Commit 0cf5943
Increase max embedded objects limit from 10 -> 16
By limiting the embedded file recognition in embedded files, we detect
fewer embedded files overall.
For example, imagine a PE with a structure of embedded files like so:
outer pe:
  emb. file #1: valid pe #1
  emb. file #2: valid pe #2
  emb. file #3: valid pe #3
  emb. file #4: false positive for pe
  emb. file #5: false positive for pe
  emb. file #6: false positive for pe
  emb. file #7: false positive for pe
  emb. file #8: false positive for pe
  emb. file #9: false positive for pe
  emb. file #10: false positive for pe
  emb. file #11: valid pe #4
With an embedded objects limit of 10, we won't extract that 4th valid PE
file.
However, previously we allowed detection of embedded files within embedded
files, so ClamAV mistook the above structure for something like this:
outer pe:
  emb. file #1: valid pe #1
    emb. file #1: valid pe #2
      emb. file #1: valid pe #3
        emb. file #1: false positive for pe
        emb. file #2: false positive for pe
        emb. file #3: false positive for pe
        emb. file #4: false positive for pe
        emb. file #5: false positive for pe
        emb. file #6: false positive for pe
        emb. file #7: false positive for pe
        emb. file #8: valid pe #4
As you can see, this is able to find and scan that 4th PE file without
exceeding an embedded object limit of 10.
The old way of detecting embedded files within embedded files has other
drawbacks and is obviously inaccurate in terms of the actual file
structure. But it did have that going for it.
Anyway, to improve detection, this PR bumps the embedded objects limit
to 16. I think that's okay since we've added header checks for several
types like PEs, and have also removed the need to drop embedded PE
files to a temp file for each scan.
CLAM-28971

parent a1cd821
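To make the counting in the commit message concrete, here is an added example that is not ClamAV's code and not part of this commit: a small C model of the two scan strategies the message contrasts. The `emb_candidate` struct, the function names `scan_flat` and `scan_nested`, and the candidate offsets are assumptions made for this illustration; the sample layout is constructed to match the eleven-entry structure described above (three valid PEs, seven false positives, then a fourth valid PE). The model also goes slightly beyond the message by letting you vary the limit, so the point at which each strategy stops finding the fourth PE can be seen directly.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of embedded-object scanning, written for this page.
 * It is NOT ClamAV's code: the struct, the function names and the sample
 * layout are assumptions made to illustrate the counting in the commit
 * message above. */

/* One place in the parent file where a PE header pattern was matched. */
typedef struct {
    size_t offset;      /* where the match sits in the parent (constructed values) */
    bool   is_valid_pe; /* true if header checks accept it as a real PE */
} emb_candidate;

/* The layout from the commit message, as constructed sample data:
 * three valid PEs, seven false positives, then a fourth valid PE. */
const emb_candidate sample_layout[] = {
    {0x0400, true},  {0x1400, true},  {0x2400, true},
    {0x3000, false}, {0x3100, false}, {0x3200, false}, {0x3300, false},
    {0x3400, false}, {0x3500, false}, {0x3600, false},
    {0x4000, true},
};
const size_t sample_layout_len = sizeof sample_layout / sizeof sample_layout[0];

/* Current behaviour: every candidate in the outer file is counted against a
 * single embedded-objects limit, valid or not. Returns how many valid PEs
 * get extracted before the limit is hit. */
int scan_flat(const emb_candidate *c, size_t n, int max_embedded)
{
    int extracted = 0, valid = 0;
    for (size_t i = 0; i < n; i++) {
        if (extracted >= max_embedded)
            break; /* limit reached: later candidates are never looked at */
        extracted++;
        if (c[i].is_valid_pe)
            valid++;
    }
    return valid;
}

/* Old behaviour as the commit message describes it: a valid embedded PE was
 * itself scanned for embedded files, so the remainder of the parent was
 * attributed to it and counted against a fresh limit one level down.
 * False positives do not become containers, so they consume a slot at the
 * current level without descending. */
int scan_nested(const emb_candidate *c, size_t n, int max_embedded)
{
    int extracted = 0;
    for (size_t i = 0; i < n; i++) {
        if (extracted >= max_embedded)
            break;
        extracted++;
        if (c[i].is_valid_pe) {
            /* descend: the rest of the parent is scanned as this object's content */
            return 1 + scan_nested(c + i + 1, n - i - 1, max_embedded);
        }
    }
    return 0; /* only false positives (or nothing) left at this level */
}

int main(void)
{
    printf("flat,   limit 10: %d valid PEs\n", scan_flat(sample_layout, sample_layout_len, 10));
    printf("flat,   limit 16: %d valid PEs\n", scan_flat(sample_layout, sample_layout_len, 16));
    printf("nested, limit 10: %d valid PEs\n", scan_nested(sample_layout, sample_layout_len, 10));
    return 0;
}
```

With the sample layout, `scan_flat` returns 3 at a limit of 10 and 4 at 16, while `scan_nested` returns 4 at 10, which is the trade-off the message describes: the nested scan reached the fourth PE only because it mis-attributed everything after each valid PE to that PE, resetting the counter one level down. The flat scan keeps the real structure but has a hard ceiling, so any parent with more than `max_embedded` candidates ahead of a real PE still misses it; that is why the number of false-positive candidates (and hence the header checks mentioned in the message) matters as much as the limit itself.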
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
33 | 33 | | |
34 | 34 | | |
35 | 35 | | |
36 | | - | |
| 36 | + | |
37 | 37 | | |
38 | 38 | | |
39 | 39 | | |
| |||
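Review bot: the rendered hunk shows only that line 36 was replaced (one deletion, one addition) in an unnamed file; the old and new line contents are not visible here, so the 10 -> 16 change stated in the message cannot be confirmed from the diff as shown. Since the justification for the higher limit (header checks for PE and other types, and no longer dropping each embedded PE to a temp file) lives only in the commit message, consider adding a short comment beside the constant on line 36 recording why 16 was chosen and what it trades off, so the next person tuning the limit finds the reasoning without going back to CLAM-28971.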