[Clamav-devel] cli_scanbuff usage

chris 0 viscousplacebo at gmail.com
Sun Mar 16 13:27:14 EDT 2014


Hi,

I'm just wondering if anyone can give me any advice on using cli_scanbuff,
I'm currently
completely stumped, I'm trying to simply get it to detect the EICAR 'virus'.

I call it with the following snippet:
--------------
unsigned char *buf = "X5O!P%@AP
[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

if((ret = cl_scanbuff(buf, strlen(buf),&virname, &size, engine,
CL_SCAN_STDOPT)) == CL_VIRUS) {
         ................................
}
-------------

Using the following additions I've added to the library:
-------------

int cl_scanbuff(unsigned char *data,unsigned int len, const char **virname,
unsigned long int *scanned, const struct cl_engine *engine, unsigned int
scanoptions)
{
    return cl_scanbuff_callback(data, len,virname, scanned, engine,
scanoptions, NULL);
}

int cl_scanbuff_callback(unsigned char *data,unsigned int len, const char
**virname, unsigned long int *scanned, const struct cl_engine *engine,
unsigned int scanoptions, void *context)
{
    return scan_buff(data,len, NULL, virname, scanned, engine, scanoptions,
context);
}


static int scan_buff(unsigned char *data,uint32_t len, cl_fmap_t *map,
const char **virname, unsigned long int *scanned, const struct cl_engine
*engine, unsigned int scanoptions, void *context)
{
    cli_ctx ctx;
    int rc;
    struct cli_matcher *groot = NULL;
    struct cli_matcher *troot = NULL;
    struct cli_matcher *root;
    struct cli_ac_data gmdata, tmdata;
    struct cli_ac_data *mdata[2];
    int ret;
    unsigned int viruses_found = 0;

    int *partcnt;
    unsigned long int *partoff;

    cli_file_t ftype = CL_TYPE_ANY;

    memset(&ctx, '\0', sizeof(cli_ctx));
    ctx.engine = engine;
    ctx.virname = virname;
    ctx.scanned = scanned;
    ctx.options = scanoptions;

    root = (struct cli_matcher *) mpool_calloc(ctx.engine->mempool, 1,
sizeof(struct cli_matcher));

#ifdef USE_MPOOL
    root->mempool = ctx.engine->mempool;
#endif

    ctx.engine->root[0] = root;

   ret = cli_scanbuff(data, len, 0, &ctx, 0, NULL);

    if (ret == CL_VIRUS)
        viruses_found++;

    if (ret == CL_CLEAN && ctx.num_viruses){
        ret = CL_VIRUS;
    }

     return (ret != CL_CLEAN)?ret:viruses_found?CL_VIRUS:CL_CLEAN;
}

-------------

Currently it always returns, with CL_CLEAN.  I can easily detect EICAR with
a file, but for some reason not with cli_scanbuff.

Anyone got any ideas?

Kind Regards

Chris


More information about the clamav-devel mailing list