212
179
(unsigned int) metadata->unpack_size, metadata->method,
213
180
metadata->pack_size ? (unsigned int) (metadata->unpack_size / metadata->pack_size) : 0);
216
mdata = ctx->engine->rar_mlist;
218
if(mdata->encrypted != metadata->encrypted)
221
if(mdata->crc32 && (unsigned int) mdata->crc32 != metadata->crc)
224
if(mdata->csize > 0 && (unsigned int) mdata->csize != metadata->pack_size)
227
if(mdata->size >= 0 && (unsigned int) mdata->size != metadata->unpack_size)
230
if(mdata->method >= 0 && mdata->method != metadata->method)
233
if(mdata->fileno && mdata->fileno != files)
236
if(mdata->maxdepth && ctx->recursion > mdata->maxdepth)
239
if(mdata->filename && !cli_matchregex(metadata->filename, mdata->filename))
244
} while((mdata = mdata->next));
247
*ctx->virname = mdata->virname;
248
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
182
if(cli_matchmeta(ctx, metadata->filename, metadata->pack_size, metadata->unpack_size, metadata->encrypted, files, metadata->crc, NULL) == CL_VIRUS)
251
185
if(DETECT_ENCRYPTED && metadata->encrypted) {
252
186
cli_dbgmsg("RAR: Encrypted files found in archive.\n");
253
187
lseek(desc, 0, SEEK_SET);
254
188
ret = cli_scandesc(desc, ctx, 0, 0, NULL, AC_SCAN_VIR);
255
189
if(ret != CL_VIRUS) {
256
*ctx->virname = "Encrypted.RAR";
190
*ctx->virname = "Heuristics.Encrypted.RAR";
465
static int cli_scangzip(int desc, cli_ctx *ctx)
404
static int cli_scangzip_with_zib_from_the_80s(cli_ctx *ctx, unsigned char *buff) {
405
int fd, ret, outsize = 0, bytes;
406
fmap_t *map = *ctx->fmap;
414
lseek(fd, 0, SEEK_SET);
415
if(!(gz = gzdopen(fd, "rb"))) {
420
if((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) {
421
cli_dbgmsg("GZip: Can't generate temporary file.\n");
426
while((bytes = gzread(gz, buff, FILEBUFF)) > 0) {
428
if(cli_checklimits("GZip", ctx, outsize, 0, 0)!=CL_CLEAN)
430
if(cli_writen(fd, buff, bytes) != bytes) {
433
if(cli_unlink(tmpname)) {
444
if((ret = cli_magic_scandesc(fd, ctx)) == CL_VIRUS) {
445
cli_dbgmsg("GZip: Infected with %s\n", *ctx->virname);
447
if(!ctx->engine->keeptmp) {
448
if (cli_unlink(tmpname)) {
457
if(!ctx->engine->keeptmp)
458
if (cli_unlink(tmpname)) ret = CL_EUNLINK;
463
static int cli_scangzip(cli_ctx *ctx)
467
int fd, bytes, ret = CL_CLEAN;
468
unsigned long int size = 0;
465
int fd, ret = CL_CLEAN;
466
unsigned char buff[FILEBUFF];
469
size_t at = 0, outsize = 0;
470
fmap_t *map = *ctx->fmap;
474
472
cli_dbgmsg("in cli_scangzip()\n");
476
if((gd = gzdopen(dup(desc), "rb")) == NULL) {
477
cli_dbgmsg("GZip: Can't open descriptor %d\n", desc);
474
memset(&z, 0, sizeof(z));
475
if((ret = inflateInit2(&z, MAX_WBITS + 16)) != Z_OK) {
476
cli_dbgmsg("GZip: InflateInit failed: %d\n", ret);
477
return cli_scangzip_with_zib_from_the_80s(ctx, buff);
481
if((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd))) {
480
if((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) {
482
481
cli_dbgmsg("GZip: Can't generate temporary file.\n");
487
if(!(buff = (char *) cli_malloc(FILEBUFF))) {
488
cli_dbgmsg("GZip: Unable to malloc %u bytes.\n", FILEBUFF);
491
if(!ctx->engine->keeptmp) {
492
if(cli_unlink(tmpname)) {
500
while((bytes = gzread(gd, buff, FILEBUFF)) > 0) {
503
if(cli_checklimits("GZip", ctx, size + FILEBUFF, 0, 0)!=CL_CLEAN)
506
if(cli_writen(fd, buff, bytes) != bytes) {
507
cli_dbgmsg("GZip: Can't write to file.\n");
486
while (at < map->len) {
487
unsigned int bytes = MIN(map->len - at, map->pgsz);
488
if(!(z.next_in = fmap_need_off_once(map, at, bytes))) {
489
cli_dbgmsg("GZip: Can't read %u bytes @ %lu.\n", bytes, (long unsigned)at);
509
if(!ctx->engine->keeptmp) {
510
if (cli_unlink(tmpname)) {
492
if (cli_unlink(tmpname)) {
503
z.avail_out = sizeof(buff);
505
inf = inflate(&z, Z_NO_FLUSH);
506
if(inf != Z_OK && inf != Z_STREAM_END && inf != Z_BUF_ERROR) {
507
cli_dbgmsg("GZip: Bad stream.\n");
511
if(cli_writen(fd, buff, sizeof(buff) - z.avail_out) < 0) {
514
if (cli_unlink(tmpname)) {
514
516
return CL_EUNLINK;
527
if(ret == CL_VIRUS) {
529
if(!ctx->engine->keeptmp)
530
if (cli_unlink(tmpname)) ret = CL_EUNLINK;
535
lseek(fd, 0, SEEK_SET);
536
if((ret = cli_magic_scandesc(fd, ctx)) == CL_VIRUS ) {
521
outsize += sizeof(buff) - z.avail_out;
522
if(cli_checklimits("GZip", ctx, outsize, 0, 0)!=CL_CLEAN) {
526
if(inf == Z_STREAM_END) {
531
} while (z.avail_out == 0);
536
if((ret = cli_magic_scandesc(fd, ctx)) == CL_VIRUS) {
537
537
cli_dbgmsg("GZip: Infected with %s\n", *ctx->virname);
539
539
if(!ctx->engine->keeptmp) {
975
973
cli_dbgmsg("cli_scanhtml: using tempdir %s\n", tempname);
977
html_normalise_fd(desc, tempname, NULL, ctx->dconf);
978
snprintf(fullname, 1024, "%s/nocomment.html", tempname);
975
html_normalise_map(map, tempname, NULL, ctx->dconf);
976
snprintf(fullname, 1024, "%s"PATHSEP"nocomment.html", tempname);
979
977
fd = open(fullname, O_RDONLY|O_BINARY);
981
979
ret = cli_scandesc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR);
985
if(ret == CL_CLEAN && sb.st_size < 2097152) {
983
if(ret == CL_CLEAN && map->len < 2097152) {
986
984
/* limit to 2 MB, we're not interesting in scanning large files in notags form */
987
985
/* TODO: don't even create notags if file is over 2 MB */
988
snprintf(fullname, 1024, "%s/notags.html", tempname);
986
snprintf(fullname, 1024, "%s"PATHSEP"notags.html", tempname);
989
987
fd = open(fullname, O_RDONLY|O_BINARY);
991
989
ret = cli_scandesc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR);
1063
1055
text_normalize_init(&state, normalized, SCANBUFF + maxpatlen);
1064
1056
ret = CL_CLEAN;
1066
if ((ret = cli_ac_initdata(&tmdata, troot->ac_partsigs, troot->ac_lsigs, CLI_DEFAULT_AC_TRACKLEN)))
1058
if ((ret = cli_ac_initdata(&tmdata, troot->ac_partsigs, troot->ac_lsigs, troot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)))
1069
if ((ret = cli_ac_initdata(&gmdata, groot->ac_partsigs, groot->ac_lsigs, CLI_DEFAULT_AC_TRACKLEN))) {
1061
if ((ret = cli_ac_initdata(&gmdata, groot->ac_partsigs, groot->ac_lsigs, groot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN))) {
1070
1062
cli_ac_freedata(&tmdata);
1073
1065
mdata[0] = &tmdata;
1074
1066
mdata[1] = &gmdata;
1077
nread = cli_readn(desc, buff, sizeof(buff));
1078
if(nread <= 0 || state.out_pos + nread > state.out_len) {
1079
/* flush if error/EOF, or too little buffer space left */
1080
if((ofd != -1) && (write(ofd, state.out, state.out_pos) == -1)) {
1081
cli_errmsg("cli_scanscript: can't write to file %s\n",tmpname);
1084
/* we can continue to scan in memory */
1086
/* when we flush the buffer also scan */
1087
if(cli_scanbuff(state.out, state.out_pos, offset, ctx, CL_TYPE_TEXT_ASCII, mdata) == CL_VIRUS) {
1090
ret = cli_checkfp(ofd, ctx) ? CL_CLEAN : CL_VIRUS;
1094
*ctx->scanned += state.out_pos / CL_COUNT_PRECISION;
1095
offset += state.out_pos;
1096
/* carry over maxpatlen from previous buffer */
1097
if (state.out_pos > maxpatlen)
1098
memmove(state.out, state.out + state.out_pos - maxpatlen, maxpatlen);
1099
text_normalize_reset(&state);
1100
state.out_pos = maxpatlen;
1102
if(nread > 0 && (text_normalize_buffer(&state, buff, nread) != nread)) {
1103
cli_dbgmsg("cli_scanscript: short read during normalizing\n");
1105
/* used a do {}while() here, since we need to flush our buffers at the end,
1106
* and using while(){} loop would mean code duplication */
1107
} while (nread > 0);
1069
size_t len = MIN(map->pgsz, map->len - at);
1070
buff = fmap_need_off_once(map, at, len);
1072
if(!buff || !len || state.out_pos + len > state.out_len) {
1073
/* flush if error/EOF, or too little buffer space left */
1074
if((ofd != -1) && (write(ofd, state.out, state.out_pos) == -1)) {
1075
cli_errmsg("cli_scanscript: can't write to file %s\n",tmpname);
1078
/* we can continue to scan in memory */
1080
/* when we flush the buffer also scan */
1081
if(cli_scanbuff(state.out, state.out_pos, offset, ctx, CL_TYPE_TEXT_ASCII, mdata) == CL_VIRUS) {
1086
*ctx->scanned += state.out_pos / CL_COUNT_PRECISION;
1087
offset += state.out_pos;
1088
/* carry over maxpatlen from previous buffer */
1089
if (state.out_pos > maxpatlen)
1090
memmove(state.out, state.out + state.out_pos - maxpatlen, maxpatlen);
1091
text_normalize_reset(&state);
1092
state.out_pos = maxpatlen;
1095
if(text_normalize_buffer(&state, buff, len) != len) {
1096
cli_dbgmsg("cli_scanscript: short read during normalizing\n");
1109
1099
cli_ac_freedata(&tmdata);
1110
1100
cli_ac_freedata(&gmdata);
1111
1101
if(ctx->engine->keeptmp) {
1757
1725
if(fpt->offset) switch(fpt->type) {
1758
1726
case CL_TYPE_RARSFX:
1759
cli_dbgmsg("RAR/RAR-SFX signature found at %u\n", (unsigned int) fpt->offset);
1760
1727
if(type != CL_TYPE_RAR && have_rar && SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_RAR)) {
1728
ctx->container_type = CL_TYPE_RAR;
1729
ctx->container_size = map->len - fpt->offset; /* not precise */
1761
1730
cli_dbgmsg("RAR/RAR-SFX signature found at %u\n", (unsigned int) fpt->offset);
1762
nret = cli_scanrar(desc, ctx, fpt->offset, &lastrar);
1731
nret = cli_scanrar(map->fd, ctx, fpt->offset, &lastrar);
1766
1735
case CL_TYPE_ZIPSFX:
1767
1736
if(type != CL_TYPE_ZIP && SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP)) {
1737
ctx->container_type = CL_TYPE_ZIP;
1738
ctx->container_size = map->len - fpt->offset; /* not precise */
1768
1739
cli_dbgmsg("ZIP/ZIP-SFX signature found at %u\n", (unsigned int) fpt->offset);
1769
nret = cli_unzip_single(desc, ctx, fpt->offset);
1740
nret = cli_unzip_single(ctx, fpt->offset);
1773
1744
case CL_TYPE_CABSFX:
1774
1745
if(type != CL_TYPE_MSCAB && SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CAB)) {
1746
ctx->container_type = CL_TYPE_MSCAB;
1747
ctx->container_size = map->len - fpt->offset; /* not precise */
1775
1748
cli_dbgmsg("CAB/CAB-SFX signature found at %u\n", (unsigned int) fpt->offset);
1776
nret = cli_scanmscab(desc, ctx, fpt->offset);
1749
nret = cli_scanmscab(map->fd, ctx, fpt->offset);
1779
1752
case CL_TYPE_ARJSFX:
1780
1753
if(type != CL_TYPE_ARJ && SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ARJ)) {
1754
ctx->container_type = CL_TYPE_ARJ;
1755
ctx->container_size = map->len - fpt->offset; /* not precise */
1781
1756
cli_dbgmsg("ARJ-SFX signature found at %u\n", (unsigned int) fpt->offset);
1782
nret = cli_scanarj(desc, ctx, fpt->offset, &lastrar);
1757
nret = cli_scanarj(map->fd, ctx, fpt->offset, &lastrar);
1786
1761
case CL_TYPE_NULSFT:
1787
1762
if(SCAN_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_NSIS) && fpt->offset > 4) {
1763
ctx->container_type = CL_TYPE_NULSFT;
1764
ctx->container_size = map->len - fpt->offset; /* not precise */
1788
1765
cli_dbgmsg("NSIS signature found at %u\n", (unsigned int) fpt->offset-4);
1789
nret = cli_scannulsft(desc, ctx, fpt->offset - 4);
1766
nret = cli_scannulsft(map->fd, ctx, fpt->offset - 4);
1793
1770
case CL_TYPE_AUTOIT:
1794
1771
if(SCAN_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_AUTOIT)) {
1772
ctx->container_type = CL_TYPE_AUTOIT;
1773
ctx->container_size = map->len - fpt->offset; /* not precise */
1795
1774
cli_dbgmsg("AUTOIT signature found at %u\n", (unsigned int) fpt->offset);
1796
nret = cli_scanautoit(desc, ctx, fpt->offset + 23);
1775
nret = cli_scanautoit(map->fd, ctx, fpt->offset + 23);
1779
case CL_TYPE_ISHIELD_MSI:
1780
if(SCAN_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_ISHIELD)) {
1781
ctx->container_type = CL_TYPE_AUTOIT;
1782
ctx->container_size = map->len - fpt->offset; /* not precise */
1783
cli_dbgmsg("ISHIELD-MSI signature found at %u\n", (unsigned int) fpt->offset);
1784
nret = cli_scanishield_msi(ctx, fpt->offset + 14);
1800
1788
case CL_TYPE_PDF:
1801
1789
if(type != CL_TYPE_PDF && SCAN_PDF && (DCONF_DOC & DOC_CONF_PDF)) {
1790
ctx->container_type = CL_TYPE_PDF;
1791
ctx->container_size = map->len - fpt->offset; /* not precise */
1802
1792
cli_dbgmsg("PDF signature found at %u\n", (unsigned int) fpt->offset);
1803
nret = cli_scanpdf(desc, ctx, fpt->offset);
1793
nret = cli_scanpdf(ctx, fpt->offset);
1807
1797
case CL_TYPE_MSEXE:
1808
1798
if(SCAN_PE && (type == CL_TYPE_MSEXE || type == CL_TYPE_ZIP || type == CL_TYPE_MSOLE2) && ctx->dconf->pe) {
1810
if(sb.st_size > 10485760)
1799
if(map->len > 10485760)
1801
ctx->container_type = CL_TYPE_MSEXE; /* PE is a container for another executable here */
1802
ctx->container_size = map->len - fpt->offset; /* not precise */
1812
1803
memset(&peinfo, 0, sizeof(struct cli_exe_info));
1813
1804
peinfo.offset = fpt->offset;
1814
lseek(desc, fpt->offset, SEEK_SET);
1815
if(cli_peheader(desc, &peinfo) == 0) {
1805
lseek(map->fd, fpt->offset, SEEK_SET);
1806
if(cli_peheader(map, &peinfo) == 0) {
1816
1807
cli_dbgmsg("*** Detected embedded PE file at %u ***\n", (unsigned int) fpt->offset);
1817
1808
if(peinfo.section)
1818
1809
free(peinfo.section);
1820
lseek(desc, fpt->offset, SEEK_SET);
1821
nret = cli_scanembpe(desc, ctx);
1811
lseek(map->fd, fpt->offset, SEEK_SET);
1812
nret = cli_scanembpe(map->fd, ctx);
1822
1813
break_loop = 1; /* we can stop here and other
1823
1814
* embedded executables will
1824
1815
* be found recursively
1868
1865
if(ret == CL_VIRUS)
1869
cli_dbgmsg("%s found in descriptor %d\n", *ctx->virname, desc);
1866
cli_dbgmsg("%s found in descriptor %d\n", *ctx->virname, map->fd);
1872
static void emax_reached(cli_ctx *ctx) {
1873
fmap_t **ctx_fmap = ctx->fmap;
1877
fmap_t *map = *ctx_fmap;
1878
map->dont_cache_flag = 1;
1881
cli_dbgmsg("emax_reached: marked parents as non cacheable\n");
1884
#define LINESTR(x) #x
1885
#define LINESTR2(x) LINESTR(x)
1886
#define __AT__ " at line "LINESTR2(__LINE__)
1887
#define ret_from_magicscan(retcode) do { \
1888
cli_dbgmsg("cli_magic_scandesc: returning %d %s\n", retcode, __AT__); \
1874
1892
int cli_magic_scandesc(int desc, cli_ctx *ctx)
1876
1894
int ret = CL_CLEAN;
1877
1895
cli_file_t type, dettype = 0;
1878
1896
struct stat sb;
1879
1897
uint8_t typercg = 1;
1898
cli_file_t current_container_type = ctx->container_type;
1899
size_t current_container_size = ctx->container_size, hashed_size;
1900
unsigned char hash[16];
1901
bitset_t *old_hook_lsig_matches;
1903
cli_dbgmsg("in cli_magic_scandesc (reclevel: %u/%u)\n", ctx->recursion, ctx->engine->maxreclevel);
1881
1904
if(ctx->engine->maxreclevel && ctx->recursion > ctx->engine->maxreclevel) {
1882
1905
cli_dbgmsg("cli_magic_scandesc: Archive recursion limit exceeded (%u, max: %u)\n", ctx->recursion, ctx->engine->maxreclevel);
1907
ret_from_magicscan(CL_CLEAN);
1886
1910
if(fstat(desc, &sb) == -1) {
1887
1911
cli_errmsg("magic_scandesc: Can't fstat descriptor %d\n", desc);
1912
ret_from_magicscan(CL_ESTAT);
1891
1915
if(sb.st_size <= 5) {
1892
1916
cli_dbgmsg("Small data (%u bytes)\n", (unsigned int) sb.st_size);
1917
ret_from_magicscan(CL_CLEAN);
1896
1920
if(!ctx->engine) {
1897
1921
cli_errmsg("CRITICAL: engine == NULL\n");
1922
ret_from_magicscan(CL_ENULLARG);
1901
1925
if(!(ctx->engine->dboptions & CL_DB_COMPILED)) {
1902
1926
cli_errmsg("CRITICAL: engine not compiled\n");
1906
if(cli_updatelimits(ctx, sb.st_size)!=CL_CLEAN)
1927
ret_from_magicscan(CL_EMALFDB);
1930
if(cli_updatelimits(ctx, sb.st_size)!=CL_CLEAN) {
1932
ret_from_magicscan(CL_CLEAN);
1936
if(!(*ctx->fmap = fmap(desc, 0, sb.st_size))) {
1937
cli_errmsg("CRITICAL: fmap() failed\n");
1939
ret_from_magicscan(CL_EMEM);
1942
if(cache_check(hash, ctx) == CL_CLEAN) {
1945
ret_from_magicscan(CL_CLEAN);
1947
hashed_size = (*ctx->fmap)->len;
1948
old_hook_lsig_matches = ctx->hook_lsig_matches;
1949
ctx->hook_lsig_matches = NULL;
1909
1951
if(!ctx->options || (ctx->recursion == ctx->engine->maxreclevel)) { /* raw mode (stdin, etc.) or last level of recursion */
1910
1952
if(ctx->recursion == ctx->engine->maxreclevel)
1911
1953
cli_dbgmsg("cli_magic_scandesc: Hit recursion limit, only scanning raw file\n");
1913
1955
cli_dbgmsg("Raw mode: No support for special files\n");
1914
if((ret = cli_scandesc(desc, ctx, 0, 0, NULL, AC_SCAN_VIR)) == CL_VIRUS)
1957
if((ret = cli_fmap_scandesc(ctx, 0, 0, NULL, AC_SCAN_VIR, hash)) == CL_VIRUS)
1915
1958
cli_dbgmsg("%s found in descriptor %d\n", *ctx->virname, desc);
1959
else if(ret == CL_CLEAN) {
1960
if(ctx->recursion != ctx->engine->maxreclevel)
1961
cache_add(hash, hashed_size, ctx); /* Only cache if limits are not reached */
1966
ctx->hook_lsig_matches = old_hook_lsig_matches;
1969
ret_from_magicscan(ret);
1919
lseek(desc, 0, SEEK_SET);
1920
type = cli_filetype2(desc, ctx->engine);
1972
type = cli_filetype2(*ctx->fmap, ctx->engine); /* FIXMEFMAP: port to fmap */
1921
1973
if(type == CL_TYPE_ERROR) {
1922
1974
cli_dbgmsg("cli_magic_scandesc: cli_filetype2 returned CL_TYPE_ERROR\n");
1925
lseek(desc, 0, SEEK_SET);
1977
ctx->hook_lsig_matches = old_hook_lsig_matches;
1978
ret_from_magicscan(CL_EREAD);
1980
lseek(desc, 0, SEEK_SET); /* FIXMEFMAP: remove ? */
1982
ctx->hook_lsig_matches = cli_bitset_init();
1983
if (!ctx->hook_lsig_matches) {
1984
ctx->hook_lsig_matches = old_hook_lsig_matches;
1985
ret_from_magicscan(CL_EMEM);
1927
1988
if(type != CL_TYPE_IGNORED && ctx->engine->sdb) {
1928
if((ret = cli_scanraw(desc, ctx, type, 0, &dettype)) == CL_VIRUS)
1930
lseek(desc, 0, SEEK_SET);
1989
if((ret = cli_scanraw(ctx, type, 0, &dettype, hash)) == CL_VIRUS) {
1990
ret = cli_checkfp(hash, hashed_size, ctx);
1993
cli_bitset_free(ctx->hook_lsig_matches);
1994
ctx->hook_lsig_matches = old_hook_lsig_matches;
1995
ret_from_magicscan(ret);
1997
lseek(desc, 0, SEEK_SET); /* FIXMEFMAP: remove ? */
1933
2000
ctx->recursion++;
1936
2002
case CL_TYPE_IGNORED:
1939
2005
case CL_TYPE_RAR:
2006
ctx->container_type = CL_TYPE_RAR;
2007
ctx->container_size = sb.st_size;
1940
2008
if(have_rar && SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_RAR))
1941
2009
ret = cli_scanrar(desc, ctx, 0, NULL);
1944
2012
case CL_TYPE_ZIP:
2013
ctx->container_type = CL_TYPE_ZIP;
2014
ctx->container_size = sb.st_size;
1945
2015
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP))
1946
ret = cli_unzip(desc, ctx);
2016
ret = cli_unzip(ctx);
1949
2019
case CL_TYPE_GZ:
1950
2020
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_GZ))
1951
ret = cli_scangzip(desc, ctx);
2021
ret = cli_scangzip(ctx);
1954
2024
case CL_TYPE_BZ:
1955
2025
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_BZ))
1956
2026
ret = cli_scanbzip(desc, ctx);
1958
2029
case CL_TYPE_ARJ:
2030
ctx->container_type = CL_TYPE_ARJ;
2031
ctx->container_size = sb.st_size;
1959
2032
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ARJ))
1960
2033
ret = cli_scanarj(desc, ctx, 0, NULL);
1963
2036
case CL_TYPE_NULSFT:
1964
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_NSIS))
2037
ctx->container_type = CL_TYPE_NULSFT;
2038
ctx->container_size = sb.st_size;
2039
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_NSIS))
1965
2040
ret = cli_scannulsft(desc, ctx, 0);
1968
2043
case CL_TYPE_AUTOIT:
2044
ctx->container_type = CL_TYPE_AUTOIT;
2045
ctx->container_size = sb.st_size;
1969
2046
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_AUTOIT))
1970
2047
ret = cli_scanautoit(desc, ctx, 23);
1978
2055
case CL_TYPE_MSCAB:
2056
ctx->container_type = CL_TYPE_MSCAB;
2057
ctx->container_size = sb.st_size;
1979
2058
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CAB))
1980
2059
ret = cli_scanmscab(desc, ctx, 0);
1983
2062
case CL_TYPE_HTML:
1984
2063
if(SCAN_HTML && (DCONF_DOC & DOC_CONF_HTML))
1985
ret = cli_scanhtml(desc, ctx);
2064
ret = cli_scanhtml(ctx);
1988
2067
case CL_TYPE_HTML_UTF16:
1989
2068
if(SCAN_HTML && (DCONF_DOC & DOC_CONF_HTML))
1990
ret = cli_scanhtml_utf16(desc, ctx);
2069
ret = cli_scanhtml_utf16(ctx);
1993
2072
case CL_TYPE_SCRIPT:
1994
2073
if((DCONF_DOC & DOC_CONF_SCRIPT) && dettype != CL_TYPE_HTML)
1995
ret = cli_scanscript(desc, ctx);
2074
ret = cli_scanscript(ctx);
1998
2077
case CL_TYPE_RTF:
2078
ctx->container_type = CL_TYPE_RTF;
2079
ctx->container_size = sb.st_size;
1999
2080
if(SCAN_ARCHIVE && (DCONF_DOC & DOC_CONF_RTF))
2000
2081
ret = cli_scanrtf(desc, ctx);
2003
2084
case CL_TYPE_MAIL:
2085
ctx->container_type = CL_TYPE_MAIL;
2086
ctx->container_size = sb.st_size;
2004
2087
if(SCAN_MAIL && (DCONF_MAIL & MAIL_CONF_MBOX))
2005
2088
ret = cli_scanmail(desc, ctx);
2013
2096
case CL_TYPE_UUENCODED:
2014
2097
if(DCONF_OTHER & OTHER_CONF_UUENC)
2015
ret = cli_scanuuencoded(desc, ctx);
2098
ret = cli_scanuuencoded(ctx);
2018
2101
case CL_TYPE_MSCHM:
2102
ctx->container_type = CL_TYPE_MSCHM;
2103
ctx->container_size = sb.st_size;
2019
2104
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CHM))
2020
2105
ret = cli_scanmschm(desc, ctx);
2023
2108
case CL_TYPE_MSOLE2:
2109
ctx->container_type = CL_TYPE_MSOLE2;
2110
ctx->container_size = sb.st_size;
2024
2111
if(SCAN_OLE2 && (DCONF_ARCH & ARCH_CONF_OLE2))
2025
ret = cli_scanole2(desc, ctx);
2112
ret = cli_scanole2(ctx);
2116
ctx->container_type = CL_TYPE_7Z;
2117
ctx->container_size = sb.st_size;
2118
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_7Z))
2119
ret = cli_7unz(desc, ctx);
2028
2122
case CL_TYPE_POSIX_TAR:
2123
ctx->container_type = CL_TYPE_POSIX_TAR;
2124
ctx->container_size = sb.st_size;
2029
2125
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_TAR))
2030
2126
ret = cli_scantar(desc, ctx, 1);
2033
2129
case CL_TYPE_OLD_TAR:
2130
ctx->container_type = CL_TYPE_OLD_TAR;
2131
ctx->container_size = sb.st_size;
2034
2132
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_TAR))
2035
2133
ret = cli_scantar(desc, ctx, 0);
2136
case CL_TYPE_CPIO_OLD:
2137
ctx->container_type = CL_TYPE_CPIO_OLD;
2138
ctx->container_size = sb.st_size;
2139
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))
2140
ret = cli_scancpio_old(desc, ctx);
2143
case CL_TYPE_CPIO_ODC:
2144
ctx->container_type = CL_TYPE_CPIO_ODC;
2145
ctx->container_size = sb.st_size;
2146
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))
2147
ret = cli_scancpio_odc(desc, ctx);
2150
case CL_TYPE_CPIO_NEWC:
2151
ctx->container_type = CL_TYPE_CPIO_NEWC;
2152
ctx->container_size = sb.st_size;
2153
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))
2154
ret = cli_scancpio_newc(desc, ctx, 0);
2157
case CL_TYPE_CPIO_CRC:
2158
ctx->container_type = CL_TYPE_CPIO_CRC;
2159
ctx->container_size = sb.st_size;
2160
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))
2161
ret = cli_scancpio_newc(desc, ctx, 1);
2038
2164
case CL_TYPE_BINHEX:
2039
2165
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_BINHEX))
2040
ret = cli_scanbinhex(desc, ctx);
2166
ret = cli_binhex(ctx);
2043
2169
case CL_TYPE_SCRENC:
2106
2254
/* CL_TYPE_HTML: raw HTML files are not scanned, unless safety measure activated via DCONF */
2107
2255
if(type != CL_TYPE_IGNORED && (type != CL_TYPE_HTML || !(DCONF_DOC & DOC_CONF_HTML_SKIPRAW)) && !ctx->engine->sdb) {
2108
if(cli_scanraw(desc, ctx, type, typercg, &dettype) == CL_VIRUS)
2256
if(cli_scanraw(ctx, type, typercg, &dettype, hash) == CL_VIRUS) {
2257
ret = cli_checkfp(hash, hashed_size, ctx);
2260
cli_bitset_free(ctx->hook_lsig_matches);
2261
ctx->hook_lsig_matches = old_hook_lsig_matches;
2262
ret_from_magicscan(ret);
2112
2266
ctx->recursion++;
2113
2267
lseek(desc, 0, SEEK_SET);
2269
/* bytecode hooks triggered by a lsig must be a hook
2270
* called from one of the functions here */
2115
2271
case CL_TYPE_TEXT_ASCII:
2116
2272
case CL_TYPE_TEXT_UTF16BE:
2117
2273
case CL_TYPE_TEXT_UTF16LE:
2118
2274
case CL_TYPE_TEXT_UTF8:
2119
2275
if((DCONF_DOC & DOC_CONF_SCRIPT) && dettype != CL_TYPE_HTML)
2120
ret = cli_scanscript(desc, ctx);
2276
ret = cli_scanscript(ctx);
2277
if(ret != CL_VIRUS && ctx->container_type == CL_TYPE_MAIL) {
2278
lseek(desc, 0, SEEK_SET);
2279
ret = cli_scandesc(desc, ctx, CL_TYPE_MAIL, 0, NULL, AC_SCAN_VIR);
2122
2282
/* Due to performance reasons all executables were first scanned
2123
2283
* in raw mode. Now we will try to unpack them
2125
2285
case CL_TYPE_MSEXE:
2126
2286
if(SCAN_PE && ctx->dconf->pe)
2127
ret = cli_scanpe(desc, ctx);
2287
ret = cli_scanpe(ctx, NULL);
2294
ret = cli_checkfp(hash, hashed_size, ctx);
2133
2295
ctx->recursion--;
2298
cli_bitset_free(ctx->hook_lsig_matches);
2299
ctx->hook_lsig_matches = old_hook_lsig_matches;
2136
2302
case CL_EFORMAT: