[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-6156-g094ec9b
Tomasz Kojm
tkojm at clamav.net
Sun Apr 4 01:19:13 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 4a01b4efe9f51bc8adbb43703b655ed7f5daab55
Author: Tomasz Kojm <tkojm at clamav.net>
Date: Mon Feb 8 19:19:31 2010 +0100
libclamav: prefix all engine detections with "Heuristics." (bb#1808)
(also change Phishing.Heuristics.* -> Heuristics.Phishing.*)
diff --git a/ChangeLog b/ChangeLog
index 2a1575c..cd72171 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Mon Feb 8 19:17:14 CET 2010 (tk)
+---------------------------------
+ * libclamav: prefix all engine detections with "Heuristics." (bb#1808)
+ (also change Phishing.Heuristics.* -> Heuristics.Phishing.*)
+
Mon Feb 8 13:40:06 CET 2010 (acab)
----------------------------------
* libclamav: drop support for type 8 signatures. disasm matching is now
diff --git a/libclamav/elf.c b/libclamav/elf.c
index 3a978c8..e54ac4f 100644
--- a/libclamav/elf.c
+++ b/libclamav/elf.c
@@ -215,7 +215,7 @@ int cli_scanelf(cli_ctx *ctx)
cli_dbgmsg("ELF: Suspicious number of program headers\n");
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_EFORMAT;
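Review bot: The literal `"Heuristics.Broken.Executable"` is now spelled out by hand at every broken-executable site in elf.c and pe.c, so the next rename, or a single typo, would leave the engine reporting two different names for the same condition. A shared definition such as `#define CLI_VIRNAME_BROKEN_EXE "Heuristics.Broken.Executable"` (name is a suggestion) in a common libclamav header would keep them in step. The surrounding `if(DETECT_BROKEN) { ... return CL_VIRUS; }` block is also repeated verbatim; the macho.c hunk shows the same logic already wrapped in a macro, and the other scanners could share one helper. This applies to every later `Broken.Executable` hunk in this commit. The body of cli_scanelf continues outside the hunk.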
@@ -228,7 +228,7 @@ int cli_scanelf(cli_ctx *ctx)
cli_dbgmsg("ELF: phentsize != sizeof(struct elf_program_hdr32)\n");
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_EFORMAT;
@@ -275,7 +275,7 @@ int cli_scanelf(cli_ctx *ctx)
free(program_hdr);
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
@@ -296,7 +296,7 @@ int cli_scanelf(cli_ctx *ctx)
cli_dbgmsg("ELF: Can't calculate file offset of entry point\n");
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_EFORMAT;
@@ -313,7 +313,7 @@ int cli_scanelf(cli_ctx *ctx)
cli_dbgmsg("ELF: Suspicious number of sections\n");
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_EFORMAT;
@@ -324,7 +324,7 @@ int cli_scanelf(cli_ctx *ctx)
cli_dbgmsg("ELF: shentsize != sizeof(struct elf_section_hdr32)\n");
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_EFORMAT;
@@ -373,7 +373,7 @@ int cli_scanelf(cli_ctx *ctx)
free(section_hdr);
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
diff --git a/libclamav/macho.c b/libclamav/macho.c
index 5a1e43d..937d9b0 100644
--- a/libclamav/macho.c
+++ b/libclamav/macho.c
@@ -175,7 +175,7 @@ struct macho_fat_arch
return -1; \
if(DETECT_BROKEN) { \
if(ctx->virname) \
- *ctx->virname = "Broken.Executable"; \
+ *ctx->virname = "Heuristics.Broken.Executable"; \
return CL_VIRUS; \
} \
return CL_EFORMAT
diff --git a/libclamav/mbox.c b/libclamav/mbox.c
index 65b511b..c2f95e2 100644
--- a/libclamav/mbox.c
+++ b/libclamav/mbox.c
@@ -545,7 +545,7 @@ cli_parse_mbox(const char *dir, int desc, cli_ctx *ctx)
}
if((retcode == CL_CLEAN) && ctx->found_possibly_unwanted && (*ctx->virname == NULL)) {
- *ctx->virname = "Phishing.Heuristics.Email";
+ *ctx->virname = "Heuristics.Phishing.Email";
ctx->found_possibly_unwanted = 0;
retcode = CL_VIRUS;
}
diff --git a/libclamav/pe.c b/libclamav/pe.c
index 0ac5b84..899c6af 100644
--- a/libclamav/pe.c
+++ b/libclamav/pe.c
@@ -539,7 +539,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
/* truncated header? */
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
@@ -669,7 +669,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
if(nsections < 1 || nsections > 96) {
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
if(nsections)
@@ -689,7 +689,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
cli_dbgmsg("SizeOfOptionalHeader too small\n");
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
@@ -700,7 +700,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
cli_dbgmsg("Can't read optional file header\n");
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
@@ -714,7 +714,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
cli_dbgmsg("Incorrect SizeOfOptionalHeader for PE32+\n");
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
@@ -730,7 +730,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
cli_warnmsg("Incorrect magic number in optional header\n");
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
cli_dbgmsg("9x compatibility mode\n");
@@ -772,7 +772,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
cli_dbgmsg("Can't read optional file header\n");
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
@@ -853,14 +853,14 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
if (DETECT_BROKEN && !native && (!(pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment)) || (pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment))%0x1000)) {
cli_dbgmsg("Bad virtual alignemnt\n");
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
if (DETECT_BROKEN && !native && (!(pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment)) || (pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment))%0x200)) {
cli_dbgmsg("Bad file alignemnt\n");
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
@@ -891,7 +891,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
free(exe_sections);
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
@@ -959,7 +959,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
if (DETECT_BROKEN && (!valign || (exe_sections[i].urva % valign))) { /* Bad virtual alignment */
cli_dbgmsg("VirtualAddress is misaligned\n");
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
free(section_hdr);
free(exe_sections);
return CL_VIRUS;
@@ -972,7 +972,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
free(exe_sections);
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN; /* no ninjas to see here! move along! */
@@ -1007,7 +1007,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
free(exe_sections);
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
@@ -1017,7 +1017,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
if (DETECT_BROKEN && exe_sections[i].urva!=hdr_size) { /* Bad first section RVA */
cli_dbgmsg("First section is in the wrong place\n");
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
free(section_hdr);
free(exe_sections);
return CL_VIRUS;
@@ -1028,7 +1028,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
if (DETECT_BROKEN && exe_sections[i].urva - exe_sections[i-1].urva != exe_sections[i-1].vsz) { /* No holes, no overlapping, no virtual disorder */
cli_dbgmsg("Virtually misplaced section (wrong order, overlapping, non contiguous)\n");
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
free(section_hdr);
free(exe_sections);
return CL_VIRUS;
@@ -1050,7 +1050,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
free(exe_sections);
if(DETECT_BROKEN) {
if(ctx->virname)
- *ctx->virname = "Broken.Executable";
+ *ctx->virname = "Heuristics.Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
@@ -1107,7 +1107,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
if(pt) {
pt += 15;
if((((uint32_t)cli_readint32(pt) ^ (uint32_t)cli_readint32(pt + 4)) == 0x505a4f) && (((uint32_t)cli_readint32(pt + 8) ^ (uint32_t)cli_readint32(pt + 12)) == 0xffffb) && (((uint32_t)cli_readint32(pt + 16) ^ (uint32_t)cli_readint32(pt + 20)) == 0xb8)) {
- *ctx->virname = "W32.Parite.B";
+ *ctx->virname = "Heuristics.W32.Parite.B";
free(exe_sections);
return CL_VIRUS;
}
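Review bot: The store `*ctx->virname = "Heuristics.W32.Parite.B";` dereferences `ctx->virname` without the `if(ctx->virname)` test that every `Broken.Executable` site in this same function performs. If a caller may pass a context without a name slot, which the guarded sites suggest but the hunk does not show, this path writes through a null pointer while scanning an untrusted file. Either guard it the same way, `if(ctx->virname) *ctx->virname = "Heuristics.W32.Parite.B";`, or drop the guards elsewhere if the pointer is guaranteed non-NULL, so the contract is stated once. The same unguarded pattern appears in the Kriz, Magistr, Polipos and Swizzor hunks below and in the mbox.c, phishcheck.c, scanners.c, special.c and unzip.c hunks. The body of cli_scanpe continues outside the hunk.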
@@ -1190,7 +1190,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
break;
case KZSLOOP:
if (op==kzdsize+0x48 && *kzcode==0x75 && kzlen-(int8_t)kzcode[1]-3<=kzinitlen && kzlen-(int8_t)kzcode[1]>=kzxorlen) {
- *ctx->virname = "W32.Kriz";
+ *ctx->virname = "Heuristics.W32.Kriz";
free(exe_sections);
return CL_VIRUS;
}
@@ -1217,7 +1217,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
if((tbuff = fmap_need_off_once(map, exe_sections[nsections - 1].raw + rsize - bw, 4096))) {
if(cli_memstr(tbuff, 4091, "\xe8\x2c\x61\x00\x00", 5)) {
- *ctx->virname = dam ? "W32.Magistr.A.dam" : "W32.Magistr.A";
+ *ctx->virname = dam ? "Heuristics.W32.Magistr.A.dam" : "Heuristics.W32.Magistr.A";
free(exe_sections);
return CL_VIRUS;
}
@@ -1229,7 +1229,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
if((tbuff = fmap_need_off_once(map, exe_sections[nsections - 1].raw + rsize - bw, 4096))) {
if(cli_memstr(tbuff, 4091, "\xe8\x04\x72\x00\x00", 5)) {
- *ctx->virname = dam ? "W32.Magistr.B.dam" : "W32.Magistr.B";
+ *ctx->virname = dam ? "Heuristics.W32.Magistr.B.dam" : "Heuristics.W32.Magistr.B";
free(exe_sections);
return CL_VIRUS;
}
@@ -1277,7 +1277,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
for(i=0;i<xsjs;i++) {
if(!(code = fmap_need_off_once(map, jumps[i], 9))) continue;
if((jump=cli_readint32(code))==0x60ec8b55 || (code[4]==0x0ec && ((jump==0x83ec8b55 && code[6]==0x60) || (jump==0x81ec8b55 && !code[7] && !code[8])))) {
- *ctx->virname = "W32.Polipos.A";
+ *ctx->virname = "Heuristics.W32.Polipos.A";
free(jumps);
free(exe_sections);
return CL_VIRUS;
@@ -1299,7 +1299,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
else {
cli_parseres_special(EC32(dirs[2].VirtualAddress), EC32(dirs[2].VirtualAddress), map, exe_sections, nsections, fsize, hdr_size, 0, 0, &m, stats);
if ((ret = cli_detect_swizz(stats)) == CL_VIRUS) {
- *ctx->virname = "Trojan.Swizzor.Gen";
+ *ctx->virname = "Heuristics.Trojan.Swizzor.Gen";
}
free(stats);
}
diff --git a/libclamav/phishcheck.c b/libclamav/phishcheck.c
index 74bda9d..583d743 100644
--- a/libclamav/phishcheck.c
+++ b/libclamav/phishcheck.c
@@ -810,29 +810,29 @@ int phishingScan(cli_ctx* ctx,tag_arguments_t* hrefs)
case CL_PHISH_CLEAN:
continue;
case CL_PHISH_NUMERIC_IP:
- *ctx->virname="Phishing.Heuristics.Email.Cloaked.NumericIP";
+ *ctx->virname="Heuristics.Phishing.Email.Cloaked.NumericIP";
break;
case CL_PHISH_CLOAKED_NULL:
- *ctx->virname="Phishing.Heuristics.Email.Cloaked.Null";/*fakesite%01%00 at fake.example.com*/
+ *ctx->virname="Heuristics.Phishing.Email.Cloaked.Null";/*fakesite%01%00 at fake.example.com*/
break;
case CL_PHISH_SSL_SPOOF:
- *ctx->virname="Phishing.Heuristics.Email.SSL-Spoof";
+ *ctx->virname="Heuristics.Phishing.Email.SSL-Spoof";
break;
case CL_PHISH_CLOAKED_UIU:
- *ctx->virname="Phishing.Heuristics.Email.Cloaked.Username";/*http://banksite@fake.example.com*/
+ *ctx->virname="Heuristics.Phishing.Email.Cloaked.Username";/*http://banksite@fake.example.com*/
break;
case CL_PHISH_HASH0:
- *ctx->virname="Safebrowsing.Suspected-malware_safebrowsing.clamav.net";
+ *ctx->virname="Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net";
break;
case CL_PHISH_HASH1:
- *ctx->virname="Phishing.URL.Blacklisted";
+ *ctx->virname="Heuristics.Phishing.URL.Blacklisted";
break;
case CL_PHISH_HASH2:
- *ctx->virname="Safebrowsing.Suspected-phishing_safebrowsing.clamav.net";
+ *ctx->virname="Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net";
break;
case CL_PHISH_NOMATCH:
default:
- *ctx->virname="Phishing.Heuristics.Email.SpoofedDomain";
+ *ctx->virname="Heuristics.Phishing.Email.SpoofedDomain";
break;
}
return cli_found_possibly_unwanted(ctx);
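Review bot: The names in this switch are reordered rather than just prefixed (`Phishing.Heuristics.Email.*` becomes `Heuristics.Phishing.Email.*`), so anything downstream that matches on the old leading component, such as mail-filter rules, log parsers or alerting, will silently stop matching instead of failing loudly. The code gives no hint of the former names; a short comment above the switch such as `/* names were Phishing.Heuristics.Email.* before bb#1808 */` would help, along with an old-to-new mapping in the release notes. The `CL_PHISH_HASH0`/`HASH1`/`HASH2` cases also gain the `Heuristics.` prefix although their names (`Safebrowsing.*`, `URL.Blacklisted`) read like list or hash lookups. If that is what they are, a comment should say the prefix marks an engine-generated name rather than a heuristic verdict. The body of phishingScan starts outside the hunk.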
diff --git a/libclamav/scanners.c b/libclamav/scanners.c
index 1cdc134..bbc0509 100644
--- a/libclamav/scanners.c
+++ b/libclamav/scanners.c
@@ -187,7 +187,7 @@ static int cli_unrar_scanmetadata(int desc, unrar_metadata_t *metadata, cli_ctx
lseek(desc, 0, SEEK_SET);
ret = cli_scandesc(desc, ctx, 0, 0, NULL, AC_SCAN_VIR);
if(ret != CL_VIRUS) {
- *ctx->virname = "Encrypted.RAR";
+ *ctx->virname = "Heuristics.Encrypted.RAR";
return CL_VIRUS;
}
}
@@ -229,7 +229,7 @@ static int cli_scanrar(int desc, cli_ctx *ctx, off_t sfx_offset, uint32_t *sfx_c
lseek(desc, 0, SEEK_SET);
ret = cli_scandesc(desc, ctx, 0, 0, NULL, AC_SCAN_VIR);
if(ret != CL_VIRUS)
- *ctx->virname = "Encrypted.RAR";
+ *ctx->virname = "Heuristics.Encrypted.RAR";
return CL_VIRUS;
}
return CL_CLEAN;
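Review bot: The `if(ret != CL_VIRUS)` in this cli_scanrar hunk controls only the assignment, and the `return CL_VIRUS;` after it runs unconditionally, which is easy to misread next to the braced version in cli_unrar_scanmetadata just above, where the return sits inside the block. Bracing the single statement makes that explicit: `if(ret != CL_VIRUS) { *ctx->virname = "Heuristics.Encrypted.RAR"; }`. A one-line comment such as `/* a real signature match keeps its own name */` would record why the name is only set when the rescan found nothing. The enclosing block starts outside the hunk.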
@@ -1298,7 +1298,7 @@ static int cli_scanriff(int desc, cli_ctx *ctx)
if(cli_check_riff_exploit(desc) == 2) {
ret = CL_VIRUS;
- *ctx->virname = "Exploit.W32.MS05-002";
+ *ctx->virname = "Heuristics.Exploit.W32.MS05-002";
}
return ret;
@@ -1310,7 +1310,7 @@ static int cli_scanjpeg(int desc, cli_ctx *ctx)
if(cli_check_jpeg_exploit(desc, ctx) == 1) {
ret = CL_VIRUS;
- *ctx->virname = "Exploit.W32.MS04-028";
+ *ctx->virname = "Heuristics.Exploit.W32.MS04-028";
}
return ret;
@@ -1569,13 +1569,13 @@ static int cli_scan_structured(int desc, cli_ctx *ctx)
if(cc_count != 0 && cc_count >= ctx->engine->min_cc_count) {
cli_dbgmsg("cli_scan_structured: %u credit card numbers detected\n", cc_count);
- *ctx->virname = "Structured.CreditCardNumber";
+ *ctx->virname = "Heuristics.Structured.CreditCardNumber";
return CL_VIRUS;
}
if(ssn_count != 0 && ssn_count >= ctx->engine->min_ssn_count) {
cli_dbgmsg("cli_scan_structured: %u social security numbers detected\n", ssn_count);
- *ctx->virname = "Structured.SSN";
+ *ctx->virname = "Heuristics.Structured.SSN";
return CL_VIRUS;
}
diff --git a/libclamav/special.c b/libclamav/special.c
index 954f215..14298dc 100644
--- a/libclamav/special.c
+++ b/libclamav/special.c
@@ -77,7 +77,7 @@ int cli_check_mydoom_log(int desc, cli_ctx *ctx)
if (j < 2) {
retval = CL_CLEAN;
} else if (retval==CL_VIRUS) {
- *ctx->virname = "Worm.Mydoom.M.log";
+ *ctx->virname = "Heuristics.Worm.Mydoom.M.log";
}
return retval;
diff --git a/libclamav/unzip.c b/libclamav/unzip.c
index ad15362..da40fcc 100644
--- a/libclamav/unzip.c
+++ b/libclamav/unzip.c
@@ -350,7 +350,7 @@ static unsigned int lhdr(fmap_t *map, uint32_t loff,uint32_t zsize, unsigned int
if(detect_encrypted && (LH_flags & F_ENCR) && DETECT_ENCRYPTED) {
cli_dbgmsg("cli_unzip: Encrypted files found in archive.\n");
- *ctx->virname = "Encrypted.Zip";
+ *ctx->virname = "Heuristics.Encrypted.Zip";
*ret = CL_VIRUS;
fmap_unneed_off(map, loff, SIZEOF_LH);
return 0;
--
Debian repository for ClamAV