419
421
int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx)
428
uint8_t shash1[SHA1_HASH_SIZE*2+1];
429
uint8_t shash256[SHA256_HASH_SIZE*2+1];
430
int have_sha1, have_sha256, do_dsig_check = 1;
425
const char *virname=NULL;
428
uint8_t shash1[SHA1_HASH_SIZE*2+1];
429
uint8_t shash256[SHA256_HASH_SIZE*2+1];
430
int have_sha1, have_sha256, do_dsig_check = 1;
431
stats_section_t sections;
432
433
if(cli_hm_scan(digest, size, &virname, ctx->engine->hm_fp, CLI_HASH_MD5) == CL_VIRUS) {
433
cli_dbgmsg("cli_checkfp(md5): Found false positive detection (fp sig: %s), size: %d\n", virname, (int)size);
434
cli_dbgmsg("cli_checkfp(md5): Found false positive detection (fp sig: %s), size: %d\n", virname, (int)size);
436
437
else if(cli_hm_scan_wild(digest, &virname, ctx->engine->hm_fp, CLI_HASH_MD5) == CL_VIRUS) {
437
cli_dbgmsg("cli_checkfp(md5): Found false positive detection (fp sig: %s), size: *\n", virname);
438
cli_dbgmsg("cli_checkfp(md5): Found false positive detection (fp sig: %s), size: *\n", virname);
441
442
if(cli_debug_flag || ctx->engine->cb_hash) {
442
for(i = 0; i < 16; i++)
443
sprintf(md5 + i * 2, "%02x", digest[i]);
445
cli_dbgmsg("FP SIGNATURE: %s:%u:%s\n", md5, (unsigned int) size,
446
cli_get_last_virus(ctx) ? cli_get_last_virus(ctx) : "Name");
443
for(i = 0; i < 16; i++)
444
sprintf(md5 + i * 2, "%02x", digest[i]);
446
cli_dbgmsg("FP SIGNATURE: %s:%u:%s\n", md5, (unsigned int) size,
447
cli_get_last_virus(ctx) ? cli_get_last_virus(ctx) : "Name");
449
450
if(cli_get_last_virus(ctx))
450
do_dsig_check = strncmp("W32S.", cli_get_last_virus(ctx), 5);
451
do_dsig_check = strncmp("W32S.", cli_get_last_virus(ctx), 5);
452
453
map = *ctx->fmap;
453
454
have_sha1 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, size)
454
|| cli_hm_have_wild(ctx->engine->hm_fp, CLI_HASH_SHA1)
455
|| (cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, 1) && do_dsig_check);
455
|| cli_hm_have_wild(ctx->engine->hm_fp, CLI_HASH_SHA1)
456
|| (cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, 1) && do_dsig_check);
456
457
have_sha256 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA256, size)
457
|| cli_hm_have_wild(ctx->engine->hm_fp, CLI_HASH_SHA256);
458
|| cli_hm_have_wild(ctx->engine->hm_fp, CLI_HASH_SHA256);
458
459
if(have_sha1 || have_sha256) {
459
if((ptr = fmap_need_off_once(map, 0, size))) {
462
SHA1Update(&sha1, ptr, size);
463
SHA1Final(&sha1, &shash1[SHA1_HASH_SIZE]);
464
if(cli_hm_scan(&shash1[SHA1_HASH_SIZE], size, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
465
cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname);
468
if(cli_hm_scan_wild(&shash1[SHA1_HASH_SIZE], &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
469
cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname);
472
if(do_dsig_check && cli_hm_scan(&shash1[SHA1_HASH_SIZE], 1, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
473
cli_dbgmsg("cli_checkfp(sha1): Found false positive detection via catalog file\n");
478
sha256_init(&sha256);
479
sha256_update(&sha256, ptr, size);
480
sha256_final(&sha256, &shash256[SHA256_HASH_SIZE]);
481
if(cli_hm_scan(&shash256[SHA256_HASH_SIZE], size, &virname, ctx->engine->hm_fp, CLI_HASH_SHA256) == CL_VIRUS) {
482
cli_dbgmsg("cli_checkfp(sha256): Found false positive detection (fp sig: %s)\n", virname);
485
if(cli_hm_scan_wild(&shash256[SHA256_HASH_SIZE], &virname, ctx->engine->hm_fp, CLI_HASH_SHA256) == CL_VIRUS) {
486
cli_dbgmsg("cli_checkfp(sha256): Found false positive detection (fp sig: %s)\n", virname);
460
if((ptr = fmap_need_off_once(map, 0, size))) {
462
cl_sha1(ptr, size, &shash1[SHA1_HASH_SIZE], NULL);
464
if(cli_hm_scan(&shash1[SHA1_HASH_SIZE], size, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
465
cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname);
468
if(cli_hm_scan_wild(&shash1[SHA1_HASH_SIZE], &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
469
cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname);
472
if(do_dsig_check && cli_hm_scan(&shash1[SHA1_HASH_SIZE], 1, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
473
cli_dbgmsg("cli_checkfp(sha1): Found false positive detection via catalog file\n");
479
cl_sha256(ptr, size, &shash256[SHA256_HASH_SIZE], NULL);
481
if(cli_hm_scan(&shash256[SHA256_HASH_SIZE], size, &virname, ctx->engine->hm_fp, CLI_HASH_SHA256) == CL_VIRUS) {
482
cli_dbgmsg("cli_checkfp(sha256): Found false positive detection (fp sig: %s)\n", virname);
485
if(cli_hm_scan_wild(&shash256[SHA256_HASH_SIZE], &virname, ctx->engine->hm_fp, CLI_HASH_SHA256) == CL_VIRUS) {
486
cli_dbgmsg("cli_checkfp(sha256): Found false positive detection (fp sig: %s)\n", virname);
493
493
#ifdef HAVE__INTERNAL__SHA_COLLECT
494
494
if((ctx->options & CL_SCAN_INTERNAL_COLLECT_SHA) && ctx->sha_collect>0) {
495
495
if((ptr = fmap_need_off_once(map, 0, size))) {
497
sha256_init(&sha256);
498
sha256_update(&sha256, ptr, size);
499
sha256_final(&sha256, &shash256[SHA256_HASH_SIZE]);
497
cl_sha256(ptr, size, shash256+SHA256_HASH_SIZE, NULL);
501
499
for(i=0; i<SHA256_HASH_SIZE; i++)
502
500
sprintf((char *)shash256+i*2, "%02x", shash256[SHA256_HASH_SIZE+i]);
506
SHA1Update(&sha1, ptr, size);
507
SHA1Final(&sha1, &shash1[SHA1_HASH_SIZE]);
503
cl_sha1(ptr, size, shash1+SHA1_HASH_SIZE);
509
505
for(i=0; i<SHA1_HASH_SIZE; i++)
510
506
sprintf((char *)shash1+i*2, "%02x", shash1[SHA1_HASH_SIZE+i]);
512
cli_errmsg("COLLECT:%s:%s:%u:%s:%s\n", shash256, shash1, size, cli_get_last_virus(ctx), ctx->entry_filename);
508
cli_errmsg("COLLECT:%s:%s:%u:%s:%s\n", shash256, shash1, size, cli_get_last_virus(ctx), ctx->entry_filename);
514
510
cli_errmsg("can't compute sha\n!");
515
512
ctx->sha_collect = -1;
520
switch(cli_checkfp_pe(ctx, shash1)) {
522
cli_dbgmsg("cli_checkfp(pe): PE file whitelisted due to valid embedded digital signature\n");
525
if(cli_hm_scan(shash1, 2, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
526
cli_dbgmsg("cli_checkfp(pe): PE file whitelisted by catalog file\n");
516
memset(§ions, 0x00, sizeof(stats_section_t));
517
if(do_dsig_check || ctx->engine->cb_stats_add_sample) {
518
uint32_t flags = (do_dsig_check ? CL_CHECKFP_PE_FLAG_AUTHENTICODE : 0);
519
if (!(ctx->engine->engine_options & ENGINE_OPTIONS_DISABLE_PE_STATS) && !(ctx->engine->dconf->stats & (DCONF_STATS_DISABLED | DCONF_STATS_PE_SECTION_DISABLED)))
520
flags |= CL_CHECKFP_PE_FLAG_STATS;
522
switch(cli_checkfp_pe(ctx, shash1, §ions, flags)) {
524
cli_dbgmsg("cli_checkfp(pe): PE file whitelisted due to valid embedded digital signature\n");
527
if(cli_hm_scan(shash1, 2, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
528
cli_dbgmsg("cli_checkfp(pe): PE file whitelisted by catalog file\n");
531
535
if (ctx->engine->cb_hash)
532
ctx->engine->cb_hash(fmap_fd(*ctx->fmap), size, md5, cli_get_last_virus(ctx), ctx->cb_ctx);
536
ctx->engine->cb_hash(fmap_fd(*ctx->fmap), size, md5, cli_get_last_virus(ctx), ctx->cb_ctx);
538
if (ctx->engine->cb_stats_add_sample)
539
ctx->engine->cb_stats_add_sample(cli_get_last_virus(ctx), digest, size, §ions, ctx->engine->stats_data);
541
if (sections.sections)
542
free(sections.sections);
537
547
static int matchicon(cli_ctx *ctx, struct cli_exe_info *exeinfo, const char *grp1, const char *grp2)
539
icon_groupset iconset;
549
icon_groupset iconset;
698
711
int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode, struct cli_ac_result **acres, unsigned char *refhash)
700
const unsigned char *buff;
701
int ret = CL_CLEAN, type = CL_CLEAN, bytes, compute_hash[CLI_HASH_AVAIL_TYPES];
702
unsigned int i = 0, bm_offmode = 0;
703
uint32_t maxpatlen, offset = 0;
704
struct cli_ac_data gdata, tdata;
705
struct cli_bm_off toff;
707
SHA256_CTX sha256ctx;
709
unsigned char digest[CLI_HASH_AVAIL_TYPES][32];
710
struct cli_matcher *groot = NULL, *troot = NULL;
711
struct cli_target_info info;
712
fmap_t *map = *ctx->fmap;
713
struct cli_matcher *hdb, *fp;
714
const char *virname = NULL;
715
uint32_t viroffset = 0;
716
uint32_t viruses_found = 0;
713
const unsigned char *buff;
714
int ret = CL_CLEAN, type = CL_CLEAN, bytes, compute_hash[CLI_HASH_AVAIL_TYPES];
715
unsigned int i = 0, j = 0, bm_offmode = 0;
716
uint32_t maxpatlen, offset = 0;
717
struct cli_ac_data gdata, tdata;
718
struct cli_bm_off toff;
719
unsigned char digest[CLI_HASH_AVAIL_TYPES][32];
720
struct cli_matcher *groot = NULL, *troot = NULL;
721
struct cli_target_info info;
722
fmap_t *map = *ctx->fmap;
723
struct cli_matcher *hdb, *fp;
724
const char *virname = NULL;
725
uint32_t viroffset = 0;
726
uint32_t viruses_found = 0;
727
void *md5ctx, *sha1ctx, *sha256ctx;
718
729
if(!ctx->engine) {
719
cli_errmsg("cli_scandesc: engine == NULL\n");
730
cli_errmsg("cli_scandesc: engine == NULL\n");
734
md5ctx = cl_hash_init("md5");
738
sha1ctx = cl_hash_init("sha1");
740
cl_hash_destroy(md5ctx);
744
sha256ctx = cl_hash_init("sha256");
746
cl_hash_destroy(md5ctx);
747
cl_hash_destroy(sha1ctx);
724
groot = ctx->engine->root[0]; /* generic signatures */
752
groot = ctx->engine->root[0]; /* generic signatures */
727
for(i = 1; i < CLI_MTARGETS; i++) {
728
if(cli_mtargets[i].target == ftype) {
729
troot = ctx->engine->root[i];
755
for(i = 1; i < CLI_MTARGETS; i++) {
756
for (j = 0; j < cli_mtargets[i].target_count; ++j) {
757
if(cli_mtargets[i].target[j] == ftype) {
758
troot = ctx->engine->root[i];
768
cl_hash_destroy(md5ctx);
769
cl_hash_destroy(sha1ctx);
770
cl_hash_destroy(sha256ctx);
739
maxpatlen = troot->maxpatlen;
774
maxpatlen = troot->maxpatlen;
742
maxpatlen = MAX(troot->maxpatlen, groot->maxpatlen);
744
maxpatlen = groot->maxpatlen;
747
targetinfo(&info, i, map);
750
if((ret = cli_ac_initdata(&gdata, groot->ac_partsigs, groot->ac_lsigs, groot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)) || (ret = cli_ac_caloff(groot, &gdata, &info))) {
751
if(info.exeinfo.section)
752
free(info.exeinfo.section);
753
cli_hashset_destroy(&info.exeinfo.vinfo);
777
maxpatlen = MAX(troot->maxpatlen, groot->maxpatlen);
779
maxpatlen = groot->maxpatlen;
782
cli_targetinfo(&info, i, map);
785
if((ret = cli_ac_initdata(&gdata, groot->ac_partsigs, groot->ac_lsigs, groot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)) || (ret = cli_ac_caloff(groot, &gdata, &info))) {
786
if(info.exeinfo.section)
787
free(info.exeinfo.section);
789
cli_hashset_destroy(&info.exeinfo.vinfo);
790
cl_hash_destroy(md5ctx);
791
cl_hash_destroy(sha1ctx);
792
cl_hash_destroy(sha256ctx);
758
if((ret = cli_ac_initdata(&tdata, troot->ac_partsigs, troot->ac_lsigs, troot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)) || (ret = cli_ac_caloff(troot, &tdata, &info))) {
760
cli_ac_freedata(&gdata);
761
if(info.exeinfo.section)
762
free(info.exeinfo.section);
763
cli_hashset_destroy(&info.exeinfo.vinfo);
766
if(troot->bm_offmode) {
767
if(map->len >= CLI_DEFAULT_BM_OFFMODE_FSIZE) {
768
if((ret = cli_bm_initoff(troot, &toff, &info))) {
770
cli_ac_freedata(&gdata);
771
cli_ac_freedata(&tdata);
772
if(info.exeinfo.section)
773
free(info.exeinfo.section);
774
cli_hashset_destroy(&info.exeinfo.vinfo);
798
if((ret = cli_ac_initdata(&tdata, troot->ac_partsigs, troot->ac_lsigs, troot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)) || (ret = cli_ac_caloff(troot, &tdata, &info))) {
800
cli_ac_freedata(&gdata);
801
if(info.exeinfo.section)
802
free(info.exeinfo.section);
804
cli_hashset_destroy(&info.exeinfo.vinfo);
805
cl_hash_destroy(md5ctx);
806
cl_hash_destroy(sha1ctx);
807
cl_hash_destroy(sha256ctx);
810
if(troot->bm_offmode) {
811
if(map->len >= CLI_DEFAULT_BM_OFFMODE_FSIZE) {
812
if((ret = cli_bm_initoff(troot, &toff, &info))) {
814
cli_ac_freedata(&gdata);
816
cli_ac_freedata(&tdata);
817
if(info.exeinfo.section)
818
free(info.exeinfo.section);
820
cli_hashset_destroy(&info.exeinfo.vinfo);
821
cl_hash_destroy(md5ctx);
822
cl_hash_destroy(sha1ctx);
823
cl_hash_destroy(sha256ctx);
782
832
hdb = ctx->engine->hm_hdb;
783
833
fp = ctx->engine->hm_fp;
785
835
if(!ftonly && hdb) {
787
if(cli_hm_have_size(hdb, CLI_HASH_MD5, map->len) || cli_hm_have_size(fp, CLI_HASH_MD5, map->len)) {
788
cli_md5_init(&md5ctx);
789
compute_hash[CLI_HASH_MD5] = 1;
791
compute_hash[CLI_HASH_MD5] = 0;
793
compute_hash[CLI_HASH_MD5] = 0;
794
memcpy(digest[CLI_HASH_MD5], refhash, 16);
797
if(cli_hm_have_size(hdb, CLI_HASH_SHA1, map->len) || cli_hm_have_wild(hdb, CLI_HASH_SHA1)
798
|| cli_hm_have_size(fp, CLI_HASH_SHA1, map->len) || cli_hm_have_wild(fp, CLI_HASH_SHA1) ) {
800
compute_hash[CLI_HASH_SHA1] = 1;
802
compute_hash[CLI_HASH_SHA1] = 0;
804
if(cli_hm_have_size(hdb, CLI_HASH_SHA256, map->len) || cli_hm_have_wild(hdb, CLI_HASH_SHA256)
805
|| cli_hm_have_size(fp, CLI_HASH_SHA256, map->len) || cli_hm_have_wild(fp, CLI_HASH_SHA256)) {
806
sha256_init(&sha256ctx);
807
compute_hash[CLI_HASH_SHA256] = 1;
809
compute_hash[CLI_HASH_SHA256] = 0;
837
if(cli_hm_have_size(hdb, CLI_HASH_MD5, map->len) || cli_hm_have_size(fp, CLI_HASH_MD5, map->len)) {
838
compute_hash[CLI_HASH_MD5] = 1;
840
compute_hash[CLI_HASH_MD5] = 0;
843
compute_hash[CLI_HASH_MD5] = 0;
844
memcpy(digest[CLI_HASH_MD5], refhash, 16);
847
if(cli_hm_have_size(hdb, CLI_HASH_SHA1, map->len) || cli_hm_have_wild(hdb, CLI_HASH_SHA1)
848
|| cli_hm_have_size(fp, CLI_HASH_SHA1, map->len) || cli_hm_have_wild(fp, CLI_HASH_SHA1) ) {
849
compute_hash[CLI_HASH_SHA1] = 1;
851
compute_hash[CLI_HASH_SHA1] = 0;
854
if(cli_hm_have_size(hdb, CLI_HASH_SHA256, map->len) || cli_hm_have_wild(hdb, CLI_HASH_SHA256)
855
|| cli_hm_have_size(fp, CLI_HASH_SHA256, map->len) || cli_hm_have_wild(fp, CLI_HASH_SHA256)) {
856
compute_hash[CLI_HASH_SHA256] = 1;
858
compute_hash[CLI_HASH_SHA256] = 0;
812
862
while(offset < map->len) {
813
bytes = MIN(map->len - offset, SCANBUFF);
814
if(!(buff = fmap_need_off_once(map, offset, bytes)))
817
*ctx->scanned += bytes / CL_COUNT_PRECISION;
863
bytes = MIN(map->len - offset, SCANBUFF);
864
if(!(buff = fmap_need_off_once(map, offset, bytes)))
867
*ctx->scanned += bytes / CL_COUNT_PRECISION;
872
ret = matcher_run(troot, buff, bytes, &virname, &tdata, offset, &info, ftype, ftoffset, acmode, acres, map, bm_offmode ? &toff : NULL, &viroffset, ctx);
875
/* virname already appended by matcher_run */
878
if((ret == CL_VIRUS && !SCAN_ALL) || ret == CL_EMEM) {
880
cli_ac_freedata(&gdata);
882
cli_ac_freedata(&tdata);
884
cli_bm_freeoff(&toff);
886
if(info.exeinfo.section)
887
free(info.exeinfo.section);
889
cli_hashset_destroy(&info.exeinfo.vinfo);
890
cl_hash_destroy(md5ctx);
891
cl_hash_destroy(sha1ctx);
892
cl_hash_destroy(sha256ctx);
822
ret = matcher_run(troot, buff, bytes, &virname, &tdata, offset, &info, ftype, ftoffset, acmode, acres, map, bm_offmode ? &toff : NULL, &viroffset, ctx);
825
/* virname already appended by matcher_run */
828
if((ret == CL_VIRUS && !SCAN_ALL) || ret == CL_EMEM) {
830
cli_ac_freedata(&gdata);
831
cli_ac_freedata(&tdata);
833
cli_bm_freeoff(&toff);
834
if(info.exeinfo.section)
835
free(info.exeinfo.section);
836
cli_hashset_destroy(&info.exeinfo.vinfo);
844
ret = matcher_run(groot, buff, bytes, &virname, &gdata, offset, &info, ftype, ftoffset, acmode, acres, map, NULL, &viroffset, ctx);
900
ret = matcher_run(groot, buff, bytes, &virname, &gdata, offset, &info, ftype, ftoffset, acmode, acres, map, NULL, &viroffset, ctx);
847
/* virname already appended by matcher_run */
850
if((ret == CL_VIRUS && !SCAN_ALL) || ret == CL_EMEM) {
851
cli_ac_freedata(&gdata);
853
cli_ac_freedata(&tdata);
855
cli_bm_freeoff(&toff);
857
if(info.exeinfo.section)
858
free(info.exeinfo.section);
859
cli_hashset_destroy(&info.exeinfo.vinfo);
861
} else if((acmode & AC_SCAN_FT) && ret >= CL_TYPENO) {
866
if(hdb && !SCAN_ALL) {
867
const void *data = buff + maxpatlen * (offset!=0);
868
uint32_t data_len = bytes - maxpatlen * (offset!=0);
870
if(compute_hash[CLI_HASH_MD5])
871
cli_md5_update(&md5ctx, data, data_len);
872
if(compute_hash[CLI_HASH_SHA1])
873
SHA1Update(&sha1ctx, data, data_len);
874
if(compute_hash[CLI_HASH_SHA256])
875
sha256_update(&sha256ctx, data, data_len);
879
if(SCAN_ALL && viroffset) {
883
if(bytes < SCANBUFF) break;
884
offset += bytes - maxpatlen;
903
/* virname already appended by matcher_run */
906
if((ret == CL_VIRUS && !SCAN_ALL) || ret == CL_EMEM) {
907
cli_ac_freedata(&gdata);
909
cli_ac_freedata(&tdata);
911
cli_bm_freeoff(&toff);
914
if(info.exeinfo.section)
915
free(info.exeinfo.section);
917
cli_hashset_destroy(&info.exeinfo.vinfo);
919
} else if((acmode & AC_SCAN_FT) && ret >= CL_TYPENO) {
924
if(hdb && !SCAN_ALL) {
925
const void *data = buff + maxpatlen * (offset!=0);
926
uint32_t data_len = bytes - maxpatlen * (offset!=0);
928
if(compute_hash[CLI_HASH_MD5])
929
cl_update_hash(md5ctx, data, data_len);
930
if(compute_hash[CLI_HASH_SHA1])
931
cl_update_hash(sha1ctx, data, data_len);
932
if(compute_hash[CLI_HASH_SHA256])
933
cl_update_hash(sha256ctx, data, data_len);
937
if(SCAN_ALL && viroffset) {
945
offset += bytes - maxpatlen;
887
948
if(!ftonly && hdb) {
888
enum CLI_HASH_TYPE hashtype, hashtype2;
890
if(compute_hash[CLI_HASH_MD5])
891
cli_md5_final(digest[CLI_HASH_MD5], &md5ctx);
893
compute_hash[CLI_HASH_MD5] = 1;
894
if(compute_hash[CLI_HASH_SHA1])
895
SHA1Final(&sha1ctx, digest[CLI_HASH_SHA1]);
896
if(compute_hash[CLI_HASH_SHA256])
897
sha256_final(&sha256ctx, digest[CLI_HASH_SHA256]);
900
for(hashtype = CLI_HASH_MD5; hashtype < CLI_HASH_AVAIL_TYPES; hashtype++) {
901
const char * virname_w = NULL;
904
/* If no hash, skip to next type */
905
if(!compute_hash[hashtype])
909
if((ret = cli_hm_scan(digest[hashtype], map->len, &virname, hdb, hashtype)) == CL_VIRUS) {
912
if(!found || SCAN_ALL) {
913
if ((ret = cli_hm_scan_wild(digest[hashtype], &virname_w, hdb, hashtype)) == CL_VIRUS)
917
/* If found, do immediate hash-only FP check */
919
for(hashtype2 = CLI_HASH_MD5; hashtype2 < CLI_HASH_AVAIL_TYPES; hashtype2++) {
920
if(!compute_hash[hashtype2])
922
if(cli_hm_scan(digest[hashtype2], map->len, NULL, fp, hashtype2) == CL_VIRUS) {
927
else if(cli_hm_scan_wild(digest[hashtype2], NULL, fp, hashtype2) == CL_VIRUS) {
935
/* If matched size-based hash ... */
938
cli_append_virus(ctx, virname);
943
/* If matched size-agnostic hash ... */
946
cli_append_virus(ctx, virname_w);
949
enum CLI_HASH_TYPE hashtype, hashtype2;
951
if(compute_hash[CLI_HASH_MD5]) {
952
cl_finish_hash(md5ctx, digest[CLI_HASH_MD5]);
956
compute_hash[CLI_HASH_MD5] = 1;
957
if(compute_hash[CLI_HASH_SHA1]) {
958
cl_finish_hash(sha1ctx, digest[CLI_HASH_SHA1]);
961
if(compute_hash[CLI_HASH_SHA256]) {
962
cl_finish_hash(sha256ctx, digest[CLI_HASH_SHA256]);
967
for(hashtype = CLI_HASH_MD5; hashtype < CLI_HASH_AVAIL_TYPES; hashtype++) {
968
const char * virname_w = NULL;
971
/* If no hash, skip to next type */
972
if(!compute_hash[hashtype])
976
if((ret = cli_hm_scan(digest[hashtype], map->len, &virname, hdb, hashtype)) == CL_VIRUS) {
979
if(!found || SCAN_ALL) {
980
if ((ret = cli_hm_scan_wild(digest[hashtype], &virname_w, hdb, hashtype)) == CL_VIRUS)
984
/* If found, do immediate hash-only FP check */
986
for(hashtype2 = CLI_HASH_MD5; hashtype2 < CLI_HASH_AVAIL_TYPES; hashtype2++) {
987
if(!compute_hash[hashtype2])
989
if(cli_hm_scan(digest[hashtype2], map->len, NULL, fp, hashtype2) == CL_VIRUS) {
994
else if(cli_hm_scan_wild(digest[hashtype2], NULL, fp, hashtype2) == CL_VIRUS) {
1002
/* If matched size-based hash ... */
1005
cli_append_virus(ctx, virname);
1010
/* If matched size-agnostic hash ... */
1013
cli_append_virus(ctx, virname_w);
1021
cl_hash_destroy(md5ctx);
1022
cl_hash_destroy(sha1ctx);
1023
cl_hash_destroy(sha256ctx);
954
if(ret != CL_VIRUS || SCAN_ALL)
955
ret = cli_lsig_eval(ctx, troot, &tdata, &info, refhash);
958
cli_ac_freedata(&tdata);
960
cli_bm_freeoff(&toff);
1026
if(ret != CL_VIRUS || SCAN_ALL)
1027
ret = cli_lsig_eval(ctx, troot, &tdata, &info, refhash);
1028
if (ret == CL_VIRUS)
1031
cli_ac_freedata(&tdata);
1033
cli_bm_freeoff(&toff);
964
if(ret != CL_VIRUS || SCAN_ALL)
965
ret = cli_lsig_eval(ctx, groot, &gdata, &info, refhash);
966
cli_ac_freedata(&gdata);
1037
if(ret != CL_VIRUS || SCAN_ALL)
1038
ret = cli_lsig_eval(ctx, groot, &gdata, &info, refhash);
1039
cli_ac_freedata(&gdata);
969
1042
if(info.exeinfo.section)
970
free(info.exeinfo.section);
1043
free(info.exeinfo.section);
971
1045
cli_hashset_destroy(&info.exeinfo.vinfo);
973
1047
if (SCAN_ALL && viruses_found)
975
1049
if(ret == CL_VIRUS)
978
1052
return (acmode & AC_SCAN_FT) ? type : CL_CLEAN;