigtool

@@ -5659,7 +5660,7 @@ cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo, char

         at = sec_dir_offset + sizeof(cert_hdr);

         hlen -= sizeof(cert_hdr);

-        ret = asn1_check_mscat((struct cl_engine *)(ctx->engine), map, at, hlen, regions, nregions, certname);

+        ret = asn1_check_mscat((struct cl_engine *)(ctx->engine), map, at, hlen, regions, nregions, ctx);

         if (CL_VERIFIED == ret) {

             // We validated the embedded signature.  Hooray!

@@ -98,7 +98,7 @@ enum {

 int cli_pe_targetinfo(fmap_t *map, struct cli_exe_info *peinfo);

 int cli_peheader(fmap_t *map, struct cli_exe_info *peinfo, uint32_t opts, cli_ctx *ctx);

-cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo, char **certname);

+cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo);

 int cli_genhash_pe(cli_ctx *ctx, unsigned int class, int type, stats_section_t *hashes);

 uint32_t cli_rawaddr(uint32_t, const struct cli_exe_section *, uint16_t, unsigned int *, size_t, uint32_t);

@@ -2939,6 +2939,16 @@ static int cli_loadcrt(FILE *fs, struct cl_engine *engine, struct cli_dbio *dbio

     char *subject = NULL, *pubkey = NULL, *serial = NULL;

     const uint8_t exp[] = "\x01\x00\x01";

+    if (!(engine->dconf->pe & PE_CONF_CERTS)) {

+        cli_dbgmsg("cli_loadcrt: Ignoring .crb sigs due to DCONF configuration\n");

+        return ret;

+    }

+

+    if (engine->engine_options & ENGINE_OPTIONS_DISABLE_PE_CERTS) {

+        cli_dbgmsg("cli_loadcrt: Ignoring .crb sigs due to engine options\n");

+        return ret;

+    }

+

     cli_crt_init(&ca);

     memset(ca.issuer, 0xca, sizeof(ca.issuer));

@@ -3105,6 +3115,19 @@ static int cli_loadmscat(FILE *fs, const char *dbname, struct cl_engine *engine,

     UNUSEDPARAM(options);

     UNUSEDPARAM(dbio);

+    /* If loading in signatures stored in .cat files is disabled, then skip.

+     * If Authenticoded signature parsing in general is disabled, then also

+     * skip. */

+    if (!(engine->dconf->pe & PE_CONF_CATALOG) || !(engine->dconf->pe & PE_CONF_CERTS)) {

+        cli_dbgmsg("cli_loadmscat: Ignoring .cat sigs due to DCONF configuration\n");

+        return 0;

+    }

+

+    if (engine->engine_options & ENGINE_OPTIONS_DISABLE_PE_CERTS) {

+        cli_dbgmsg("cli_loadmscat: Ignoring .cat sigs due to engine options\n");

+        return 0;

+    }

+

     if (!(map = fmap(fileno(fs), 0, 0))) {

         cli_dbgmsg("Can't map cat: %s\n", dbname);

         return 0;

@@ -3455,7 +3455,7 @@ static int dumpcerts(const struct optstruct *opts)

         return -1;

     }

-    ret = cli_check_auth_header(&ctx, NULL, NULL);

+    ret = cli_check_auth_header(&ctx, NULL);

     switch (ret) {

         case CL_VERIFIED: