clamav

Stowage/clamav

Fork 0

mirror of https://github.com/Cisco-Talos/clamav.git synced 2025-10-19 18:33:16 +00:00

Commit graph

Author	SHA1	Message	Date
Valerie Snyder	ed3e1e55f6	Added additional ex_scan_callbacks test and fixed a couple related bugs Improvements to the ex_scan_callbacks.c program: - Print the verdict enum variant names to be more explicit. - Add the file_props callback (aka metadata JSON) with --gen-json option. - Add a --debug option. - Use '-' in option names instead of '_' to be consistent with other programs. - Add option to disable allmatch, which I named --one-match. :) Tests: Add ex_scan_callbacks test where --allmatch is disabled. Verify that CL_VIRUS is returned when a match occurs. I found a few bugs and inconsistencies from this test and went and fixed them, and improved the clamav.h function comments as well. Largely this resulted in cleanup in `cli_magic_scan()` to make sure we don't accidentally overwrite the return code. But it also meant making sure that callback functions which are supposed to trust a file actually clear the evidence/verdict and don't return CL_VIRUS.	2025-08-14 22:40:47 -04:00
Valerie Snyder	6d9b57eeeb	libclamav: cl_scan*_ex() functions provide verdict separate from errors It is a shortcoming of existing scan APIs that it is not possible to return an error without masking a verdict. We presently work around this limitation by counting up detections at the end and then overriding the error code with `CL_VIRUS`, if necessary. The `cl_scanfile_ex()`, `cl_scandesc_ex()`, and `cl_scanmap_ex()` functions should provide the scan verdict separately from the error code. This introduces a new enum for recording and reporting a verdict: `cl_verdict_t` with options: - `CL_VERDICT_NOTHING_FOUND` - `CL_VERDICT_TRUSTED` - `CL_VERDICT_STRONG_INDICATOR` - `CL_VERDICT_POTENTIALLY_UNWANTED` Notably, the newer scan APIs may set the verdict to `CL_VERDICT_TRUSTED` if there is a (hash-based) FP signature for a file, or in the cause where Authenticode or similar certificate-based verification was performed, or in the case where an application scan callback returned `CL_VERIFIED`. CLAM-763 CLAM-865	2025-08-14 22:40:46 -04:00
Valerie Snyder	e223ddb66a	Example program: demonstrate more features and support scripted inputs Scripted inputs may be used for automated tests. Added automated tests for the example program to verify correct behavior using different callback return codes and also using the new scan layer and fmap API's. Fixed a bug in ClamAV's evidence module (recording strong, PUA, and weak indicators for each layer). Rust HashMaps are unordered so the feature to get the last alert would return a random alert and not specifically the last one. Switching to IndexMap resolves this, and allows us to maintain insertion-order for iterating keys even when removing a key.	2025-08-14 22:40:45 -04:00

Author

SHA1

Message

Date

Valerie Snyder

ed3e1e55f6

Added additional ex_scan_callbacks test and fixed a couple related bugs

Improvements to the ex_scan_callbacks.c program:
- Print the verdict enum variant names to be more explicit.
- Add the file_props callback (aka metadata JSON) with --gen-json option.
- Add a --debug option.
- Use '-' in option names instead of '_' to be consistent with other programs.
- Add option to disable allmatch, which I named --one-match. :)

Tests: Add ex_scan_callbacks test where --allmatch is disabled.
Verify that CL_VIRUS is returned when a match occurs.
I found a few bugs and inconsistencies from this test and went and fixed
them, and improved the clamav.h function comments as well.
Largely this resulted in cleanup in `cli_magic_scan()` to make sure we
don't accidentally overwrite the return code.
But it also meant making sure that callback functions which are supposed
to trust a file actually clear the evidence/verdict and don't return
CL_VIRUS.

2025-08-14 22:40:47 -04:00

Valerie Snyder

6d9b57eeeb

libclamav: cl_scan*_ex() functions provide verdict separate from errors

It is a shortcoming of existing scan APIs that it is not possible
to return an error without masking a verdict.
We presently work around this limitation by counting up detections at
the end and then overriding the error code with `CL_VIRUS`, if necessary.

The `cl_scanfile_ex()`, `cl_scandesc_ex()`, and `cl_scanmap_ex()` functions
should provide the scan verdict separately from the error code.

This introduces a new enum for recording and reporting a verdict:
`cl_verdict_t` with options:

- `CL_VERDICT_NOTHING_FOUND`
- `CL_VERDICT_TRUSTED`
- `CL_VERDICT_STRONG_INDICATOR`
- `CL_VERDICT_POTENTIALLY_UNWANTED`

Notably, the newer scan APIs may set the verdict to `CL_VERDICT_TRUSTED`
if there is a (hash-based) FP signature for a file, or in the cause where
Authenticode or similar certificate-based verification was performed, or
in the case where an application scan callback returned `CL_VERIFIED`.

CLAM-763
CLAM-865

2025-08-14 22:40:46 -04:00

Valerie Snyder

e223ddb66a

Example program: demonstrate more features and support scripted inputs

Scripted inputs may be used for automated tests.

Added automated tests for the example program to verify correct behavior
using different callback return codes and also using the new scan layer and
fmap API's.

Fixed a bug in ClamAV's evidence module (recording strong, PUA, and
weak indicators for each layer). Rust HashMaps are unordered so the
feature to get the last alert would return a random alert and not
specifically the last one. Switching to IndexMap resolves this, and
allows us to maintain insertion-order for iterating keys even when
removing a key.

2025-08-14 22:40:45 -04:00

3 commits