Tomasz Kojm wrote:
>>int
>>scan_mem_data(char *data,int datasize)
>>{
>> int rc;
>> if (cl_needfilescan(data,datasize,...)) {
>> int tempfd=make_tempfile();
>> jumbo_write(tempfd,data,datasize);
>> rc=cl_scandesc(tempfd,...);
>> remove_tempfile(tempfd);
>> } else {
>> rc=cl_scanbuff(data,datasize,...);
>> }
>> return rc;
>>}
>>
>>What do you think? Is it possible?
>
>
> cl_needfilescan would be hard to implement (and most likely
> ineffective) because file type classification in ClamAV is rather
> complex (there are three methods and one of them even uses signature
> scanning).
First, I think that even very conservative approach (return "need file
scanning" if there is a slightest doubt) would be useful anyway,
eliminating large portion of unnecessary temp file operations.
Second, another round of signature scanning is OK if it saves filesystem
operation. Of course it would be ideal if cl_scanbuff() returned
tristate ("clean", "infected", "not sure, use file scanning") but it's
OK for me if there is a separate function.
For a start, what about adding something along these lines to libclamav:
/* return true (1) if file scanning is recommended */
int
cl_needfilescan(char *buf, size_t buflen)
{
int rc=1;
cli_file_t filetype;
filetype=cli_filetype(buf,buflen);
switch (filetype) {
case CL_TYPE_UNKNOWN_TEXT:
case CL_TYPE_UNKNOWN_DATA:
/* case CL_TYPE_MSEXE: not all exe's need filescan
but how to tell?? */
case CL_TYPE_DATA:
case CL_TYPE_GRAPHICS:
case CL_TYPE_RIFF:
case CL_TYPE_HTML:
rc=0;
break;
default:
rc=1;
break;
}
return rc;
}
Eugene
signature.asc
Description: OpenPGP digital signature
_______________________________________________ http://lurker.clamav.net/list/clamav-devel.html
