[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-167-g4319a8f
edwin
edwin at 77e5149b-7576-45b1-b177-96237e5ba77b
Fri Jun 12 19:11:05 UTC 2009
The following commit has been merged in the debian/unstable branch:
commit 783fde377b040a902148a896414fd9fb347ba6a5
Author: edwin <edwin at 77e5149b-7576-45b1-b177-96237e5ba77b>
Date: Fri Apr 10 13:23:13 2009 +0000
Fix some Trojan.Swizzor.Gen false positives (bb #1558).
git-svn-id: http://svn.clamav.net/svn/clamav-devel/trunk@5036 77e5149b-7576-45b1-b177-96237e5ba77b
diff --git a/ChangeLog b/ChangeLog
index 6a75689..1fb6e4d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Fri Apr 10 16:23:00 EEST 2009 (edwin)
+-------------------------------------
+ * libclamav/pe.c, libclamav/special.c, libclamav/special.h: Fix some
+ Trojan.Swizzor.Gen false positives (bb #1558).
+
Fri Apr 10 15:06:43 EEST 2009 (edwin)
-------------------------------------
* shared/output.c: logg flags documentation
diff --git a/libclamav/pe.c b/libclamav/pe.c
index d40da38..e140eb5 100644
--- a/libclamav/pe.c
+++ b/libclamav/pe.c
@@ -357,6 +357,10 @@ static void cli_parseres_special(uint32_t base, uint32_t rva, int srcfd, struct
}*/
for (i=0; i<unnamed; i++, entry += 8) {
uint32_t id, offs;
+ if (stats->errors >= SWIZZ_MAXERRORS) {
+ cli_dbgmsg("cli_parseres_special: resources broken, ignoring\n");
+ return;
+ }
id = cli_readint32(entry)&0x7fffffff;
if(level==0) {
type = 0;
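Review bot: The new SWIZZ_MAXERRORS bail-out at the top of the loop carries no comment explaining why the whole resource tree is abandoned rather than just the broken entry, nor that cli_detect_swizz() applies the same threshold on its side. I would put above the check: `/* too many broken entries: treat the resource tree as corrupt and stop feeding the Swizzor heuristic (cli_detect_swizz() discards the stats too) */`. If cli_parseres_special recurses for deeper levels (the `level==0` test suggests it, but the call is not in this hunk), note that this `return` unwinds only one level and the parent loop re-tests the counter on its next entry, which is fine but worth saying. The enclosing loop and function both start and end outside the hunk.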
@@ -396,6 +400,7 @@ static void cli_parseres_special(uint32_t base, uint32_t rva, int srcfd, struct
cli_dbgmsg("cli_parseres_special: invalid resource table entry: %lu + %lu\n",
(unsigned long)rawaddr,
(unsigned long)isz);
+ stats->errors++;
continue;
}
str = cli_malloc(isz);
diff --git a/libclamav/special.c b/libclamav/special.c
index 85c4c0d..5f24c1b 100644
--- a/libclamav/special.c
+++ b/libclamav/special.c
@@ -380,6 +380,7 @@ void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_s
uint16_t words = 0;
int ret;
+ stats->entries++;
for(i=0;i<len-1 && j < sizeof(stri)-2;i += 2) {
unsigned char c = str[i];
if (str[i+1] || !c) {
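Review bot: The loop condition `i<len-1` evaluates `len-1` in uint32_t, so a call with len == 0 wraps to 0xFFFFFFFF and the loop reads past `str` until the `j` bound stops it; the new `stats->entries++` runs unconditionally before that loop, so an empty string is counted but not guarded. Unless every caller guarantees len >= 1 (pe.c validates `isz` before the call, but that check is not in this hunk), add `if (!len) return;` after the counter, or compute the bound as `len >= 2 ? len - 1 : 0`. The function starts and ends outside the hunk, so I cannot see whether later bookkeeping would be skipped by an early return; if it would, guard only the loop.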
@@ -430,6 +431,7 @@ void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_s
ngram_cnts[i] = (v<<10)/all;
}
ret = swizz_j48(ngram_cnts) ? CL_VIRUS : CL_CLEAN;
+ if (!words) ret = CL_CLEAN;
cli_dbgmsg("cli_detect_swizz_str: %s, %u words\n", ret == CL_VIRUS ? "suspicious" : "ok", words);
if (ret == CL_VIRUS) {
stats->suspicious += j;
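Review bot: The `if (!words) ret = CL_CLEAN;` override is applied after swizz_j48() has already run and after the `(v<<10)/all` normalization above it, so the classifier is evaluated on an input the commit has already decided to discard, and the division is reached before the guard. If `all` comes from the same counts that leave `words` at zero (its computation is outside the hunk), that division is the place that needs protecting, not the verdict. I would short-circuit instead: `ret = (words && swizz_j48(ngram_cnts)) ? CL_VIRUS : CL_CLEAN;` and test `words` (or `all`) before the normalization loop. The function continues past the hunk.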
@@ -494,11 +496,15 @@ int cli_detect_swizz(struct swizz_stats *stats)
cli_dbgmsg("\ncli_detect_swizz: global: %s\n", global_swizz ? "suspicious" : "clean");
}
+ if (stats->errors > stats->entries || stats->errors >= SWIZZ_MAXERRORS) {
+ cli_dbgmsg("cli_detect_swizz: resources broken, ignoring\n");
+ return CL_CLEAN;
+ }
if (stats->total <= 337)
- return CL_CLEAN;
+ return CL_CLEAN;
if (stats->suspicious<<10 > 20*stats->total)
- return CL_VIRUS;
- if (!stats->suspicious)
- return CL_CLEAN;
+ return CL_VIRUS;
+ if (!stats->suspicious)
+ return CL_CLEAN;
return global_swizz;
}
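Review bot: The new early return makes the Swizzor heuristic report CL_CLEAN once `errors` reaches SWIZZ_MAXERRORS or exceeds `entries`, and because `errors` is driven by resource-table entries under the sample's control (pe.c counts each invalid entry), a variant can opt out of this detection by padding its resource directory with broken entries; that trade-off is not recorded anywhere. I would state it above the check: `/* corrupt resource tree (more broken entries than parsed strings, or SWIZZ_MAXERRORS hit): bail out to avoid FPs on damaged files; a sample can trigger this deliberately, so this is a heuristic opt-out, not a hard signature */`. The remaining lines of the hunk only re-indent unchanged code (the `total <= 337` and `suspicious<<10 > 20*total` returns), which hides the one functional change inside whitespace churn; keep such reformatting in its own commit. cli_detect_swizz starts before the hunk.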
diff --git a/libclamav/special.h b/libclamav/special.h
index a0d38c4..55d8a51 100644
--- a/libclamav/special.h
+++ b/libclamav/special.h
@@ -22,12 +22,15 @@
#define __SPECIAL_H
#include "others.h"
+#define SWIZZ_MAXERRORS 2000
struct swizz_stats {
uint16_t gngrams[17576];
uint32_t total;
uint32_t suspicious;
int has_version;
int has_manifest;
+ int errors;
+ int entries;
};
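Review bot: The two new counters are declared `int` beside the struct's existing `uint32_t total` and `uint32_t suspicious`, although they only ever count upward and are compared against each other and against SWIZZ_MAXERRORS; `uint32_t errors, entries;` would match the existing counters and avoid signed/unsigned mixing if they are ever compared with `total`. Whoever allocates `struct swizz_stats` must also zero the new fields — if the allocation is a bare cli_malloc without a memset (not visible here), `errors > entries` in cli_detect_swizz reads indeterminate values. The macro deserves a one-line comment as well: `#define SWIZZ_MAXERRORS 2000 /* broken resource entries after which the tree is treated as corrupt */`.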
int cli_check_mydoom_log(int desc, const char **virname);