I'm attaching a patch against version 0.87.1 that adds an option to
return a positive on *any* Windows executable, not just one that matches
a virus signature.  This has already caught one virus (the mail server
I run doesn't get a whole lot of traffic) that otherwise would've made
it through, and I expect it'll catch more.

Rationale:  A couple of times in the last few weeks, I've had cases where a
zipped attachment with an .exe/.pif/whatever inside gets past ClamAV...yet
a couple hours later, there's a signature for it.  I figured it would
be good to take advantage of ClamAV's existing features (already a check
for executables, limits on .zip recursion) rather than roll my own tests.

I realize that you guys may not want to add this to ClamAV, but I'd be
grateful if someone could have a look and tell me if I'm shooting myself
in the foot with this.  Please let me know if the format of the patch
isn't good...I'm new at all this.

Many thanks for ClamAV and your time!
-- 
Saint Aardvark the Carpeted
[EMAIL PROTECTED]
Because the plural of Anecdote is Myth.


diff --exclude config.log --exclude '*.Po' --exclude '*.Plo' --exclude '*~' 
-urN clamav-0.87.1/clamd/server-th.c clamav-0.87.1-mine/clamd/server-th.c
--- clamav-0.87.1/clamd/server-th.c     2005-10-30 08:01:38.000000000 -0800
+++ clamav-0.87.1-mine/clamd/server-th.c        2005-11-21 12:32:34.000000000 
-0800
@@ -374,6 +374,11 @@
            options |= CL_SCAN_BLOCKBROKEN;
        }
 
+       if(cfgopt(copt, "BlockExecutables")) {
+           logg("Blocking of executables enabled.\n");
+           options |= CL_SCAN_BLOCKEXECUTABLE;
+       }
+
     } else {
        logg("Portable Executable support disabled.\n");
     }
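Review bot: The keyword checked and logged here, `BlockExecutables`, is not the keyword the patch documents in clamd.conf.5.in, which is `BlockExecutable`; cfgparser.c registers `BlockExecutables` as well, so an administrator following the man page will write a name the parser does not know, and either the code or the man page entry needs to change. The new block also sits inside the branch whose `else` logs "Portable Executable support disabled", so the option is silently inert when ScanPE is off; a sentence to that effect in the man page entry would save the next admin a surprise. The enclosing function starts and ends outside the hunk.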
diff --exclude config.log --exclude '*.Po' --exclude '*.Plo' --exclude '*~' 
-urN clamav-0.87.1/clamscan/manager.c clamav-0.87.1-mine/clamscan/manager.c
--- clamav-0.87.1/clamscan/manager.c    2005-07-24 15:22:47.000000000 -0700
+++ clamav-0.87.1-mine/clamscan/manager.c       2005-11-21 12:36:59.000000000 
-0800
@@ -169,6 +169,9 @@
     if(optl(opt, "detect-broken"))
        options |= CL_SCAN_BLOCKBROKEN;
 
+    if(optl(opt, "detect-executable"))
+       options |= CL_SCAN_BLOCKEXECUTABLE;
+
     if(optl(opt, "block-encrypted"))
        options |= CL_SCAN_BLOCKENCRYPTED;
 
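Review bot: The clamscan switch is named `detect-executable` while the clamd keyword is `BlockExecutables` and the library flag is `CL_SCAN_BLOCKEXECUTABLE`; the existing pairs in this function keep the same verb across the three layers (`block-encrypted` / `CL_SCAN_BLOCKENCRYPTED`), so `--block-executable` would read more consistently, or the clamd keyword could be aligned with `--detect-broken` / `DetectBrokenExecutables` instead. Whichever is chosen, the clamscan.1 entry in this patch has to follow. The enclosing function starts and ends outside the hunk.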
diff --exclude config.log --exclude '*.Po' --exclude '*.Plo' --exclude '*~' 
-urN clamav-0.87.1/clamscan/options.c clamav-0.87.1-mine/clamscan/options.c
--- clamav-0.87.1/clamscan/options.c    2005-06-23 13:03:09.000000000 -0700
+++ clamav-0.87.1-mine/clamscan/options.c       2005-11-21 12:36:59.000000000 
-0800
@@ -94,6 +94,7 @@
            {"disable-archive", 0, 0, 0},
            {"no-archive", 0, 0, 0},
            {"detect-broken", 0, 0, 0},
+           {"detect-executable", 0, 0, 0},
            {"block-encrypted", 0, 0, 0},
            {"block-max", 0, 0, 0},
            {"no-pe", 0, 0, 0},
diff --exclude config.log --exclude '*.Po' --exclude '*.Plo' --exclude '*~' 
-urN clamav-0.87.1/docs/man/clamd.conf.5.in 
clamav-0.87.1-mine/docs/man/clamd.conf.5.in
--- clamav-0.87.1/docs/man/clamd.conf.5.in      2005-06-23 13:03:04.000000000 
-0700
+++ clamav-0.87.1-mine/docs/man/clamd.conf.5.in 2005-11-21 12:35:10.000000000 
-0800
@@ -203,6 +203,11 @@
 With this option clamd will try to detect broken executables and mark them as 
Broken.Executable.
 .br 
 Default: disabled
+.TP
+\fBBlockExecutable\fR
+With this option clamd will try to detect any executable and mark it as 
Any.Executable.
+.br
+Default: disabled
 .TP 
 \fBScanOLE2\fR
 Enables scanning of Microsoft Office document macros.
diff --exclude config.log --exclude '*.Po' --exclude '*.Plo' --exclude '*~' 
-urN clamav-0.87.1/docs/man/clamscan.1 clamav-0.87.1-mine/docs/man/clamscan.1
--- clamav-0.87.1/docs/man/clamscan.1   2005-06-23 13:03:04.000000000 -0700
+++ clamav-0.87.1-mine/docs/man/clamscan.1      2005-11-21 12:35:55.000000000 
-0800
@@ -84,6 +84,9 @@
 .TP 
 \fB\-\-detect\-broken\fR
 Mark broken executables as viruses (Broken.Executable).
+.TP
+\fB\-\-detect\-executable\fR
+Mark any Windows executable as a virus (Any.Executable).
 .TP 
 \fB\-\-block\-encrypted\fR
 Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
diff --exclude config.log --exclude '*.Po' --exclude '*.Plo' --exclude '*~' 
-urN clamav-0.87.1/libclamav/clamav.h clamav-0.87.1-mine/libclamav/clamav.h
--- clamav-0.87.1/libclamav/clamav.h    2005-06-23 13:03:13.000000000 -0700
+++ clamav-0.87.1-mine/libclamav/clamav.h       2005-11-21 12:36:59.000000000 
-0800
@@ -75,6 +75,7 @@
 #define CL_SCAN_BLOCKBROKEN    128
 #define CL_SCAN_MAILURL                256
 #define CL_SCAN_BLOCKMAX       512
+#define CL_SCAN_BLOCKEXECUTABLE 1024
 
 /* recommended options */
 #define CL_SCAN_STDOPT         (CL_SCAN_ARCHIVE | CL_SCAN_MAIL | CL_SCAN_OLE2 
| CL_SCAN_HTML | CL_SCAN_PE) 
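Review bot: The new flag is added without a comment, unlike the effect it has: with it set, every well-formed PE file is reported as `Any.Executable`, so it must never find its way into `CL_SCAN_STDOPT` on the next line, and callers embedding libclamav need to know it is opt-in only. A one-line comment on the define would carry that, e.g. `/* report every PE executable as Any.Executable; opt-in only, never part of CL_SCAN_STDOPT */`.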
diff --exclude config.log --exclude '*.Po' --exclude '*.Plo' --exclude '*~' 
-urN clamav-0.87.1/libclamav/pe.c clamav-0.87.1-mine/libclamav/pe.c
--- clamav-0.87.1/libclamav/pe.c        2005-07-24 13:16:28.000000000 -0700
+++ clamav-0.87.1-mine/libclamav/pe.c   2005-11-21 12:36:59.000000000 -0800
@@ -48,6 +48,7 @@
 #define IMAGE_OPTIONAL_SIGNATURE    0x010b
 
 #define DETECT_BROKEN              (options & CL_SCAN_BLOCKBROKEN)
+#define DETECT_EXECUTABLE          (options & CL_SCAN_BLOCKEXECUTABLE)
 
 #define UPX_NRV2B 
"\x11\xdb\x11\xc9\x01\xdb\x75\x07\x8b\x1e\x83\xee\xfc\x11\xdb\x11\xc9\x11\xc9\x75\x20\x41\x01\xdb"
 #define UPX_NRV2D 
"\x83\xf0\xff\x74\x78\xd1\xf8\x89\xc5\xeb\x0b\x01\xdb\x75\x07\x8b\x1e\x83\xee\xfc\x11\xdb\x11\xc9"
@@ -217,6 +218,11 @@
        dll = 1;
     } else if(EC16(file_hdr.Characteristics) & 0x01) {
        cli_dbgmsg("File type: Executable\n");
+       if(DETECT_EXECUTABLE) {
+         if(virname)
+           *virname = "Any.Executable";
+         return CL_VIRUS;
+       }
     }
 
     switch(EC16(file_hdr.Machine)) {
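Review bot: The new detection returns on the bit tested by the context line above it, `Characteristics & 0x01`, and in the PE file header 0x0001 is IMAGE_FILE_RELOCS_STRIPPED while IMAGE_FILE_EXECUTABLE_IMAGE is 0x0002; the existing debug message is merely mislabelled, but once the bit drives a verdict it matters, so the test should be `& 0x02` (or the detection moved to the section checks only). Note also that the `dll = 1` branch above does not reach this check, so DLLs are only caught by the section-level checks later in the function; the man page entries describe "any Windows executable", so the actual trigger (any PE with an executable code or memory section, DLLs included) is worth documenting. The enclosing function continues outside the hunk.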
@@ -442,6 +448,11 @@
 
        if(EC32(section_hdr[i].Characteristics) & 0x20) {
            cli_dbgmsg("Section contains executable code\n");
+           if(DETECT_EXECUTABLE) {
+             if(virname)
+               *virname = "Any.Executable";
+             return CL_VIRUS;
+           }
 
            if(EC32(section_hdr[i].VirtualSize) < 
EC32(section_hdr[i].SizeOfRawData)) {
                cli_dbgmsg("Section contains free space\n");
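Review bot: The `return CL_VIRUS` inside the section loop exits the function without releasing whatever `section_hdr` points to; in this version of pe.c the section table appears to be allocated with cli_calloc earlier in the function (not visible in the hunk), in which case both this return and the identical one in the hunk at line 464 leak it, and the existing Broken.Executable paths should show whether a `free(section_hdr);` has to precede the return. Since the same four-line block now appears three times in the function, a small `static int` helper that sets `*virname` (when non-NULL) and does the cleanup would keep the three exit paths from drifting apart. The enclosing loop and function start and end outside the hunk.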
@@ -453,8 +464,14 @@
            }
        }
 
-       if(EC32(section_hdr[i].Characteristics) & 0x20000000)
+       if(EC32(section_hdr[i].Characteristics) & 0x20000000) {
            cli_dbgmsg("Section's memory is executable\n");
+           if(DETECT_EXECUTABLE) {
+             if(virname)
+               *virname = "Any.Executable";
+             return CL_VIRUS;
+           }
+       }
 
        if(EC32(section_hdr[i].Characteristics) & 0x80000000)
            cli_dbgmsg("Section's memory is writeable\n");
diff --exclude config.log --exclude '*.Po' --exclude '*.Plo' --exclude '*~' 
-urN clamav-0.87.1/shared/cfgparser.c clamav-0.87.1-mine/shared/cfgparser.c
--- clamav-0.87.1/shared/cfgparser.c    2005-09-15 16:42:58.000000000 -0700
+++ clamav-0.87.1-mine/shared/cfgparser.c       2005-11-21 12:32:47.000000000 
-0800
@@ -54,6 +54,7 @@
            {"DisableDefaultScanOptions", OPT_NOARG},
            {"ScanPE", OPT_NOARG},
            {"DetectBrokenExecutables", OPT_NOARG},
+           {"BlockExecutables", OPT_NOARG},
            {"ScanMail", OPT_NOARG},
            {"MailFollowURLs", OPT_NOARG},
            {"ScanHTML", OPT_NOARG},