diff --git a/libclamav/asn1.c b/libclamav/asn1.c
index 36ae477fa..d71c783f4 100644
--- a/libclamav/asn1.c
+++ b/libclamav/asn1.c
@@ -1435,12 +1435,12 @@ int asn1_check_mscat(fmap_t *map, size_t offset, unsigned int size, uint8_t *com
 if(crtmgr_add_roots(&certs)) {
 /* FIXME: do smthng here */
 crtmgr_free(&certs);
- return CL_CLEAN;
+ return CL_VIRUS;
 }
 ret = asn1_parse_mscat(map, offset, size, &certs, 1, &content, &content_size);
 crtmgr_free(&certs);
 if(ret)
- return CL_VIRUS; /* FIXME */
+ return CL_VIRUS;
 if(asn1_expect_objtype(map, content, &content_size, &c, 0x30))
 return CL_VIRUS;
diff --git a/libclamav/matcher.c b/libclamav/matcher.c
index 75db33d72..aee6e8e1f 100644
--- a/libclamav/matcher.c
+++ b/libclamav/matcher.c
@@ -412,7 +412,7 @@ int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx)
 cli_dbgmsg("FP SIGNATURE: %s:%u:%s\n", md5, (unsigned int) size, *ctx->virname ? *ctx->virname : "Name");
 map = *ctx->fmap;
- have_sha1 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, size);
+ have_sha1 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, size) | cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, 1);
 have_sha256 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA256, size);
 if(have_sha1 || have_sha256) {
 if((ptr = fmap_need_off_once(map, 0, size))) {
@@ -424,6 +424,10 @@ int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx)
 cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname);
 return CL_CLEAN;
 }
+ if(cli_hm_scan(&shash1[SHA1_HASH_SIZE], 1, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS){
+ cli_dbgmsg("cli_checkfp(sha1): Found false positive detection via catalog file\n");
+ return CL_CLEAN;
+ }
 }
 if(have_sha256) {
 sha256_init(&sha256);
@@ -436,6 +440,7 @@ int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx)
 }
 }
 }
+
 #ifdef HAVE__INTERNAL__SHA_COLLECT
 if((ctx->options & CL_SCAN_INTERNAL_COLLECT_SHA) && ctx->sha_collect>0) {
 if((ptr = fmap_need_off_once(map, 0, size))) {
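Review bot: The `/* FIXME: do smthng here */` comment is left in place while the return it annotates changes from CL_CLEAN to CL_VIRUS, so the new failure path still reads as unfinished and the meaning of the return value is undocumented. A failed crtmgr_add_roots() is an internal error, not a verification result; replace the FIXME with a comment stating the contract, e.g. `/* root store unavailable: report "not whitelisted" (CL_VIRUS here means unverified, not malicious) */`, so callers that switch on CL_CLEAN/CL_VIRUS are not misread as classifying the file. The body of asn1_check_mscat begins before and continues after the hunk.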
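Review bot: The new `have_sha1 = cli_hm_have_size(..., size) | cli_hm_have_size(..., 1);` combines two lookups with the bitwise operator where the logical `||` is meant; it only behaves correctly while cli_hm_have_size() returns 0/1, and `||` would also short-circuit the second lookup. The literal `1` appears to be a sentinel size for catalog-derived hashes (the later hunks scan with sizes 1 and 2), but nothing names it or says what distinguishes the two sentinels, so please introduce named constants for both and use them at every call site. Also note that the size-2 lookup in the later cli_checkfp_pe hunk is not gated by any have-size check, which is inconsistent with this line if the intent is to skip work when no catalog entries are loaded. cli_checkfp continues outside the hunk.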
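Review bot: The added cli_hm_scan() reads `&shash1[SHA1_HASH_SIZE]`, i.e. a second digest stored after the file's SHA-1, but nothing in the hunk shows that region being written before this point; shash1's declaration and any earlier fill are outside the hunk, and the same offset is scanned again only after cli_checkfp_pe() in the later hunk, which suggests that call is what populates it. Please confirm the buffer is at least 2*SHA1_HASH_SIZE bytes and already holds a valid digest here, and add a comment at the read naming what the second SHA1_HASH_SIZE bytes contain, e.g. `/* shash1[SHA1_HASH_SIZE..] holds the <which digest — confirm> */`. Minor style: `== CL_VIRUS){` lacks the space before the brace used elsewhere in this function.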
@@ -462,6 +467,16 @@ int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx)
 }
 #endif
+ switch(cli_checkfp_pe(ctx, shash1)) {
+ case CL_CLEAN:
+ cli_dbgmsg("cli_checkfp(pe): PE file whitelisted due to valid embedded digital signature\n");
+ return CL_CLEAN;
+ case CL_VIRUS:
+ if(cli_hm_scan(&shash1[SHA1_HASH_SIZE], 2, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
+ cli_dbgmsg("cli_checkfp(pe): PE file whitelisted by catalog file\n");
+ return CL_CLEAN;
+ }
+ }
 if (ctx->engine->cb_hash)
 ctx->engine->cb_hash(fmap_fd(*ctx->fmap), size, md5, ctx->virname ? *ctx->virname : NULL, ctx->cb_ctx);
diff --git a/libclamav/pe.c b/libclamav/pe.c
index c7cf4ae20..c9db13b71 100644
--- a/libclamav/pe.c
+++ b/libclamav/pe.c
@@ -2666,7 +2666,7 @@ static int sort_sects(const void *first, const void *second) {
 return (a->raw - b->raw);
 }
-int cli_checkfp_pe(cli_ctx *ctx, uint8_t authsha1[SHA1_HASH_SIZE]) {
+int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1) {
 uint16_t e_magic; /* DOS signature ("MZ") */
 uint16_t nsections;
 uint32_t e_lfanew; /* address of new exe header */
@@ -2833,7 +2833,7 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t authsha1[SHA1_HASH_SIZE]) {
 }
 if(at < fsize) {
- hlen = at - fsize;
+ hlen = fsize - at;
 if(dirs[4].Size > hlen) {
 free(exe_sections);
 return CL_EFORMAT;
@@ -2848,7 +2848,7 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t authsha1[SHA1_HASH_SIZE]) {
 if(cli_debug_flag) {
 char shatxt[SHA1_HASH_SIZE*2+1];
- for(i=0; i
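Review bot: The switch on cli_checkfp_pe() has no `default:` and the CL_VIRUS case has no terminating `break`, so every other return value (the pe.c hunk shows it returning CL_EFORMAT, and non-PE input presumably yields some error too) silently falls through to the cb_hash callback with nothing logged and nothing marking that as intended. Add `break;` at the end of the CL_VIRUS case and `default: break; /* not a verifiable PE: fall back to hash-based detection */` so the fallthrough is explicit and -Wswitch stays quiet. Note this also means cli_checkfp_pe() is now invoked for every file that reaches this point regardless of type, which is worth a sentence in the function's comment. cli_checkfp continues outside the hunk.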
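Review bot: Replacing `uint8_t authsha1[SHA1_HASH_SIZE]` with `uint8_t *authsha1` changes nothing at runtime (the array parameter already decayed to a pointer) but drops the only statement of the required buffer length, while the caller in matcher.c passes shash1 and then indexes `shash1[SHA1_HASH_SIZE]`, so the expected layout is now documented nowhere. Either keep the array form or add a parameter comment above the definition, e.g. `/* authsha1: caller-provided buffer of SHA1_HASH_SIZE bytes; presumably receives the computed Authenticode digest — confirm */`, and mirror it on the prototype, which is not visible in this diff. The function body extends well past the hunk.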
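Review bot: `hlen = fsize - at;` corrects an operand order that, if these variables are unsigned as the names suggest, wrapped to a huge value under the guarding `at < fsize` and let the `dirs[4].Size > hlen` check pass for any directory size; a fix to a bounds check on attacker-controlled PE headers deserves a comment and a regression sample rather than a silent swap. Suggested comment on the assignment: `/* bytes remaining after the last section; the certificate table (dirs[4]) must fit entirely within them */`. The declarations of hlen, at and fsize are outside the hunk, so please also confirm hlen is wide enough to hold fsize - at without truncation. cli_checkfp_pe's body continues beyond the hunk.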