Sorry, I forgot to respond to the second part of your email.   When you are 
asking about enabling JIT, are you referring to LLVM/bytecode features in 
ClamAV or are you referring to a JIT compiler for PHP?

To answer question A:  ClamAV uses either LLVM or a bytecode interpreter for a 
small set of malware signatures that are written in bytecode.  JIT is not used 
to improve ClamAV performance, simply to support this type of signature.  At 
this time the set of bytecode signatures is pretty small relative to the rest 
of the signatures.  It is up to you if you want to enable support for these or 
not.

I don’t know how to answer question B.

Regards,

Micah

Micah Snyder
Software Engineer
Talos
Cisco Systems, Inc.



On Jan 14, 2018, at 6:07 PM, Jose <[email protected]> wrote:

contents:
1: an observation and caution regarding the cl_scanfile() return value
2: a question about JIT and SElinux

===

1: cl_scanfile()

The php function cl_scanfile() returns an int, where 0 means the file is clean, 
and a nonzero value indicates an infection of some sort.  The actual ints are 
abstracted behind constants such as CL_VIRUS and CL_CLEAN, and the 
documentation shows the following (edited) example usage (note the == 
comparison):

$retcode = cl_scanfile($file, $virusname);
if ($retcode == CL_VIRUS)
{   // do "infected file" stuff
}
else
{   // do "clean file" stuff
}

However, if cl_scanfile() is refused permission to run at all (such as by a 
misconfigured SElinux), then the return value is a boolean (FALSE).

When compared to the int value CL_VIRUS using a "double equal" operator, the 
boolean FALSE is converted to an int zero, and the file looks clean rather than 
unscanned!

Always check for boolean FALSE, and consider when to use double and triple 
equal comparisons with this in mind.

Better would be:

$retcode = cl_scanfile($file, $virusname);
if ($retcode === FALSE)
{ // do "file wasn't scanned" stuff
}
elseif ($retcode == CL_VIRUS)
{ // do "infected file" stuff
}
elseif ($retcode === CL_CLEAN)
{ // do "clean file" stuff
}
else
{ // you should never get here
 // do "program has a bug" stuff
}

====

2: Question about JIT and SElinux

It appears to me that if I use JIT, and want to scan file uploads from within 
php then I also have to tell SElinux to allow httpd (Apache) to use exec, 
something I'd just as soon not do.  If I disable JIT and disable Apache's 
access to exec in SElinux, I can still scan files (presumably with a 
performance hit, which is why JIT is there in the first place).

So my two questions are:

A: Considering I'm calling the virus scanner from within a php script already, 
does JIT make that much of a performance difference?

B: And (how) can I set cl_scanfile() to use JIT without letting Apache use exec?

Thanks.

Jose
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
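As an added example (not code from the thread or from the php-clamav extension), here is a PHP wrapper that applies the strict-comparison advice above and fails closed when the scanner could not run. It assumes the constant values CL_CLEAN = 0 and CL_VIRUS = 1 (as in libclamav) and stubs cl_scanfile() only when the extension is not loaded, so the script runs offline:

```php
<?php
// Added example: wrap cl_scanfile() so "clean", "infected" and "not scanned"
// are three distinct outcomes, and a FALSE return never looks like a clean file.

// Assumption: if php-clamav is not loaded, stand in for its constants and
// function so this runs offline. CL_CLEAN = 0 and CL_VIRUS = 1 match libclamav.
// The stub models the permission-denied case from the thread by returning FALSE.
if (!defined('CL_CLEAN')) { define('CL_CLEAN', 0); }
if (!defined('CL_VIRUS')) { define('CL_VIRUS', 1); }
if (!function_exists('cl_scanfile')) {
    function cl_scanfile(string $file, &$virusname) {
        if (!is_readable($file)) {
            return false;               // scanner could not run on this file
        }
        // Constructed rule: a file carrying the EICAR marker counts as infected.
        $marker = 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE';
        if (strpos((string) file_get_contents($file), $marker) !== false) {
            $virusname = 'Eicar-Test-Signature';
            return CL_VIRUS;
        }
        return CL_CLEAN;
    }
}

// Tri-state verdict: 'clean', 'infected' or 'unscanned'. Only 'clean' should
// let an upload through; anything else is treated as not safely scanned.
function scan_verdict(string $file, ?string &$virusname = null): string {
    $retcode = cl_scanfile($file, $virusname);
    if ($retcode === false) {           // strict: with ==, FALSE would equal CL_CLEAN
        return 'unscanned';
    }
    if ($retcode === CL_VIRUS) {
        return 'infected';
    }
    if ($retcode === CL_CLEAN) {
        return 'clean';
    }
    return 'unscanned';                 // unexpected code: fail closed rather than open
}

// The pitfall side by side: the loose pattern from the docs versus the wrapper.
// With a path the scanner cannot read, cl_scanfile() returns FALSE; the loose
// check only asks "== CL_VIRUS", so FALSE falls through to the "clean" branch.
$missing = '/nonexistent/upload.bin';   // constructed path, unreadable on purpose
$loose   = (cl_scanfile($missing, $v) == CL_VIRUS) ? 'infected' : 'clean';
$strict  = scan_verdict($missing);
echo "loose-comparison result: $loose\n";
echo "strict wrapper verdict:  $strict\n";
```

The same wrapper is what a file-upload handler should call, rejecting anything whose verdict is not 'clean'.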
