[clamav-users] 1 - cl_scanfile return value checking, 2 - JIT and SElinux

Micah Snyder (micasnyd) micasnyd at cisco.com
Fri Jan 19 16:17:43 UTC 2018


Sorry, I forgot to respond to the second part of your email.   When you are asking about enabling JIT, are you referring to LLVM/bytecode features in ClamAV or are you referring to a JIT compiler for PHP?

To answer question A:  ClamAV uses either LLVM or a bytecode interpreter for a small set of malware signatures that are written in bytecode.  JIT is not used to improve ClamAV performance, simply to support this type of signature.  At this time the set of bytecode signatures is pretty small relative to the rest of the signatures.  It is up to you if you want to enable support for these or not.

I don’t know how to answer question B.

Regards,

Micah

Micah Snyder
Software Engineer
Talos
Cisco Systems, Inc.



On Jan 14, 2018, at 6:07 PM, Jose <teacherjh at aol.com<mailto:teacherjh at aol.com>> wrote:

contents:
1: an observation and caution regarding the cl_scanfile() return value
2: a question about JIT and SElinux

===

1: cl_scanfile()

The php function cl_scanfile() returns an int, where 0 means the file is clean, and a nonzero value indicates an infection of some sort.  The actual ints are abstracted behind constants such as CL_VIRUS and CL_CLEAN, and the documentation shows the following (edited) example usage (note the == comparison):

$retcode = cl_scanfile($file, $virusname);
if ($retcode == CL_VIRUS)
{   // do "infected file" stuff
}
else
{   // do "clean file" stuff
}

However, if cl_scanfile() is refused permission to run at all (such as by a misconfigured SElinux), then the return value is a boolean (FALSE).

When compared to the int value CL_VIRUS using a "double equal" operator, the boolean FALSE is converted to an int zero, and the file looks clean rather than unscanned!

Always check for boolean FALSE, and consider when to use double and triple equal comparisons with this in mind.

Better would be:

$retcode = cl_scanfile($file, $virusname);
if ($retcode === FALSE)
{ // do "file wasn't scanned" stuff
}
elseif ($retcode == CL_VIRUS)
{ // do "infected file" stuff
}
elseif ($retcode === CL_CLEAN)
{ // do "clean file" stuff
}
else
{ // you should never get here
 // do "program has a bug" stuff
}

====

2: Question about JIT and SElinux

It appears to me that if I use JIT, and want to scan file uploads from within php then I also have to tell SElinux to allow httpd (Apache) to use exec, something I'd just as soon not do.  If I disable JIT and disable Apache's access to exec in SElinux, I can still scan files (presumably with a performance hit, which is why JIT is there in the first place).

So my two questions are:

A: Considering I'm calling the virus scanner from within a php script already, does JIT make that much of a performance difference?

B: And (how) can I set cl_scanfile() to use JIT without letting Apache use exec?

Thanks.

Jose
_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net<mailto:clamav-users at lists.clamav.net>
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml



More information about the clamav-users mailing list