a77a271fb5
When embedded file type recognition finds a possible embedded file, it is being scanned as a new embedded file even if it turns out it was a false positive and parsing fails. My solution is to pre-parse the file headers as little possible to determine if it is valid. If possible, also determine the file size based on the headers. That will make it so we don't have to scan additional data when the embedded file is not at the very end. This commit adds header checks prior to embedded ZIP, ARJ, and CAB scanning. For these types I was also able to use the header checks to determine the object size so as to prevent excessive pattern matching. TODO: Add the same for RAR, EGG, 7Z, NULSFT, AUTOIT, IShield, and PDF. This commit also removes duplicate matching for embedded MSEXE. The embedded MSEXE detection and scanning logic was accidentally creating an extra duplicate layer in between scanning and detection because of the logic within the `cli_scanembpe()` function. That function was effectively doing the header check which this commit adds for ZIP, ARJ, and CAB but minus the size check. Note: It is unfortunately not possible to get an accurage size from PE file headers. The `cli_scanembpe()` function also used to dump to a temp file for no reason since FMAPs were extended to support windows into other FMAPs. So this commit removes the intermediate layer as well as dropping a temp file for each embedded PE file. Further, this commit adds configuration and DCONF safeguards around all embedded file type scanning. Finally, this commit adds a set of tests to validate proper extraction of embedded ZIP, ARJ, CAB, and MSEXE files. CLAM-2862 Co-authored-by: TheRaynMan <draynor@sourcefire.com> |
||
|---|---|---|
| .devcontainer | ||
| .github | ||
| certs | ||
| clamav-milter | ||
| clambc | ||
| clamconf | ||
| clamd | ||
| clamdscan | ||
| clamdtop | ||
| clamonacc | ||
| clamscan | ||
| clamsubmit | ||
| cmake | ||
| common | ||
| COPYING | ||
| docs | ||
| etc | ||
| examples | ||
| freshclam | ||
| fuzz | ||
| libclamav | ||
| libclamav_rust | ||
| libclammspack | ||
| libclamunrar | ||
| libclamunrar_iface | ||
| libfreshclam | ||
| sigtool | ||
| unit_tests | ||
| win32 | ||
| .clang-format | ||
| .dockerignore | ||
| .gitattributes | ||
| .gitignore | ||
| Cargo.lock | ||
| Cargo.toml | ||
| ChangeLog.md | ||
| clam-format | ||
| clamav-config.h.cmake.in | ||
| clamav-config.in | ||
| clamav-types.h.in | ||
| clamav-version.h.in | ||
| CMakeLists.txt | ||
| CMakeOptions.cmake | ||
| CODE_OF_CONDUCT.md | ||
| COPYING.txt | ||
| INSTALL-cross-linux-arm64.md | ||
| INSTALL-cross-windows-arm64.md | ||
| INSTALL.md | ||
| Jenkinsfile | ||
| libclamav.pc.in | ||
| logo.png | ||
| NEWS.md | ||
| platform.h.in | ||
| README.Docker.md | ||
| README.md | ||
| SECURITY.md | ||
| target.h.cmake.in | ||
ClamAV
ClamAV® is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
Documentation & FAQ
ClamAV documentation is hosted at docs.clamav.net. The source archive for each release also includes a copy of the documentation for offline reading.
You can contribute to the documentation by submitting improvements to Cisco-Talos/clamav-documentation
ClamAV News
For information about the features in this and prior releases, read the news.
Catch up on the latest about ClamAV by reading our
blog and follow us on Twitter @clamav.
ClamAV Signatures
Anyone can learn to read and write ClamAV signatures. To get started, see our signature writing manual.
Installation Instructions
Using Docker
ClamAV can be run using Docker. For details, visit to the online manual under "Docker" and check out our images on Docker Hub.
Using a Package Manager
For help installing from a package manager, refer to the online manual under "Packages".
Using an Installer
The following install packages are available for download from clamav.net/downloads:
- Linux - Debian and RPM packages for x86_64 and i686. New in v0.104.
- macOS - PKG installer for x86_64 and arm64 (universal). New in v0.104.
- Windows - MSI installers and portable ZIP packages for win32 and x64.
To learn how to use these packages, refer to the online manual under "Installing".
Build from Source
For step-by-step instructions, refer to the online manual:
The source archive for each release includes a copy of the documentation for offline reading.
A reference with all of the available build options can be found in the INSTALL.md file.
You can find additional advice for developers in the online manual under "For Developers".
Upgrading from a previous version
Visit the FAQ for tips on how to upgrade from a previous version.
Join the ClamAV Community
The best way to get in touch with the ClamAV community is to join our mailing lists.
You can also join the community on our ClamAV Discord chat server.
Want to make a contribution?
The ClamAV development team welcomes code contributions, improvements to our documentation, and also bug reports.
Thanks for joining us!
Licensing
ClamAV is licensed for public/open source use under the GNU General Public License, Version 2 (GPLv2).
See COPYING.txt for a copy of the license.
3rd Party Code
ClamAV contains a number of components that include code copied in part or in whole from 3rd party projects and whose code is not owned by Cisco and which are licensed differently than ClamAV. These include:
- Yara: Apache 2.0 license
- Yara has since switched to the BSD 3-Clause License; Our source is out-of-date and needs to be updated.
- 7z / lzma: public domain
- libclamav's NSIS/NulSoft parser includes:
- zlib: permissive free software license
- bzip2 / libbzip2: BSD-like license
- OpenBSD's libc/regex: BSD license
- file: BSD license
- str.c: Contains BSD licensed modified-implementations of strtol(), stroul() functions, Copyright (c) 1990 The Regents of the University of California.
- pngcheck (png.c): MIT/X11-style license
- getopt.c: MIT license
- Curl: license inspired by MIT/X, but not identical
- libmspack: LGPL license
- UnRAR (libclamunrar): a non-free/restricted open source license
- Note: The UnRAR license is incompatible with GPLv2 because it contains a clause that prohibits reverse engineering a RAR compression algorithm from the UnRAR decompression code. For this reason, libclamunrar/libclamunrar_iface is not linked at all with libclamav. It is instead loaded at run-time. If it fails to load, ClamAV will continue running without RAR support.
See the COPYING directory for a copy of the 3rd party project licenses.
Acknowledgements
Credit for contributions to each release can be found in the News.
ClamAV is brought to you by the ClamAV Team