Re: [clamav-users] How can I have clamd reject items that can't be scanned?

Thu, 10 Nov 2011 11:16:24 -0800 

On 11/10/2011 09:02 PM, Jim Preston wrote:
> On 11/09/2011 02:44 PM, Török Edwin wrote:
> [snip]
>>>
>>> Well of course there have to be limits somewhere, and I recall one issue is 
>>> malevalent attachments designed specifically to crash extractors.
>>> A second issue I recall from the past is the sending of password protected 
>>> archives - the scanner is unable to check it, but of course a user taken in 
>>> by the message may well open it. So that's a
>>> separate consideration - whether to allow password protected archives or to 
>>> reject them.
>> There is BlockEncrypted for that purpose.
>>
>>
>> Best regards,
>> --Edwin
> Now the question is, is there a BlockUnscanned (due to whatever reason) or 
> should this be a feature request submitted by the OP?
> 

There isn't. There used to be the Oversized.Zip/Rar detections, but see aCaB's 
reply.

I don't think we want Oversized.* detections back in the official release at 
this time (too many FP reports),
but give this patch a try (untested):

diff --git a/libclamav/scanners.c b/libclamav/scanners.c
index 93cdc71..882d528 100644
--- a/libclamav/scanners.c
+++ b/libclamav/scanners.c
@@ -2122,6 +2122,11 @@ static void emax_reached(cli_ctx *ctx) {
     }


+static int limit(cli_ctx *ctx, const char *name)
+{
+    *ctx->virname = name;
+    return cli_found_possibly_unwanted(ctx);
+}

 static int magic_scandesc(int desc, cli_ctx *ctx, cli_file_t type)
 {
@@ -2582,9 +2587,13 @@ static int magic_scandesc(int desc, cli_ctx *ctx, 
cli_file_t type)

     switch(ret) {
        case CL_EFORMAT:
+           ret_from_magicscan(limit(ctx, "Unscanned.Badformat"));
        case CL_EMAXREC:
+           ret_from_magicscan(limit(ctx, "Unscanned.Oversized.MaxRec"));
        case CL_EMAXSIZE:
+           ret_from_magicscan(limit(ctx, "Unscanned.Oversized.MaxSize"));
        case CL_EMAXFILES:
+           ret_from_magicscan(limit(ctx, "Unscanned.Oversized.MaxFiles"));
            cli_dbgmsg("Descriptor[%d]: %s\n", desc, cl_strerror(ret));
        case CL_CLEAN:
            perf_start(ctx, PERFT_CACHE);

Best regards,
--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Reply via email to