@@ -923,31 +923,83 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

     val = cl_engine_get_num(engine, CL_ENGINE_PCRE_MAX_FILESIZE, NULL);

     logg("Limits: PCREMaxFileSize limit set to %llu.\n", val);

-    if(optget(opts, "ScanArchive")->enabled) {

-	logg("Archive support enabled.\n");

-	options.parse |= CL_SCAN_PARSE_ARCHIVE;

+    if (optget(opts, "ScanArchive")->enabled) {

+        logg("Archive support enabled.\n");

+        options.parse |= CL_SCAN_PARSE_ARCHIVE;

+    } else {

+        logg("Archive support disabled.\n");

+    }

+

+    /* TODO: Remove deprecated option in a future feature release. */

+    if (optget(opts, "ArchiveBlockEncrypted")->enabled) {

+        if (options.parse & CL_SCAN_PARSE_ARCHIVE) {

+            logg(

+              "^Using deprecated option \"ArchiveBlockEncrypted\" to alert on "

+              "encrypted archives _and_ documents. Please update your "

+              "configuration to use replacement options \"AlertEncrypted\", or "

+              "\"AlertEncryptedArchive\" and/or \"AlertEncryptedDoc\".\n");

+            options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE;

+            options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;

+        } else {

+            logg(

+              "^Using deprecated option \"ArchiveBlockEncrypted\" to alert on "

+              "encrypted documents. Please update your configuration to use "

+              "replacement options \"AlertEncrypted\", or "

+              "\"AlertEncryptedArchive\" and/or \"AlertEncryptedDoc\".\n");

+            options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;

+        }

+    }

-	if(optget(opts, "ArchiveBlockEncrypted")->enabled) {

-	    logg("Archive: Blocking encrypted archives.\n");

-	    options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED;

-	}

+    if (optget(opts, "AlertEncrypted")->enabled) {

+        if (options.parse & CL_SCAN_PARSE_ARCHIVE) {

+            logg("Alerting of encrypted archives _and_ documents enabled.\n");

+            options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE;

+            options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;

+        } else {

+            logg("Alerting of encrypted documents enabled.\n");

+            options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;

+        }

+    }

-    } else {

-	logg("Archive support disabled.\n");

+    if (optget(opts, "AlertEncryptedArchive")->enabled) {

+        if (options.parse & CL_SCAN_PARSE_ARCHIVE) {

+            logg("Alerting of encrypted archives _and_ documents enabled.\n");

+            options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE;

+        } else {

+            logg("^Encrypted archive alerting requested, but archive support "

+                 "is disabled!\n");

+        }

+    }

+

+    if (optget(opts, "AlertEncryptedDoc")->enabled) {

+        logg("Alerting of encrypted documents enabled.\n");

+        options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;

     }

+    /* TODO: Remove deprecated option in a future feature release. */

     if (optget(opts, "BlockMax")->enabled) {

-        logg("BlockMax heuristic detection enabled.\n");

+        logg("^Using deprecated option \"BlockMax\" to enable heuristic alerts "

+             "when scans exceed set maximums. Please update your configuration "

+             "to use replacement option \"AlertExceedsMax\".\n");

+        options.heuristic |= CL_SCAN_HEURISTIC_EXCEEDS_MAX;

+    } else if (optget(opts, "AlertExceedsMax")->enabled) {

+        logg("Heuristic alerting enabled for scans that exceed set maximums.\n");

         options.heuristic |= CL_SCAN_HEURISTIC_EXCEEDS_MAX;

     } else {

-        logg("BlockMax heuristic detection disabled.\n");

-    }

-

-    if(optget(opts, "AlgorithmicDetection")->enabled) {

-	logg("Algorithmic detection enabled.\n");

-	options.general |= CL_SCAN_GENERAL_HEURISTICS;

+        logg("AlertExceedsMax heuristic detection disabled.\n");

+    }

+

+    /* TODO: Remove deprecated option in a future feature release. */

+    if (optget(opts, "AlgorithmicDetection")->enabled) {

+        logg("^Using deprecated option \"AlgorithmicDetection\" to enable "

+             "heuristic alerts. Please update your configuration to use "

+             "replacement option \"HeuristicAlerts\".\n");

+        options.heuristic |= CL_SCAN_GENERAL_HEURISTICS;

+    } else if (optget(opts, "HeuristicAlerts")->enabled) {

+        logg("Heuristic alerts enabled.\n");

+        options.general |= CL_SCAN_GENERAL_HEURISTICS;

     } else {

-	logg("Algorithmic detection disabled.\n");

+        logg("Heuristic alerts disabled.\n");

     }

     if(optget(opts, "ScanPE")->enabled) {

@@ -964,11 +1016,13 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

 	logg("ELF support disabled.\n");

     }

-    if(optget(opts, "ScanPE")->enabled || optget(opts, "ScanELF")->enabled) {

-	if(optget(opts, "DetectBrokenExecutables")->enabled) {

-	    logg("Detection of broken executables enabled.\n");

-	    options.heuristic |= CL_SCAN_HEURISTIC_BROKEN;

-	}

+	/* TODO: Remove deprecated option in a future feature release */

+    if (optget(opts, "ScanPE")->enabled || optget(opts, "ScanELF")->enabled) {

+        if ((optget(opts, "DetectBrokenExecutables")->enabled) || 

+			(optget(opts, "AlertBrokenExecutables")->enabled)) {

+            logg("Alerting on broken executables enabled.\n");

+            options.heuristic |= CL_SCAN_HEURISTIC_BROKEN;

+        }

     }

     if(optget(opts, "ScanMail")->enabled) {

@@ -984,15 +1038,18 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

 	logg("Mail files support disabled.\n");

     }

-    if(optget(opts, "ScanOLE2")->enabled) {

-	logg("OLE2 support enabled.\n");

-	options.parse |= CL_SCAN_PARSE_OLE2;

-	if(optget(opts, "OLE2BlockMacros")->enabled) {

-	    logg("OLE2: Blocking all VBA macros.\n");

-	    options.heuristic |= CL_SCAN_HEURISTIC_MACROS;

-	}

+    if (optget(opts, "ScanOLE2")->enabled) {

+        logg("OLE2 support enabled.\n");

+        options.parse |= CL_SCAN_PARSE_OLE2;

+		

+		/* TODO: Remove deprecated option in a future feature release */

+        if ((optget(opts, "OLE2BlockMacros")->enabled) ||

+        	(optget(opts, "AlertOLE2Macros")->enabled)) {

+            logg("OLE2: Alerting on all VBA macros.\n");

+            options.heuristic |= CL_SCAN_HEURISTIC_MACROS;

+        }

     } else {

-	logg("OLE2 support disabled.\n");

+        logg("OLE2 support disabled.\n");

     }

     if(optget(opts, "ScanPDF")->enabled) {

@@ -1030,22 +1087,26 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

 	logg("HWP3 support disabled.\n");

     }

-    if(optget(opts,"PhishingScanURLs")->enabled) {

-

-	if(optget(opts,"PhishingAlwaysBlockCloak")->enabled) {

-	    options.heuristic |= CL_SCAN_HEURISTIC_PHISHING_CLOAK; 

-	    logg("Phishing: Always checking for cloaked urls\n");

-	}

-

-	if(optget(opts,"PhishingAlwaysBlockSSLMismatch")->enabled) {

-	    options.heuristic |= CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH;

-	    logg("Phishing: Always checking for ssl mismatches\n");

-	}

+    if (optget(opts, "PhishingScanURLs")->enabled) {

+		/* TODO: Remove deprecated option in a future feature release */

+        if ((optget(opts, "PhishingAlwaysBlockCloak")->enabled) ||

+            (optget(opts, "AlertPhishingCloak")->enabled)) {

+            options.heuristic |= CL_SCAN_HEURISTIC_PHISHING_CLOAK;

+            logg("Phishing: Always checking for cloaked urls\n");

+        }

+		/* TODO: Remove deprecated option in a future feature release */

+        if ((optget(opts, "PhishingAlwaysBlockSSLMismatch")->enabled) ||

+            (optget(opts, "AlertPhishingSSLMismatch")->enabled)) {

+            options.heuristic |= CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH;

+            logg("Phishing: Always checking for ssl mismatches\n");

+        }

     }

-    if(optget(opts,"PartitionIntersection")->enabled) {

+	/* TODO: Remove deprecated option in a future feature release */

+    if ((optget(opts,"PartitionIntersection")->enabled) ||

+		(optget(opts,"AlertPartitionIntersection")->enabled)) {

         options.heuristic |= CL_SCAN_HEURISTIC_PARTITION_INTXN;

-        logg("Raw DMG: Always checking for partitions intersections\n");

+        logg("Raw DMG: Alert on partitions intersections\n");

     }

     if(optget(opts,"HeuristicScanPrecedence")->enabled) {

@@ -251,13 +251,10 @@ void help(void)

     mprintf("    --structured-ssn-count=N             Min SSN count to generate a detect\n");

     mprintf("    --structured-cc-count=N              Min CC count to generate a detect\n");

     mprintf("    --scan-mail[=yes(*)/no]              Scan mail files\n");

-    mprintf("    --phishing-sigs[=yes(*)/no]          Signature-based phishing detection\n");

-    mprintf("    --phishing-scan-urls[=yes(*)/no]     URL-based phishing detection\n");

+    mprintf("    --phishing-sigs[=yes(*)/no]          Enable email signature-based phishing detection\n");

+    mprintf("    --phishing-scan-urls[=yes(*)/no]     Enable URL signature-based phishing detection\n");

+    mprintf("    --heuristic-alerts[=yes(*)/no]       Heuristic alerts\n");

     mprintf("    --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found\n");

-    mprintf("    --phishing-ssl[=yes/no(*)]           Always block (flag) SSL mismatches in URLs (phishing module)\n");

-    mprintf("    --phishing-cloak[=yes/no(*)]         Always block (flag) cloaked URLs (phishing module)\n");

-    mprintf("    --partition-intersection[=yes/no(*)] Detect partition intersections in raw disk images using heuristics\n");

-    mprintf("    --algorithmic-detection[=yes(*)/no]  Algorithmic detection\n");

     mprintf("    --normalize[=yes(*)/no]              Normalize html, script, and text files. Use normalize=no for yara compatibility\n");

     mprintf("    --scan-pe[=yes(*)/no]                Scan PE files\n");

     mprintf("    --scan-elf[=yes(*)/no]               Scan ELF files\n");

@@ -268,10 +265,15 @@ void help(void)

     mprintf("    --scan-xmldocs[=yes(*)/no]           Scan xml-based document files\n");

     mprintf("    --scan-hwp3[=yes(*)/no]              Scan HWP3 files\n");

     mprintf("    --scan-archive[=yes(*)/no]           Scan archive files (supported by libclamav)\n");

-    mprintf("    --detect-broken[=yes/no(*)]          Try to detect broken executable files\n");

-    mprintf("    --block-encrypted[=yes/no(*)]        Block (flag) encrypted archives\n");

-    mprintf("    --block-macros[=yes/no(*)]           Block (flag) OLE2 files with VBA macros\n");

-    mprintf("    --block-max[=yes/no(*)]              Block (flag) files that exceed max file size, max scan size, or max recursion limit\n");

+    mprintf("    --alert-broken[=yes/no(*)]           Alert on broken executable files (PE & ELF)\n");

+    mprintf("    --alert-encrypted[=yes/no(*)]        Alert on encrypted archives and documents\n");

+    mprintf("    --alert-encrypted-archive[=yes/no(*)] Alert on encrypted archives\n");

+    mprintf("    --alert-encrypted-doc[=yes/no(*)]    Alert on encrypted documents\n");

+    mprintf("    --alert-macros[=yes/no(*)]           Alert on OLE2 files containing VBA macros\n");

+    mprintf("    --alert-exceeds-max[=yes/no(*)]      Alert on files that exceed max file size, max scan size, or max recursion limit\n");

+    mprintf("    --alert-phishing-ssl[=yes/no(*)]     Alert on emails containing SSL mismatches in URLs\n");

+    mprintf("    --alert-phishing-cloak[=yes/no(*)]   Alert on emails containing cloaked URLs\n");

+    mprintf("    --alert-partition-intersection[=yes/no(*)] Alert on raw DMG image files containing partition intersections\n");

     mprintf("    --nocerts                            Disable authenticode certificate chain verification in PE files\n");

     mprintf("    --dumpcerts                          Dump authenticode certificate chain in PE files\n");

     mprintf("\n");

@@ -1017,13 +1017,19 @@ int scanmanager(const struct optstruct *opts)

         options.general |= CL_SCAN_GENERAL_ALLMATCHES;

     }

-    if(optget(opts,"phishing-ssl")->enabled)

+    /* TODO: Remove deprecated option in a future feature release */

+    if ((optget(opts,"phishing-ssl")->enabled) ||

+        (optget(opts,"alert-phishing-ssl")->enabled))

         options.heuristic |= CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH;

-    if(optget(opts,"phishing-cloak")->enabled)

+    /* TODO: Remove deprecated option in a future feature release */

+    if ((optget(opts,"phishing-cloak")->enabled) ||

+        (optget(opts,"alert-phishing-cloak")->enabled))

         options.heuristic |= CL_SCAN_HEURISTIC_PHISHING_CLOAK;

-    if(optget(opts,"partition-intersection")->enabled)

+    /* TODO: Remove deprecated option in a future feature release */

+    if ((optget(opts,"partition-intersection")->enabled) ||

+        (optget(opts,"alert-partition-intersection")->enabled))

         options.heuristic |= CL_SCAN_HEURISTIC_PARTITION_INTXN;

     if(optget(opts,"heuristic-scan-precedence")->enabled)

@@ -1032,14 +1038,30 @@ int scanmanager(const struct optstruct *opts)

     if(optget(opts, "scan-archive")->enabled)

         options.parse |= CL_SCAN_PARSE_ARCHIVE;

-    if(optget(opts, "detect-broken")->enabled)

+    /* TODO: Remove deprecated option in a future feature release */

+    if ((optget(opts, "detect-broken")->enabled) || 

+        (optget(opts, "alert-broken")->enabled)) {

         options.heuristic |= CL_SCAN_HEURISTIC_BROKEN;

+    }

+

+    /* TODO: Remove deprecated option in a future feature release */

+    if ((optget(opts, "block-encrypted")->enabled) ||

+        (optget(opts, "alert-encrypted")->enabled)) {

+        options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE;

+        options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;

+    }

-    if(optget(opts, "block-encrypted")->enabled)

-        options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED;

+    if (optget(opts, "alert-encrypted-archive")->enabled)

+        options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE;

-    if(optget(opts, "block-macros")->enabled)

+    if (optget(opts, "alert-encrypted-doc")->enabled)

+        options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;

+

+    /* TODO: Remove deprecated option in a future feature release */

+    if ((optget(opts, "block-macros")->enabled) ||

+        (optget(opts, "alert-macros")->enabled)) {

         options.heuristic |= CL_SCAN_HEURISTIC_MACROS;

+    }

     if(optget(opts, "scan-pe")->enabled)

         options.parse |= CL_SCAN_PARSE_PE;

@@ -1071,7 +1093,9 @@ int scanmanager(const struct optstruct *opts)

     if(optget(opts, "algorithmic-detection")->enabled)

         options.general |= CL_SCAN_GENERAL_HEURISTICS;

-    if(optget(opts, "block-max")->enabled) {

+    /* TODO: Remove deprecated option in a future feature release */

+    if ((optget(opts, "block-max")->enabled) || 

+        (optget(opts, "alert-exceeds-max")->enabled)) {

         options.heuristic |= CL_SCAN_HEURISTIC_EXCEEDS_MAX;

     }

@@ -316,16 +316,18 @@ Supported flags for each of the fields are as follows:

 - **CL_SCAN_GENERAL_HEURISTIC_PRECEDENCE**

     Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When *disabled*, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported.

-- **CL_SCAN_HEURISTIC_ENCRYPTED**

-    With this flag the library will mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

+- **CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE**

+    With this flag the library will mark encrypted archives as viruses (encrypted .zip, .7zip, .rar).

+- **CL_SCAN_HEURISTIC_ENCRYPTED_DOC**

+    With this flag the library will mark encrypted docuemnts as viruses (encrypted .pdf).

 - **CL_SCAN_HEURISTIC_BROKEN**

     libclamav will try to detect broken executables and mark them as Broken.Executable.

 - **CL_SCAN_HEURISTIC_EXCEEDS_MAX**

     Alert when the scan of any file exceeds maximums such as max filesize, max scansize, max recursion level.

 - **CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH**

-    Heuristic for Phishing module: always block SSL mismatches in URLs.

+    Heuristic for phishing module: alert on SSL mismatches in URLs.

 - **CL_SCAN_HEURISTIC_PHISHING_CLOAK**

-    Phishing module: always block cloaked URLs.

+    Heuristic for phishing module: alert on cloaked URLs.

 - **CL_SCAN_HEURISTIC_MACROS**

     OLE2 containers, which contain VBA macros will be marked infected (Heuristics.OLE2.ContainsMacros).

 - **CL_SCAN_HEURISTIC_PARTITION_INTXN**

@@ -338,10 +338,15 @@ Only include a specific PUA category. This directive can be used multiple times.

 .br

 Default: disabled

 .TP 

-\fBAlgorithmicDetection BOOL\fR

+\fBHeuristicAlerts BOOL\fR

 In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option controls the algorithmic detection.

 .br 

 Default: yes

+.TP

+\fBHeuristicScanPrecedence BOOL\fR

+Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phishing it will stop scanning immediately. Recommended, saves CPU scan-time. When disabled, virus/phishing detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported. Keep this disabled if you intend to handle "*.Heuristics.*" viruses  differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.

+.br

+Default: no

 .TP 

 \fBScanPE BOOL\fR

 PE stands for Portable Executable \- it's an executable file format used in all 32 and 64\-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX.  

@@ -357,11 +362,6 @@ If you turn off this option, the original files will still be scanned, but witho

 .br 

 Default: yes

 .TP 

-\fBDetectBrokenExecutables BOOL\fR

-With this option clamd will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable.

-.br 

-Default: no

-.TP 

 \fBScanMail BOOL\fR

 Enable scanning of mail files. 

 .br

@@ -375,35 +375,15 @@ Scan RFC1341 messages split over many emails. You will need to periodically clea

 Default: no

 .TP

 \fBPhishingSignatures BOOL\fR

-With this option enabled ClamAV will try to detect phishing attempts by using signatures.

+Enable email signature-based phishing detection.

 .br 

 Default: yes

 .TP

 \fBPhishingScanURLs BOOL\fR

-Scan URLs found in mails for phishing attempts using heuristics. This will classify "Possibly Unwanted" phishing emails as Phishing.Heuristics.Email.*

+Enable URL signature-based phishing detection (Phishing.Heuristics.Email.*)

 .br

 Default: yes

 .TP

-\fBPhishingAlwaysBlockCloak BOOL\fR

-Always block cloaked URLs, even if URL isn't in database. This can lead to false positives.

-.br

-Default: no

-.TP

-\fBPhishingAlwaysBlockSSLMismatch BOOL\fR

-Always block SSL mismatches in URLs, even if the URL isn't in the database. This can lead to false positives.

-.br

-Default: no

-.TP

-\fBPartitionIntersection BOOL\fR

-Detect partition intersections in raw disk images using heuristics.

-.br

-Default: no

-.TP

-\fBHeuristicScanPrecedence BOOL\fR

-Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phishing it will stop scanning immediately. Recommended, saves CPU scan-time. When disabled, virus/phishing detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported. Keep this disabled if you intend to handle "*.Heuristics.*" viruses  differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.

-.br

-Default: no

-.TP

 \fBStructuredDataDetection BOOL\fR

 Enable the DLP module.

 .br 

@@ -443,16 +423,6 @@ If you turn off this option, the original files will still be scanned, but witho

 .br 

 Default: yes

 .TP 

-\fBOLE2BlockMacros BOOL\fR

-With this option enabled OLE2 files with VBA macros, which were not detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".

-.br 

-Default: no

-.TP

-\fBBlockMax BOOL\fR

- Flag files with "Heuristics.Limits.Exceeded" when scanning is incomplete due to exceeding a scan or file size limit.

-.br 

-Default: no

-.TP 

 \fBScanPDF BOOL\fR

 This option enables scanning within PDF files.

 .br

@@ -487,9 +457,49 @@ Scan within archives and compressed files.

 If you turn off this option, the original files will still be scanned, but without unpacking and additional processing.

 .br 

 Default: yes

+.TP 

+\fBAlertBrokenExecutables BOOL\fR

+Alert on broken executable files (PE & ELF).

+.br 

+Default: no

+.TP

+\fBAlertEncrypted BOOL\fR

+Alert on encrypted archives and documents (encrypted .zip, .7zip, .rar, .pdf).

+.br

+Default: no

+.TP

+\fBAlertEncryptedArchive BOOL\fR

+Alert on encrypted archives (encrypted .zip, .7zip, .rar).

+.br

+Default: no

+.TP

+\fBAlertEncryptedDoc BOOL\fR

+Alert on encrypted documents (encrypted .pdf).

+.br

+Default: no

+.TP 

+\fBAlertOLE2Macros BOOL\fR

+Alert on OLE2 files containing VBA macros (Heuristics.OLE2.ContainsMacros).

+.br 

+Default: no

+.TP

+\fBAlertExceedsMax BOOL\fR

+Alert on files that exceed max file size, max scan size, or max recursion limit (Heuristics.Limits.Exceeded).

+.br 

+Default: no

+.TP

+\fBAlertPhishingSSLMismatch BOOL\fR

+Alert on emails containing SSL mismatches in URLs (might lead to false positives!).

+.br

+Default: no

+.TP

+\fBAlertPhishingCloak BOOL\fR

+Alert on emails containing cloaked URLs (might lead to some false positives).

+.br

+Default: no

 .TP

-\fBArchiveBlockEncrypted BOOL\fR

-Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

+\fBAlertPartitionIntersection BOOL\fR

+Alert on raw DMG image files containing partition intersections.

 .br

 Default: no

 .TP

@@ -133,26 +133,17 @@ This option sets the lowest number of Credit Card numbers found in a file to gen

 Scan mail files. If you turn off this option, the original files will still be scanned, but without parsing individual messages/attachments.

 .TP 

 \fB\-\-phishing\-sigs[=yes(*)/no]\fR

-Use the signature-based phishing detection.

+Enable email signature-based phishing detection.

 .TP 

 \fB\-\-phishing\-scan\-urls[=yes(*)/no]\fR

-Use the url-based heuristic phishing detection (Phishing.Heuristics.Email.*)

+Enable URL signature-based phishing detection (Phishing.Heuristics.Email.*)

+.TP

+\fB\-\-heuristic\-alerts[=yes(*)/no]\fR

+In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be used to control the algorithmic detection.

 .TP

 \fB\-\-heuristic\-scan\-precedence[=yes/no(*)]\fR

 Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected  virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "*.Heuristics.*" viruses  differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first,  the scan is interrupted immediately, regardless of this config option.

 .TP

-\fB\-\-phishing\-ssl[=yes/no(*)]\fR

-Block SSL mismatches in URLs (might lead to false positives!).

-.TP

-\fB\-\-phishing\-cloak[=yes/no(*)]\fR

-Block cloaked URLs (might lead to some false positives).

-.TP

-\fB\-\-partition\-intersection[=yes/no(*)]\fR

-Detect partition intersections in raw disk images using heuristics.

-.TP

-\fB\-\-algorithmic\-detection[=yes(*)/no]\fR

-In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be used to control the algorithmic detection.

-.TP

 \fB\-\-normalize[=yes(*)/no]\fR

 Normalize (compress whitespace, downcase, etc.) html, script, and text files. Use normalize=no for yara compatibility. 

 .TP 

@@ -183,17 +174,32 @@ Scan HWP3 files. If you turn off this option, the original files will still be s

 \fB\-\-scan\-archive[=yes(*)/no]\fR

 Scan archives supported by libclamav. If you turn off this option, the original files will still be scanned, but without unpacking and additional processing.

 .TP 

-\fB\-\-detect\-broken[=yes/no(*)]\fR

-Mark broken executables as viruses (Broken.Executable).

+\fB\-\-alert\-broken[=yes/no(*)]\fR

+Alert on broken executable files (PE & ELF).

+.TP 

+\fB\-\-alert\-encrypted[=yes/no(*)]\fR

+Alert on encrypted archives and documents (encrypted .zip, .7zip, .rar, .pdf).

+.TP 

+\fB\-\-alert\-encrypted-archive[=yes/no(*)]\fR

+Alert on encrypted archives (encrypted .zip, .7zip, .rar, .pdf).

+.TP 

+\fB\-\-alert\-encrypted-doc[=yes/no(*)]\fR

+Alert on encrypted documents (encrypted .zip, .7zip, .rar, .pdf).

 .TP 

-\fB\-\-block\-encrypted[=yes/no(*)]\fR

-Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

+\fB\-\-alert\-macros[=yes/no(*)]\fR

+Alert on OLE2 files containing VBA macros (Heuristics.OLE2.ContainsMacros).

 .TP 

-\fB\-\-block\-macros[=yes/no(*)]\fR

-Mark OLE2 files containing VBA macros as viruses (Heuristics.OLE2.ContainsMacros).

+\fB\-\-alert\-exceeds\-max[=yes/no(*)]\fR

+Alert on files that exceed max file size, max scan size, or max recursion limit (Heuristics.Limits.Exceeded).

 .TP 

-\fB\-\-block\-max[=yes/no(*)]\fR

-Flag files with "Heuristics.Limits.Exceeded" when scanning is incomplete due to exceeding a scan or file size limit.

+\fB\-\-alert\-phishing\-ssl[=yes/no(*)]\fR

+Alert on emails containing SSL mismatches in URLs (might lead to false positives!).

+.TP

+\fB\-\-alert\-phishing\-cloak[=yes/no(*)]\fR

+Alert on emails containing cloaked URLs (might lead to some false positives).

+.TP

+\fB\-\-alert\-partition\-intersection[=yes/no(*)]\fR

+Detect partition intersections in raw disk images using heuristics.

 .TP 

 \fB\-\-max\-filesize=#n\fR

 Extract and scan at most #n bytes from each archive. You may pass the value in kilobytes in format xK or xk, or megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 25 MB, max: <4 GB)

@@ -244,12 +244,6 @@ Example

 #IncludePUA Scanner

 #IncludePUA RAT

-# In some cases (eg. complex malware, exploits in graphic files, and others),

-# ClamAV uses special algorithms to provide accurate detection. This option

-# controls the algorithmic detection.

-# Default: yes

-#AlgorithmicDetection yes

-

 # This option causes memory or nested map scans to dump the content to disk.

 # If you turn on this option, more data is written to disk and is available

 # when the LeaveTemporaryFiles option is enabled.

@@ -262,6 +256,71 @@ Example

 # Default: no

 #DisableCache yes

+# In some cases (eg. complex malware, exploits in graphic files, and others),

+# ClamAV uses special algorithms to detect abnormal patterns and behaviors that

+# may be malicious.  This option enables alerting on such heuristically

+# detected potential threats.

+# Default: yes

+#HeuristicAlerts yes

+

+# Allow heuristic alerts to take precedence.

+# When enabled, if a heuristic scan (such as phishingScan) detects

+# a possible virus/phish it will stop scan immediately. Recommended, saves CPU

+# scan-time.

+# When disabled, virus/phish detected by heuristic scans will be reported only at

+# the end of a scan. If an archive contains both a heuristically detected

+# virus/phish, and a real malware, the real malware will be reported

+#

+# Keep this disabled if you intend to handle "*.Heuristics.*" viruses 

+# differently from "real" malware.

+# If a non-heuristically-detected virus (signature-based) is found first, 

+# the scan is interrupted immediately, regardless of this config option.

+#

+# Default: no

+#HeuristicScanPrecedence yes

+

+

+##

+## Heuristic Alerts

+##

+

+# With this option clamav will try to detect broken executables (both PE and

+# ELF) and alert on them with the Broken.Executable heuristic signature.

+# Default: no

+#AlertBrokenExecutables yes

+

+# Alert on encrypted archives _and_ documents with heuristic signature (encrypted .zip, .7zip, .rar, .pdf).

+# Default: no

+#AlertEncrypted yes

+

+# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip, .rar).

+# Default: no

+#AlertEncryptedArchive yes

+

+# Alert on encrypted archives with heuristic signature (encrypted .pdf).

+# Default: no

+#AlertEncryptedDoc yes

+

+# With this option enabled OLE2 files containing VBA macros, which were not

+# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".

+# Default: no

+#AlertOLE2Macros yes

+

+# Alert on SSL mismatches in URLs, even if the URL isn't in the database.

+# This can lead to false positives.

+# Default: no

+#AlertPhishingSSLMismatch yes

+

+# Alert on cloaked URLs, even if URL isn't in database.

+# This can lead to false positives.

+# Default: no

+#AlertPhishingCloak yes

+

+# Alert on raw DMG image files containing partition intersections

+# Default: no

+#AlertPartitionIntersection yes

+

+

 ##

 ## Executable files

 ##

@@ -292,11 +351,6 @@ Example

 # Default: yes

 #ScanELF yes

-# With this option clamav will try to detect broken executables (both PE and

-# ELF) and mark them as Broken.Executable.

-# Default: no

-#DetectBrokenExecutables yes

-

 ##

 ## Documents

@@ -309,11 +363,6 @@ Example

 # Default: yes

 #ScanOLE2 yes

-# With this option enabled OLE2 files with VBA macros, which were not

-# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".

-# Default: no

-#OLE2BlockMacros no

-

 # This option enables scanning within PDF files.

 # If you turn off this option, the original files will still be scanned, but

 # without decoding and additional processing.

@@ -358,45 +407,14 @@ Example

 #ScanPartialMessages yes

 # With this option enabled ClamAV will try to detect phishing attempts by using

-# signatures.

+# HTML.Phishing and Email.Phishing NDB signatures.

 # Default: yes

-#PhishingSignatures yes

+#PhishingSignatures no

-# Scan URLs found in mails for phishing attempts using heuristics.

+# With this option enabled ClamAV will try to detect phishing attempts by

+# analyzing URLs found in emails using WDB and PDB signature databases.

 # Default: yes

-#PhishingScanURLs yes

-

-# Always block SSL mismatches in URLs, even if the URL isn't in the database.

-# This can lead to false positives.

-#

-# Default: no

-#PhishingAlwaysBlockSSLMismatch no

-

-# Always block cloaked URLs, even if URL isn't in database.

-# This can lead to false positives.

-#

-# Default: no

-#PhishingAlwaysBlockCloak no

-

-# Detect partition intersections in raw disk images using heuristics.

-# Default: no

-#PartitionIntersection no

-

-# Allow heuristic match to take precedence.

-# When enabled, if a heuristic scan (such as phishingScan) detects

-# a possible virus/phish it will stop scan immediately. Recommended, saves CPU

-# scan-time.

-# When disabled, virus/phish detected by heuristic scans will be reported

-# only at the end of a scan. If an archive contains both a heuristically

-# detected virus/phish, and a real malware, the real malware will be reported.

-#

-# Keep this disabled if you intend to handle "*.Heuristics.*" viruses 

-# differently from "real" malware.

-# If a non-heuristically-detected virus (signature-based) is found first, 

-# the scan is interrupted immediately, regardless of this config option.

-#

-# Default: no

-#HeuristicScanPrecedence yes

+#PhishingScanURLs no

 ##

@@ -449,10 +467,6 @@ Example

 # Default: yes

 #ScanArchive yes

-# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

-# Default: no

-#ArchiveBlockEncrypted no

-

 ##

 ## Limits

@@ -589,11 +603,12 @@ Example

 # Default: 25M

 #PCREMaxFileSize 100M

-# When BlockMax is set, files exceeding the MaxFileSize, MaxScanSize, or

+# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or

 # MaxRecursion limit will be flagged with the virus

 # "Heuristics.Limits.Exceeded".

 # Default: no

-#BlockMax yes

+#AlertExceedsMax yes

+

 ##

 ## On-access Scan Settings

@@ -106,7 +106,7 @@ int cli_7unz (cli_ctx *ctx, size_t offset) {

     SzArEx_Init(&db);

     res = SzArEx_Open(&db, &lookStream.s, &allocImp, &allocTempImp);

-    if(res == SZ_ERROR_ENCRYPTED && SCAN_HEURISTIC_ENCRYPTED) {

+    if(res == SZ_ERROR_ENCRYPTED && SCAN_HEURISTIC_ENCRYPTED_ARCHIVE) {

 	cli_dbgmsg("cli_7unz: Encrypted header found in archive.\n");

 	found = cli_append_virus(ctx, "Heuristics.Encrypted.7Zip");

     } else if(res == SZ_OK) {

@@ -158,7 +158,7 @@ int cli_7unz (cli_ctx *ctx, size_t offset) {

 	    res = SzArEx_Extract(&db, &lookStream.s, i, &blockIndex, &outBuffer, &outBufferSize, &offset, &outSizeProcessed, &allocImp, &allocTempImp);

 	    if(res == SZ_ERROR_ENCRYPTED) {

 		encrypted = 1;

-		if(SCAN_HEURISTIC_ENCRYPTED) {

+		if(SCAN_HEURISTIC_ENCRYPTED_ARCHIVE) {

 		    cli_dbgmsg("cli_7unz: Encrypted files found in archive.\n");

 		    found = cli_append_virus(ctx, "Heuristics.Encrypted.7Zip");

                     if (found != CL_CLEAN) {

@@ -1319,7 +1319,8 @@ uint32_t cli_bcapi_engine_scan_options(struct cli_bc_ctx *ctx)

         options |= CL_SCAN_PHISHING_BLOCKCLOAK;

     if (cctx->options->heuristic & CL_SCAN_HEURISTIC_MACROS)

         options |= CL_SCAN_BLOCKMACROS;

-    if (cctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED)

+    if ((cctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE) || 

+        (cctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED_DOC))

         options |= CL_SCAN_BLOCKENCRYPTED;

     if (cctx->options->heuristic & CL_SCAN_HEURISTIC_PARTITION_INTXN)

         options |= CL_SCAN_PARTITION_INTXN;

@@ -1429,8 +1430,11 @@ uint32_t cli_bcapi_engine_scan_options_ex(struct cli_bc_ctx *ctx, const uint8_t

         if (cli_memstr(option_name_l, name_len, "macros", sizeof("macros"))) {

             return (cctx->options->heuristic & CL_SCAN_HEURISTIC_MACROS) ? 1 : 0;

         }

-        if (cli_memstr(option_name_l, name_len, "encrypted", sizeof("encrypted"))) {

-            return (cctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED) ? 1 : 0;

+        if (cli_memstr(option_name_l, name_len, "encrypted archive", sizeof("encrypted archive"))) {

+            return (cctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE) ? 1 : 0;

+        }

+        if (cli_memstr(option_name_l, name_len, "encrypted doc", sizeof("encrypted doc"))) {

+            return (cctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED_DOC) ? 1 : 0;

         }

         if (cli_memstr(option_name_l, name_len, "partition intxn", sizeof("partition intxn"))) {

             return (cctx->options->heuristic & CL_SCAN_HEURISTIC_PARTITION_INTXN) ? 1 : 0;

@@ -175,16 +175,17 @@ struct cl_scan_options {

 #define CL_SCAN_PARSE_PE                            0x200

 /* heuristic alerting options */

-#define CL_SCAN_HEURISTIC_BROKEN                    0x2

-#define CL_SCAN_HEURISTIC_EXCEEDS_MAX               0x4

-#define CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH     0x8

-#define CL_SCAN_HEURISTIC_PHISHING_CLOAK            0x10

-#define CL_SCAN_HEURISTIC_MACROS                    0x20

-#define CL_SCAN_HEURISTIC_ENCRYPTED                 0x40

-#define CL_SCAN_HEURISTIC_PARTITION_INTXN           0x80 /* alert if partition table size doesn't make sense */

-#define CL_SCAN_HEURISTIC_STRUCTURED                0x100 /* data loss prevention options, i.e. alert when detecting personal information */

-#define CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL     0x200 /* alert when detecting social security numbers */

-#define CL_SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED   0x400 /* alert when detecting stripped social security numbers */

+#define CL_SCAN_HEURISTIC_BROKEN                    0x2   /* alert on broken PE and broken ELF files */

+#define CL_SCAN_HEURISTIC_EXCEEDS_MAX               0x4   /* alert when files exceed scan limits (filesize, max scansize, or max recursion depth) */

+#define CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH     0x8   /* alert on SSL mismatches */

+#define CL_SCAN_HEURISTIC_PHISHING_CLOAK            0x10  /* alert on cloaked URLs in emails */

+#define CL_SCAN_HEURISTIC_MACROS                    0x20  /* alert on OLE2 files containing macros */

+#define CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE         0x40  /* alert if archive is encrypted (rar, zip, etc) */

+#define CL_SCAN_HEURISTIC_ENCRYPTED_DOC             0x80  /* alert if a document is encrypted (pdf, docx, etc) */

+#define CL_SCAN_HEURISTIC_PARTITION_INTXN           0x100 /* alert if partition table size doesn't make sense */

+#define CL_SCAN_HEURISTIC_STRUCTURED                0x200 /* data loss prevention options, i.e. alert when detecting personal information */

+#define CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL     0x400 /* alert when detecting social security numbers */

+#define CL_SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED   0x800 /* alert when detecting stripped social security numbers */

 /* mail scanning options */

 #define CL_SCAN_MAIL_PARTIAL_MESSAGE                0x1

@@ -511,7 +511,8 @@ extern int have_rar;

 #define SCAN_HEURISTIC_PHISHING_SSL_MISMATCH    (ctx->options->heuristic & CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH)

 #define SCAN_HEURISTIC_PHISHING_CLOAK           (ctx->options->heuristic & CL_SCAN_HEURISTIC_PHISHING_CLOAK)

 #define SCAN_HEURISTIC_MACROS                   (ctx->options->heuristic & CL_SCAN_HEURISTIC_MACROS)

-#define SCAN_HEURISTIC_ENCRYPTED                (ctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED)

+#define SCAN_HEURISTIC_ENCRYPTED_ARCHIVE        (ctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE)

+#define SCAN_HEURISTIC_ENCRYPTED_DOC            (ctx->options->heuristic & CL_SCAN_HEURISTIC_ENCRYPTED_DOC)

 #define SCAN_HEURISTIC_PARTITION_INTXN          (ctx->options->heuristic & CL_SCAN_HEURISTIC_PARTITION_INTXN)

 #define SCAN_HEURISTIC_STRUCTURED               (ctx->options->heuristic & CL_SCAN_HEURISTIC_STRUCTURED)

 #define SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL    (ctx->options->heuristic & CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL)

@@ -3099,7 +3099,7 @@ cl_error_t pdf_find_and_extract_objs(struct pdf_struct *pdf, uint32_t *alerts)

                (pdf->flags & (1 << DECRYPTABLE_PDF)) ?

                "decryptable" : "not decryptable, stream will probably fail to decompress");

-    if (SCAN_HEURISTIC_ENCRYPTED &&

+    if (SCAN_HEURISTIC_ENCRYPTED_DOC &&

        (pdf->flags & (1 << ENCRYPTED_PDF)) &&

        !(pdf->flags & (1 << DECRYPTABLE_PDF)))

     {

@@ -243,7 +243,7 @@ static int cli_unrar_scanmetadata(int desc, unrar_metadata_t *metadata, cli_ctx

         virus_found = 1;

     }

-    if (SCAN_HEURISTIC_ENCRYPTED && metadata->encrypted)

+    if (SCAN_HEURISTIC_ENCRYPTED_ARCHIVE && metadata->encrypted)

     {

         cli_dbgmsg("RAR: Encrypted files found in archive.\n");

         ret = cli_scandesc(desc, ctx, 0, 0, NULL, AC_SCAN_VIR, NULL);

@@ -292,7 +292,7 @@ static int cli_scanrar(int desc, cli_ctx *ctx, off_t sfx_offset, uint32_t *sfx_c

         if (ret == UNRAR_PASSWD)

         {

             cli_dbgmsg("RAR: Encrypted main header\n");

-            if (SCAN_HEURISTIC_ENCRYPTED)

+            if (SCAN_HEURISTIC_ENCRYPTED_ARCHIVE)

             {

                 if (lseek(desc, 0, SEEK_SET) == -1)

                 {

@@ -554,7 +554,7 @@ static unsigned int lhdr(fmap_t *map, uint32_t loff,uint32_t zsize, unsigned int

     return 0;

   }

-  if(detect_encrypted && (LH_flags & F_ENCR) && SCAN_HEURISTIC_ENCRYPTED) {

+  if(detect_encrypted && (LH_flags & F_ENCR) && SCAN_HEURISTIC_ENCRYPTED_ARCHIVE) {

     cli_dbgmsg("cli_unzip: Encrypted files found in archive.\n");

     *ret = cli_append_virus(ctx, "Heuristics.Encrypted.Zip");

     if ((*ret == CL_VIRUS && !SCAN_ALLMATCHES) || *ret != CL_CLEAN) {

@@ -186,7 +186,7 @@ const struct clam_option __clam_options[] = {

     { NULL, "deb", 0, CLOPT_TYPE_STRING, NULL, -1, "foo", 0, OPT_CLAMSCAN | OPT_DEPRECATED, "", "" },

     /* config file/cmdline options */

-    { "BlockMax", "block-max", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "", "" },

+    { "AlertExceedsMax", "alert-exceeds-max", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "", "" },

     { "PreludeEnable", "prelude-enable", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Enable prelude"},

@@ -308,14 +308,10 @@ const struct clam_option __clam_options[] = {

     { "IncludePUA", "include-pua", 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_CLAMSCAN, "Only include a specific PUA category. This directive can be used multiple\ntimes.", "Spy\nScanner\nRAT" },

-    { "AlgorithmicDetection", "algorithmic-detection", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "In some cases (eg. complex malware, exploits in graphic files, and others),\nClamAV uses special algorithms to provide accurate detection. This option\ncontrols the algorithmic detection.", "yes" },

-

     { "ScanPE", "scan-pe", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "PE stands for Portable Executable - it's an executable file format used\nin all 32- and 64-bit versions of Windows operating systems. This option\nallows ClamAV to perform a deeper analysis of executable files and it's also\nrequired for decompression of popular executable packers such as UPX or FSG.\nIf you turn off this option, the original files will still be scanned, but\nwithout additional processing.", "yes" },

     { "ScanELF", "scan-elf", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Executable and Linking Format is a standard format for UN*X executables.\nThis option allows you to control the scanning of ELF files.\nIf you turn off this option, the original files will still be scanned, but\nwithout additional processing.", "yes" },

-    { "DetectBrokenExecutables", "detect-broken", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "With this option enabled clamav will try to detect broken executables\n(both PE and ELF) and mark them as Broken.Executable.", "yes" },

-

     { "ScanMail", "scan-mail", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Enable the built in email scanner.\nIf you turn off this option, the original files will still be scanned, but\nwithout parsing individual messages/attachments.", "yes" },

     { "ScanPartialMessages", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Scan RFC1341 messages split over many emails. You will need to\nperiodically clean up $TemporaryDirectory/clamav-partial directory.\nWARNING: This option may open your system to a DoS attack. Please don't use\nthis feature on highly loaded servers.", "no" },

@@ -324,11 +320,7 @@ const struct clam_option __clam_options[] = {

     { "PhishingScanURLs", "phishing-scan-urls", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Scan URLs found in mails for phishing attempts using heuristics.", "yes" },

-    { "PhishingAlwaysBlockCloak", "phishing-cloak", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Always block cloaked URLs, even if they're not in the database.\nThis feature can lead to false positives.", "no" },

-

-    { "PhishingAlwaysBlockSSLMismatch", "phishing-ssl", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Always block SSL mismatches in URLs, even if they're not in the database.\nThis feature can lead to false positives.", "" },

-

-    { "PartitionIntersection", "partition-intersection", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect partition intersections in raw disk images using heuristics.", "yes" },

+    { "HeuristicAlerts", "heuristic-alerts", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "In some cases (eg. complex malware, exploits in graphic files, and others),\nClamAV uses special algorithms to provide accurate detection. This option\ncontrols the algorithmic detection.", "yes" },

     { "HeuristicScanPrecedence", "heuristic-scan-precedence", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Allow heuristic match to take precedence.\nWhen enabled, if a heuristic scan (such as phishingScan) detects\na possible virus/phish it will stop scan immediately. Recommended, saves CPU\nscan-time.\nWhen disabled, virus/phish detected by heuristic scans will be reported only\nat the end of a scan. If an archive contains both a heuristically detected\nvirus/phish, and a real malware, the real malware will be reported.\nKeep this disabled if you intend to handle \"*.Heuristics.*\" viruses\ndifferently from \"real\" malware.\nIf a non-heuristically-detected virus (signature-based) is found first,\nthe scan is interrupted immediately, regardless of this config option.", "yes" },

@@ -346,7 +338,21 @@ const struct clam_option __clam_options[] = {

     { "ScanOLE2", "scan-ole2", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option enables scanning of OLE2 files, such as Microsoft Office\ndocuments and .msi files.\nIf you turn off this option, the original files will still be scanned, but\nwithout additional processing.", "yes" },

-    { "OLE2BlockMacros", "block-macros", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "With this option enabled OLE2 files with VBA macros, which were not\ndetected by signatures will be marked as \"Heuristics.OLE2.ContainsMacros\".", "no" },

+    { "AlertBrokenExecutables", "alert-broken", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "With this option enabled clamav will try to detect broken executables\n(both PE and ELF) and alert on them with the Broken.Executable heuristic signature.", "yes" },

+