| Date | Commit | Message | Author | Authored on |
|---|---|---|---|---|
| January 26, 2019 | c442ca9 | Updating and cleaning up copyright notices in 0.101 branch. | Micah Snyder | 2019/01/26 00:15:50 |
| December 6, 2018 | 95b2d68 | Replacing libclamav/cltypes.h with clamav-types.h.in, which generates a header clamav-types.h that we install alongside clamav.h. | Micah Snyder | 2018/12/06 10:46:20 |
| September 17, 2018 | 9dcc0f7 | Integrated new PE file unpacking capabilities for versions of Aspack up to 2.42, courtesy of Emmanuel Tacheau. | Micah Snyder (micasnyd) | 2018/09/17 22:58:33 |
| September 15, 2018 | 64ecd10 | Fix support for authenticode signatures from external .cat files. This commit adds back in support for whitelisting files based on signatures from .cat files loaded in via a '-d' flag to clamscan. This also makes it so that a .crb blacklist rule match can't be overruled by a signature in a .cat file. | Andrew | 2018/09/15 03:39:47 |
| September 12, 2018 | 4ef79cf | Fix a memory leak that occurs when a PE is whitelisted due to a valid signature. | Andrew | 2018/09/12 03:17:33 |
| September 9, 2018 | 20e3cfc | bb12170: Added pointer arithmetic guards to PE MEW unpacking code. | Micah Snyder | 2018/09/09 23:00:12 |
| September 6, 2018 | ecae7f1 | Fix bug in how ptrs to file data are used for computing Authenticode hash. We used to get a pointer to file data without locking, and for some samples this pointer would be invalidated by the time we used it. Now, we just store the offset for the sections that should be hashed as part of the Authenticode hash computation and get the file data pointer right before it's needed. | Andrew | 2018/09/06 07:50:59 |
| September 5, 2018 | 1094264 | Ignore section information when computing Authenticode sig. A more reliable way to calculate the authenticode hash appears to be to hash the header (minus the checksum and security table) and then just hash everything between the end of the header and the start of the security section. | Andrew | 2018/09/05 12:54:32 |
| September 5, 2018 | 6c8ca96 | Fix actual authenticode hash computation for header overlap case. I'm really not sure why my testing earlier didn't catch that the computed hash was not correct, but this seems to fix it in the UPX case. | Andrew | 2018/09/05 00:28:20 |
| September 2, 2018 | c714559 | Add support for MD5 and SHA256 hash-based validation of the exe code. Also refactors the code a bit to consolidate some duplicate functionality. | Andrew | 2018/09/02 12:29:45 |
| August 31, 2018 | 50873c8 | Replace tabs with spaces in pe.c and crtmgr.c, move debug message. | Andrew | 2018/08/31 04:17:37 |
| August 29, 2018 | 5130fdd | Allow signature whitelisting for binaries that violate MS13-098. | Andrew | 2018/08/29 04:43:30 |
| August 29, 2018 | e1a08b6 | Fix authenticode hash computation regression (must hash data not contained in a section). | Andrew | 2018/08/29 02:25:28 |
| August 28, 2018 | 18a813a | Update PE parsing code related to Authenticode verification. The following changes were made: (1) The code to calculate the authenticode hash was not properly accounting for the case where a PE had sections that either overlapped with each other or overlapped with the PE header. One common case for this is UPX-packed binaries, where the first section with data on disk starts at offset 0x400, which overlaps with the specified PE header by 0xC00 bytes. (2) The code didn't wrap accesses to fields in the Security DataDirectory with EC32(), so it seems likely that authenticode parsing always encountered issues on big endian systems. I think I fixed all of the accesses in cli_checkfp_pe, but there might still be issues here. I'll test this further. (3) We parse the authenticode data header to better ensure that it's PKCS7 we are trying to parse, and not one of the other types. (4) cli_checkfp_pe should now finish faster in the case where there is no authenticode data and we don't want to compute the section hashes. (5) Fixed a potential memory leak in one cli_checkfp_pe failure case. | Andrew | 2018/08/28 11:53:23 |
| July 31, 2018 | d39cb65 | Updating libclamunrar from legacy C implementation to modern unrar 5.6.5. API changes and supporting changes included to pass the filepath of the scanned file into libclamav through the cli_ctx structure, required by the unrar library to open archives. The filename argument may be optional for the scandesc scanning variant, but libclamav will make a best effort to identify the filename from the file descriptor if it was not provided. In addition, included the ability to prefix temp file and directory names with file basenames. | Micah Snyder | 2018/07/31 09:19:28 |