@@ -1083,6 +1083,22 @@ const char *cl_error_t_to_string(cl_error_t clerror)

     }

 }

+const char *cl_verdict_t_to_string(cl_verdict_t verdict)

+{

+    switch (verdict) {

+        case CL_VERDICT_NOTHING_FOUND:

+            return "CL_VERDICT_NOTHING_FOUND";

+        case CL_VERDICT_TRUSTED:

+            return "CL_VERDICT_TRUSTED";

+        case CL_VERDICT_STRONG_INDICATOR:

+            return "CL_VERDICT_STRONG_INDICATOR";

+        case CL_VERDICT_POTENTIALLY_UNWANTED:

+            return "CL_VERDICT_POTENTIALLY_UNWANTED";

+        default:

+            return "Unknown verdict value";

+    }

+}

+

 cl_error_t pre_hash_callback(cl_scan_layer_t *layer, void *context)

 {

     cl_error_t status;

@@ -1206,6 +1222,23 @@ static void printBytes(uint64_t bytes)

     }

 }

+int file_props_callback(const char *j_propstr, int rc, void *context)

+{

+    (void)context; // Unused in this example

+

+    printf("\n⭐In FILE_PROPS callback⭐\n");

+

+    if (j_propstr) {

+        printf("%s\n", j_propstr);

+    }

+

+    printf("Metadata JSON Return Code: %s (%d)\n", cl_error_t_to_string((cl_error_t)rc), rc);

+

+    // Pass through the return code so as not to alter the scan return code.

+    // A real application might want to handle this differently.

+    return rc;

+}

+

 /*

  * Exit codes:

  *  0: clean

@@ -1226,6 +1259,9 @@ int main(int argc, char **argv)

     const char *hash_hint       = NULL;

     const char *hash_alg        = NULL;

     const char *file_type_hint  = NULL;

+    bool allmatch               = true;

+    bool gen_json               = false;

+    bool debug_mode             = false;

     script_context_t *script_context = NULL;

@@ -1248,16 +1284,18 @@ int main(int argc, char **argv)

         "Example: %s -d /path/to/clamav.db -f /path/to/file.txt\n"

         "\n"

         "Options:\n"

-        "--help (-h)      : Help message.\n"

-        "--database (-d)  : Path to the ClamAV database.\n"

-        "--file (-f)      : Path to the file to scan.\n"

-        "--hash_hint      : (optional) Hash of file to scan.\n"

-        "--hash_alg       : (optional) Hash algorithm of hash_hint.\n"

-        "                   Will also change the hash algorithm reported at end of scan.\n"

-        "--file_type_hint : (optional) File type hint for the file to scan.\n"

-        "--script         : (optional) Path for non-interactive test script.\n"

-        "                   Script must be a new-line delimited list of integers from 1-to-5\n"

-        "                   Corresponding to the interactive scan options.\n"

+        "--help (-h)                : Help message.\n"

+        "--database (-d) FILE       : Path to the ClamAV database.\n"

+        "--file (-f)     FILE       : Path to the file to scan.\n"

+        "--hash-hint     HASH       : (optional) Hash of file to scan.\n"

+        "--hash-alg      ALGORITHM  : (optional) Hash algorithm of hash-hint.\n"

+        "                             Will also change the hash algorithm reported at end of scan.\n"

+        "--file-type-hint CL_TYPE_* : (optional) File type hint for the file to scan.\n"

+        "--script        FILE       : (optional) Path for non-interactive test script.\n"

+        "                             Script must be a new-line delimited list of integers from 1-to-5\n"

+        "                             Corresponding to the interactive scan options.\n"

+        "--one-match (-1)           : Disable allmatch (stops scans after one match).\n"

+        "--gen-json                 : Generate scan metadata JSON.\n"

         "\n"

         "Scripted scan options are:\n"

         "%s";

@@ -1276,15 +1314,24 @@ int main(int argc, char **argv)

         } else if (strcmp(argv[i], "--script") == 0) {

             script_filepath = argv[++i];

             printf("Script file: %s\n", script_filepath);

-        } else if (strcmp(argv[i], "--hash_hint") == 0) {

+        } else if (strcmp(argv[i], "--hash-hint") == 0) {

             hash_hint = argv[++i];

             printf("Hash hint: %s\n", hash_hint);

-        } else if (strcmp(argv[i], "--hash_alg") == 0) {

+        } else if (strcmp(argv[i], "--hash-alg") == 0) {

             hash_alg = argv[++i];

             printf("Hash algorithm: %s\n", hash_alg);

-        } else if (strcmp(argv[i], "--file_type_hint") == 0) {

+        } else if (strcmp(argv[i], "--file-type-hint") == 0) {

             file_type_hint = argv[++i];

             printf("File type hint: %s\n", file_type_hint);

+        } else if (strcmp(argv[i], "--one-match") == 0 || strcmp(argv[i], "-1") == 0) {

+            allmatch = false;

+            printf("Disabling allmatch (stops scans after one match).\n");

+        } else if (strcmp(argv[i], "--gen-json") == 0) {

+            gen_json = true;

+            printf("Enabling scan metadata JSON feature.\n");

+        } else if (strcmp(argv[i], "--debug") == 0) {

+            debug_mode = true;

+            printf("Enabling debug mode.\n");

         } else {

             printf("Unknown option: %s\n", argv[i]);

             printf(help_string, argv[0], argv[0], command_list);

@@ -1321,6 +1368,10 @@ int main(int argc, char **argv)

         goto done;

     }

+    if (debug_mode) {

+        cl_debug();

+    }

+

     if (!(engine = cl_engine_new())) {

         printf("Can't create new engine\n");

         goto done;

@@ -1352,10 +1403,14 @@ int main(int argc, char **argv)

     /* Enable all parsers plus heuristics, allmatch, and the gen-json metadata feature. */

     memset(&options, 0, sizeof(struct cl_scan_options));

-    options.parse |= ~0;                                 /* enable all parsers */

-    options.general |= CL_SCAN_GENERAL_HEURISTICS;       /* enable heuristic alert options */

-    options.general |= CL_SCAN_GENERAL_ALLMATCHES;       /* run in all-match mode, so it keeps looking for alerts after the first one */

-    options.general |= CL_SCAN_GENERAL_COLLECT_METADATA; /* collect metadata may enable collecting additional filenames (like in zip) */

+    options.parse |= ~0;                           /* enable all parsers */

+    options.general |= CL_SCAN_GENERAL_HEURISTICS; /* enable heuristic alert options */

+    if (allmatch) {

+        options.general |= CL_SCAN_GENERAL_ALLMATCHES; /* run in all-match mode, so it keeps looking for alerts after the first one */

+    }

+    if (gen_json) {

+        options.general |= CL_SCAN_GENERAL_COLLECT_METADATA; /* collect metadata may enable collecting additional filenames (like in zip) */

+    }

     /*

      * Set our callbacks.

@@ -1365,11 +1420,12 @@ int main(int argc, char **argv)

     cl_engine_set_scan_callback(engine, &post_scan_callback, CL_SCAN_CALLBACK_POST_SCAN);

     cl_engine_set_scan_callback(engine, &alert_callback, CL_SCAN_CALLBACK_ALERT);

     cl_engine_set_scan_callback(engine, &file_type_callback, CL_SCAN_CALLBACK_FILE_TYPE);

+    if (gen_json) {

+        cl_engine_set_clcb_file_props(engine, &file_props_callback);

+    }

     printf("Testing scan layer callbacks on: %s (fd: %d)\n", filename, target_fd);

-    // cl_debug();

-

     /*

      * Run the scan.

      * Note that the callbacks will be called during this function.

@@ -1405,22 +1461,9 @@ int main(int argc, char **argv)

     } else {

         printf("No file type provided for this file.\n");

     }

-    switch (verdict) {

-        case CL_VERDICT_NOTHING_FOUND: {

-            printf("Verdict:      Nothing found.\n");

-        } break;

-

-        case CL_VERDICT_TRUSTED: {

-            printf("Verdict:      Trusted.\n");

-        } break;

-

-        case CL_VERDICT_STRONG_INDICATOR: {

-            printf("Verdict:      Found Strong Indicator: %s\n", alert_name);

-        } break;

-

-        case CL_VERDICT_POTENTIALLY_UNWANTED: {

-            printf("Verdict:      Found Potentially Unwanted Indicator: %s\n", alert_name);

-        } break;

+    printf("Verdict:      %s\n", cl_verdict_t_to_string(verdict));

+    if (alert_name) {

+        printf("Alert Name:   %s\n", alert_name);

     }

     printf("Return Code:  %s (%d)\n", cl_error_t_to_string(ret), ret);

@@ -1123,9 +1123,9 @@ extern void cl_engine_set_clcb_pre_scan(struct cl_engine *engine, clcb_pre_scan

  * @param result    The scan result for the file.

  * @param virname   A signature name if there was one or more matches.

  * @param context   Opaque application provided data.

- * @return          Scan result is not overridden.

- * @return          CL_BREAK = Allowed by callback - scan result is set to CL_CLEAN.

- * @return          Blocked by callback - scan result is set to CL_VIRUS.

+ * @return          CL_CLEAN = File is scanned.

+ * @return          CL_BREAK = Allowed by callback - file is skipped and marked as clean.

+ * @return          CL_VIRUS = Blocked by callback - file is skipped and marked as infected.

  */

 typedef cl_error_t (*clcb_post_scan)(int fd, int result, const char *virname, void *context);

 /**

@@ -4302,6 +4302,7 @@ void emax_reached(cli_ctx *ctx)

 static cl_error_t dispatch_file_inspection_callback(clcb_file_inspection cb, cli_ctx *ctx, const char *filetype)

 {

     cl_error_t status = CL_CLEAN;

+    cl_error_t append_ret;

     int fd              = -1;

     uint32_t fmap_index = ctx->recursion_level; /* index of current file */

@@ -4347,18 +4348,24 @@ static cl_error_t dispatch_file_inspection_callback(clcb_file_inspection cb, cli

     switch (status) {

         case CL_BREAK:

-            cli_dbgmsg("dispatch_file_inspection_callback: scan cancelled by callback\n");

-            status = CL_BREAK;

+            cli_dbgmsg("dispatch_file_inspection_callback: file trusted by callback\n");

+

+            // Remove any evidence for this layer and set the verdict to trusted.

+            (void)cli_trust_this_layer(ctx);

+

             break;

         case CL_VIRUS:

             cli_dbgmsg("dispatch_file_inspection_callback: file blocked by callback\n");

-            cli_append_virus(ctx, "Detected.By.Callback.Inspection");

-            status = CL_VIRUS;

+            append_ret = cli_append_virus(ctx, "Detected.By.Callback.Inspection");

+            if (append_ret == CL_VIRUS) {

+                status = CL_VIRUS;

+            }

             break;

-        case CL_CLEAN:

+        case CL_SUCCESS:

+            // No action requested by callback. Keep scanning.

             break;

         default:

-            status = CL_CLEAN;

+            status = CL_SUCCESS;

             cli_warnmsg("dispatch_file_inspection_callback: ignoring bad return code from callback\n");

     }

@@ -4371,6 +4378,7 @@ done:

 static cl_error_t dispatch_prescan_callback(clcb_pre_scan cb, cli_ctx *ctx, const char *filetype)

 {

     cl_error_t status = CL_CLEAN;

+    cl_error_t append_ret;

     if (cb) {

         perf_start(ctx, PERFT_PRECB);

@@ -4388,12 +4396,16 @@ static cl_error_t dispatch_prescan_callback(clcb_pre_scan cb, cli_ctx *ctx, cons

                 break;

             case CL_VIRUS:

                 cli_dbgmsg("dispatch_prescan_callback: file blocked by callback\n");

-                status = cli_append_virus(ctx, "Detected.By.Callback");

+                append_ret = cli_append_virus(ctx, "Detected.By.Callback");

+                if (append_ret == CL_VIRUS) {

+                    status = CL_VIRUS;

+                }

                 break;

-            case CL_CLEAN:

+            case CL_SUCCESS:

+                // No action requested by callback. Keep scanning.

                 break;

             default:

-                status = CL_CLEAN;

+                status = CL_SUCCESS;

                 cli_warnmsg("dispatch_prescan_callback: ignoring bad return code from callback\n");

         }

     }

@@ -4552,38 +4564,40 @@ done:

 cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

 {

-    cl_error_t ret                     = CL_CLEAN;

+    cl_error_t status = CL_SUCCESS;

+    cl_error_t ret;

+

     cl_error_t cache_check_result      = CL_VIRUS;

     cl_verdict_t verdict_at_this_level = CL_VERDICT_NOTHING_FOUND;

     bool cache_enabled              = true;

-    cli_file_t dettype              = 0;

+    cli_file_t dettype              = CL_TYPE_ANY;

     uint8_t typercg                 = 1;

     bitset_t *old_hook_lsig_matches = NULL;

     const char *filetype;

     if (!ctx->engine) {

         cli_errmsg("CRITICAL: engine == NULL\n");

-        ret = CL_ENULLARG;

+        status = CL_ENULLARG;

         goto early_ret;

     }

     if (!(ctx->engine->dboptions & CL_DB_COMPILED)) {

         cli_errmsg("CRITICAL: engine not compiled\n");

-        ret = CL_EMALFDB;

+        status = CL_EMALFDB;

         goto early_ret;

     }

     if (ctx->fmap->len <= 5) {

-        ret = CL_CLEAN;

+        status = CL_SUCCESS;

         cli_dbgmsg("cli_magic_scan: File is too small (%zu bytes), ignoring.\n", ctx->fmap->len);

         goto early_ret;

     }

-    if (cli_updatelimits(ctx, ctx->fmap->len) != CL_CLEAN) {

+    if (cli_updatelimits(ctx, ctx->fmap->len) != CL_SUCCESS) {

         emax_reached(ctx);

-        ret = CL_CLEAN;

-        cli_dbgmsg("cli_magic_scan: returning %d %s (no post, no cache)\n", ret, __AT__);

+        status = CL_SUCCESS;

+        cli_dbgmsg("cli_magic_scan: returning %d %s (no post, no cache)\n", status, __AT__);

         goto early_ret;

     }

@@ -4604,9 +4618,9 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

     }

     perf_stop(ctx, PERFT_FT);

     if (type == CL_TYPE_ERROR) {

-        ret = CL_EREAD;

+        status = CL_EREAD;

         cli_dbgmsg("cli_magic_scan: cli_determine_fmap_type returned CL_TYPE_ERROR\n");

-        cli_dbgmsg("cli_magic_scan: returning %d %s (no post, no cache)\n", ret, __AT__);

+        cli_dbgmsg("cli_magic_scan: returning %d %s (no post, no cache)\n", status, __AT__);

         goto early_ret;

     }

     filetype = cli_ftname(type);

@@ -4615,8 +4629,9 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

     ret = cli_recursion_stack_change_type(ctx, type, true /* ? */);

     if (CL_SUCCESS != ret) {

         cli_dbgmsg("cli_magic_scan: cli_recursion_stack_change_type returned %d\n", ret);

-        cli_dbgmsg("cli_magic_scan: returning %d %s (no post, no cache)\n", ret, __AT__);

-        goto early_ret;

+        // We must go to done here (and not early_ret), because `ret` needs to be tidied up before returning.

+        status = ret;

+        goto done;

     }

     /*

@@ -4624,6 +4639,7 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

      */

     ret = cli_dispatch_scan_callback(ctx, CL_SCAN_CALLBACK_PRE_HASH);

     if (CL_SUCCESS != ret) {

+        status = ret;

         goto done;

     }

@@ -4632,6 +4648,7 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

      */

     ret = dispatch_prescan_callback(ctx->engine->cb_pre_cache, ctx, filetype);

     if (CL_VERIFIED == ret || CL_VIRUS == ret) {

+        status = ret;

         goto done;

     }

@@ -4645,6 +4662,7 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

         } else {

             ret = CL_CLEAN;

         }

+        status = ret;

         goto done;

     }

@@ -4670,6 +4688,7 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

                 ret = fmap_will_need_hash_later(ctx->fmap, hash_type);

                 if (CL_SUCCESS != ret) {

                     cli_dbgmsg("cli_check_fp: Failed to set fmap to need the %s hash later\n", cli_hash_name(hash_type));

+                    status = ret;

                     goto done;

                 }

             }

@@ -4686,7 +4705,7 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

                     cli_dbgmsg("cli_magic_scan: Failed to get a hash for the current fmap.\n");

                     // It may be that the file was truncated between the time we started the scan and the time we got the hash.

                     // Not a reason to print an error message.

-                    ret = CL_SUCCESS;

+                    status = CL_SUCCESS;

                     goto done;

                 }

@@ -4698,8 +4717,9 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

                 ret = cli_jsonstr(ctx->this_layer_metadata_json, cli_hash_name(hash_type), hash_string);

                 if (ret != CL_SUCCESS) {

-                    cli_dbgmsg("cli_magic_scan: returning %d %s (no post, no cache)\n", ret, __AT__);

-                    goto early_ret;

+                    cli_dbgmsg("cli_magic_scan: Failed to store the %s hash in the metadata JSON.\n", cli_hash_name(hash_type));

+                    status = ret;

+                    goto done;

                 }

             }

         }

@@ -4715,8 +4735,10 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

     }

     if (cache_enabled && (cache_check_result != CL_VIRUS)) {

-        ret = CL_SUCCESS;

-        cli_dbgmsg("cli_magic_scan: returning %d %s (no post, no cache)\n", ret, __AT__);

+        status = CL_SUCCESS;

+        cli_dbgmsg("cli_magic_scan: returning %d %s (no post, no cache)\n", status, __AT__);

+        // We can go to early_ret here, because we know status is CL_SUCCESS, and we obviously add to the cache.

+        // This does mean, however, that we do not run the post-scan callback for layers that are cached.

         goto early_ret;

     }

@@ -4729,6 +4751,7 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

      */

     ret = cli_dispatch_scan_callback(ctx, CL_SCAN_CALLBACK_PRE_SCAN);

     if (CL_SUCCESS != ret) {

+        status = ret;

         goto done;

     }

@@ -4737,13 +4760,14 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

      */

     ret = dispatch_prescan_callback(ctx->engine->cb_pre_scan, ctx, filetype);

     if (CL_VERIFIED == ret || CL_VIRUS == ret) {

+        status = ret;

         goto done;

     }

     // If none of the scan options are enabled, then we can skip parsing and just do a raw pattern match.

     // For this check, we don't care if the CL_SCAN_GENERAL_ALLMATCHES option is enabled, hence the `~`.

     if (!((ctx->options->general & ~CL_SCAN_GENERAL_ALLMATCHES) || (ctx->options->parse) || (ctx->options->heuristic) || (ctx->options->mail) || (ctx->options->dev))) {

-        ret = cli_scan_fmap(ctx, CL_TYPE_ANY, false, NULL, AC_SCAN_VIR, NULL);

+        status = cli_scan_fmap(ctx, CL_TYPE_ANY, false, NULL, AC_SCAN_VIR, NULL);

         // It doesn't matter what was returned, always go to the end after this. Raw mode! No parsing files!

         goto done;

     }

@@ -4752,7 +4776,7 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

     // The ctx one is NULL at present.

     ctx->hook_lsig_matches = cli_bitset_init();

     if (NULL == ctx->hook_lsig_matches) {

-        ret = CL_EMEM;

+        status = CL_EMEM;

         goto done;

     }

@@ -4765,7 +4789,7 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

         // Evaluate the result from the scan to see if it end the scan of this layer early,

         // and to decid if we should propagate an error or not.

-        if (result_should_goto_done(ctx, ret, &ret)) {

+        if (result_should_goto_done(ctx, ret, &status)) {

             goto done;

         }

     }

@@ -5196,7 +5220,7 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

     // Evaluate the result from the parsers to see if it end the scan of this layer early,

     // and to decide if we should propagate an error or not.

-    if (result_should_goto_done(ctx, ret, &ret)) {

+    if (result_should_goto_done(ctx, ret, &status)) {

         goto done;

     }

@@ -5228,7 +5252,7 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)

         // Evaluate the result from the scan to see if it end the scan of this layer early,

         // and to decid if we should propagate an error or not.

-        if (result_should_goto_done(ctx, ret, &ret)) {

+        if (result_should_goto_done(ctx, ret, &status)) {

             goto done;

         }

     }

@@ -5350,17 +5374,22 @@ done:

      * Run the post_scan callback.

      */

     ret = cli_dispatch_scan_callback(ctx, CL_SCAN_CALLBACK_POST_SCAN);

+    if (CL_SUCCESS != ret) {

+        cli_dbgmsg("cli_magic_scan: POST_SCAN callback returned %d\n", ret);

+        status = ret;

+    }

     // Filter the result from the parsers so we don't propagate non-fatal errors.

-    // And to convert CL_VERIFIED -> CL_CLEAN

-    (void)result_should_goto_done(ctx, ret, &ret);

+    // And to convert CL_VERIFIED -> CL_SUCCESS

+    (void)result_should_goto_done(ctx, status, &status);

     /*

      * Run the deprecated post-scan callback (if one exists) and provide the verdict for this layer.

      */

-    cli_dbgmsg("cli_magic_scan: returning %d %s\n", ret, __AT__);

+    cli_dbgmsg("cli_magic_scan: returning %d %s\n", status, __AT__);

     if (ctx->engine->cb_post_scan) {

         cl_error_t callback_ret;

+        cl_error_t append_ret;

         const char *virusname = NULL;

         // Get the last signature that matched (if any).

@@ -5375,23 +5404,34 @@ done:

         switch (callback_ret) {

             case CL_BREAK:

                 cli_dbgmsg("cli_magic_scan: file allowed by post_scan callback\n");

-                ret = CL_CLEAN;

+

+                // Remove any evidence for this layer and set the verdict to trusted.

+                (void)cli_trust_this_layer(ctx);

+

+                //status = CL_SUCCESS; // Do override the status here.

+                // If status == CL_VIRUS, we'll fix when we look at the verdict.

                 break;

             case CL_VIRUS:

                 cli_dbgmsg("cli_magic_scan: file blocked by post_scan callback\n");

-                callback_ret = cli_append_virus(ctx, "Detected.By.Callback");

-                if (callback_ret == CL_VIRUS) {

-                    ret = CL_VIRUS;

+                append_ret = cli_append_virus(ctx, "Detected.By.Callback");

+                if (append_ret == CL_VIRUS) {

+                    status = CL_VIRUS;

                 }

                 break;

-            case CL_CLEAN:

+            case CL_SUCCESS:

+                // No action requested by callback. Keep scanning.

                 break;

             default:

-                ret = CL_CLEAN;

+                //status = CL_SUCCESS; // Do override the status here, just log a warning.

                 cli_warnmsg("cli_magic_scan: ignoring bad return code from post_scan callback\n");

         }

     }

+    /*

+     * Check the verdict for this layer.

+     * If the verdict is CL_VERDICT_TRUSTED, remove any evidence for this layer and clear CL_VIRUS status (if set)

+     * Otherwise, we'll update the verdict based on the evidence.

+     */

     if (CL_VERDICT_TRUSTED == ctx->recursion_stack[ctx->recursion_level].verdict) {

         /* Remove any alerts for this layer. */

         if (NULL != ctx->recursion_stack[ctx->recursion_level].evidence) {

@@ -5399,6 +5439,9 @@ done:

             ctx->recursion_stack[ctx->recursion_level].evidence = NULL;

             ctx->this_layer_evidence                            = NULL;

         }

+        if (CL_VIRUS == status) {

+            status = CL_SUCCESS; // If we have a CL_VERDICT_TRUSTED, we should not return CL_VIRUS.

+        }

     } else {

         /*

          * Update the verdict for this layer based on the scan results.

@@ -5437,7 +5480,7 @@ early_ret:

         ctx->hook_lsig_matches = old_hook_lsig_matches;

     }

-    return ret;

+    return status;

 }

 cl_error_t cli_magic_scan_desc_type(int desc, const char *filepath, cli_ctx *ctx, cli_file_t type,

@@ -9,16 +9,18 @@ For reference:

     Example: ./install/bin/ex_scan_callbacks -d /path/to/clamav.db -f /path/to/file.txt

     Options:

-    --help (-h)      : Help message.

-    --database (-d)  : Path to the ClamAV database.

-    --file (-f)      : Path to the file to scan.

-    --hash_hint      : (optional) Hash of file to scan.

-    --hash_alg       : (optional) Hash algorithm of hash_hint.

-                    Will also change the hash algorithm reported at end of scan.

-    --file_type_hint : (optional) File type hint for the file to scan.

-    --script         : (optional) Path for non-interactive test script.

-                    Script must be a new-line delimited list of integers from 1-to-5

-                    Corresponding to the interactive scan options.

+    --help (-h)                : Help message.

+    --database (-d) FILE       : Path to the ClamAV database.

+    --file (-f)     FILE       : Path to the file to scan.

+    --hash-hint     HASH       : (optional) Hash of file to scan.

+    --hash-alg      ALGORITHM  : (optional) Hash algorithm of hash-hint.

+                                 Will also change the hash algorithm reported at end of scan.

+    --file-type-hint CL_TYPE_* : (optional) File type hint for the file to scan.

+    --script        FILE       : (optional) Path for non-interactive test script.

+                                 Script must be a new-line delimited list of integers from 1-to-5

+                                 Corresponding to the interactive scan options.

+    --one-match (-1)           : Disable allmatch (stops scans after one match).

+    --gen-json                 : Generate scan metadata JSON.

     Scripted scan options are:

     1  - Return CL_BREAK to abort scanning. Will still encounter POST_SCAN-callbacks on the way out.

@@ -32,6 +34,7 @@ For reference:

     9  - Get sha1 hash. Does not return from the callback!

     10 - Get sha2-256 hash. Does not return from the callback!

     11 - Print all hashes that have already been calculated. Does not return from the callback!

+

 """

 import os

@@ -176,7 +179,7 @@ class TC(testcase.TestCase):

                 'Data scanned: 948 B',

                 'Hash:         21495c3a579d537dc63b0df710f63e60a0bfbc74d1c2739a313dbd42dd31e1fa',

                 'File Type:    CL_TYPE_ZIP',

-                'Verdict:      Found Strong Indicator',

+                'Verdict:      CL_VERDICT_STRONG_INDICATOR',

                 'Return Code:  CL_SUCCESS (0)',

             ]

@@ -188,7 +191,7 @@ class TC(testcase.TestCase):

         )

         output = self.execute_command(command)

-        # Check for success

+        # Check for CL_SUCCESS return code

         assert output.ec == 0

         # Custom logic to verify the output making sure that all expected results are found in the output in order.

@@ -204,6 +207,125 @@ class TC(testcase.TestCase):

             remaining_output = parts[1]

+    def test_cl_scan_callbacks_clam_zip_basic_one_match(self):

+        self.step_name('Same as basic test with clam.zip that just keeps scanning--but disables allmatch mode.')

+

+        # Notably, the return code at the end should be CL_VIRUS (1) instead of CL_SUCCESS (0).

+        # This is because the reason the scan ended "early" is because of the alert in the clam.exe file.

+

+        path_db = TC.path_source / 'unit_tests' / 'input' / 'clamav.hdb'

+

+        # Build up expected results as we define the test script.

+        expected_results = []

+

+        test_script = TC.path_tmp / 'zip_basic.txt'

+        with open(test_script, 'w') as f:

+            expected_results += [

+                'In FILE_TYPE callback',

+                'Recursion Level:    0',

+                'File Name:          clam.zip',

+                'File Type:          CL_TYPE_ZIP',

+            ]

+            f.write('2\n') # Return CL_SUCCESS to keep scanning

+

+            expected_results += [

+                'In PRE_HASH callback',

+                'Recursion Level:    0',

+                'File Name:          clam.zip',

+                'File Type:          CL_TYPE_ZIP',

+            ]

+            f.write('2\n') # Return CL_SUCCESS to keep scanning

+

+            expected_results += [

+                'In PRE_SCAN callback',

+                'Recursion Level:    0',

+                'File Name:          clam.zip',

+                'File Type:          CL_TYPE_ZIP',

+            ]

+            f.write('2\n') # Return CL_SUCCESS to keep scanning

+

+            expected_results += [

+                'In FILE_TYPE callback',

+                'Recursion Level:    1',

+                'File Name:          clam.exe',

+                'File Type:          CL_TYPE_MSEXE',

+            ]

+            f.write('2\n') # Return CL_SUCCESS to keep scanning

+

+            expected_results += [

+                'In PRE_HASH callback',

+                'Recursion Level:    1',

+                'File Name:          clam.exe',

+                'File Type:          CL_TYPE_MSEXE',

+            ]

+            f.write('2\n') # Return CL_SUCCESS to keep scanning

+

+            expected_results += [

+                'In PRE_SCAN callback',

+                'Recursion Level:    1',

+                'File Name:          clam.exe',

+                'File Type:          CL_TYPE_MSEXE',

+            ]

+            f.write('2\n') # Return CL_SUCCESS to keep scanning

+

+            expected_results += [

+                'In ALERT callback',

+                'Recursion Level:    1',

+                'File Name:          clam.exe',

+                'File Type:          CL_TYPE_MSEXE',

+                'Last Alert:         ClamAV-Test-File.UNOFFICIAL',

+            ]

+            f.write('3\n') # Return CL_VIRUS to keep scanning and accept the alert

+

+            expected_results += [

+                'In POST_SCAN callback',

+                'Recursion Level:    1',

+                'File Name:          clam.exe',

+                'File Type:          CL_TYPE_MSEXE',

+                'Last Alert:         ClamAV-Test-File.UNOFFICIAL',

+            ]

+            f.write('2\n') # Return CL_SUCCESS to keep scanning

+

+            expected_results += [

+                'Recursion Level:    0',

+                'In POST_SCAN callback',

+                'File Name:          clam.zip',

+                'File Type:          CL_TYPE_ZIP'

+            ]

+            f.write('2\n') # Return CL_SUCCESS to keep scanning

+

+            expected_results += [

+                'Data scanned: 544 B',  # Note this is less, because allmatch disabled so stopped after clam.exe matched.

+                'Hash:         21495c3a579d537dc63b0df710f63e60a0bfbc74d1c2739a313dbd42dd31e1fa',

+                'File Type:    CL_TYPE_ZIP',

+                'Verdict:      CL_VERDICT_STRONG_INDICATOR',

+                'Return Code:  CL_VIRUS (1)',

+            ]

+

+        command = '{valgrind} {valgrind_args} {example} -d {database} -f {target} --script {script} --one-match'.format(

+            valgrind=TC.valgrind, valgrind_args=TC.valgrind_args, example=TC.example_program,

+            database=path_db,

+            target=TC.path_build / 'unit_tests' / 'input' / 'clamav_hdb_scanfiles' / 'clam.zip',

+            script=test_script

+        )

+        output = self.execute_command(command)

+

+        # Check for CL_VIRUS return code

+        assert output.ec == 1

+

+        # Custom logic to verify the output making sure that all expected results are found in the output in order.

+        #

+        # This is necessary because the STRICT_ORDER option gets confused when expected results have multiple of the

+        # same string, but in different contexts.

+        remaining_output = output.out

+

+        for expected in expected_results:

+            # find the first occurrence of the expected string in remaining_output, splitting into two parts

+            parts = remaining_output.split(expected, 1)

+            assert len(parts) == 2, f"Expected '{expected}' in output, but it was not found:\n{remaining_output}"

+

+            remaining_output = parts[1]

+

     def test_cl_scan_callbacks_clam_zip_ignore_alert(self):

         self.step_name('Ignore alert in clam.exe (within clam.zip) and keep scanning.')

@@ -301,7 +423,7 @@ class TC(testcase.TestCase):

         )

         output = self.execute_command(command)

-        # Check for success

+        # Check for CL_SUCCESS return code

         assert output.ec == 0

         # Custom logic to verify the output making sure that all expected results are found in the output in order.

@@ -350,7 +472,7 @@ class TC(testcase.TestCase):

         )

         output = self.execute_command(command)

-        # Check for success

+        # Check for CL_SUCCESS return code

         assert output.ec == 0

         # Custom logic to verify the output making sure that all expected results are found in the output in order.

@@ -402,7 +524,7 @@ class TC(testcase.TestCase):

                 'Data scanned: 0 B',

                 'Hash:         21495c3a579d537dc63b0df710f63e60a0bfbc74d1c2739a313dbd42dd31e1fa',

                 'File Type:    CL_TYPE_ZIP',

-                'Verdict:      Found Strong Indicator',

+                'Verdict:      CL_VERDICT_STRONG_INDICATOR',

                 'Return Code:  CL_SUCCESS (0)',

             ]

@@ -414,7 +536,7 @@ class TC(testcase.TestCase):

         )

         output = self.execute_command(command)

-        # Check for success

+        # Check for CL_SUCCESS return code

         assert output.ec == 0

         # Custom logic to verify the output making sure that all expected results are found in the output in order.

@@ -543,7 +665,7 @@ class TC(testcase.TestCase):

         )

         output = self.execute_command(command)

-        # Check for success

+        # Check for CL_SUCCESS return code

         assert output.ec == 0

         # Custom logic to verify the output making sure that all expected results are found in the output in order.