[clamav-users] Incompatible clamav.h changes
Alessandro Vesely
vesely at tana.it
Thu Feb 28 18:55:58 UTC 2019
Hi Micah,
Thank you so much for your prompt reply.
On Wed 27/Feb/2019 20:48:44 +0100 Micah Snyder (micasnyd) via clamav-users wrote:
>
> You're correct, there are non-backwards compatible changes in clamav.h in version 0.101. The libclamav major version number was also increased to highlight the incompatibility.
>
> The changes are mentioned somewhat briefly in the release notes:
> https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html
> https://github.com/Cisco-Talos/clamav-devel/blob/clamav-0.101.1/NEWS.md#some-of-the-more-obvious-changes
That doc is rather brief about #define's. I attach my attempt at matching them. Besides having different values and going to different variables, CL_SCAN_* have new names.
> CL_SCAN_STDOPT previously enabled all parsers, plus heuristic alerts (which were sometimes/inconsistently referred to as algorithmic detection):
> https://github.com/Cisco-Talos/clamav-devel/blob/clamav-0.100.2/libclamav/clamav.h#L181
>
> In 0.101, CL_SCAN_STDOPT has gone away. Instead, you can get the same functionality by setting the following, as shown in the example (https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/examples/ex1.c#L93):
I see. I think I'll code #ifdef CL_SCAN_STDOPT for compile time switching, trying to be compatible with v100.
> options.parse |= ~0; /* enable all parsers */
> options.general |= CL_SCAN_GENERAL_HEURISTICS; /* enable heuristic alert options */
The docs suggest AlgorithmicDetection becomes HeuristicAlerts; I'm not clear whether that implies CL_SCAN_ALGORITHMIC becomes CL_SCAN_GENERAL_HEURISTICS (as claimed in my attachment).
Best
Ale
--
-------------- next part --------------
CL_ENGINE_* and CL_DB_* defines are untouched.
CL_SCAN_* migrated as follows(?):
-#define CL_SCAN_RAW 0x0
-#define CL_SCAN_STDOPT (CL_SCAN_ARCHIVE | CL_SCAN_MAIL | CL_SCAN_OLE2 | CL_SCAN_PDF | CL_SCAN_HTML | CL_SCAN_PE | CL_SCAN_ALGORITHMIC | CL_SCAN_ELF | CL_SCAN_SWF | CL_SCAN_XMLDOCS | CL_SCAN_HWP3)
-#define CL_SCAN_ARCHIVE 0x1
+#define CL_SCAN_PARSE_ARCHIVE 0x1
-#define CL_SCAN_MAIL 0x2
+#define CL_SCAN_PARSE_MAIL 0x40
-#define CL_SCAN_OLE2 0x4
+#define CL_SCAN_PARSE_OLE2 0x80
-#define CL_SCAN_BLOCKENCRYPTED 0x8
+#define CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE 0x40 /* alert if archive is encrypted (rar, zip, etc) */
+#define CL_SCAN_HEURISTIC_ENCRYPTED_DOC 0x80 /* alert if a document is encrypted (pdf, docx, etc) */
-#define CL_SCAN_HTML 0x10
+#define CL_SCAN_PARSE_HTML 0x100
-#define CL_SCAN_PE 0x20
+#define CL_SCAN_PARSE_PE 0x200
-#define CL_SCAN_BLOCKBROKEN 0x40
+#define CL_SCAN_HEURISTIC_BROKEN 0x2 /* alert on broken PE and broken ELF files */
-#define CL_SCAN_MAILURL 0x80 /* ignored */
-#define CL_SCAN_BLOCKMAX 0x100
+#define CL_SCAN_HEURISTIC_EXCEEDS_MAX 0x4 /* alert when files exceed scan limits (filesize, max scansize, or max recursion depth) */
-#define CL_SCAN_ALGORITHMIC 0x200
+#define CL_SCAN_GENERAL_HEURISTICS 0x4 /* option to enable heuristic alerts */
-#define CL_SCAN_PHISHING_BLOCKSSL 0x800 /* ssl mismatches, not ssl by itself*/
+#define CL_SCAN_HEURISTIC_PHISHING_SSL_MISMATCH 0x8 /* alert on SSL mismatches */
-#define CL_SCAN_PHISHING_BLOCKCLOAK 0x1000
+#define CL_SCAN_HEURISTIC_PHISHING_CLOAK 0x10 /* alert on cloaked URLs in emails */
-#define CL_SCAN_ELF 0x2000
+#define CL_SCAN_PARSE_ELF 0x2
-#define CL_SCAN_PDF 0x4000
+#define CL_SCAN_PARSE_PDF 0x4
-#define CL_SCAN_STRUCTURED 0x8000
+#define CL_SCAN_HEURISTIC_STRUCTURED 0x200 /* data loss prevention options, i.e. alert when detecting personal information */
-#define CL_SCAN_STRUCTURED_SSN_NORMAL 0x10000
+#define CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL 0x400 /* alert when detecting social security numbers */
-#define CL_SCAN_STRUCTURED_SSN_STRIPPED 0x20000
+#define CL_SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED 0x800 /* alert when detecting stripped social security numbers */
-#define CL_SCAN_PARTIAL_MESSAGE 0x40000
+#define CL_SCAN_MAIL_PARTIAL_MESSAGE 0x1
-#define CL_SCAN_HEURISTIC_PRECEDENCE 0x80000
+#define CL_SCAN_GENERAL_HEURISTIC_PRECEDENCE 0x8 /* allow heuristic match to take precedence. */
-#define CL_SCAN_BLOCKMACROS 0x100000
+#define CL_SCAN_HEURISTIC_MACROS 0x20 /* alert on OLE2 files containing macros */
-#define CL_SCAN_ALLMATCHES 0x200000
+#define CL_SCAN_GENERAL_ALLMATCHES 0x1 /* scan in all-match mode */
-#define CL_SCAN_SWF 0x400000
+#define CL_SCAN_PARSE_SWF 0x8
-#define CL_SCAN_PARTITION_INTXN 0x800000
+#define CL_SCAN_HEURISTIC_PARTITION_INTXN 0x100 /* alert if partition table size doesn't make sense */
-#define CL_SCAN_XMLDOCS 0x1000000
+#define CL_SCAN_PARSE_XMLDOCS 0x20
-#define CL_SCAN_HWP3 0x2000000
+#define CL_SCAN_PARSE_HWP3 0x10
-#define CL_SCAN_PERFORMANCE_INFO 0x40000000 /* collect performance timings */
+#define CL_SCAN_DEV_COLLECT_PERFORMANCE_INFO 0x2 /* collect performance timings */
-#define CL_SCAN_INTERNAL_COLLECT_SHA 0x80000000 /* Enables hash output in sha-collect builds - for internal use only */
+#define CL_SCAN_DEV_COLLECT_SHA 0x1 /* Enables hash output in sha-collect builds - for internal use only */
-#define CL_SCAN_FILE_PROPERTIES 0x10000000
+#define CL_SCAN_GENERAL_COLLECT_METADATA 0x2 /* collect metadata (--gen-json) */
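Review bot: the listing records each macro's new value but not which field of the new options struct it belongs in, and the values repeat across fields (0x1 is CL_SCAN_PARSE_ARCHIVE, CL_SCAN_MAIL_PARTIAL_MESSAGE, CL_SCAN_GENERAL_ALLMATCHES and CL_SCAN_DEV_COLLECT_SHA; 0x4 is both CL_SCAN_HEURISTIC_EXCEEDS_MAX and CL_SCAN_GENERAL_HEURISTICS), so anyone applying the table by value alone can OR a bit into the wrong field and silently enable a different option. Suggest annotating each `+` line with its target field, following the `options.parse` / `options.general` usage quoted above, e.g. `+#define CL_SCAN_GENERAL_HEURISTICS 0x4 /* options.general */`. Three `-` lines have no `+` counterpart: CL_SCAN_STDOPT is covered by the quoted `options.parse |= ~0; options.general |= CL_SCAN_GENERAL_HEURISTICS;` recipe and could cite it in a comment, while CL_SCAN_RAW and CL_SCAN_MAILURL would benefit from a one-line comment stating that dropping them is intentional. The fan-out of CL_SCAN_BLOCKENCRYPTED into two heuristic flags is the one place where a single old bit becomes two new ones; a comment calling that out would stop a reader from mapping it to only the first.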
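The compatibility problem discussed in this thread (old callers hold a single CL_SCAN_* bitmask, 0.101 wants per-field options) can be handled with a translation table instead of rewriting every call site. The following is an added example, not ClamAV code and not the poster's attachment: it converts a 0.100-style bitmask into the 0.101 struct using the macro values from the attachment, returning any bits it could not map so the caller can refuse rather than scan with fewer options than it believes it enabled. The stand-in block at the top replaces <clamav.h> so the file compiles without libclamav; the field layout of struct cl_scan_options is an assumption about 0.101's header, and the CL_SCAN_ALGORITHMIC to CL_SCAN_GENERAL_HEURISTICS row repeats the attachment's guess.

```c
/* Added example (not ClamAV code): translate a 0.100-style CL_SCAN_* bitmask
 * into the per-field options struct that libclamav 0.101 expects. Macro values
 * come from the mapping in the attachment; the struct layout is an assumption. */
#include <stdint.h>

/* Stand-ins for 0.101's clamav.h so this compiles offline; drop this block
 * when building against the real header. */
struct cl_scan_options {
    uint32_t general;
    uint32_t parse;
    uint32_t heuristic;
    uint32_t mail;
    uint32_t dev;
};
#define CL_SCAN_GENERAL_HEURISTICS          0x4
#define CL_SCAN_PARSE_ARCHIVE               0x1
#define CL_SCAN_PARSE_ELF                   0x2
#define CL_SCAN_PARSE_PDF                   0x4
#define CL_SCAN_PARSE_SWF                   0x8
#define CL_SCAN_PARSE_HWP3                  0x10
#define CL_SCAN_PARSE_XMLDOCS               0x20
#define CL_SCAN_PARSE_MAIL                  0x40
#define CL_SCAN_PARSE_OLE2                  0x80
#define CL_SCAN_PARSE_HTML                  0x100
#define CL_SCAN_PARSE_PE                    0x200
#define CL_SCAN_HEURISTIC_EXCEEDS_MAX       0x4
#define CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE 0x40
#define CL_SCAN_HEURISTIC_ENCRYPTED_DOC     0x80

/* The 0.100 names that old callers still use (values from the attachment). */
#define CL_SCAN_ARCHIVE        0x1
#define CL_SCAN_MAIL           0x2
#define CL_SCAN_OLE2           0x4
#define CL_SCAN_BLOCKENCRYPTED 0x8
#define CL_SCAN_HTML           0x10
#define CL_SCAN_PE             0x20
#define CL_SCAN_MAILURL        0x80
#define CL_SCAN_BLOCKMAX       0x100
#define CL_SCAN_ALGORITHMIC    0x200
#define CL_SCAN_ELF            0x2000
#define CL_SCAN_PDF            0x4000
#define CL_SCAN_SWF            0x400000
#define CL_SCAN_XMLDOCS        0x1000000
#define CL_SCAN_HWP3           0x2000000
#define CL_SCAN_STDOPT (CL_SCAN_ARCHIVE | CL_SCAN_MAIL | CL_SCAN_OLE2 | CL_SCAN_PDF | CL_SCAN_HTML | CL_SCAN_PE | CL_SCAN_ALGORITHMIC | CL_SCAN_ELF | CL_SCAN_SWF | CL_SCAN_XMLDOCS | CL_SCAN_HWP3)

/* Which 0.101 field a legacy bit lands in. */
enum target { T_GENERAL, T_PARSE, T_HEURISTIC, T_DROPPED };

/* One row per legacy bit: the receiving field and the new bit(s) set there. */
static const struct { uint32_t legacy; enum target where; uint32_t bits; } legacy_map[] = {
    { CL_SCAN_ARCHIVE,        T_PARSE,     CL_SCAN_PARSE_ARCHIVE },
    { CL_SCAN_MAIL,           T_PARSE,     CL_SCAN_PARSE_MAIL },
    { CL_SCAN_OLE2,           T_PARSE,     CL_SCAN_PARSE_OLE2 },
    /* one old flag fans out into two new heuristic flags */
    { CL_SCAN_BLOCKENCRYPTED, T_HEURISTIC, CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE | CL_SCAN_HEURISTIC_ENCRYPTED_DOC },
    { CL_SCAN_HTML,           T_PARSE,     CL_SCAN_PARSE_HTML },
    { CL_SCAN_PE,             T_PARSE,     CL_SCAN_PARSE_PE },
    { CL_SCAN_MAILURL,        T_DROPPED,   0 },  /* already "ignored" in 0.100 */
    { CL_SCAN_BLOCKMAX,       T_HEURISTIC, CL_SCAN_HEURISTIC_EXCEEDS_MAX },
    { CL_SCAN_ALGORITHMIC,    T_GENERAL,   CL_SCAN_GENERAL_HEURISTICS },  /* the attachment's guess */
    { CL_SCAN_ELF,            T_PARSE,     CL_SCAN_PARSE_ELF },
    { CL_SCAN_PDF,            T_PARSE,     CL_SCAN_PARSE_PDF },
    { CL_SCAN_SWF,            T_PARSE,     CL_SCAN_PARSE_SWF },
    { CL_SCAN_XMLDOCS,        T_PARSE,     CL_SCAN_PARSE_XMLDOCS },
    { CL_SCAN_HWP3,           T_PARSE,     CL_SCAN_PARSE_HWP3 },
};

/* Fill *o from a legacy bitmask. Returns the legacy bits that had no row in the
 * table, so the caller can fail loudly instead of silently scanning with fewer
 * options than it believes it turned on. */
uint32_t legacy_flags_to_options(uint32_t legacy, struct cl_scan_options *o)
{
    uint32_t unmapped = legacy;
    unsigned i;
    o->general = o->parse = o->heuristic = o->mail = o->dev = 0;
    for (i = 0; i < sizeof legacy_map / sizeof legacy_map[0]; i++) {
        if (!(legacy & legacy_map[i].legacy))
            continue;
        unmapped &= ~legacy_map[i].legacy;
        switch (legacy_map[i].where) {
        case T_GENERAL:   o->general   |= legacy_map[i].bits; break;
        case T_PARSE:     o->parse     |= legacy_map[i].bits; break;
        case T_HEURISTIC: o->heuristic |= legacy_map[i].bits; break;
        case T_DROPPED:   break;
        }
    }
    return unmapped;
}
```

Feeding CL_SCAN_STDOPT through the table yields every parse bit plus CL_SCAN_GENERAL_HEURISTICS and nothing unmapped, which matches the `options.parse |= ~0; options.general |= CL_SCAN_GENERAL_HEURISTICS;` recipe quoted above, at least on the attachment's mapping. In a codebase that must build against both versions, the call to this shim is the natural place for the `#ifdef CL_SCAN_STDOPT` switch: when the old macro exists, pass the bitmask straight to the 0.100 scan call; otherwise translate it and check the returned value before scanning.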