1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<!--Converted with LaTeX2HTML 99.2beta8 (1.46)
original version by: Nikos Drakos, CBLU, University of Leeds
* revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>Data scan functions</TITLE>
<META NAME="description" CONTENT="Data scan functions">
<META NAME="keywords" CONTENT="clamdoc">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v99.2beta8">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">
<LINK REL="STYLESHEET" HREF="clamdoc.css">
<LINK REL="next" HREF="node45.html">
<LINK REL="previous" HREF="node43.html">
<LINK REL="up" HREF="node43.html">
<LINK REL="next" HREF="node45.html">
</HEAD>
<BODY >
<!--Navigation Panel-->
<A NAME="tex2html767"
HREF="node45.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A>
<A NAME="tex2html763"
HREF="node43.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A>
<A NAME="tex2html757"
HREF="node43.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A>
<A NAME="tex2html765"
HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A>
<BR>
<B> Next:</B> <A NAME="tex2html768"
HREF="node45.html">Memory</A>
<B> Up:</B> <A NAME="tex2html764"
HREF="node43.html">Database reloading</A>
<B> Previous:</B> <A NAME="tex2html758"
HREF="node43.html">Database reloading</A>
  <B> <A NAME="tex2html766"
HREF="node1.html">Contents</A></B>
<BR>
<BR>
<!--End of Navigation Panel-->
<H3><A NAME="SECTION00075100000000000000">
Data scan functions</A>
</H3>
It's possible to scan a file or descriptor using:
<PRE>
int cl_scanfile(const char *filename, const char **virname,
unsigned long int *scanned, const struct cl_engine *engine,
const struct cl_limits *limits, unsigned int options);
int cl_scandesc(int desc, const char **virname, unsigned
long int *scanned, const struct cl_engine *engine, const
struct cl_limits *limits, unsigned int options);
</PRE>
Both functions will save a virus name under the pointer <code>virname</code>,
the virus name is part of the engine structure and must not be released
directly. If the third argument (<code>scanned</code>) is not NULL, the
functions will increase its value with the size of scanned data (in
<code>CL_COUNT_PRECISION</code> units). Both functions have support for archive
limits in order to protect against Denial of Service attacks.
<PRE>
struct cl_limits {
unsigned int maxreclevel; /* maximum recursion level for archives */
unsigned int maxfiles; /* maximum number of files to be scanned
* within a single archive
*/
unsigned int maxmailrec; /* maximum recursion level for mail files */
unsigned int maxratio; /* maximum compression ratio */
unsigned long int maxfilesize;/* compressed files larger than this limit
* will not be scanned
*/
unsigned short archivememlim; /* limit memory usage for some unpackers */
};
</PRE>
The last argument (<code>options</code>) configures the scan engine and supports
the following flags (that can be combined using bit operators):
<UL>
<LI><B>CL_SCAN_STDOPT</B>
<BR>
This is an alias for a recommended set of scan options. You
should use it to make your software ready for new features
in the future versions of libclamav.
</LI>
<LI><B>CL_SCAN_RAW</B>
<BR>
Use it alone if you want to disable support for special files.
</LI>
<LI><B>CL_SCAN_ARCHIVE</B>
<BR>
This flag enables transparent scanning of various archive formats.
</LI>
<LI><B>CL_SCAN_BLOCKENCRYPTED</B>
<BR>
With this flag the library will mark encrypted archives as viruses
(Encrypted.Zip, Encrypted.RAR).
</LI>
<LI><B>CL_SCAN_BLOCKMAX</B>
<BR>
Mark archives as viruses if <code>maxfiles</code>, <code>maxfilesize</code>,
or <code>maxreclevel</code> limit is reached.
</LI>
<LI><B>CL_SCAN_MAIL</B>
<BR>
Enable support for mail files.
</LI>
<LI><B>CL_SCAN_MAILURL</B>
<BR>
The mail scanner will download and scan URLs listed in a mail
body. This flag should not be used on loaded servers. Due to
potential problems please do not enable it by default but make
it optional.
</LI>
<LI><B>CL_SCAN_OLE2</B>
<BR>
Enables support for OLE2 containers (used by MS Office and .msi
files).
</LI>
<LI><B>CL_SCAN_PDF</B>
<BR>
Enables scanning within PDF files.
</LI>
<LI><B>CL_SCAN_PE</B>
<BR>
This flag enables deep scanning of Portable Executable files and
allows libclamav to unpack executables compressed with run-time
unpackers.
</LI>
<LI><B>CL_SCAN_ELF</B>
<BR>
Enable support for ELF files.
</LI>
<LI><B>CL_SCAN_BLOCKBROKEN</B>
<BR>
libclamav will try to detect broken executables and mark them as
Broken.Executable.
</LI>
<LI><B>CL_SCAN_HTML</B>
<BR>
This flag enables HTML normalisation (including ScrEnc
decryption).
</LI>
<LI><B>CL_SCAN_ALGORITHMIC</B>
<BR>
Enable algorithmic detection of viruses.
</LI>
<LI><B>CL_SCAN_PHISHING_DOMAINLIST</B>
<BR>
Phishing module: restrict URL scanning to domains from .pdf
(RECOMMENDED).
</LI>
<LI><B>CL_SCAN_PHISHING_BLOCKSSL</B>
<BR>
Phishing module: always block SSL mismatches in URLs.
</LI>
<LI><B>CL_SCAN_PHISHING_BLOCKCLOAK</B>
<BR>
Phishing module: always block cloaked URLs.
</LI>
</UL>
All functions return 0 (<code>CL_CLEAN</code>) when the file seems clean,
<code>CL_VIRUS</code> when a virus is detected and another value on failure.
<PRE>
...
struct cl_limits limits;
const char *virname;
memset(&limits, 0, sizeof(struct cl_limits));
limits.maxfiles = 1000; /* max files */
limits.maxfilesize = 10 * 1048576; /* maximum size of archived or
* compressed file (files exceeding
* this limit will be ignored)
*/
limits.maxreclevel = 5; /* maximum recursion level for archives */
limits.maxmailrec = 64; /* maximum recursion level for mail files */
limits.maxratio = 200; /* maximum compression ratio */
if((ret = cl_scanfile("/tmp/test.exe", &virname, NULL, engine,
&limits, CL_STDOPT)) == CL_VIRUS) {
printf("Virus detected: %s\n", virname);
} else {
printf("No virus detected.\n");
if(ret != CL_CLEAN)
printf("Error: %s\n", cl_strerror(ret));
}
</PRE>
<P>
<HR>
<!--Navigation Panel-->
<A NAME="tex2html767"
HREF="node45.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A>
<A NAME="tex2html763"
HREF="node43.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A>
<A NAME="tex2html757"
HREF="node43.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A>
<A NAME="tex2html765"
HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A>
<BR>
<B> Next:</B> <A NAME="tex2html768"
HREF="node45.html">Memory</A>
<B> Up:</B> <A NAME="tex2html764"
HREF="node43.html">Database reloading</A>
<B> Previous:</B> <A NAME="tex2html758"
HREF="node43.html">Database reloading</A>
  <B> <A NAME="tex2html766"
HREF="node1.html">Contents</A></B>
<!--End of Navigation Panel-->
<ADDRESS>
Tomasz Kojm
2007-03-01
</ADDRESS>
</BODY>
</HTML>
|
