2003-07-29 15:48:06 +00:00
|
|
|
/*
|
2020-01-03 15:44:07 -05:00
|
|
|
* Copyright (C) 2013-2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
|
2013-10-14 17:07:40 -04:00
|
|
|
* Copyright (C) 2007-2013 Sourcefire, Inc.
|
2009-02-13 10:55:45 +00:00
|
|
|
*
|
|
|
|
|
* Authors: Tomasz Kojm
|
2003-07-29 15:48:06 +00:00
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
2007-03-31 20:31:04 +00:00
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
2003-07-29 15:48:06 +00:00
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
2006-04-09 19:59:28 +00:00
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
|
|
|
* MA 02110-1301, USA.
|
2003-07-29 15:48:06 +00:00
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
|
2004-02-13 21:36:32 +00:00
|
|
|
#if HAVE_CONFIG_H
|
|
|
|
|
#include "clamav-config.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
2003-07-29 15:48:06 +00:00
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <ctype.h>
|
|
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <sys/types.h>
|
2010-12-28 18:24:51 +01:00
|
|
|
#ifdef HAVE_PWD_H
|
|
|
|
|
#include <pwd.h>
|
|
|
|
|
#endif
|
2009-09-24 19:23:21 +02:00
|
|
|
#include <dirent.h>
|
|
|
|
|
#ifndef _WIN32
|
2003-07-29 15:48:06 +00:00
|
|
|
#include <sys/wait.h>
|
2004-11-23 22:27:24 +00:00
|
|
|
#include <utime.h>
|
2008-07-30 15:20:30 +00:00
|
|
|
#include <sys/time.h>
|
|
|
|
|
#include <sys/resource.h>
|
2007-02-25 02:54:38 +00:00
|
|
|
#endif
|
2003-07-29 15:48:06 +00:00
|
|
|
#include <fcntl.h>
|
2018-12-03 12:40:13 -05:00
|
|
|
#ifdef HAVE_UNISTD_H
|
2003-07-29 15:48:06 +00:00
|
|
|
#include <unistd.h>
|
2007-02-25 02:54:38 +00:00
|
|
|
#endif
|
2003-07-29 15:48:06 +00:00
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <signal.h>
|
|
|
|
|
#include <errno.h>
|
2010-12-28 18:24:51 +01:00
|
|
|
#include <target.h>
|
2003-07-29 15:48:06 +00:00
|
|
|
|
Add CMake build tooling
This patch adds experimental-quality CMake build tooling.
The libmspack build required a modification to use "" instead of <> for
header #includes. This will hopefully be included in the libmspack
upstream project when adding CMake build tooling to libmspack.
Removed use of libltdl when using CMake.
Flex & Bison are now required to build.
If -DMAINTAINER_MODE, then GPERF is also required, though it currently
doesn't actually do anything. TODO!
I found that the autotools build system was generating the lexer output
but not actually compiling it, instead using previously generated (and
manually renamed) lexer c source. As a consequence, changes to the .l
and .y files weren't making it into the build. To resolve this, I
removed generated flex/bison files and fixed the tooling to use the
freshly generated files. Flex and bison are now required build tools.
On Windows, this adds a dependency on the winflexbison package,
which can be obtained using Chocolatey or may be manually installed.
CMake tooling only has partial support for building with external LLVM
library, and no support for the internal LLVM (to be removed in the
future). I.e. The CMake build currently only supports the bytecode
interpreter.
Many files used include paths relative to the top source directory or
relative to the current project, rather than relative to each build
target. Modern CMake support requires including internal dependency
headers the same way you would external dependency headers (albeit
with "" instead of <>). This meant correcting all header includes to
be relative to the build targets and not relative to the workspace.
For example, ...
```c
include "../libclamav/clamav.h"
include "clamd/clamd_others.h"
```
... becomes:
```c
// libclamav
include "clamav.h"
// clamd
include "clamd_others.h"
```
Fixes header name conflicts by renaming a few of the files.
Converted the "shared" code into a static library, which depends on
libclamav. The ironically named "shared" static library provides
features common to the ClamAV apps which are not required in
libclamav itself and are not intended for use by downstream projects.
This change was required for correct modern CMake practices but was
also required to use the automake "subdir-objects" option.
This eliminates warnings when running autoreconf which, in the next
version of autoconf & automake are likely to break the build.
libclamav used to build in multiple stages where an earlier stage is
a static library containing utils required by the "shared" code.
Linking clamdscan and clamdtop with this libclamav utils static lib
allowed these two apps to function without libclamav. While this is
nice in theory, the practical gains are minimal and it complicates
the build system. As such, the autotools and CMake tooling was
simplified for improved maintainability and this feature was thrown
out. clamdtop and clamdscan now require libclamav to function.
Removed the nopthreads version of the autotools
libclamav_internal_utils static library and added pthread linking to
a couple apps that may have issues building on some platforms without
it, with the intention of removing needless complexity from the
source. Kept the regular version of libclamav_internal_utils.la
though it is no longer used anywhere but in libclamav.
Added an experimental doxygen build option which attempts to build
clamav.h and libfreshclam doxygen html docs.
The CMake build tooling also may build the example program(s), which
isn't a feature in the Autotools build system.
Changed C standard to C90+ due to inline linking issues with socket.h
when linking libfreshclam.so on Linux.
Generate common.rc for win32.
Fix tabs/spaces in shared Makefile.am, and remove vestigial ifndef
from misc.c.
Add CMake files to the automake dist, so users can try the new
CMake tooling w/out having to build from a git clone.
clamonacc changes:
- Renamed FANOTIFY macro to HAVE_SYS_FANOTIFY_H to better match other
similar macros.
- Added a new clamav-clamonacc.service systemd unit file, based on
the work of ChadDevOps & Aaron Brighton.
- Added missing clamonacc man page.
Updates to clamdscan man page, add missing options.
Remove vestigial CL_NOLIBCLAMAV definitions (all apps now use
libclamav).
Rename Windows mspack.dll to libmspack.dll so all ClamAV-built
libraries have the lib-prefix with Visual Studio as with CMake.
2020-08-13 00:25:34 -07:00
|
|
|
// libclamav
|
|
|
|
|
#include "clamav.h"
|
|
|
|
|
#include "others.h"
|
|
|
|
|
#include "matcher-ac.h"
|
|
|
|
|
#include "matcher-pcre.h"
|
|
|
|
|
#include "str.h"
|
|
|
|
|
#include "readdb.h"
|
|
|
|
|
|
|
|
|
|
// shared
|
|
|
|
|
#include "optparser.h"
|
|
|
|
|
#include "actions.h"
|
|
|
|
|
#include "output.h"
|
|
|
|
|
#include "misc.h"
|
|
|
|
|
|
2003-07-29 15:48:06 +00:00
|
|
|
#include "manager.h"
|
2007-01-30 21:11:32 +00:00
|
|
|
#include "global.h"
|
|
|
|
|
|
2003-07-29 15:48:06 +00:00
|
|
|
#ifdef C_LINUX
|
|
|
|
|
dev_t procdev;
|
|
|
|
|
#endif
|
|
|
|
|
|
2010-12-28 18:24:51 +01:00
|
|
|
#ifdef _WIN32
|
|
|
|
|
/* FIXME: If possible, handle users correctly */
|
|
|
|
|
static int checkaccess(const char *path, const char *username, int mode)
|
|
|
|
|
{
|
2011-04-17 13:08:11 +02:00
|
|
|
return !access(path, mode);
|
2010-12-28 18:24:51 +01:00
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
static int checkaccess(const char *path, const char *username, int mode)
|
|
|
|
|
{
|
2014-09-11 14:15:36 -04:00
|
|
|
struct passwd *user;
|
|
|
|
|
int ret = 0, status;
|
2010-12-28 18:24:51 +01:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!geteuid()) {
|
|
|
|
|
if ((user = getpwnam(username)) == NULL) {
|
2014-09-11 14:15:36 -04:00
|
|
|
return -1;
|
|
|
|
|
}
|
2010-12-28 18:24:51 +01:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
switch (fork()) {
|
|
|
|
|
case -1:
|
|
|
|
|
return -2;
|
|
|
|
|
case 0:
|
|
|
|
|
if (setgid(user->pw_gid)) {
|
|
|
|
|
fprintf(stderr, "ERROR: setgid(%d) failed.\n", (int)user->pw_gid);
|
|
|
|
|
exit(0);
|
|
|
|
|
}
|
2010-12-28 18:24:51 +01:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (setuid(user->pw_uid)) {
|
|
|
|
|
fprintf(stderr, "ERROR: setuid(%d) failed.\n", (int)user->pw_uid);
|
|
|
|
|
exit(0);
|
|
|
|
|
}
|
2010-12-28 18:24:51 +01:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (access(path, mode))
|
|
|
|
|
exit(0);
|
|
|
|
|
else
|
|
|
|
|
exit(1);
|
|
|
|
|
default:
|
|
|
|
|
wait(&status);
|
|
|
|
|
if (WIFEXITED(status) && WEXITSTATUS(status) == 1)
|
|
|
|
|
ret = 1;
|
2014-09-11 14:15:36 -04:00
|
|
|
}
|
2010-12-28 18:24:51 +01:00
|
|
|
} else {
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!access(path, mode))
|
2014-09-11 14:15:36 -04:00
|
|
|
ret = 1;
|
2010-12-28 18:24:51 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2011-08-22 16:58:48 +03:00
|
|
|
struct metachain {
|
|
|
|
|
char **chains;
|
2014-11-06 14:51:26 -05:00
|
|
|
size_t lastadd;
|
|
|
|
|
size_t lastvir;
|
|
|
|
|
size_t level;
|
|
|
|
|
size_t nchains;
|
2011-08-22 16:58:48 +03:00
|
|
|
};
|
|
|
|
|
|
2015-10-01 17:47:37 -04:00
|
|
|
struct clamscan_cb_data {
|
2018-12-03 12:40:13 -05:00
|
|
|
struct metachain *chain;
|
|
|
|
|
const char *filename;
|
2015-10-01 17:47:37 -04:00
|
|
|
};
|
|
|
|
|
|
2011-08-22 16:58:48 +03:00
|
|
|
static cl_error_t pre(int fd, const char *type, void *context)
|
|
|
|
|
{
|
2014-11-06 14:51:26 -05:00
|
|
|
struct metachain *c;
|
2015-10-01 17:47:37 -04:00
|
|
|
struct clamscan_cb_data *d;
|
2014-11-06 14:51:26 -05:00
|
|
|
|
2014-07-11 09:30:58 -04:00
|
|
|
UNUSEDPARAM(fd);
|
2014-07-11 09:42:42 -04:00
|
|
|
UNUSEDPARAM(type);
|
2014-07-11 09:30:58 -04:00
|
|
|
|
2014-11-06 14:51:26 -05:00
|
|
|
if (!(context))
|
|
|
|
|
return CL_CLEAN;
|
2015-10-01 17:47:37 -04:00
|
|
|
d = (struct clamscan_cb_data *)context;
|
|
|
|
|
c = d->chain;
|
|
|
|
|
if (c == NULL)
|
|
|
|
|
return CL_CLEAN;
|
2014-11-06 14:51:26 -05:00
|
|
|
|
|
|
|
|
c->level++;
|
|
|
|
|
|
2011-08-22 16:58:48 +03:00
|
|
|
return CL_CLEAN;
|
|
|
|
|
}
|
|
|
|
|
|
2014-11-06 14:51:26 -05:00
|
|
|
static int print_chain(struct metachain *c, char *str, size_t len)
|
2011-08-22 16:58:48 +03:00
|
|
|
{
|
2014-11-06 14:51:26 -05:00
|
|
|
size_t i;
|
|
|
|
|
size_t na = 0;
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
for (i = 0; i < c->nchains - 1; i++) {
|
2014-11-06 14:51:26 -05:00
|
|
|
size_t n = strlen(c->chains[i]);
|
2014-09-11 14:15:36 -04:00
|
|
|
|
|
|
|
|
if (na)
|
|
|
|
|
str[na++] = '!';
|
|
|
|
|
|
|
|
|
|
if (n + na + 2 > len)
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
memcpy(str + na, c->chains[i], n);
|
|
|
|
|
na += n;
|
2011-08-22 16:58:48 +03:00
|
|
|
}
|
2014-09-11 14:15:36 -04:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
str[na] = '\0';
|
|
|
|
|
str[len - 1] = '\0';
|
2014-09-11 14:15:36 -04:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
return i == c->nchains - 1 ? 0 : 1;
|
2011-08-22 16:58:48 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static cl_error_t post(int fd, int result, const char *virname, void *context)
|
|
|
|
|
{
|
2015-10-01 17:47:37 -04:00
|
|
|
struct clamscan_cb_data *d = context;
|
2018-12-03 12:40:13 -05:00
|
|
|
struct metachain *c = NULL;
|
2014-11-06 14:51:26 -05:00
|
|
|
char str[128];
|
2014-09-11 14:15:36 -04:00
|
|
|
|
2014-07-11 09:30:58 -04:00
|
|
|
UNUSEDPARAM(fd);
|
|
|
|
|
UNUSEDPARAM(result);
|
2014-09-11 14:15:36 -04:00
|
|
|
|
2015-10-01 17:47:37 -04:00
|
|
|
if (d != NULL)
|
|
|
|
|
c = d->chain;
|
|
|
|
|
|
2014-11-06 14:51:26 -05:00
|
|
|
if (c && c->nchains) {
|
2014-09-11 14:15:36 -04:00
|
|
|
print_chain(c, str, sizeof(str));
|
2014-11-06 14:51:26 -05:00
|
|
|
|
2014-09-11 14:15:36 -04:00
|
|
|
if (c->level == c->lastadd && !virname)
|
2014-11-06 14:51:26 -05:00
|
|
|
free(c->chains[--c->nchains]);
|
|
|
|
|
|
2014-09-11 14:15:36 -04:00
|
|
|
if (virname && !c->lastvir)
|
|
|
|
|
c->lastvir = c->level;
|
2011-08-22 16:58:48 +03:00
|
|
|
}
|
2014-09-11 14:15:36 -04:00
|
|
|
|
2011-08-22 16:58:48 +03:00
|
|
|
if (c)
|
2014-09-11 14:15:36 -04:00
|
|
|
c->level--;
|
|
|
|
|
|
2011-08-22 16:58:48 +03:00
|
|
|
return CL_CLEAN;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
static cl_error_t meta(const char *container_type, unsigned long fsize_container, const char *filename,
|
|
|
|
|
unsigned long fsize_real, int is_encrypted, unsigned int filepos_container, void *context)
|
2011-08-22 16:58:48 +03:00
|
|
|
{
|
|
|
|
|
char prev[128];
|
2014-11-06 14:51:26 -05:00
|
|
|
struct metachain *c;
|
2015-10-01 17:47:37 -04:00
|
|
|
struct clamscan_cb_data *d;
|
2014-11-06 14:51:26 -05:00
|
|
|
const char *type;
|
|
|
|
|
size_t n;
|
2011-08-22 16:58:48 +03:00
|
|
|
char *chain;
|
|
|
|
|
char **chains;
|
|
|
|
|
int toolong;
|
|
|
|
|
|
2014-07-11 09:30:58 -04:00
|
|
|
UNUSEDPARAM(fsize_container);
|
|
|
|
|
UNUSEDPARAM(fsize_real);
|
|
|
|
|
UNUSEDPARAM(is_encrypted);
|
|
|
|
|
UNUSEDPARAM(filepos_container);
|
|
|
|
|
|
2015-10-01 17:47:37 -04:00
|
|
|
if (!(context))
|
|
|
|
|
return CL_CLEAN;
|
|
|
|
|
d = (struct clamscan_cb_data *)context;
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
c = d->chain;
|
2014-11-06 14:51:26 -05:00
|
|
|
type = (strncmp(container_type, "CL_TYPE_", 8) == 0 ? container_type + 8 : container_type);
|
2018-12-03 12:40:13 -05:00
|
|
|
n = strlen(type) + strlen(filename) + 2;
|
2014-11-06 14:51:26 -05:00
|
|
|
|
2011-08-22 16:58:48 +03:00
|
|
|
if (!c)
|
2014-09-11 14:15:36 -04:00
|
|
|
return CL_CLEAN;
|
|
|
|
|
|
2011-08-22 16:58:48 +03:00
|
|
|
chain = malloc(n);
|
2014-09-11 14:15:36 -04:00
|
|
|
|
2011-08-22 16:58:48 +03:00
|
|
|
if (!chain)
|
2014-09-11 14:15:36 -04:00
|
|
|
return CL_CLEAN;
|
2014-11-06 14:51:26 -05:00
|
|
|
|
2011-08-22 16:58:48 +03:00
|
|
|
if (!strcmp(type, "ANY"))
|
2018-12-03 12:40:13 -05:00
|
|
|
snprintf(chain, n, "%s", filename);
|
2011-08-22 16:58:48 +03:00
|
|
|
else
|
2018-12-03 12:40:13 -05:00
|
|
|
snprintf(chain, n, "%s:%s", type, filename);
|
2014-09-11 14:15:36 -04:00
|
|
|
|
2011-08-22 16:58:48 +03:00
|
|
|
if (c->lastadd != c->level) {
|
2014-11-06 14:51:26 -05:00
|
|
|
n = c->nchains + 1;
|
2014-09-11 14:15:36 -04:00
|
|
|
|
|
|
|
|
chains = realloc(c->chains, n * sizeof(*chains));
|
|
|
|
|
if (!chains) {
|
|
|
|
|
free(chain);
|
|
|
|
|
return CL_CLEAN;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
c->chains = chains;
|
2014-11-06 14:51:26 -05:00
|
|
|
c->nchains = n;
|
2014-09-11 14:15:36 -04:00
|
|
|
c->lastadd = c->level;
|
2011-08-22 16:58:48 +03:00
|
|
|
} else {
|
2014-11-06 14:51:26 -05:00
|
|
|
if (c->nchains > 0)
|
2018-12-03 12:40:13 -05:00
|
|
|
free(c->chains[c->nchains - 1]);
|
2011-08-22 16:58:48 +03:00
|
|
|
}
|
2014-09-11 14:15:36 -04:00
|
|
|
|
2014-11-06 14:51:26 -05:00
|
|
|
if (c->nchains > 0) {
|
2018-12-03 12:40:13 -05:00
|
|
|
c->chains[c->nchains - 1] = chain;
|
|
|
|
|
toolong = print_chain(c, prev, sizeof(prev));
|
|
|
|
|
logg("*Scanning %s%s!%s\n", prev, toolong ? "..." : "", chain);
|
2014-11-06 14:51:26 -05:00
|
|
|
} else {
|
|
|
|
|
free(chain);
|
|
|
|
|
}
|
2014-09-11 14:15:36 -04:00
|
|
|
|
2011-08-22 16:58:48 +03:00
|
|
|
return CL_CLEAN;
|
|
|
|
|
}
|
|
|
|
|
|
2015-10-01 17:47:37 -04:00
|
|
|
static void clamscan_virus_found_cb(int fd, const char *virname, void *context)
|
|
|
|
|
{
|
|
|
|
|
struct clamscan_cb_data *data = (struct clamscan_cb_data *)context;
|
2018-12-03 12:40:13 -05:00
|
|
|
const char *filename;
|
2015-10-01 17:47:37 -04:00
|
|
|
|
2019-02-27 00:47:38 -05:00
|
|
|
UNUSEDPARAM(fd);
|
|
|
|
|
|
2015-10-01 17:47:37 -04:00
|
|
|
if (data == NULL)
|
|
|
|
|
return;
|
|
|
|
|
if (data->filename != NULL)
|
|
|
|
|
filename = data->filename;
|
|
|
|
|
else
|
|
|
|
|
filename = "(filename not set)";
|
|
|
|
|
logg("~%s: %s FOUND\n", filename, virname);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-20 22:28:48 -04:00
|
|
|
static void scanfile(const char *filename, struct cl_engine *engine, const struct optstruct *opts, struct cl_scan_options *options)
|
2007-01-30 21:11:32 +00:00
|
|
|
{
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
cl_error_t ret = CL_SUCCESS;
|
|
|
|
|
int fd, included;
|
2014-09-11 14:15:36 -04:00
|
|
|
unsigned i;
|
|
|
|
|
const struct optstruct *opt;
|
2018-07-31 17:09:49 -04:00
|
|
|
const char *virname = NULL;
|
2014-09-11 14:15:36 -04:00
|
|
|
STATBUF sb;
|
|
|
|
|
struct metachain chain;
|
2015-10-01 17:47:37 -04:00
|
|
|
struct clamscan_cb_data data;
|
2008-06-10 16:59:19 +00:00
|
|
|
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
char *real_filename = NULL;
|
|
|
|
|
|
|
|
|
|
if (NULL == filename || NULL == engine || NULL == opts || NULL == options) {
|
|
|
|
|
logg("scanfile: Invalid args.\n");
|
|
|
|
|
ret = CL_EARG;
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-24 08:32:47 -07:00
|
|
|
ret = cli_realpath((const char *)filename, &real_filename);
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
if (CL_SUCCESS != ret) {
|
2021-01-12 12:01:27 -08:00
|
|
|
logg("*Failed to determine real filename of %s.\n", filename);
|
|
|
|
|
logg("*Quarantine of the file may fail if file path contains symlinks.\n");
|
|
|
|
|
} else {
|
|
|
|
|
filename = real_filename;
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "exclude"))->enabled) {
|
|
|
|
|
while (opt) {
|
|
|
|
|
if (match_regex(filename, opt->strarg) == 1) {
|
|
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("~%s: Excluded\n", filename);
|
|
|
|
|
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
goto done;
|
2014-09-11 14:15:36 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
opt = opt->nextarg;
|
|
|
|
|
}
|
2008-06-10 16:59:19 +00:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "include"))->enabled) {
|
2014-09-11 14:15:36 -04:00
|
|
|
included = 0;
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
while (opt) {
|
|
|
|
|
if (match_regex(filename, opt->strarg) == 1) {
|
2014-09-11 14:15:36 -04:00
|
|
|
included = 1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
opt = opt->nextarg;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!included) {
|
|
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("~%s: Excluded\n", filename);
|
|
|
|
|
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
goto done;
|
2014-09-11 14:15:36 -04:00
|
|
|
}
|
2008-06-10 16:59:19 +00:00
|
|
|
}
|
|
|
|
|
|
2010-12-28 18:24:51 +01:00
|
|
|
/* argh, don't scan /proc files */
|
2018-12-03 12:40:13 -05:00
|
|
|
if (CLAMSTAT(filename, &sb) != -1) {
|
2010-12-28 18:24:51 +01:00
|
|
|
#ifdef C_LINUX
|
2018-12-03 12:40:13 -05:00
|
|
|
if (procdev && sb.st_dev == procdev) {
|
|
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("~%s: Excluded (/proc)\n", filename);
|
|
|
|
|
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
goto done;
|
2014-09-11 14:15:36 -04:00
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
#endif
|
|
|
|
|
if (!sb.st_size) {
|
|
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("~%s: Empty file\n", filename);
|
|
|
|
|
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
goto done;
|
2014-09-11 14:15:36 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
info.rblocks += sb.st_size / CL_COUNT_PRECISION;
|
2008-06-10 16:59:19 +00:00
|
|
|
}
|
2010-12-28 18:24:51 +01:00
|
|
|
|
2009-09-24 16:08:52 +02:00
|
|
|
#ifndef _WIN32
|
2018-12-03 12:40:13 -05:00
|
|
|
if (geteuid()) {
|
|
|
|
|
if (checkaccess(filename, NULL, R_OK) != 1) {
|
|
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("~%s: Access denied\n", filename);
|
|
|
|
|
|
|
|
|
|
info.errors++;
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
goto done;
|
2014-09-11 14:15:36 -04:00
|
|
|
}
|
|
|
|
|
}
|
2008-06-10 16:59:19 +00:00
|
|
|
#endif
|
|
|
|
|
|
2011-08-22 16:58:48 +03:00
|
|
|
memset(&chain, 0, sizeof(chain));
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "archive-verbose")->enabled) {
|
2014-11-06 14:51:26 -05:00
|
|
|
chain.chains = malloc(sizeof(char **));
|
2014-09-11 14:15:36 -04:00
|
|
|
if (chain.chains) {
|
|
|
|
|
chain.chains[0] = strdup(filename);
|
2016-03-11 16:02:22 -05:00
|
|
|
if (!chain.chains[0]) {
|
|
|
|
|
free(chain.chains);
|
|
|
|
|
logg("Unable to allocate memory in scanfile()\n");
|
|
|
|
|
info.errors++;
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
goto done;
|
2016-03-11 16:02:22 -05:00
|
|
|
}
|
2014-11-06 14:51:26 -05:00
|
|
|
chain.nchains = 1;
|
2014-09-11 14:15:36 -04:00
|
|
|
}
|
2011-08-22 16:58:48 +03:00
|
|
|
}
|
2014-09-11 14:15:36 -04:00
|
|
|
|
2008-06-10 16:59:19 +00:00
|
|
|
logg("*Scanning %s\n", filename);
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((fd = safe_open(filename, O_RDONLY | O_BINARY)) == -1) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("^Can't open file %s: %s\n", filename, strerror(errno));
|
|
|
|
|
info.errors++;
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
goto done;
|
2008-06-10 16:59:19 +00:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
data.chain = &chain;
|
2015-10-01 17:47:37 -04:00
|
|
|
data.filename = filename;
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((ret = cl_scandesc_callback(fd, filename, &virname, &info.blocks, engine, options, &data)) == CL_VIRUS) {
|
|
|
|
|
if (optget(opts, "archive-verbose")->enabled) {
|
2014-11-06 14:51:26 -05:00
|
|
|
if (chain.nchains > 1) {
|
2014-09-11 14:15:36 -04:00
|
|
|
char str[128];
|
|
|
|
|
int toolong = print_chain(&chain, str, sizeof(str));
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
logg("~%s%s!(%llu)%s: %s FOUND\n", str, toolong ? "..." : "", (long long unsigned)(chain.lastvir - 1), chain.chains[chain.nchains - 1], virname);
|
2014-09-11 14:15:36 -04:00
|
|
|
} else if (chain.lastvir) {
|
2018-12-03 12:40:13 -05:00
|
|
|
logg("~%s!(%llu): %s FOUND\n", filename, (long long unsigned)(chain.lastvir - 1), virname);
|
2014-09-11 14:15:36 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
info.files++;
|
|
|
|
|
info.ifiles++;
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (bell)
|
2014-09-11 14:15:36 -04:00
|
|
|
fprintf(stderr, "\007");
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (ret == CL_CLEAN) {
|
|
|
|
|
if (!printinfected && printclean)
|
2014-09-11 14:15:36 -04:00
|
|
|
mprintf("~%s: OK\n", filename);
|
|
|
|
|
|
|
|
|
|
info.files++;
|
2010-02-04 21:33:03 +01:00
|
|
|
} else {
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("~%s: %s ERROR\n", filename, cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
info.errors++;
|
2010-02-04 21:33:03 +01:00
|
|
|
}
|
2008-06-10 16:59:19 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
for (i = 0; i < chain.nchains; i++)
|
2014-09-11 14:15:36 -04:00
|
|
|
free(chain.chains[i]);
|
|
|
|
|
|
2011-08-22 16:58:48 +03:00
|
|
|
free(chain.chains);
|
2008-06-10 16:59:19 +00:00
|
|
|
close(fd);
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (ret == CL_VIRUS && action)
|
2014-09-11 14:15:36 -04:00
|
|
|
action(filename);
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
if (NULL != real_filename) {
|
|
|
|
|
free(real_filename);
|
|
|
|
|
}
|
|
|
|
|
return;
|
2008-06-10 16:59:19 +00:00
|
|
|
}
|
|
|
|
|
|
2018-07-20 22:28:48 -04:00
|
|
|
static void scandirs(const char *dirname, struct cl_engine *engine, const struct optstruct *opts, struct cl_scan_options *options, unsigned int depth, dev_t dev)
|
2008-06-10 16:59:19 +00:00
|
|
|
{
|
2014-09-11 14:15:36 -04:00
|
|
|
DIR *dd;
|
|
|
|
|
struct dirent *dent;
|
|
|
|
|
STATBUF sb;
|
|
|
|
|
char *fname;
|
|
|
|
|
int included;
|
|
|
|
|
const struct optstruct *opt;
|
|
|
|
|
unsigned int dirlnk, filelnk;
|
2008-06-10 16:59:19 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "exclude-dir"))->enabled) {
|
|
|
|
|
while (opt) {
|
|
|
|
|
if (match_regex(dirname, opt->strarg) == 1) {
|
|
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("~%s: Excluded\n", dirname);
|
|
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
opt = opt->nextarg;
|
|
|
|
|
}
|
2008-06-10 16:59:19 +00:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "include-dir"))->enabled) {
|
2014-09-11 14:15:36 -04:00
|
|
|
included = 0;
|
2018-12-03 12:40:13 -05:00
|
|
|
while (opt) {
|
|
|
|
|
if (match_regex(dirname, opt->strarg) == 1) {
|
2014-09-11 14:15:36 -04:00
|
|
|
included = 1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
opt = opt->nextarg;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!included) {
|
|
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("~%s: Excluded\n", dirname);
|
|
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
}
|
2008-06-10 16:59:19 +00:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (depth > (unsigned int)optget(opts, "max-dir-recursion")->numarg)
|
2014-09-11 14:15:36 -04:00
|
|
|
return;
|
2008-06-10 16:59:19 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
dirlnk = optget(opts, "follow-dir-symlinks")->numarg;
|
2010-12-28 18:24:51 +01:00
|
|
|
filelnk = optget(opts, "follow-file-symlinks")->numarg;
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((dd = opendir(dirname)) != NULL) {
|
2014-09-11 14:15:36 -04:00
|
|
|
info.dirs++;
|
|
|
|
|
depth++;
|
2018-12-03 12:40:13 -05:00
|
|
|
while ((dent = readdir(dd))) {
|
|
|
|
|
if (dent->d_ino) {
|
|
|
|
|
if (strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) {
|
2014-09-11 14:15:36 -04:00
|
|
|
/* build the full name */
|
|
|
|
|
fname = malloc(strlen(dirname) + strlen(dent->d_name) + 2);
|
|
|
|
|
if (fname == NULL) { /* oops, malloc() failed, print warning and return */
|
|
|
|
|
logg("!scandirs: Memory allocation failed for fname\n");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!strcmp(dirname, PATHSEP))
|
|
|
|
|
sprintf(fname, PATHSEP "%s", dent->d_name);
|
2014-09-11 14:15:36 -04:00
|
|
|
else
|
2018-12-03 12:40:13 -05:00
|
|
|
sprintf(fname, "%s" PATHSEP "%s", dirname, dent->d_name);
|
2014-09-11 14:15:36 -04:00
|
|
|
|
|
|
|
|
/* stat the file */
|
2018-12-03 12:40:13 -05:00
|
|
|
if (LSTAT(fname, &sb) != -1) {
|
|
|
|
|
if (!optget(opts, "cross-fs")->enabled) {
|
|
|
|
|
if (sb.st_dev != dev) {
|
|
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("~%s: Excluded\n", fname);
|
|
|
|
|
|
|
|
|
|
free(fname);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
if (S_ISLNK(sb.st_mode)) {
|
|
|
|
|
if (dirlnk != 2 && filelnk != 2) {
|
|
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("%s: Symbolic link\n", fname);
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (CLAMSTAT(fname, &sb) != -1) {
|
|
|
|
|
if (S_ISREG(sb.st_mode) && filelnk == 2) {
|
2014-09-11 14:15:36 -04:00
|
|
|
scanfile(fname, engine, opts, options);
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (S_ISDIR(sb.st_mode) && dirlnk == 2) {
|
|
|
|
|
if (recursion)
|
2014-09-11 14:15:36 -04:00
|
|
|
scandirs(fname, engine, opts, options, depth, dev);
|
|
|
|
|
} else {
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("%s: Symbolic link\n", fname);
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (S_ISREG(sb.st_mode)) {
|
2014-09-11 14:15:36 -04:00
|
|
|
scanfile(fname, engine, opts, options);
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (S_ISDIR(sb.st_mode) && recursion) {
|
2014-09-11 14:15:36 -04:00
|
|
|
scandirs(fname, engine, opts, options, depth, dev);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
free(fname);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
closedir(dd);
|
2008-06-10 16:59:19 +00:00
|
|
|
} else {
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("~%s: Can't open directory.\n", dirname);
|
|
|
|
|
|
|
|
|
|
info.errors++;
|
2008-06-10 16:59:19 +00:00
|
|
|
}
|
2007-01-30 21:11:32 +00:00
|
|
|
}
|
|
|
|
|
|
2019-05-23 22:50:04 -04:00
|
|
|
static int scanstdin(const struct cl_engine *engine, struct cl_scan_options *options)
|
2007-01-30 21:11:32 +00:00
|
|
|
{
|
2014-09-11 14:15:36 -04:00
|
|
|
int ret;
|
2019-05-23 22:50:04 -04:00
|
|
|
unsigned int fsize = 0;
|
|
|
|
|
const char *virname = NULL;
|
|
|
|
|
const char *tmpdir = NULL;
|
2014-09-11 14:15:36 -04:00
|
|
|
char *file, buff[FILEBUFF];
|
|
|
|
|
size_t bread;
|
|
|
|
|
FILE *fs;
|
2015-10-01 17:47:37 -04:00
|
|
|
struct clamscan_cb_data data;
|
2007-01-30 21:11:32 +00:00
|
|
|
|
2019-05-23 22:50:04 -04:00
|
|
|
tmpdir = cl_engine_get_str(engine, CL_ENGINE_TMPDIR, NULL);
|
|
|
|
|
if (NULL == tmpdir) {
|
2014-09-11 14:15:36 -04:00
|
|
|
tmpdir = cli_gettmpdir();
|
|
|
|
|
}
|
2007-01-30 21:11:32 +00:00
|
|
|
|
2019-06-26 14:51:40 -07:00
|
|
|
if (access(tmpdir, R_OK | W_OK) == -1) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!Can't write to temporary directory\n");
|
|
|
|
|
return 2;
|
2007-01-30 21:11:32 +00:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!(file = cli_gentemp(tmpdir))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!Can't generate tempfile name\n");
|
|
|
|
|
return 2;
|
2012-07-05 12:45:07 -04:00
|
|
|
}
|
2007-01-30 21:11:32 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!(fs = fopen(file, "wb"))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!Can't open %s for writing\n", file);
|
|
|
|
|
free(file);
|
|
|
|
|
return 2;
|
2007-01-30 21:11:32 +00:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
while ((bread = fread(buff, 1, FILEBUFF, stdin))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
fsize += bread;
|
2018-12-03 12:40:13 -05:00
|
|
|
if (fwrite(buff, 1, bread, fs) < bread) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!Can't write to %s\n", file);
|
|
|
|
|
free(file);
|
|
|
|
|
fclose(fs);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2009-03-07 18:16:20 +00:00
|
|
|
}
|
2014-09-11 14:15:36 -04:00
|
|
|
|
2007-01-30 21:11:32 +00:00
|
|
|
fclose(fs);
|
|
|
|
|
|
|
|
|
|
logg("*Checking %s\n", file);
|
2014-09-11 14:15:36 -04:00
|
|
|
|
2007-01-30 21:11:32 +00:00
|
|
|
info.files++;
|
2009-03-07 18:16:20 +00:00
|
|
|
info.rblocks += fsize / CL_COUNT_PRECISION;
|
2007-01-30 21:11:32 +00:00
|
|
|
|
2015-10-01 17:47:37 -04:00
|
|
|
data.filename = "stdin";
|
2018-12-03 12:40:13 -05:00
|
|
|
data.chain = NULL;
|
|
|
|
|
if ((ret = cl_scanfile_callback(file, &virname, &info.blocks, engine, options, &data)) == CL_VIRUS) {
|
2014-09-11 14:15:36 -04:00
|
|
|
info.ifiles++;
|
2007-01-30 21:11:32 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (bell)
|
2014-09-11 14:15:36 -04:00
|
|
|
fprintf(stderr, "\007");
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (ret == CL_CLEAN) {
|
|
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
mprintf("stdin: OK\n");
|
2010-10-08 15:39:55 +02:00
|
|
|
} else {
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("stdin: %s ERROR\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
info.errors++;
|
2010-10-08 15:39:55 +02:00
|
|
|
}
|
2007-01-30 21:11:32 +00:00
|
|
|
|
|
|
|
|
unlink(file);
|
|
|
|
|
free(file);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2004-07-19 17:54:40 +00:00
|
|
|
|
2008-12-30 10:33:43 +00:00
|
|
|
int scanmanager(const struct optstruct *opts)
|
2003-07-29 15:48:06 +00:00
|
|
|
{
|
2014-09-11 14:15:36 -04:00
|
|
|
int ret = 0, i;
|
2018-07-20 22:28:48 -04:00
|
|
|
struct cl_scan_options options;
|
|
|
|
|
unsigned int dboptions = 0, dirlnk = 1, filelnk = 1;
|
2014-09-11 14:15:36 -04:00
|
|
|
struct cl_engine *engine;
|
|
|
|
|
STATBUF sb;
|
|
|
|
|
char *file, cwd[1024], *pua_cats = NULL;
|
|
|
|
|
const char *filename;
|
|
|
|
|
const struct optstruct *opt;
|
2009-09-24 19:23:21 +02:00
|
|
|
#ifndef _WIN32
|
2014-09-11 14:15:36 -04:00
|
|
|
struct rlimit rlim;
|
2008-07-30 15:20:30 +00:00
|
|
|
#endif
|
2003-07-29 15:48:06 +00:00
|
|
|
|
2018-07-20 22:28:48 -04:00
|
|
|
/* Initalize scan options struct */
|
|
|
|
|
memset(&options, 0, sizeof(struct cl_scan_options));
|
|
|
|
|
|
2010-12-28 18:24:51 +01:00
|
|
|
dirlnk = optget(opts, "follow-dir-symlinks")->numarg;
|
2018-12-03 12:40:13 -05:00
|
|
|
if (dirlnk > 2) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!--follow-dir-symlinks: Invalid argument\n");
|
|
|
|
|
return 2;
|
2010-12-28 18:24:51 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
filelnk = optget(opts, "follow-file-symlinks")->numarg;
|
2018-12-03 12:40:13 -05:00
|
|
|
if (filelnk > 2) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!--follow-file-symlinks: Invalid argument\n");
|
|
|
|
|
return 2;
|
2010-12-28 18:24:51 +01:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "yara-rules")->enabled) {
|
|
|
|
|
char *p = optget(opts, "yara-rules")->strarg;
|
|
|
|
|
if (strcmp(p, "yes")) {
|
|
|
|
|
if (!strcmp(p, "only"))
|
|
|
|
|
dboptions |= CL_DB_YARA_ONLY;
|
|
|
|
|
else if (!strcmp(p, "no"))
|
|
|
|
|
dboptions |= CL_DB_YARA_EXCLUDE;
|
|
|
|
|
}
|
2015-07-23 15:36:16 -04:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "phishing-sigs")->enabled)
|
2014-09-11 14:15:36 -04:00
|
|
|
dboptions |= CL_DB_PHISHING;
|
2003-07-29 15:48:06 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "official-db-only")->enabled)
|
2014-09-11 14:15:36 -04:00
|
|
|
dboptions |= CL_DB_OFFICIAL_ONLY;
|
2009-11-10 19:30:33 +01:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "phishing-scan-urls")->enabled)
|
2014-09-11 14:15:36 -04:00
|
|
|
dboptions |= CL_DB_PHISHING_URLS;
|
2006-09-14 17:40:20 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "bytecode")->enabled)
|
2014-09-11 14:15:36 -04:00
|
|
|
dboptions |= CL_DB_BYTECODE;
|
2009-09-21 19:24:16 +03:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((ret = cl_init(CL_INIT_DEFAULT))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!Can't initialize libclamav: %s\n", cl_strerror(ret));
|
|
|
|
|
return 2;
|
2008-11-12 16:19:43 +00:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!(engine = cl_engine_new())) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!Can't initialize antivirus engine\n");
|
|
|
|
|
return 2;
|
2008-11-12 16:19:43 +00:00
|
|
|
}
|
|
|
|
|
|
2016-08-24 17:39:20 -04:00
|
|
|
cl_engine_set_clcb_virus_found(engine, clamscan_virus_found_cb);
|
2018-12-03 12:40:13 -05:00
|
|
|
|
2013-11-15 19:15:20 +00:00
|
|
|
if (optget(opts, "disable-cache")->enabled)
|
|
|
|
|
cl_engine_set_num(engine, CL_ENGINE_DISABLE_CACHE, 1);
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "detect-pua")->enabled) {
|
2014-09-11 14:15:36 -04:00
|
|
|
dboptions |= CL_DB_PUA;
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "exclude-pua"))->enabled) {
|
2014-09-11 14:15:36 -04:00
|
|
|
dboptions |= CL_DB_PUA_EXCLUDE;
|
|
|
|
|
i = 0;
|
2018-12-03 12:40:13 -05:00
|
|
|
while (opt) {
|
|
|
|
|
if (!(pua_cats = realloc(pua_cats, i + strlen(opt->strarg) + 3))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!Can't allocate memory for pua_cats\n");
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sprintf(pua_cats + i, ".%s", opt->strarg);
|
|
|
|
|
i += strlen(opt->strarg) + 1;
|
|
|
|
|
pua_cats[i] = 0;
|
|
|
|
|
|
|
|
|
|
opt = opt->nextarg;
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
pua_cats[i] = '.';
|
2014-09-11 14:15:36 -04:00
|
|
|
pua_cats[i + 1] = 0;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "include-pua"))->enabled) {
|
|
|
|
|
if (pua_cats) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!--exclude-pua and --include-pua cannot be used at the same time\n");
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
free(pua_cats);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dboptions |= CL_DB_PUA_INCLUDE;
|
|
|
|
|
i = 0;
|
2018-12-03 12:40:13 -05:00
|
|
|
while (opt) {
|
|
|
|
|
if (!(pua_cats = realloc(pua_cats, i + strlen(opt->strarg) + 3))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!Can't allocate memory for pua_cats\n");
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sprintf(pua_cats + i, ".%s", opt->strarg);
|
|
|
|
|
i += strlen(opt->strarg) + 1;
|
|
|
|
|
pua_cats[i] = 0;
|
|
|
|
|
|
|
|
|
|
opt = opt->nextarg;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
pua_cats[i] = '.';
|
2014-09-11 14:15:36 -04:00
|
|
|
pua_cats[i + 1] = 0;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (pua_cats) {
|
|
|
|
|
if ((ret = cl_engine_set_str(engine, CL_ENGINE_PUA_CATEGORIES, pua_cats))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_str(CL_ENGINE_PUA_CATEGORIES) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
free(pua_cats);
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
free(pua_cats);
|
|
|
|
|
}
|
2008-07-31 16:26:50 +00:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "dev-ac-only")->enabled)
|
2014-09-11 14:15:36 -04:00
|
|
|
cl_engine_set_num(engine, CL_ENGINE_AC_ONLY, 1);
|
2008-11-13 19:06:42 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "dev-ac-depth")->enabled)
|
2014-09-11 14:15:36 -04:00
|
|
|
cl_engine_set_num(engine, CL_ENGINE_AC_MAXDEPTH, optget(opts, "dev-ac-depth")->numarg);
|
2008-11-13 19:06:42 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "leave-temps")->enabled)
|
2014-09-11 14:15:36 -04:00
|
|
|
cl_engine_set_num(engine, CL_ENGINE_KEEPTMP, 1);
|
2008-11-14 22:23:39 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "force-to-disk")->enabled)
|
2014-09-11 14:15:36 -04:00
|
|
|
cl_engine_set_num(engine, CL_ENGINE_FORCETODISK, 1);
|
2013-11-08 17:10:43 -05:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "bytecode-unsigned")->enabled)
|
2014-09-11 14:15:36 -04:00
|
|
|
dboptions |= CL_DB_BYTECODE_UNSIGNED;
|
2011-02-17 19:17:35 +01:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "bytecode-timeout"))->enabled)
|
2014-09-11 14:15:36 -04:00
|
|
|
cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg);
|
|
|
|
|
|
2016-03-16 15:42:35 -04:00
|
|
|
if (optget(opts, "nocerts")->enabled)
|
|
|
|
|
cl_engine_set_num(engine, CL_ENGINE_DISABLE_PE_CERTS, 1);
|
|
|
|
|
|
|
|
|
|
if (optget(opts, "dumpcerts")->enabled)
|
|
|
|
|
cl_engine_set_num(engine, CL_ENGINE_PE_DUMPCERTS, 1);
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "bytecode-mode"))->enabled) {
|
2014-09-11 14:15:36 -04:00
|
|
|
enum bytecode_mode mode;
|
|
|
|
|
|
|
|
|
|
if (!strcmp(opt->strarg, "ForceJIT"))
|
|
|
|
|
mode = CL_BYTECODE_MODE_JIT;
|
2018-12-03 12:40:13 -05:00
|
|
|
else if (!strcmp(opt->strarg, "ForceInterpreter"))
|
2014-09-11 14:15:36 -04:00
|
|
|
mode = CL_BYTECODE_MODE_INTERPRETER;
|
2018-12-03 12:40:13 -05:00
|
|
|
else if (!strcmp(opt->strarg, "Test"))
|
2014-09-11 14:15:36 -04:00
|
|
|
mode = CL_BYTECODE_MODE_TEST;
|
|
|
|
|
else
|
|
|
|
|
mode = CL_BYTECODE_MODE_AUTO;
|
|
|
|
|
|
|
|
|
|
cl_engine_set_num(engine, CL_ENGINE_BYTECODE_MODE, mode);
|
2010-07-29 13:46:16 +03:00
|
|
|
}
|
2010-03-12 13:13:08 +02:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "statistics"))->enabled) {
|
|
|
|
|
while (opt) {
|
|
|
|
|
if (!strcasecmp(opt->strarg, "bytecode")) {
|
|
|
|
|
dboptions |= CL_DB_BYTECODE_STATS;
|
|
|
|
|
} else if (!strcasecmp(opt->strarg, "pcre")) {
|
|
|
|
|
dboptions |= CL_DB_PCRE_STATS;
|
|
|
|
|
}
|
|
|
|
|
opt = opt->nextarg;
|
2014-09-16 14:44:50 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-02-26 13:41:32 -05:00
|
|
|
/* JSON check to prevent engine loading if specified without libjson-c */
|
|
|
|
|
#if HAVE_JSON
|
|
|
|
|
if (optget(opts, "gen-json")->enabled)
|
2018-07-20 22:28:48 -04:00
|
|
|
options.general |= CL_SCAN_GENERAL_COLLECT_METADATA;
|
2018-02-26 13:41:32 -05:00
|
|
|
#else
|
|
|
|
|
if (optget(opts, "gen-json")->enabled) {
|
2018-03-01 14:38:05 -05:00
|
|
|
logg("!Can't generate json (gen-json). libjson-c dev library was missing or misconfigured when ClamAV was built.\n");
|
2018-02-26 13:41:32 -05:00
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "tempdir"))->enabled) {
|
|
|
|
|
if ((ret = cl_engine_set_str(engine, CL_ENGINE_TMPDIR, opt->strarg))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_str(CL_ENGINE_TMPDIR) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2008-11-14 22:23:39 +00:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "database"))->active) {
|
|
|
|
|
while (opt) {
|
|
|
|
|
if ((ret = cl_load(opt->strarg, engine, &info.sigs, dboptions))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!%s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
opt = opt->nextarg;
|
|
|
|
|
}
|
2003-07-29 15:48:06 +00:00
|
|
|
} else {
|
2014-09-11 14:15:36 -04:00
|
|
|
char *dbdir = freshdbdir();
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((ret = cl_load(dbdir, engine, &info.sigs, dboptions))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!%s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
free(dbdir);
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
free(dbdir);
|
2003-07-29 15:48:06 +00:00
|
|
|
}
|
|
|
|
|
|
2016-02-08 15:24:30 -05:00
|
|
|
/* pcre engine limits - required for cl_engine_compile */
|
|
|
|
|
if ((opt = optget(opts, "pcre-match-limit"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_PCRE_MATCH_LIMIT, opt->numarg))) {
|
|
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_PCRE_MATCH_LIMIT) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ((opt = optget(opts, "pcre-recmatch-limit"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_PCRE_RECMATCH_LIMIT, opt->numarg))) {
|
|
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_PCRE_RECMATCH_LIMIT) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((ret = cl_engine_compile(engine)) != 0) {
|
2018-12-03 12:37:58 -05:00
|
|
|
logg("!Database initialization error: %s\n", cl_strerror(ret));
|
2014-09-11 14:15:36 -04:00
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
2003-12-02 22:48:56 +00:00
|
|
|
}
|
2003-07-29 15:48:06 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "archive-verbose")->enabled) {
|
2014-09-11 14:15:36 -04:00
|
|
|
cl_engine_set_clcb_meta(engine, meta);
|
|
|
|
|
cl_engine_set_clcb_pre_cache(engine, pre);
|
|
|
|
|
cl_engine_set_clcb_post_scan(engine, post);
|
2011-08-22 16:58:48 +03:00
|
|
|
}
|
|
|
|
|
|
2007-01-30 21:11:32 +00:00
|
|
|
/* set limits */
|
2003-07-29 15:48:06 +00:00
|
|
|
|
2019-08-16 17:18:59 -07:00
|
|
|
/* TODO: Remove deprecated option in a future feature release */
|
|
|
|
|
if ((opt = optget(opts, "timelimit"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, opt->numarg))) {
|
|
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MAX_SCANTIME) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if ((opt = optget(opts, "max-scantime"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, opt->numarg))) {
|
|
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MAX_SCANTIME) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "max-scansize"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANSIZE, opt->numarg))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MAX_SCANSIZE) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2008-11-12 16:19:43 +00:00
|
|
|
}
|
2008-02-07 02:00:21 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "max-filesize"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, opt->numarg))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MAX_FILESIZE) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2008-11-12 16:19:43 +00:00
|
|
|
}
|
2003-07-29 15:48:06 +00:00
|
|
|
|
2009-09-24 19:23:21 +02:00
|
|
|
#ifndef _WIN32
|
2018-12-03 12:40:13 -05:00
|
|
|
if (getrlimit(RLIMIT_FSIZE, &rlim) == 0) {
|
|
|
|
|
if (rlim.rlim_cur < (rlim_t)cl_engine_get_num(engine, CL_ENGINE_MAX_FILESIZE, NULL))
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("^System limit for file size is lower than engine->maxfilesize\n");
|
2018-12-03 12:40:13 -05:00
|
|
|
if (rlim.rlim_cur < (rlim_t)cl_engine_get_num(engine, CL_ENGINE_MAX_SCANSIZE, NULL))
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("^System limit for file size is lower than engine->maxscansize\n");
|
2008-07-30 15:20:30 +00:00
|
|
|
} else {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("^Cannot obtain resource limits for file size\n");
|
2008-07-30 15:20:30 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "max-files"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_FILES, opt->numarg))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MAX_FILES) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2008-11-12 16:19:43 +00:00
|
|
|
}
|
2003-07-29 15:48:06 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "max-recursion"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_RECURSION, opt->numarg))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MAX_RECURSION) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2008-11-12 16:19:43 +00:00
|
|
|
}
|
2003-07-29 15:48:06 +00:00
|
|
|
|
2012-11-27 17:15:02 -05:00
|
|
|
/* Engine max sizes */
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "max-embeddedpe"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_EMBEDDEDPE, opt->numarg))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MAX_EMBEDDEDPE) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2012-11-27 17:15:02 -05:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "max-htmlnormalize"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_HTMLNORMALIZE, opt->numarg))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MAX_HTMLNORMALIZE) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2012-11-27 17:15:02 -05:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "max-htmlnotags"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_HTMLNOTAGS, opt->numarg))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MAX_HTMLNOTAGS) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2012-11-27 17:15:02 -05:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "max-scriptnormalize"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCRIPTNORMALIZE, opt->numarg))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MAX_SCRIPTNORMALIZE) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2012-11-27 17:15:02 -05:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "max-ziptypercg"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_ZIPTYPERCG, opt->numarg))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MAX_ZIPTYPERCG) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2012-11-27 17:15:02 -05:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "max-partitions"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_PARTITIONS, opt->numarg))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MAX_PARTITIONS) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2014-02-06 18:55:40 -05:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "max-iconspe"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_ICONSPE, opt->numarg))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MAX_ICONSPE) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
2014-03-06 18:19:11 -05:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "max-rechwp3"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_RECHWP3, opt->numarg))) {
|
2016-01-19 14:25:55 -05:00
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MAX_RECHWP3) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-19 02:39:52 -04:00
|
|
|
if ((opt = optget(opts, "pcre-max-filesize"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_PCRE_MAX_FILESIZE, opt->numarg))) {
|
|
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_PCRE_MAX_FILESIZE) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-30 10:33:43 +00:00
|
|
|
/* set scan options */
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "allmatch")->enabled) {
|
2018-07-20 22:28:48 -04:00
|
|
|
options.general |= CL_SCAN_GENERAL_ALLMATCHES;
|
2015-10-01 17:47:37 -04:00
|
|
|
}
|
2012-10-18 14:12:58 -07:00
|
|
|
|
2018-10-10 06:02:28 -07:00
|
|
|
/* TODO: Remove deprecated option in a future feature release */
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((optget(opts, "phishing-ssl")->enabled) ||
|
|
|
|
|
(optget(opts, "alert-phishing-ssl")->enabled))
|
2018-07-20 22:28:48 -04:00
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH;
|
2004-09-04 21:09:20 +00:00
|
|
|
|
2018-10-10 06:02:28 -07:00
|
|
|
/* TODO: Remove deprecated option in a future feature release */
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((optget(opts, "phishing-cloak")->enabled) ||
|
|
|
|
|
(optget(opts, "alert-phishing-cloak")->enabled))
|
2018-07-20 22:28:48 -04:00
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_PHISHING_CLOAK;
|
2008-12-30 10:33:43 +00:00
|
|
|
|
2018-10-10 06:02:28 -07:00
|
|
|
/* TODO: Remove deprecated option in a future feature release */
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((optget(opts, "partition-intersection")->enabled) ||
|
|
|
|
|
(optget(opts, "alert-partition-intersection")->enabled))
|
2018-07-20 22:28:48 -04:00
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_PARTITION_INTXN;
|
2014-02-06 18:55:40 -05:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "heuristic-scan-precedence")->enabled)
|
2018-07-20 22:28:48 -04:00
|
|
|
options.general |= CL_SCAN_GENERAL_HEURISTIC_PRECEDENCE;
|
2008-12-30 10:33:43 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "scan-archive")->enabled)
|
2018-07-20 22:28:48 -04:00
|
|
|
options.parse |= CL_SCAN_PARSE_ARCHIVE;
|
2004-09-04 21:09:20 +00:00
|
|
|
|
2018-10-10 06:02:28 -07:00
|
|
|
/* TODO: Remove deprecated option in a future feature release */
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((optget(opts, "detect-broken")->enabled) ||
|
2018-10-10 06:02:28 -07:00
|
|
|
(optget(opts, "alert-broken")->enabled)) {
|
2018-07-20 22:28:48 -04:00
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_BROKEN;
|
2018-10-10 06:02:28 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* TODO: Remove deprecated option in a future feature release */
|
|
|
|
|
if ((optget(opts, "block-encrypted")->enabled) ||
|
|
|
|
|
(optget(opts, "alert-encrypted")->enabled)) {
|
|
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE;
|
|
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;
|
|
|
|
|
}
|
2004-09-04 21:09:20 +00:00
|
|
|
|
2018-10-10 06:02:28 -07:00
|
|
|
if (optget(opts, "alert-encrypted-archive")->enabled)
|
|
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE;
|
2004-09-04 21:09:20 +00:00
|
|
|
|
2018-10-10 06:02:28 -07:00
|
|
|
if (optget(opts, "alert-encrypted-doc")->enabled)
|
|
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_ENCRYPTED_DOC;
|
|
|
|
|
|
|
|
|
|
/* TODO: Remove deprecated option in a future feature release */
|
|
|
|
|
if ((optget(opts, "block-macros")->enabled) ||
|
|
|
|
|
(optget(opts, "alert-macros")->enabled)) {
|
2018-07-20 22:28:48 -04:00
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_MACROS;
|
2018-10-10 06:02:28 -07:00
|
|
|
}
|
2016-03-10 18:26:33 -05:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "scan-pe")->enabled)
|
2018-07-20 22:28:48 -04:00
|
|
|
options.parse |= CL_SCAN_PARSE_PE;
|
2004-09-04 21:09:20 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "scan-elf")->enabled)
|
2018-07-20 22:28:48 -04:00
|
|
|
options.parse |= CL_SCAN_PARSE_ELF;
|
2006-10-28 22:01:51 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "scan-ole2")->enabled)
|
2018-07-20 22:28:48 -04:00
|
|
|
options.parse |= CL_SCAN_PARSE_OLE2;
|
2004-09-04 21:09:20 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "scan-pdf")->enabled)
|
2018-07-20 22:28:48 -04:00
|
|
|
options.parse |= CL_SCAN_PARSE_PDF;
|
2007-02-22 17:49:57 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "scan-swf")->enabled)
|
2018-07-20 22:28:48 -04:00
|
|
|
options.parse |= CL_SCAN_PARSE_SWF;
|
2013-02-05 19:46:56 -05:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "scan-html")->enabled && optget(opts, "normalize")->enabled)
|
2018-07-20 22:28:48 -04:00
|
|
|
options.parse |= CL_SCAN_PARSE_HTML;
|
2004-09-04 21:09:20 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "scan-mail")->enabled)
|
2018-07-20 22:28:48 -04:00
|
|
|
options.parse |= CL_SCAN_PARSE_MAIL;
|
2004-09-04 21:09:20 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "scan-xmldocs")->enabled)
|
2018-07-20 22:28:48 -04:00
|
|
|
options.parse |= CL_SCAN_PARSE_XMLDOCS;
|
2016-02-02 14:23:13 -05:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "scan-hwp3")->enabled)
|
2018-07-20 22:28:48 -04:00
|
|
|
options.parse |= CL_SCAN_PARSE_HWP3;
|
2016-02-02 14:23:13 -05:00
|
|
|
|
2018-10-23 13:20:12 -07:00
|
|
|
/* TODO: Remove deprecated option in a future feature release */
|
|
|
|
|
if ((optget(opts, "algorithmic-detection")->enabled) && /* && used due to default-yes for both options */
|
|
|
|
|
(optget(opts, "heuristic-alerts")->enabled)) {
|
2018-07-20 22:28:48 -04:00
|
|
|
options.general |= CL_SCAN_GENERAL_HEURISTICS;
|
2018-10-23 13:20:12 -07:00
|
|
|
}
|
2005-12-12 18:44:37 +00:00
|
|
|
|
2018-10-10 06:02:28 -07:00
|
|
|
/* TODO: Remove deprecated option in a future feature release */
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((optget(opts, "block-max")->enabled) ||
|
2018-10-10 06:02:28 -07:00
|
|
|
(optget(opts, "alert-exceeds-max")->enabled)) {
|
2018-07-20 22:28:48 -04:00
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_EXCEEDS_MAX;
|
2016-08-24 17:39:20 -04:00
|
|
|
}
|
|
|
|
|
|
2010-05-07 23:33:26 +02:00
|
|
|
#ifdef HAVE__INTERNAL__SHA_COLLECT
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "dev-collect-hashes")->enabled)
|
2018-07-20 22:28:48 -04:00
|
|
|
options.dev |= CL_SCAN_DEV_COLLECT_SHA;
|
2010-05-07 23:33:26 +02:00
|
|
|
#endif
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "dev-performance")->enabled)
|
2018-10-19 20:43:19 -07:00
|
|
|
options.dev |= CL_SCAN_DEV_COLLECT_PERFORMANCE_INFO;
|
2011-02-14 19:19:20 +02:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (optget(opts, "detect-structured")->enabled) {
|
2018-07-20 22:28:48 -04:00
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_STRUCTURED;
|
2014-09-11 14:15:36 -04:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "structured-ssn-format"))->enabled) {
|
|
|
|
|
switch (opt->numarg) {
|
|
|
|
|
case 0:
|
|
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL;
|
|
|
|
|
break;
|
|
|
|
|
case 1:
|
|
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED;
|
|
|
|
|
break;
|
|
|
|
|
case 2:
|
|
|
|
|
options.heuristic |= (CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL | CL_SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
logg("!Invalid argument for --structured-ssn-format\n");
|
|
|
|
|
return 2;
|
2014-09-11 14:15:36 -04:00
|
|
|
}
|
|
|
|
|
} else {
|
2018-07-20 22:28:48 -04:00
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL;
|
2014-09-11 14:15:36 -04:00
|
|
|
}
|
2008-05-07 10:51:23 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "structured-ssn-count"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MIN_SSN_COUNT, opt->numarg))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MIN_SSN_COUNT) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "structured-cc-count"))->active) {
|
|
|
|
|
if ((ret = cl_engine_set_num(engine, CL_ENGINE_MIN_CC_COUNT, opt->numarg))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!cli_engine_set_num(CL_ENGINE_MIN_CC_COUNT) failed: %s\n", cl_strerror(ret));
|
|
|
|
|
cl_engine_free(engine);
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-04-21 12:13:57 -04:00
|
|
|
|
2019-08-27 17:33:22 -04:00
|
|
|
if ((opt = optget(opts, "structured-cc-mode"))->active) {
|
|
|
|
|
switch (opt->numarg) {
|
2016-04-21 12:13:57 -04:00
|
|
|
case 0:
|
|
|
|
|
break;
|
|
|
|
|
case 1:
|
|
|
|
|
options.heuristic |= CL_SCAN_HEURISTIC_STRUCTURED_CC;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
logg("!Invalid argument for --structured-cc-mode\n");
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
}
|
2008-12-30 10:33:43 +00:00
|
|
|
} else {
|
2018-07-20 22:28:48 -04:00
|
|
|
options.heuristic &= ~CL_SCAN_HEURISTIC_STRUCTURED;
|
2008-12-30 10:33:43 +00:00
|
|
|
}
|
2008-04-16 18:47:42 +00:00
|
|
|
|
2003-07-29 15:48:06 +00:00
|
|
|
#ifdef C_LINUX
|
2018-12-03 12:40:13 -05:00
|
|
|
procdev = (dev_t)0;
|
|
|
|
|
if (CLAMSTAT("/proc", &sb) != -1 && !sb.st_size)
|
2014-09-11 14:15:36 -04:00
|
|
|
procdev = sb.st_dev;
|
2003-07-29 15:48:06 +00:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* check filetype */
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!opts->filename && !optget(opts, "file-list")->enabled) {
|
2014-09-11 14:15:36 -04:00
|
|
|
/* we need full path for some reasons (eg. archive handling) */
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!getcwd(cwd, sizeof(cwd))) {
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("!Can't get absolute pathname of current working directory\n");
|
|
|
|
|
ret = 2;
|
|
|
|
|
} else {
|
|
|
|
|
CLAMSTAT(cwd, &sb);
|
2018-07-20 22:28:48 -04:00
|
|
|
scandirs(cwd, engine, opts, &options, 1, sb.st_dev);
|
2014-09-11 14:15:36 -04:00
|
|
|
}
|
2003-12-02 22:48:56 +00:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (opts->filename && !optget(opts, "file-list")->enabled && !strcmp(opts->filename[0], "-")) { /* read data from stdin */
|
2019-05-23 22:50:04 -04:00
|
|
|
ret = scanstdin(engine, &options);
|
2003-07-29 15:48:06 +00:00
|
|
|
} else {
|
2018-12-03 12:40:13 -05:00
|
|
|
if (opts->filename && optget(opts, "file-list")->enabled)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("^Only scanning files from --file-list (files passed at cmdline are ignored)\n");
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
while ((filename = filelist(opts, &ret)) && (file = strdup(filename))) {
|
|
|
|
|
if (LSTAT(file, &sb) == -1) {
|
2014-09-11 14:15:36 -04:00
|
|
|
perror(file);
|
|
|
|
|
logg("^%s: Can't access file\n", file);
|
|
|
|
|
ret = 2;
|
|
|
|
|
} else {
|
2018-12-03 12:40:13 -05:00
|
|
|
for (i = strlen(file) - 1; i > 0; i--) {
|
|
|
|
|
if (file[i] == *PATHSEP)
|
2014-09-11 14:15:36 -04:00
|
|
|
file[i] = 0;
|
|
|
|
|
else
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (S_ISLNK(sb.st_mode)) {
|
|
|
|
|
if (dirlnk == 0 && filelnk == 0) {
|
|
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("%s: Symbolic link\n", file);
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (CLAMSTAT(file, &sb) != -1) {
|
|
|
|
|
if (S_ISREG(sb.st_mode) && filelnk) {
|
2018-07-20 22:28:48 -04:00
|
|
|
scanfile(file, engine, opts, &options);
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (S_ISDIR(sb.st_mode) && dirlnk) {
|
2018-07-20 22:28:48 -04:00
|
|
|
scandirs(file, engine, opts, &options, 1, sb.st_dev);
|
2014-09-11 14:15:36 -04:00
|
|
|
} else {
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!printinfected)
|
2014-09-11 14:15:36 -04:00
|
|
|
logg("%s: Symbolic link\n", file);
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (S_ISREG(sb.st_mode)) {
|
2018-07-20 22:28:48 -04:00
|
|
|
scanfile(file, engine, opts, &options);
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (S_ISDIR(sb.st_mode)) {
|
2018-07-20 22:28:48 -04:00
|
|
|
scandirs(file, engine, opts, &options, 1, sb.st_dev);
|
2014-09-11 14:15:36 -04:00
|
|
|
} else {
|
|
|
|
|
logg("^%s: Not supported file type\n", file);
|
|
|
|
|
ret = 2;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
free(file);
|
|
|
|
|
}
|
2003-07-29 15:48:06 +00:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((opt = optget(opts, "statistics"))->enabled) {
|
|
|
|
|
while (opt) {
|
|
|
|
|
if (!strcasecmp(opt->strarg, "bytecode")) {
|
|
|
|
|
cli_sigperf_print();
|
|
|
|
|
cli_sigperf_events_destroy();
|
|
|
|
|
}
|
2014-09-16 15:56:56 -04:00
|
|
|
#if HAVE_PCRE
|
2018-12-03 12:40:13 -05:00
|
|
|
else if (!strcasecmp(opt->strarg, "pcre")) {
|
|
|
|
|
cli_pcre_perf_print();
|
|
|
|
|
cli_pcre_perf_events_destroy();
|
|
|
|
|
}
|
2014-09-16 15:56:56 -04:00
|
|
|
#endif
|
2018-12-03 12:40:13 -05:00
|
|
|
opt = opt->nextarg;
|
2014-09-16 14:44:50 -04:00
|
|
|
}
|
2012-12-05 15:48:52 -08:00
|
|
|
}
|
|
|
|
|
|
2007-01-30 21:11:32 +00:00
|
|
|
/* free the engine */
|
2008-11-12 16:19:43 +00:00
|
|
|
cl_engine_free(engine);
|
2003-07-29 15:48:06 +00:00
|
|
|
|
2010-02-04 21:33:03 +01:00
|
|
|
/* overwrite return code - infection takes priority */
|
2018-12-03 12:40:13 -05:00
|
|
|
if (info.ifiles)
|
2014-09-11 14:15:36 -04:00
|
|
|
ret = 1;
|
2018-12-03 12:40:13 -05:00
|
|
|
else if (info.errors)
|
2014-09-11 14:15:36 -04:00
|
|
|
ret = 2;
|
2003-07-29 15:48:06 +00:00
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|