libclamav: Remove MyDoom Heuristic (#1545)

The MyDoom heuristic has been causing too many false positives.
Since MyDoom is already covered by signature detection, the hard-coded
heuristic that produces these false positives is no longer needed. This
commit removes it.

CLAM-2766
John Humlick
2025-12-17 09:10:12 -08:00
committed by GitHub
parent cb844d3897
commit 4361c25030
5 changed files with 0 additions and 66 deletions


@@ -131,7 +131,6 @@ static struct dconf_module modules[] = {
{"OTHER", "JPEG", OTHER_CONF_JPEG, 1},
{"OTHER", "CRYPTFF", OTHER_CONF_CRYPTFF, 1},
{"OTHER", "DLP", OTHER_CONF_DLP, 1},
{"OTHER", "MYDOOMLOG", OTHER_CONF_MYDOOMLOG, 0},
{"OTHER", "PREFILTERING", OTHER_CONF_PREFILTERING, 1},
{"OTHER", "PDFNAMEOBJ", OTHER_CONF_PDFNAMEOBJ, 1},
{"OTHER", "PRTNINTXN", OTHER_CONF_PRTNINTXN, 1},


@@ -124,7 +124,6 @@ struct cli_dconf {
#define OTHER_CONF_JPEG 0x8
#define OTHER_CONF_CRYPTFF 0x10
#define OTHER_CONF_DLP 0x20
#define OTHER_CONF_MYDOOMLOG 0x40
#define OTHER_CONF_PREFILTERING 0x80
#define OTHER_CONF_PDFNAMEOBJ 0x100
#define OTHER_CONF_PRTNINTXN 0x200


@@ -5138,12 +5138,6 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)
ret = cli_scanishield_msi(ctx, 14);
break;
case CL_TYPE_BINARY_DATA:
case CL_TYPE_TEXT_UTF16BE:
if (SCAN_HEURISTICS && (DCONF_OTHER & OTHER_CONF_MYDOOMLOG))
ret = cli_check_mydoom_log(ctx);
break;
case CL_TYPE_TEXT_ASCII:
if (SCAN_HEURISTIC_STRUCTURED && (DCONF_OTHER & OTHER_CONF_DLP))
/* TODO: consider calling this from cli_scanscript() for


@@ -46,63 +46,6 @@
#define special_endian_convert_16(v) be16_to_host(v)
#define special_endian_convert_32(v) be32_to_host(v)
int cli_check_mydoom_log(cli_ctx *ctx)
{
uint32_t record[16];
const uint32_t *ptr;
uint32_t check, key;
fmap_t *map = ctx->fmap;
unsigned int blocks = map->len / (8 * 4);
cli_dbgmsg("in cli_check_mydoom_log()\n");
if (blocks < 2)
return CL_CLEAN;
if (blocks > 5)
blocks = 5;
/*
* The following pointer might not be properly aligned. There there is
* memcmp() + memcpy() workaround to avoid performing an unaligned access
* while reading the uint32_t.
*/
ptr = fmap_need_off_once(map, 0, 8 * 4 * blocks);
if (!ptr)
return CL_CLEAN;
while (blocks) { /* This wasn't probably intended but that's what the current code does anyway */
const uint32_t marker_ff = 0xffffffff;
if (!memcmp(&ptr[--blocks], &marker_ff, sizeof(uint32_t)))
return CL_CLEAN;
}
memcpy(record, ptr, sizeof(record));
key = ~be32_to_host(record[0]);
check = (be32_to_host(record[1]) ^ key) +
(be32_to_host(record[2]) ^ key) +
(be32_to_host(record[3]) ^ key) +
(be32_to_host(record[4]) ^ key) +
(be32_to_host(record[5]) ^ key) +
(be32_to_host(record[6]) ^ key) +
(be32_to_host(record[7]) ^ key);
if ((~check) != key)
return CL_CLEAN;
key = ~be32_to_host(record[8]);
check = (be32_to_host(record[9]) ^ key) +
(be32_to_host(record[10]) ^ key) +
(be32_to_host(record[11]) ^ key) +
(be32_to_host(record[12]) ^ key) +
(be32_to_host(record[13]) ^ key) +
(be32_to_host(record[14]) ^ key) +
(be32_to_host(record[15]) ^ key);
if ((~check) != key)
return CL_CLEAN;
return cli_append_potentially_unwanted(ctx, "Heuristics.Worm.Mydoom.M.log");
}
static uint32_t riff_endian_convert_32(uint32_t value, int big_endian)
{
if (big_endian)


@@ -34,7 +34,6 @@ struct swizz_stats {
int entries;
};
int cli_check_mydoom_log(cli_ctx *ctx);
int cli_check_riff_exploit(cli_ctx *ctx);
void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_stats *stats, int blob);
int cli_detect_swizz(struct swizz_stats *stats);