Hi all,

I am trying to write an antivirus module for my ICAP server
(http://c-icap.sourceforge.net) and I have some questions.

First of all, how safe is it to use the cl_scanbuff function for uncompressed data, e.g. JavaScript or HTML pages, Java applets, uncompressed executables, PDF or MS Office files?
What about JPEG or GIF files? I think that viruses exist in uncompressed sections in these file types.


Moreover, I want to scan the data as it comes into the c-icap server. The data comes in chunks, so I want to scan first the 1st chunk, next the 2nd chunk, etc. But in this case the virus signature may be divided into two or more sequential chunks. How many bytes must I hold from previous chunks in order to say that I can safely scan incoming data?
(In practice I think that the question is: what can be the maximum size of a virus signature and how can I compute it?)


I found in libclamav the function:
cli_file_t cli_filetype(const char *buf, size_t buflen);
and I am using this function to determine the file type. As I saw, it
can determine the file type by reading only the first bytes, and for types where more data is needed in order to determine the file type (e.g. HTML or MIME mails), it cannot be used. Is there any single function which reads the rest of the data and determines file types?


However, cli_filetype is a useful function and maybe it can be placed in
the clamav.h header file.

Thanks in advance,
                   Christos

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-devel
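
Added example, not part of the original post and not libclamav code: a chunked scanner for the situation described in the message, carrying the last MAX_SIG-1 bytes of earlier data into each new chunk so that a pattern split across chunks is still matched. It assumes fixed-length byte patterns with a known maximum length; the patterns, `stream_scan_feed`, `scan_in_chunks` and the size constants are all constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample patterns for illustration, not real ClamAV signatures. */
static const char *const SIGS[] = { "EVIL-MARKER", "BAD42" };
#define NSIGS (sizeof SIGS / sizeof SIGS[0])
#define MAX_SIG 11      /* length of the longest pattern above */
#define MAX_CHUNK 4096  /* assumed upper bound on one incoming chunk */

/* tail holds the last bytes of all data seen so far (at most MAX_SIG-1). */
struct stream_scan { unsigned char tail[MAX_SIG - 1]; size_t tail_len; };

/* Report only matches that end in the new data, past the `old` carried bytes. */
static int match_window(const unsigned char *buf, size_t len, size_t old)
{
    for (size_t k = 0; k < NSIGS; k++) {
        size_t n = strlen(SIGS[k]);
        for (size_t i = 0; i + n <= len; i++)
            if (i + n > old && memcmp(buf + i, SIGS[k], n) == 0)
                return (int)k;
    }
    return -1;
}

/* Returns the matched pattern index, -1 if nothing found, -2 if chunk too big. */
int stream_scan_feed(struct stream_scan *s, const unsigned char *chunk, size_t len)
{
    unsigned char win[MAX_SIG - 1 + MAX_CHUNK];
    if (len > MAX_CHUNK) return -2;
    memcpy(win, s->tail, s->tail_len);
    memcpy(win + s->tail_len, chunk, len);
    size_t total = s->tail_len + len;
    int hit = match_window(win, total, s->tail_len);
    /* A pattern ending in a later chunk starts at most MAX_SIG-1 bytes back. */
    size_t keep = total < MAX_SIG - 1 ? total : MAX_SIG - 1;
    memcpy(s->tail, win + total - keep, keep);
    s->tail_len = keep;
    return hit;
}

/* Feed data in fixed-size chunks; carry=0 drops the tail to show the miss. */
int scan_in_chunks(const char *data, size_t chunk, int carry)
{
    struct stream_scan s = { {0}, 0 };
    size_t len = strlen(data);
    for (size_t off = 0; off < len; off += chunk) {
        size_t n = len - off < chunk ? len - off : chunk;
        if (!carry) s.tail_len = 0;
        int hit = stream_scan_feed(&s, (const unsigned char *)data + off, n);
        if (hit != -1) return hit;
    }
    return -1;
}
```

The carried tail is rebuilt from the combined window rather than from the chunk alone, so chunks shorter than MAX_SIG-1 bytes are handled as well.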
