Mailing List Archive

cli_scanbuff usage
Hi,

I'm just wondering if anyone can give me any advice on using cli_scanbuff,
I'm currently
completely stumped, I'm trying to simply get it to detect the EICAR 'virus'.

I call it with the following snippet:
--------------
unsigned char *buf = "X5O!P%@AP
[.4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

if((ret = cl_scanbuff(buf, strlen(buf),&virname, &size, engine,
CL_SCAN_STDOPT)) == CL_VIRUS) {
................................
}
-------------

Using the following additions I've added to the library:
-------------

int cl_scanbuff(unsigned char *data,unsigned int len, const char **virname,
unsigned long int *scanned, const struct cl_engine *engine, unsigned int
scanoptions)
{
return cl_scanbuff_callback(data, len,virname, scanned, engine,
scanoptions, NULL);
}

int cl_scanbuff_callback(unsigned char *data,unsigned int len, const char
**virname, unsigned long int *scanned, const struct cl_engine *engine,
unsigned int scanoptions, void *context)
{
return scan_buff(data,len, NULL, virname, scanned, engine, scanoptions,
context);
}


static int scan_buff(unsigned char *data,uint32_t len, cl_fmap_t *map,
const char **virname, unsigned long int *scanned, const struct cl_engine
*engine, unsigned int scanoptions, void *context)
{
cli_ctx ctx;
int rc;
struct cli_matcher *groot = NULL;
struct cli_matcher *troot = NULL;
struct cli_matcher *root;
struct cli_ac_data gmdata, tmdata;
struct cli_ac_data *mdata[2];
int ret;
unsigned int viruses_found = 0;

int *partcnt;
unsigned long int *partoff;

cli_file_t ftype = CL_TYPE_ANY;

memset(&ctx, '\0', sizeof(cli_ctx));
ctx.engine = engine;
ctx.virname = virname;
ctx.scanned = scanned;
ctx.options = scanoptions;

root = (struct cli_matcher *) mpool_calloc(ctx.engine->mempool, 1,
sizeof(struct cli_matcher));

#ifdef USE_MPOOL
root->mempool = ctx.engine->mempool;
#endif

ctx.engine->root[0] = root;

ret = cli_scanbuff(data, len, 0, &ctx, 0, NULL);

if (ret == CL_VIRUS)
viruses_found++;

if (ret == CL_CLEAN && ctx.num_viruses){
ret = CL_VIRUS;
}

return (ret != CL_CLEAN)?ret:viruses_found?CL_VIRUS:CL_CLEAN;
}

-------------

Currently it always returns, with CL_CLEAN. I can easily detect EICAR with
a file, but for some reason not with cli_scanbuff.

Anyone got any ideas?

Kind Regards

Chris
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net