Bugzilla – Bug 11512
[clamav-users] heuristic-scan-precedence is broken
Last modified: 2016-04-12 15:21:56 EDT
The following was reported by David Shrimpton on the clamav-users mailing list:

Hi,

--heuristic-scan-precedence=no is broken in clamav-0.99.

e.g. create a test encrypted zip /tmp/abcdef.zip

clamscan -z --database=/tmp/test.ndb --block-encrypted=yes /tmp/abcdef.zip
/tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND

clamscan -z --database=/tmp/test.ndb --block-encrypted=no /tmp/abcdef.zip
/tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
/tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND

clamscan -z --database=/tmp/test.ndb --block-encrypted=yes --heuristic-scan-precedence=no /tmp/abcdef.zip
/tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND

With --heuristic-scan-precedence=no, testsig.1.UNOFFICIAL should have been returned and not Heuristics.Encrypted.Zip. With -z --heuristic-scan-precedence=no, both testsig.1.UNOFFICIAL and Heuristics.Encrypted.Zip should have been returned.

This is the same problem as occurs with clamdscan and OLE2BlockMacros yes: Heuristics.OLE2.ContainsMacros gets returned and not any real sigs that also might match. I suspect --heuristic-scan-precedence=no might not work for any heuristic detection.

If heuristic-scan-precedence=no worked, you could parse the returned virus name and treat files that only matched a Heuristics sig (e.g. pdf or encrypted zip or ole2 with macros) differently to files that matched a real sig, e.g. do logging only instead of discarding.
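The policy the report asks for (log-only when the only hits are Heuristics.* names, discard when a real signature hit is present) can be implemented on top of clamscan's "path: NAME FOUND" output lines. The script below is an added example, not part of the bug report or of ClamAV. classify_scan_output is the pure classifier, run on clamscan output read from stdin; reproduce_report rebuilds the report's setup (a constructed .ndb signature and a password-protected zip) and runs the three invocations shown above, and only works where zip(1) and clamscan(1) are installed. The signature name testsig.1, the hex pattern, the password and the file names are assumptions; the hex pattern is the ASCII of the zip entry name "payload.txt", chosen so that the signature matches cleartext bytes of the container rather than the encrypted payload.

```shell
#!/bin/sh
# Added example, not from the bug report or from the ClamAV project.
# Assumes clamscan output of the form "path: NAME FOUND" and that hits
# from a non-official database carry the ".UNOFFICIAL" suffix.

# classify_scan_output: read clamscan output on stdin and print one of
#   clean          - no FOUND lines at all
#   heuristic-only - every FOUND line names a Heuristics.* detection
#   signature      - at least one FOUND line names a non-heuristic signature
classify_scan_output() {
    found=0
    real=0
    while IFS= read -r line; do
        case "$line" in
            *" FOUND")
                found=1
                name=${line% FOUND}      # drop trailing " FOUND"
                name=${name##*: }        # drop "path: " prefix
                case "$name" in
                    Heuristics.*) ;;     # heuristic match, keep looking
                    *) real=1 ;;         # a real signature matched
                esac
                ;;
        esac
    done
    if [ "$real" -eq 1 ]; then
        echo signature
    elif [ "$found" -eq 1 ]; then
        echo heuristic-only
    else
        echo clean
    fi
}

# reproduce_report: recreate the report's three clamscan runs.
# Requires zip(1) and clamscan(1); returns 2 if either is missing.
reproduce_report() {
    command -v zip >/dev/null 2>&1 && command -v clamscan >/dev/null 2>&1 || {
        echo "zip and clamscan are required" >&2
        return 2
    }
    tmp=$(mktemp -d)
    printf 'constructed payload\n' > "$tmp/payload.txt"
    # .ndb line: Name:TargetType:Offset:HexSignature (0 = any file type,
    # * = any offset). The hex is ASCII "payload.txt", the zip entry name,
    # which stays in cleartext even in an encrypted zip (assumption: a
    # signature on container cleartext is what makes the report reproducible).
    printf 'testsig.1:0:*:7061796c6f61642e747874\n' > "$tmp/test.ndb"
    (cd "$tmp" && zip -q -P secret abcdef.zip payload.txt)
    for opts in "--block-encrypted=yes" \
                "--block-encrypted=no" \
                "--block-encrypted=yes --heuristic-scan-precedence=no"; do
        echo "== clamscan -z $opts"
        # clamscan exits 1 when something is FOUND; do not treat that as failure.
        # shellcheck disable=SC2086
        out=$(clamscan -z --no-summary --database="$tmp/test.ndb" $opts "$tmp/abcdef.zip" 2>/dev/null || true)
        printf '%s\n' "$out"
        printf '%s\n' "$out" | classify_scan_output
    done
    rm -rf "$tmp"
}
```

Under the bug described above, the third run still classifies as heuristic-only even though the signature also matches, which is exactly the case the reporter wants to be able to distinguish; once --heuristic-scan-precedence=no behaves as documented, the same classifier returns signature for it.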
Created attachment 7077: Make OLE2BlockMacros behave better

This is a very simplistic patch that makes OLE2BlockMacros behave more like a heuristic match, i.e. it does not prohibit detection of other real viruses. Someone familiar with the logic of the code might come up with something better, but I was in a hurry to get generic macro detection without sacrificing third-party signatures that match actual macro viruses!