Rename Heuristics.Email.ExceedsMax alerts
Rename Heuristics.Email.ExceedsMax alerts to start with Heuristics.Limits.Exceeded.Email instead, so that all heuristic alerts for exceeded scan limits have the same prefix.
parent
4470547d06
commit
0a24f70218
6 changed files with 13 additions and 13 deletions
|
@ -385,7 +385,7 @@ const struct clam_option __clam_options[] = {
|
|||
|
||||
{"HeuristicAlerts", "heuristic-alerts", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "In some cases (eg. complex malware, exploits in graphic files, and others),\nClamAV uses special algorithms to provide accurate detection. This option\ncontrols the algorithmic detection.", "yes"},
|
||||
|
||||
{"HeuristicScanPrecedence", "heuristic-scan-precedence", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Allow heuristic match to take precedence.\nWhen enabled, if a heuristic scan (such as phishingScan) detects\na possible virus/phish it will stop scan immediately. Recommended, saves CPU\nscan-time.\nWhen disabled, virus/phish detected by heuristic scans will be reported only\nat the end of a scan. If an archive contains both a heuristically detected\nvirus/phish, and a real malware, the real malware will be reported.\nKeep this disabled if you intend to handle \"*.Heuristics.*\" viruses\ndifferently from \"real\" malware.\nIf a non-heuristically-detected virus (signature-based) is found first,\nthe scan is interrupted immediately, regardless of this config option.", "yes"},
|
||||
{"HeuristicScanPrecedence", "heuristic-scan-precedence", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Allow heuristic match to take precedence.\nWhen enabled, if a heuristic scan (such as phishingScan) detects\na possible virus/phish it will stop scan immediately. Recommended, saves CPU\nscan-time.\nWhen disabled, virus/phish detected by heuristic scans will be reported only\nat the end of a scan. If an archive contains both a heuristically detected\nvirus/phish, and a real malware, the real malware will be reported.\nKeep this disabled if you intend to handle \"Heuristics.*\" viruses\ndifferently from \"real\" malware.\nIf a non-heuristically-detected virus (signature-based) is found first,\nthe scan is interrupted immediately, regardless of this config option.", "yes"},
|
||||
|
||||
{"StructuredDataDetection", "detect-structured", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Enable the Data Loss Prevention module.", "no"},
|
||||
|
||||
|
|
|
@ -398,7 +398,7 @@ Enable email signature-based phishing detection.
|
|||
Default: yes
|
||||
.TP
|
||||
\fBPhishingScanURLs BOOL\fR
|
||||
Enable URL signature-based phishing detection (Phishing.Heuristics.Email.*)
|
||||
Enable URL signature-based phishing detection (Heuristics.Phishing.Email.*)
|
||||
.br
|
||||
Default: yes
|
||||
.TP
|
||||
|
@ -512,7 +512,7 @@ Alert on OLE2 files containing VBA macros (Heuristics.OLE2.ContainsMacros).
|
|||
Default: no
|
||||
.TP
|
||||
\fBAlertExceedsMax BOOL\fR
|
||||
Alert on files that exceed max file size, max scan size, or max recursion limit (Heuristics.Limits.Exceeded).
|
||||
When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or MaxRecursion limit will be flagged with the virus name starting with "Heuristics.Limits.Exceeded".
|
||||
.br
|
||||
Default: no
|
||||
.TP
|
||||
|
|
|
@ -136,13 +136,13 @@ Scan mail files. If you turn off this option, the original files will still be s
|
|||
Enable email signature-based phishing detection.
|
||||
.TP
|
||||
\fB\-\-phishing\-scan\-urls[=yes(*)/no]\fR
|
||||
Enable URL signature-based phishing detection (Phishing.Heuristics.Email.*)
|
||||
Enable URL signature-based phishing detection (Heuristics.Phishing.Email.*)
|
||||
.TP
|
||||
\fB\-\-heuristic\-alerts[=yes(*)/no]\fR
|
||||
In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be used to control the algorithmic detection.
|
||||
.TP
|
||||
\fB\-\-heuristic\-scan\-precedence[=yes/no(*)]\fR
|
||||
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.
|
||||
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.
|
||||
.TP
|
||||
\fB\-\-normalize[=yes(*)/no]\fR
|
||||
Normalize (compress whitespace, downcase, etc.) html, script, and text files. Use normalize=no for yara compatibility.
|
||||
|
|
|
@ -292,7 +292,7 @@ Example
|
|||
# at the end of a scan. If an archive contains both a heuristically detected
|
||||
# virus/phish, and a real malware, the real malware will be reported
|
||||
#
|
||||
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
|
||||
# Keep this disabled if you intend to handle "Heuristics.*" viruses
|
||||
# differently from "real" malware.
|
||||
# If a non-heuristically-detected virus (signature-based) is found first,
|
||||
# the scan is interrupted immediately, regardless of this config option.
|
||||
|
@ -648,7 +648,7 @@ Example
|
|||
#PCREMaxFileSize 100M
|
||||
|
||||
# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
|
||||
# MaxRecursion limit will be flagged with the virus
|
||||
# MaxRecursion limit will be flagged with the virus name starting with
|
||||
# "Heuristics.Limits.Exceeded".
|
||||
# Default: no
|
||||
#AlertExceedsMax yes
|
||||
|
|
|
@ -752,7 +752,7 @@ hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx, bool *
|
|||
|
||||
if ((*lineFoldCnt) >= HEURISTIC_EMAIL_MAX_LINE_FOLDS_PER_HEADER) {
|
||||
if (SCAN_HEURISTIC_EXCEEDS_MAX) {
|
||||
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxLineFoldCnt");
|
||||
cli_append_virus(ctx, "Heuristics.Limits.Exceeded.EmailLineFoldCnt");
|
||||
*heuristicFound = TRUE;
|
||||
}
|
||||
|
||||
|
@ -768,7 +768,7 @@ haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx, bool *heuristicFound)
|
|||
|
||||
if (totalLen > HEURISTIC_EMAIL_MAX_HEADER_BYTES) {
|
||||
if (SCAN_HEURISTIC_EXCEEDS_MAX) {
|
||||
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxHeaderBytes");
|
||||
cli_append_virus(ctx, "Heuristics.Limits.Exceeded.EmailHeaderBytes");
|
||||
*heuristicFound = TRUE;
|
||||
}
|
||||
|
||||
|
@ -783,7 +783,7 @@ haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx, bool *heuristicFoun
|
|||
|
||||
if (totalHeaderCnt > HEURISTIC_EMAIL_MAX_HEADERS) {
|
||||
if (SCAN_HEURISTIC_EXCEEDS_MAX) {
|
||||
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxEmailHeaders");
|
||||
cli_append_virus(ctx, "Heuristics.Limits.Exceeded.EmailHeaders");
|
||||
*heuristicFound = TRUE;
|
||||
}
|
||||
|
||||
|
@ -798,7 +798,7 @@ haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx, mbox_status *rc
|
|||
|
||||
if (mimePartCnt >= HEURISTIC_EMAIL_MAX_MIME_PARTS_PER_MESSAGE) {
|
||||
if (SCAN_HEURISTIC_EXCEEDS_MAX) {
|
||||
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEPartsPerMessage");
|
||||
cli_append_virus(ctx, "Heuristics.Limits.Exceeded.EmailMIMEPartsPerMessage");
|
||||
*rc = VIRUS;
|
||||
}
|
||||
|
||||
|
@ -813,7 +813,7 @@ haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx, bool *heuristicFound)
|
|||
|
||||
if (argCnt >= HEURISTIC_EMAIL_MAX_ARGUMENTS_PER_HEADER) {
|
||||
if (SCAN_HEURISTIC_EXCEEDS_MAX) {
|
||||
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEArguments");
|
||||
cli_append_virus(ctx, "Heuristics.Limits.Exceeded.EmailMIMEArguments");
|
||||
*heuristicFound = TRUE;
|
||||
}
|
||||
|
||||
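Review bot: The five renamed alerts in hitLineFoldCnt, haveTooManyHeaderBytes, haveTooManyEmailHeaders, haveTooManyMIMEPartsPerMessage and haveTooManyMIMEArguments are all emitted under `SCAN_HEURISTIC_EXCEEDS_MAX`, yet the AlertExceedsMax text touched by this same commit still lists only MaxFileSize, MaxScanSize and MaxRecursion. If that macro is the scan option behind AlertExceedsMax (its definition is not visible here), the man page and both sample configs should also say that exceeding the built-in email parsing limits raises `Heuristics.Limits.Exceeded.Email*`. These strings are what operators match on in ignore lists, mail-filter policy and log rules, so the old `Heuristics.Email.ExceedsMax*` names deserve a release-note entry; otherwise existing rules silently stop matching. A short comment above each call, such as `/* alert name is matched by downstream rules; renaming is a user-visible change */`, would help the next maintainer. Each function body continues outside its hunk.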
|
|
|
@ -621,7 +621,7 @@ TCPAddr localhost
|
|||
#PCREMaxFileSize 100M
|
||||
|
||||
# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
|
||||
# MaxRecursion limit will be flagged with the virus
|
||||
# MaxRecursion limit will be flagged with the virus name starting with
|
||||
# "Heuristics.Limits.Exceeded".
|
||||
# Default: no
|
||||
#AlertExceedsMax yes
|
||||
|
|