It's possible to scan a file or descriptor using:

    int cl_scanfile(const char *filename, const char **virname,
                    unsigned long int *scanned, const struct cl_engine *engine,
                    unsigned int options);

    int cl_scandesc(int desc, const char **virname,
                    unsigned long int *scanned, const struct cl_engine *engine,
                    unsigned int options);

Both functions store the virus name under the pointer virname. The virus name is part of the engine structure and must not be released directly. If the third argument (scanned) is not NULL, the functions will increase its value by the size of the scanned data (in CL_COUNT_PRECISION units).
The last argument (options) specifies the scan options and supports the following flags (which can be combined using bit operators):
- CL_SCAN_STDOPT
This is an alias for a recommended set of scan options. You
should use it to make your software ready for new features
in the future versions of libclamav.
- CL_SCAN_RAW
Use it alone if you want to disable support for special files.
- CL_SCAN_ARCHIVE
This flag enables transparent scanning of various archive formats.
- CL_SCAN_BLOCKENCRYPTED
With this flag the library will mark encrypted archives as viruses
(Encrypted.Zip, Encrypted.RAR).
- CL_SCAN_MAIL
Enable support for mail files.
- CL_SCAN_OLE2
Enables support for OLE2 containers (used by MS Office and .msi
files).
- CL_SCAN_PDF
Enables scanning within PDF files.
- CL_SCAN_SWF
Enables scanning within SWF files, notably compressed SWF.
- CL_SCAN_PE
This flag enables deep scanning of Portable Executable files and
allows libclamav to unpack executables compressed with run-time
unpackers.
- CL_SCAN_ELF
Enable support for ELF files.
- CL_SCAN_BLOCKBROKEN
libclamav will try to detect broken executables and mark them as
Broken.Executable.
- CL_SCAN_HTML
This flag enables HTML normalisation (including ScrEnc
decryption).
- CL_SCAN_ALGORITHMIC
Enable algorithmic detection of viruses.
- CL_SCAN_PHISHING_BLOCKSSL
Phishing module: always block SSL mismatches in URLs.
- CL_SCAN_PHISHING_BLOCKCLOAK
Phishing module: always block cloaked URLs.
- CL_SCAN_STRUCTURED
Enable the DLP module which scans for credit card and SSN
numbers.
- CL_SCAN_STRUCTURED_SSN_NORMAL
Search for SSNs formatted as xx-yy-zzzz.
- CL_SCAN_STRUCTURED_SSN_STRIPPED
Search for SSNs formatted as xxyyzzzz.
- CL_SCAN_PARTIAL_MESSAGE
Scan RFC1341 messages split over many emails. You will need to
periodically clean up the $TemporaryDirectory/clamav-partial
directory.
- CL_SCAN_HEURISTIC_PRECEDENCE
Allow heuristic match to take precedence. When enabled, if
a heuristic scan (such as phishingScan) detects a possible
virus/phish, the scan stops immediately. Recommended; saves CPU
scan time. When disabled, a virus/phish detected by heuristic scans
will be reported only at the end of a scan. If an archive
contains both a heuristically detected virus/phish and real
malware, the real malware will be reported.
- CL_SCAN_BLOCKMACROS
OLE2 containers which contain VBA macros will be marked infected
(Heuristics.OLE2.ContainsMacros).
All functions return CL_CLEAN when the file seems clean, CL_VIRUS when a virus is detected and another value on failure.

    ...
    const char *virname;

    /* ret and engine come from the elided setup code above */
    ret = cl_scanfile("/tmp/test.exe", &virname, NULL, engine, CL_SCAN_STDOPT);
    if(ret == CL_VIRUS) {
        printf("Virus detected: %s\n", virname);
    } else if(ret == CL_CLEAN) {
        printf("No virus detected.\n");
    } else {
        /* any other value is a scan failure, not a clean result */
        printf("Error: %s\n", cl_strerror(ret));
    }

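The following is an added example, not code from the ClamAV documentation: a fail-closed wrapper around cl_scandesc, using the signature shown on this page, that copies the engine-owned virus name and converts the scanned counter to bytes. The names scan_path, struct scan_result, enum verdict and the HAVE_LIBCLAMAV macro are hypothetical; without that macro a constructed stub stands in for the library so the logic runs offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef HAVE_LIBCLAMAV
#include <clamav.h>            /* real API: build with -DHAVE_LIBCLAMAV -lclamav */
#else                          /* constructed stand-ins, not the library itself */
struct cl_engine;
enum { CL_CLEAN = 0, CL_VIRUS = 1 };
#define CL_COUNT_PRECISION 4096
static int stub_ret = CL_CLEAN;          /* return code the stub scanner reports */
static int cl_scandesc(int desc, const char **virname, unsigned long int *scanned,
                       const struct cl_engine *engine, unsigned int options)
{
    (void)desc; (void)engine; (void)options;
    if (scanned) *scanned += 1;          /* pretend one counting unit was scanned */
    if (stub_ret == CL_VIRUS) *virname = "Constructed.Test.Signature";
    return stub_ret;
}
#endif
enum verdict { VERDICT_CLEAN, VERDICT_INFECTED, VERDICT_ERROR };
struct scan_result {
    enum verdict verdict;
    char name[128];                      /* private copy: virname belongs to the engine */
    unsigned long long bytes;            /* scanned counter converted to bytes */
};

/* Hypothetical wrapper: only an explicit CL_CLEAN yields VERDICT_CLEAN. */
static enum verdict scan_path(const char *path, const struct cl_engine *engine,
                              unsigned int options, struct scan_result *out)
{
    const char *virname = NULL;
    unsigned long int units = 0;
    struct stat st;
    out->verdict = VERDICT_ERROR; out->name[0] = '\0'; out->bytes = 0;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC); /* refuse symlinks */
    if (fd < 0) return out->verdict;     /* cannot open: stays VERDICT_ERROR */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {
        int ret = cl_scandesc(fd, &virname, &units, engine, options);
        out->bytes = (unsigned long long)units * CL_COUNT_PRECISION;
        if (ret == CL_CLEAN) out->verdict = VERDICT_CLEAN;
        else if (ret == CL_VIRUS) {
            out->verdict = VERDICT_INFECTED;
            snprintf(out->name, sizeof out->name, "%s", virname ? virname : "unknown");
        }                                /* any other ret: scan failure, fail closed */
    }
    close(fd);
    return out->verdict;
}
```

With the real library, pass the engine prepared by the setup code and CL_SCAN_STDOPT as options; callers should quarantine or reject on anything other than VERDICT_CLEAN.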
Cisco 2019-02-28