75
if((ret = cli_ac_initdata(&mdata, troot->ac_partsigs, troot->ac_lsigs, AC_DEFAULT_TRACKLEN)))
78
if(troot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, troot, 0, ftype, -1)) != CL_VIRUS)
79
ret = cli_ac_scanbuff(buffer, length, virname, NULL, NULL, troot, &mdata, 0, ftype, -1, NULL, AC_SCAN_VIR, NULL);
76
if(!acdata && (ret = cli_ac_initdata(&mdata, troot->ac_partsigs, troot->ac_lsigs, CLI_DEFAULT_AC_TRACKLEN)))
79
if(troot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, NULL, troot, offset, ftype, -1)) != CL_VIRUS)
80
ret = cli_ac_scanbuff(buffer, length, virname, NULL, NULL, troot, acdata ? (acdata[0]) : (&mdata), offset, ftype, -1, NULL, AC_SCAN_VIR, NULL);
83
cli_ac_freedata(&mdata);
89
if(!acdata && (ret = cli_ac_initdata(&mdata, groot->ac_partsigs, groot->ac_lsigs, CLI_DEFAULT_AC_TRACKLEN)))
92
if(groot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, NULL, groot, offset, ftype, -1)) != CL_VIRUS)
93
ret = cli_ac_scanbuff(buffer, length, virname, NULL, NULL, groot, acdata ? (acdata[1]) : (&mdata), offset, ftype, -1, NULL, AC_SCAN_VIR, NULL);
81
96
cli_ac_freedata(&mdata);
87
if((ret = cli_ac_initdata(&mdata, groot->ac_partsigs, groot->ac_lsigs, AC_DEFAULT_TRACKLEN)))
90
if(groot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, groot, 0, ftype, -1)) != CL_VIRUS)
91
ret = cli_ac_scanbuff(buffer, length, virname, NULL, NULL, groot, &mdata, 0, ftype, -1, NULL, AC_SCAN_VIR, NULL);
93
cli_ac_freedata(&mdata);
140
if((pt = strchr(offstr, ',')))
141
*maxshift = atoi(++pt);
143
if(isdigit(offstr[0])) {
146
} else if(info->status == 1 && (!strncmp(offstr, "EP+", 3) || !strncmp(offstr, "EP-", 3))) {
154
if(info->status == 1 && (!strncmp(offstr, "EP+", 3) || !strncmp(offstr, "EP-", 3))) {
148
156
if(offstr[2] == '+')
149
157
return info->exeinfo.ep + atoi(offstr + 3);
199
static int cli_checkfp(int fd, const struct cl_engine *engine)
207
int cli_checkfp(int fd, cli_ctx *ctx)
201
209
unsigned char *digest;
202
212
const char *virname;
215
const struct cli_bm_patt *patt = NULL;
218
if((pos = lseek(fd, 0, SEEK_CUR)) == -1) {
219
cli_errmsg("cli_checkfp(): lseek() failed\n");
223
lseek(fd, 0, SEEK_SET);
225
if(ctx->engine->md5_fp) {
226
if(fstat(fd, &sb) == -1) {
227
cli_errmsg("cli_checkfp(): fstat(%d) failed\n", fd);
228
lseek(fd, pos, SEEK_SET);
206
232
if(!(digest = cli_md5digest(fd))) {
207
233
cli_errmsg("cli_checkfp(): Can't generate MD5 checksum\n");
234
lseek(fd, pos, SEEK_SET);
211
if(cli_bm_scanbuff(digest, 16, &virname, engine->md5_fp, 0, 0, -1) == CL_VIRUS) {
212
cli_dbgmsg("Eliminated false positive match (fp sig: %s)\n", virname);
238
if(cli_bm_scanbuff(digest, 16, &virname, &patt, ctx->engine->md5_fp, 0, 0, -1) == CL_VIRUS && patt->filesize == sb.st_size) {
239
cli_dbgmsg("cli_checkfp(): Found false positive detection (fp sig: %s)\n", virname);
241
lseek(fd, pos, SEEK_SET);
244
for(i = 0; i < 16; i++)
245
sprintf(md5 + i * 2, "%02x", digest[i]);
247
cli_dbgmsg("FP SIGNATURE: %s:%u:%s\n", md5, (unsigned int) sb.st_size, *ctx->virname ? *ctx->virname : "Name");
251
lseek(fd, pos, SEEK_SET);
226
259
unsigned int maxshift = 0;
229
if(offstr && desc != -1) {
230
263
offset = cli_caloff(offstr, info, desc, ftype, &ret, &maxshift);
233
cli_dbgmsg("cli_validatesig: Can't calculate offset for signature %s\n", virname);
238
269
if((fileoff < offset) || (fileoff > offset + (off_t) maxshift)) {
300
if(!ftonly && (ret = cli_ac_initdata(&gdata, groot->ac_partsigs, groot->ac_lsigs, AC_DEFAULT_TRACKLEN)))
331
if(!ftonly && (ret = cli_ac_initdata(&gdata, groot->ac_partsigs, groot->ac_lsigs, CLI_DEFAULT_AC_TRACKLEN)))
304
if((ret = cli_ac_initdata(&tdata, troot->ac_partsigs, troot->ac_lsigs, AC_DEFAULT_TRACKLEN)))
335
if((ret = cli_ac_initdata(&tdata, troot->ac_partsigs, troot->ac_lsigs, CLI_DEFAULT_AC_TRACKLEN)))
325
356
length += maxpatlen;
328
if(troot->ac_only || (ret = cli_bm_scanbuff(upt, length, ctx->virname, troot, offset, ftype, desc)) != CL_VIRUS)
359
if(troot->ac_only || (ret = cli_bm_scanbuff(upt, length, ctx->virname, NULL, troot, offset, ftype, desc)) != CL_VIRUS)
329
360
ret = cli_ac_scanbuff(upt, length, ctx->virname, NULL, NULL, troot, &tdata, offset, ftype, desc, ftoffset, acmode, NULL);
331
362
if(ret == CL_VIRUS) {
346
if(groot->ac_only || (ret = cli_bm_scanbuff(upt, length, ctx->virname, groot, offset, ftype, desc)) != CL_VIRUS)
376
if(groot->ac_only || (ret = cli_bm_scanbuff(upt, length, ctx->virname, NULL, groot, offset, ftype, desc)) != CL_VIRUS)
347
377
ret = cli_ac_scanbuff(upt, length, ctx->virname, NULL, NULL, groot, &gdata, offset, ftype, desc, ftoffset, acmode, NULL);
349
379
if(ret == CL_VIRUS) {
415
444
if(ret == CL_VIRUS) {
416
445
lseek(desc, 0, SEEK_SET);
417
if(cli_checkfp(desc, ctx->engine))
446
if(cli_checkfp(desc, ctx))
423
452
if(!ftonly && ctx->engine->md5_hdb) {
453
const struct cli_bm_patt *patt;
424
455
cli_md5_final(digest, &md5ctx);
425
if(cli_bm_scanbuff(digest, 16, ctx->virname, ctx->engine->md5_hdb, 0, 0, -1) == CL_VIRUS && (cli_bm_scanbuff(digest, 16, NULL, ctx->engine->md5_fp, 0, 0, -1) != CL_VIRUS))
457
if(cli_bm_scanbuff(digest, 16, ctx->virname, &patt, ctx->engine->md5_hdb, 0, 0, -1) == CL_VIRUS && patt->filesize == sb.st_size && (cli_bm_scanbuff(digest, 16, NULL, &patt, ctx->engine->md5_fp, 0, 0, -1) != CL_VIRUS || patt->filesize != sb.st_size))