mirror of
https://github.com/Cisco-Talos/clamav.git
synced 2025-10-19 10:23:17 +00:00
a77a271fb5
When embedded file type recognition finds a possible embedded file, it is being scanned as a new embedded file even if it turns out it was a false positive and parsing fails. My solution is to pre-parse the file headers as little possible to determine if it is valid. If possible, also determine the file size based on the headers. That will make it so we don't have to scan additional data when the embedded file is not at the very end. This commit adds header checks prior to embedded ZIP, ARJ, and CAB scanning. For these types I was also able to use the header checks to determine the object size so as to prevent excessive pattern matching. TODO: Add the same for RAR, EGG, 7Z, NULSFT, AUTOIT, IShield, and PDF. This commit also removes duplicate matching for embedded MSEXE. The embedded MSEXE detection and scanning logic was accidentally creating an extra duplicate layer in between scanning and detection because of the logic within the `cli_scanembpe()` function. That function was effectively doing the header check which this commit adds for ZIP, ARJ, and CAB but minus the size check. Note: It is unfortunately not possible to get an accurage size from PE file headers. The `cli_scanembpe()` function also used to dump to a temp file for no reason since FMAPs were extended to support windows into other FMAPs. So this commit removes the intermediate layer as well as dropping a temp file for each embedded PE file. Further, this commit adds configuration and DCONF safeguards around all embedded file type scanning. Finally, this commit adds a set of tests to validate proper extraction of embedded ZIP, ARJ, CAB, and MSEXE files. CLAM-2862 Co-authored-by: TheRaynMan <draynor@sourcefire.com> |
||
|---|---|---|
| .. | ||
| bytecode_scanfiles | ||
| bytecode_sigs | ||
| clamav_hdb_scanfiles | ||
| embedded_testfiles | ||
| freshclam_testfiles | ||
| htmlnorm_reffiles | ||
| htmlnorm_scanfiles | ||
| other_scanfiles | ||
| other_sigs | ||
| pe_allmatch | ||
| signing | ||
| verify | ||
| clamav.hdb | ||
| CMakeLists.txt | ||
| COPYING | ||
| README | ||
| virusaction-test.sh | ||
| xor_testfile.py | ||
clam.exe is an extremely small (544 bytes!) MZ+PE executable that prints a nice message :-) You can use it to test attachment scanning in your ClamAV based mail scanner. NOTE: upon request the testfiles are not shipped anymore Instead they are dynamically generated at make time.