Mailing List Archive

Re: [clamav-users] Incompatible clamav.h changes
Hi Ale,

You're correct, there are non-backwards compatible changes in clamav.h in version 0.101. The libclamav major version number has also increased to highlight the incompatibility.

The changes are mentioned somewhat briefly in the release notes:
https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html
https://github.com/Cisco-Talos/clamav-devel/blob/clamav-0.101.1/NEWS.md#some-of-the-more-obvious-changes

CL_SCAN_STDOPT previously enabled all parsers, plus heuristic alerts (which were sometimes/inconsistently referred to as algorithmic detection):
https://github.com/Cisco-Talos/clamav-devel/blob/clamav-0.100.2/libclamav/clamav.h#L181

In 0.101, CL_SCAN_STDOPT has gone away. Instead, you can get the same functionality by setting the following, as shown in the example (https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/examples/ex1.c#L93):

options.parse |= ~0; /* enable all parsers */
options.general |= CL_SCAN_GENERAL_HEURISTICS; /* enable heuristic alert options */

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On 2/27/19, 2:02 PM, "clamav-users on behalf of Alessandro Vesely via clamav-users" <clamav-users-bounces@lists.clamav.net on behalf of clamav-users@lists.clamav.net> wrote:

Hi,

clamav.h has changed in version 101, resulting in compile errors like so:

avfilter.c:270:21: error: ‘CL_SCAN_STDOPT’ undeclared (first use in this
function); did you mean ‘CL_DB_STDOPT’?
a->scan_options = CL_SCAN_STDOPT;
^~~~~~~~~~~~~~
CL_DB_STDOPT

Is there some documentation about those changes, ways to detect them at
configure time, how to adapt client code, and the like?

Thanks in advance
Ale
--





_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


_______________________________________________

clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel

Please submit your patches to our Bugzilla: http://bugzilla.clamav.net

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Incompatible clamav.h changes
Hi Micah,

Thank you so much for your prompt reply.

On Wed 27/Feb/2019 20:48:44 +0100 Micah Snyder (micasnyd) via clamav-users wrote:
>
> You're correct, there are non-backwards compatible changes in clamav.h in version 0.101. The libclamav major version number has also increased to highlight the incompatibility.
>
> The changes are mentioned somewhat briefly in the release notes:
> https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html
> https://github.com/Cisco-Talos/clamav-devel/blob/clamav-0.101.1/NEWS.md#some-of-the-more-obvious-changes


That doc is rather brief about #define's. I attach my attempt at matching them. Besides having different values and going to different variables, CL_SCAN_* have new names.


> CL_SCAN_STDOPT previously enabled all parsers, plus heuristic alerts (which were sometimes/inconsistently referred to as algorithmic detection):
> https://github.com/Cisco-Talos/clamav-devel/blob/clamav-0.100.2/libclamav/clamav.h#L181
>
> In 0.101, CL_SCAN_STDOPT has gone away. Instead, you can get the same functionality by setting the following, as shown in the example (https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/examples/ex1.c#L93):


I see. I think I'll code #ifdef CL_SCAN_STDOPT for compile time switching, trying to be compatible with v100.


> options.parse |= ~0; /* enable all parsers */
> options.general |= CL_SCAN_GENERAL_HEURISTICS; /* enable heuristic alert options */

The docs suggest AlgorithmicDetection becomes HeuristicAlerts, I'm not clear if that implies CL_SCAN_ALGORITHMIC becomes CL_SCAN_GENERAL_HEURISTICS (as claimed in my attachment).


Best
Ale
--
Re: [clamav-users] Incompatible clamav.h changes
Alessandro,

Your attachment is correct. I will also note that the following macros enable the same feature. The name "collect metadata" seemed to be more intelligible than simply "properties":

-#define CL_SCAN_FILE_PROPERTIES 0x10000000
+#define CL_SCAN_GENERAL_COLLECT_METADATA 0x2 /* collect metadata (--gen-json) */

To be clear about how the new scan options defines work... Instead of one bit-flag variable, we now have 5 bit-flag variables to select options using the cl_scan_options structure. They are categorized by feature, like this:

    struct cl_scan_options {
        uint32_t general;   // <-- CL_SCAN_GENERAL_...
        uint32_t parse;     // <-- CL_SCAN_PARSE_...
        uint32_t heuristic; // <-- CL_SCAN_HEURISTIC_...
        uint32_t mail;      // <-- CL_SCAN_MAIL_...
        uint32_t dev;       // <-- CL_SCAN_DEV_...
    };

Come to think of it, I'm not sure why we don't include a macro in clamav.h to define the libclamav version number. I will have to discuss it with the team. To programmatically query a string of the version number, you can use `cl_retver()`.

Let me know if you have any other questions, and my apologies for the confusion.

Regards,
Micah

Re: [clamav-users] Incompatible clamav.h changes
Hi Micah,

On Fri 01/Mar/2019 03:34:10 +0100 Micah Snyder (micasnyd) wrote:
>
> Your attachment is correct. I will also note that the following macros enable the same feature. The name "collect metadata" seemed to be more intelligible than simply "properties":
>
> -#define CL_SCAN_FILE_PROPERTIES 0x10000000
> +#define CL_SCAN_GENERAL_COLLECT_METADATA 0x2 /* collect metadata (--gen-json) */


I suspected that, thank you for confirming.


> To be clear about how the new scan options defines work... Instead of one bit-flag variable, we now have 5 bit-flag variables to select options using the cl_scan_options structure. They are categorized by feature, like this:
>
>     struct cl_scan_options {
>         uint32_t general;   // <-- CL_SCAN_GENERAL_...
>         uint32_t parse;     // <-- CL_SCAN_PARSE_...
>         uint32_t heuristic; // <-- CL_SCAN_HEURISTIC_...
>         uint32_t mail;      // <-- CL_SCAN_MAIL_...
>         uint32_t dev;       // <-- CL_SCAN_DEV_...
>     };


Yeah, I got that. After I slept on it, I dropped the idea of keeping compatibility with the previous version. The problem is user options to my client program. Following the example, I coded something like so:

    if (load_options == 0)
        load_options = CL_DB_STDOPT;

    if (scan_options.general == 0 &&
        scan_options.parse == 0 &&
        scan_options.heuristic == 0 &&
        scan_options.mail == 0 &&
        scan_options.dev == 0)
    {
        scan_options.parse |= ~0; /* enable all parsers */
        scan_options.general |= CL_SCAN_GENERAL_HEURISTICS; /* enable heuristic alert options */
        scan_options.mail |= CL_SCAN_MAIL_PARTIAL_MESSAGE; /* no easy attack paths... */
    }

    if ((scan_options.parse & CL_SCAN_PARSE_MAIL) == 0) // no nonsense
    {
        err = 1;
        filelog(logfile, LOG_ERR, "scan_mail disabled?!");
    }

That snippet runs after user options are loaded from the config file. If it's all zeroes, the user configured no option (the most likely case). Choosy users can set default options and then adjust them as needed. Testing single fields separately would make it difficult to disable heuristics, say.

The client program is a mail filter, so I routinely enable CL_SCAN_MAIL_PARTIAL_MESSAGE, lest it allow attachments like:

Content-Type: Message/Partial; number=1; total=1; id="easy.attack@malware.example"


> Come to think of it, I'm not sure why we don't include a macro in clamav.h to define the libclamav version number. I will have to discuss it with the team. To programmatically query a string of the version number, you can use `cl_retver()`.


Yup, I coded:

    if (strstr(cl_retver(), ".101.") == NULL)
    {
        filelog(logfile, LOG_ALERT, "Need libclamav 101, found %s", cl_retver());
        return 1;
    }


> Let me know if you have any other questions, and my apologies for the confusion.


You've got nothing to apologize for, your answers are crystal clear, and let me thank you for them once more.


Best
Ale
--
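
Added example (not code from the thread or from ClamAV): the all-zero default rule and the mail-parser check from the last message, plus a version test that generalizes the strstr() check to accept 0.101 or later. struct scan_opts, the OPT_* values, version_at_least() and finalize_scan_opts() are stand-in names so it builds without libclamav; that later releases keep the 0.101 scan-options API is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins so this builds without libclamav (assumption): real code includes
 * <clamav.h> and uses struct cl_scan_options and the CL_SCAN_* macros.
 * The bit values here are placeholders, not copied from clamav.h. */
struct scan_opts { uint32_t general, parse, heuristic, mail, dev; };
#define OPT_GENERAL_HEURISTICS   0x4u
#define OPT_PARSE_MAIL           0x40u
#define OPT_MAIL_PARTIAL_MESSAGE 0x1u

/* Return 1 if a cl_retver()-style string such as "0.101.1" is at least
 * want_major.want_minor; anything unparseable counts as unsupported. */
int version_at_least(const char *ver, unsigned want_major, unsigned want_minor)
{
    unsigned major, minor;

    if (ver == NULL || ver[0] < '0' || ver[0] > '9')
        return 0;
    if (sscanf(ver, "%u.%u", &major, &minor) != 2)
        return 0;
    return major > want_major || (major == want_major && minor >= want_minor);
}

/* Apply defaults only when the user configured nothing at all, then refuse
 * (-1) any result that leaves the mail parser off; 0 means usable. */
int finalize_scan_opts(struct scan_opts *o)
{
    if ((o->general | o->parse | o->heuristic | o->mail | o->dev) == 0) {
        o->parse   = ~UINT32_C(0);               /* enable all parsers */
        o->general = OPT_GENERAL_HEURISTICS;     /* heuristic alerts */
        o->mail    = OPT_MAIL_PARTIAL_MESSAGE;   /* partial-message option */
    }
    return (o->parse & OPT_PARSE_MAIL) ? 0 : -1;
}

int main(void)
{
    struct scan_opts unset = {0};                       /* empty config */
    struct scan_opts no_heur = {0, OPT_PARSE_MAIL, 0, 0, 0};
    struct scan_opts no_mail = {OPT_GENERAL_HEURISTICS, 0, 0, 0, 0};

    printf("0.100.2 ok=%d, 0.101.1 ok=%d\n",
           version_at_least("0.100.2", 0, 101), version_at_least("0.101.1", 0, 101));
    printf("unset=%d no_heur=%d no_mail=%d\n", finalize_scan_opts(&unset),
           finalize_scan_opts(&no_heur), finalize_scan_opts(&no_mail));
    return 0;
}
```

A configuration that sets only the mail parser keeps heuristics off, which is the case the all-zero test is meant to preserve; one that sets any field but leaves the mail parser off is rejected rather than silently repaired.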


