Switch file patch.
Maikuolan committed Oct 15, 2024
1 parent 85afb42 commit 4510d8b
Showing 3 changed files with 85 additions and 73 deletions.
1 change: 1 addition & 0 deletions Changelog.md
Expand Up @@ -152,3 +152,4 @@ __*Why "v3.0.0" instead of "v1.0.0?"*__ Prior to phpMussel v3, the "phpMussel Co
- [2024.10.15]: Added support to optionally disable adding new hash cache entries when a specific instance cache flag is used.
- [2024.10.15]: Added support to inform the user via an optional instance cache flag which flags were set by the switch file during the scan when scanning via CLI.
- [2024.10.15]: Added MP4 file type detection and modified PHP file type detection to reduce the risk of false positives (e.g., see phpMussel/phpMussel#241).
- [2024.10.15]: Improved the phpMussel switch file.
116 changes: 69 additions & 47 deletions assets/switch.dat
@@ -1,47 +1,69 @@
Switch file for phpMussel.

== Sets flags for ignoring some certain ClamAV signature files ==
FD-RX:377f068[23]002de218:A:8;infectable=false
FD:252150532d41646f62652d:A:11;infectable=false
FD:28546869732066696c65206d75737420626520636f6e76657274656420776974682042696e48657820342e3029:A:45;infectable=false
FD:2e524d46:A:4;infectable=false
FD:2f5247420a49440affffffffffffffffffffffffffffffffffffffffffffffff:0:128;infectable=false
FD:494433:A:3;infectable=false
FD:4f676753:A:4;infectable=false
FD:5349502d48495420285349502f48:A:14;infectable=false
FD:53514c69746520666f726d6174203300:A:16;infectable=false
FD:53594d430100:A:6;infectable=false
FD:d9d505f920a163d7:A:8;infectable=false
FD:fffb90:A:3;infectable=false

== Assists with determining potential file content ==
$fileswitch:unassigned;FN:\.[Mm][Pp]?4.?$;FD-RX:63(686170|6c6970|72676e|746162)|66726565|66747970|696d6170|6a7032|6b6d6174|6c6f6164|6d(617474|646174|6f6f66|6f6f76)|70696374|706e6f74|73(637074|6b6970|737263|796e63)|746d6364|75647461|75756964|77696465:4:4;fileswitch=mp4
$fileswitch:unassigned;FD:4d5a:A:2;fileswitch=pefile
$fileswitch:unassigned;FD-RX:(cafebabe|cafed00d|cefaedfe|cffaedfe|feedface|feedfacf):A:4;fileswitch=java
$fileswitch:unassigned;FD-RX:494433|fffb90:A:3;fileswitch=mp3
$fileswitch:unassigned;FD-NORM-RX:23212f7573722f(6c6f63616c2f)?62696e2f(656e76)?7065726c:A:24;fileswitch=perl
$fileswitch:unassigned;FD:43723234:A:4;fileswitch=chrome
$fileswitch:unassigned;FD:4c00000001140200:A:8;fileswitch=lnk
$fileswitch:unassigned;FD:d0cf11:A:3;fileswitch=docfile
$fileswitch:unassigned;FD-NORM-RX:23212f7573722f(6c6f63616c2f)?62696e2f(656e76)?707974686f6e:A:26;fileswitch=py
$fileswitch:unassigned;FD-NORM:6372656174656f626a656374;fileswitch=vb
$fileswitch:unassigned;FD-NORM:406563686f;fileswitch=bat
$fileswitch:unassigned;FD-NORM-RX:3c736372697074.{0,128}(6c616e67756167653d2[27]76627363726970742[27]|747970653d2[27]746578742f76627363726970742[27]);fileswitch=vb
$fileswitch:unassigned;FD-NORM-RX:3c736372697074.{0,128}(6c616e67756167653d2[27]6a6176617363726970742[27]|747970653d2[27]746578742f6a6176617363726970742[27]);fileswitch=js
$fileswitch:unassigned;FD-NORM-RX:3c25406c616e67756167653d(2[27])?76627363726970742e656e636f6465;fileswitch=vb
$fileswitch:unassigned;FD-NORM-RX:23212f7573722f(6c6f63616c2f)?62696e2f(656e76)?72756279:A:24;fileswitch=ruby
$fileswitch:unassigned;FN:\.([Bb][Aa][Tt]|[Cc][Mm][Dd]|[Bb][Tt][Mm])$;fileswitch=bat
$fileswitch:unassigned;FN:\.([Vv][Bb].{0,3}|[Ww][Ss][CcFf]|[Hh][Tt][Aa]?[Mm]?[Ll]?)$;fileswitch=vb
$fileswitch:unassigned;FN:\.[Mm][Pp].$;fileswitch=mp3
$fileswitch:unassigned;FD:3c25:A:2;fileswitch=asp
$fileswitch:unassigned;FN:\.([Aa][Uu][Tt][Oo][Rr][Uu][Nn]|[Ii][Nn][Ff]|[Ii][Nn][Ii]|[Cc][Ff][Gg])$;fileswitch=inf
$fileswitch:unassigned;FN:\.[Aa][Ss][Pp].?$;fileswitch=asp
$fileswitch:unassigned;FN:\.[Jj][Ss]([Pp][Xx]?|[Oo][Nn])?$;fileswitch=js
$fileswitch:unassigned;FN:\.[Pp][Yy].?$;fileswitch=py
$fileswitch:unassigned;FN:\.[Jj][Aa]([Vv][Aa]|[Rr])$;fileswitch=java
$fileswitch:unassigned;FN:\.[Pp]([Ee][Rr])?[Ll]$;fileswitch=perl
$fileswitch:unassigned;FN:\.[Cc][Gg][Ii]$;fileswitch=cgi
$fileswitch:unassigned;FN:\.([Rr][Uu]?[Bb][WwYy]?|[Gg][Ee][Mm])$;fileswitch=ruby
$fileswitch:unassigned;FN:\.([Cc][Vv][Dd]|[Ii][Nn][Cc]|[Mm][Dd]|[Tt][Xx][Tt])$;fileswitch=ignore
$fileswitch:unassigned;FD-RX:(1f8b|425a68|504b|52617221|7f454c46):A:4;fileswitch=vt_interest
$fileswitch:unassigned;FD:7801:A:2;FD:6b6f6c79:-512;fileswitch=vt_interest
# Switch file for phpMussel.



# Used by the ClamAV General and the ClamAV ASCII signature files to ignore certain signatures
# ---
!ISSET:infectable;FD-RX:377f068[23]002de218:A:8;infectable=false
!ISSET:infectable;FD:252150532d41646f62652d:A:11;infectable=false
!ISSET:infectable;FD:28546869732066696c65206d75737420626520636f6e76657274656420776974682042696e48657820342e3029:A:45;infectable=false
!ISSET:infectable;FD:2e524d46:A:4;infectable=false
!ISSET:infectable;FD:2f5247420a49440affffffffffffffffffffffffffffffffffffffffffffffff:0:128;infectable=false
!ISSET:infectable;FD:494433:A:3;infectable=false
!ISSET:infectable;FD:4f676753:A:4;infectable=false
!ISSET:infectable;FD:5349502d48495420285349502f48:A:14;infectable=false
!ISSET:infectable;FD:53514c69746520666f726d6174203300:A:16;infectable=false
!ISSET:infectable;FD:53594d430100:A:6;infectable=false
!ISSET:infectable;FD:d9d505f920a163d7:A:8;infectable=false
!ISSET:infectable;FD:fffb90:A:3;infectable=false
!ISSET:infectable;infectable=true



# Assists with determining most probably file format, and thus, probable types of content.
# ---
FD-RX:435753|465753|5a5753:A:3;is_swf=true
!ISSET:is_swf;FN:\.[Ss][Ww][FfTt]$;is_swf=true
!ISSET:is_swf;is_swf=false

FD:25504446:A:4;pdf_magic=true
!ISSET:pdf_magic;pdf_magic=false
$pdf_magic:true;is_pdf=true
FN:\.[Pp][Dd][Ff]$;is_pdf=true
!ISSET:is_pdf;is_pdf=false

!ISSET:fileswitch;FN:\.[Mm][Pp]?4.?$;FD-RX:63(?:686170|6c6970|72676e|746162)|66726565|66747970|696d6170|6a7032|6b6d6174|6c6f6164|6d(?:617474|646174|6f6f66|6f6f76)|70696374|706e6f74|73(?:637074|6b6970|737263|796e63)|746d6364|75647461|75756964|77696465:4:4;fileswitch=mp4
!ISSET:fileswitch;FD:4d5a:A:2;fileswitch=pefile
FD-RX:cafe(?:babe|d00d)|c[ef]faedfe|feedfac[ef]:A:4;is_macho=true
!ISSET:is_macho;is_macho=false
!ISSET:fileswitch;$is_macho:true;fileswitch=java
!ISSET:fileswitch;FD-RX:494433|fffb90:A:3;fileswitch=mp3
!ISSET:fileswitch;FD-NORM-RX:23212f7573722f(?:6c6f63616c2f)?62696e2f(?:656e76)?7065726c:A:24;fileswitch=perl
!ISSET:fileswitch;FD:43723234:A:4;fileswitch=chrome
!ISSET:fileswitch;FD:4c00000001140200:A:8;fileswitch=lnk
!ISSET:fileswitch;FD:d0cf11:A:3;fileswitch=docfile
!ISSET:fileswitch;FD-NORM-RX:23212f7573722f(?:6c6f63616c2f)?62696e2f(?:656e76)?707974686f6e:A:26;fileswitch=py
!ISSET:fileswitch;FD-NORM:6372656174656f626a656374;fileswitch=vb
!ISSET:fileswitch;FD-NORM:406563686f;fileswitch=bat
!ISSET:fileswitch;FD-NORM-RX:3c736372697074.{0,128}(?:6c616e67756167653d2[27]76627363726970742[27]|747970653d2[27]746578742f76627363726970742[27]);fileswitch=vb
!ISSET:fileswitch;FD-NORM-RX:3c736372697074.{0,128}(?:6c616e67756167653d2[27]6a6176617363726970742[27]|747970653d2[27]746578742f6a6176617363726970742[27]);fileswitch=js
!ISSET:fileswitch;FD-NORM-RX:3c25406c616e67756167653d(?:2[27])?76627363726970742e656e636f6465;fileswitch=vb
!ISSET:fileswitch;FD-NORM-RX:23212f7573722f(?:6c6f63616c2f)?62696e2f(?:656e76)?72756279:A:24;fileswitch=ruby
!ISSET:fileswitch;FN:\.(?:[Bb][Aa][Tt]|[Cc][Mm][Dd]|[Bb][Tt][Mm])$;fileswitch=bat
!ISSET:fileswitch;FN:\.(?:[Vv][Bb].{0,3}|[Ww][Ss][CcFf]|[Hh][Tt][Aa]?[Mm]?[Ll]?)$;fileswitch=vb
!ISSET:fileswitch;FN:\.[Mm][Pp].$;fileswitch=mp3
!ISSET:fileswitch;FD:3c25:A:2;fileswitch=asp
!ISSET:fileswitch;FN:\.(?:[Aa][Uu][Tt][Oo][Rr][Uu][Nn]|[Ii][Nn][Ff]|[Ii][Nn][Ii]|[Cc][Ff][Gg])$;fileswitch=inf
!ISSET:fileswitch;FN:\.[Aa][Ss][Pp].?$;fileswitch=asp
!ISSET:fileswitch;FN:\.[Jj][Ss](?:[Pp][Xx]?|[Oo][Nn])?$;fileswitch=js
!ISSET:fileswitch;FN:\.[Pp][Yy].?$;fileswitch=py
!ISSET:fileswitch;FN:\.[Jj][Aa](?:[Vv][Aa]|[Rr])$;fileswitch=java
!ISSET:fileswitch;FN:\.[Pp](?:[Ee][Rr])?[Ll]$;fileswitch=perl
!ISSET:fileswitch;FN:\.[Cc][Gg][Ii]$;fileswitch=cgi
!ISSET:fileswitch;FN:\.(?:[Rr][Uu]?[Bb][WwYy]?|[Gg][Ee][Mm])$;fileswitch=ruby
!ISSET:fileswitch;$is_swf:true;fileswitch=swf
!ISSET:fileswitch;$is_pdf:true;fileswitch=pdf
!ISSET:fileswitch;FN:\.(?:[Cc][Vv][Dd]|[Ii][Nn][Cc]|[Mm][Dd]|[Tt][Xx][Tt])$;fileswitch=ignore
!ISSET:fileswitch;FD-RX:(?:1f8b|425a68|504b|52617221|7f454c46):A:4;fileswitch=vt_interest
!ISSET:fileswitch;FD:7801:A:2;FD:6b6f6c79:-512;fileswitch=vt_interest
!ISSET:fileswitch;fileswitch=unassigned
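Review bot: Every flag the scanner later reads (`infectable`, `is_swf`, `pdf_magic`, `is_pdf`, `is_macho`, `fileswitch`) is now defined only by the unconditional `!ISSET:<flag>;<flag>=<default>` line that closes each block, and nothing in the file says that Scanner.php no longer initialises these, so deleting or reordering one of those trailing lines silently leaves a PHP local undefined. I would state the contract in the header comment: `# Each flag block MUST end with an unconditional "!ISSET:<flag>;<flag>=<default>" fallback; Scanner.php no longer initialises these variables itself.` Since the scanner matches `FN` patterns with the case-insensitive flag, the `[Mm][Pp]`-style character classes are redundant and could be written as plain lowercase (`FN:\.(?:bat|cmd|btm)$`), which would make the rules far easier to audit. The `FN:\.[Pp][Dd][Ff]$;is_pdf=true` line also lacks the `!ISSET:is_pdf` guard the sibling blocks use; harmless today because it assigns the same value, but inconsistent.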
41 changes: 15 additions & 26 deletions src/Scanner.php
Expand Up @@ -1269,7 +1269,6 @@ private function dataHandler(string $str = '', int $Depth = 0, string $OriginalF
$len_hgb = ($StringLength > 536870912) ? 1 : 0;
$phase = $this->Loader->InstanceCache['phase'];
$container = $this->Loader->InstanceCache['container'];
$pdf_magic = ($fourcc === '25504446');

/** CoEx flags for configuration directives related to signatures. */
foreach ([
Expand Down Expand Up @@ -1341,21 +1340,6 @@ private function dataHandler(string $str = '', int $Depth = 0, string $OriginalF
$str_hex
) || preg_match('/0a2d2d.{32}(?:2d2d)?(?:0d)?0a/i', $str_hex));

/** Look for potential Mach-O indicators. */
$is_macho = preg_match('/^(?:cafe(?:babe|d00d)|c[ef]faedfe|feedfac[ef])$/', $fourcc);

/** Look for potential PDF indicators. */
$is_pdf = ($pdf_magic || $xt === 'pdf');

/** Look for potential Shockwave/SWF indicators. */
$is_swf = (
strpos(',435753,465753,5a5753,', ',' . substr($str_hex, 0, 6) . ',') !== false ||
strpos(',swf,swt,', ',' . $xt . ',') !== false
);

/** "Infectable"? Used by ClamAV General and ClamAV ASCII signatures. */
$infectable = true;

/** "Asciiable"? Used by all ASCII signatures. */
$asciiable = (bool)$str_hex_norm_len;

Expand All @@ -1365,33 +1349,36 @@ private function dataHandler(string $str = '', int $Depth = 0, string $OriginalF
strpos(',bin,ole,xml,rels,', ',' . $xt . ',') !== false
);

/** Worked by the switch file. */
$fileswitch = 'unassigned';
if (!empty($this->Loader->InstanceCache['sf'])) {
if (!isset($this->Loader->InstanceCache['Print after CLI scan'])) {
$this->Loader->InstanceCache['Print after CLI scan'] = '';
}
$this->Loader->InstanceCache['Print after CLI scan'] .= sprintf($this->Loader->L10N->getString('label.Flags set by the switch file while scanning %s'), $OriginalFilename) . "\n";
}

/** Process the switch file. */
if (!isset($this->Loader->InstanceCache['switch.dat'])) {
$this->Loader->InstanceCache['switch.dat'] = $this->Loader->readFileAsArray($this->AssetsPath . 'switch.dat', FILE_IGNORE_NEW_LINES);
}
foreach ($this->Loader->InstanceCache['switch.dat'] as $ThisRule) {
if ($ThisRule === '' || substr($ThisRule, 0, 1) === '#') {
continue;
}
$Switch = (strpos($ThisRule, ';') === false) ? $ThisRule : $this->Loader->substrAfterLast($ThisRule, ';');
if (strpos($Switch, '=') === false) {
continue;
}
$Switch = explode('=', preg_replace('/[^\x20-\xFF]/', '', $Switch));
$Switch = explode('=', preg_replace('/[^\x20-\xFF]/', '', $Switch), 2);
if (empty($Switch[0])) {
continue;
}
if (empty($Switch[1])) {
$Switch[1] = false;
}
$theSwitch = $Switch[0];
$ThisRule = (strpos($ThisRule, ';') === false) ? [$ThisRule] : explode(';', $this->Loader->substrBeforeLast($ThisRule, ';'));
$ThisRule = (strpos($ThisRule, ';') === false) ? [] : explode(';', $this->Loader->substrBeforeLast($ThisRule, ';'));
foreach ($ThisRule as $Fragment) {
$Fragment = (strpos($Fragment, ':') === false) ? false : $this->splitSigParts($Fragment, 7);
$Fragment = (strpos($Fragment, ':') === false) ? [] : $this->splitSigParts($Fragment, 7);
if (empty($Fragment[0])) {
continue 2;
}
Expand Down Expand Up @@ -1489,15 +1476,17 @@ private function dataHandler(string $str = '', int $Depth = 0, string $OriginalF
continue 2;
}
}
} elseif (
} elseif (isset($Fragment[1]) && (
($Fragment[0] === 'FN' && !preg_match('/(?:' . $Fragment[1] . ')/i', $OriginalFilename)) ||
($Fragment[0] === 'FS-MIN' && $StringLength < $Fragment[1]) ||
($Fragment[0] === 'FS-MAX' && $StringLength > $Fragment[1]) ||
($Fragment[0] === 'FD' && strpos($str_hex, $Fragment[1]) === false) ||
($Fragment[0] === 'FD-RX' && !preg_match('/(?:' . $Fragment[1] . ')/i', $str_hex)) ||
($Fragment[0] === 'FD-NORM' && strpos($str_hex_norm, $Fragment[1]) === false) ||
($Fragment[0] === 'FD-NORM-RX' && !preg_match('/(?:' . $Fragment[1] . ')/i', $str_hex_norm))
) {
($Fragment[0] === 'FD-NORM-RX' && !preg_match('/(?:' . $Fragment[1] . ')/i', $str_hex_norm)) ||
($Fragment[0] === 'ISSET' && !isset(${$Fragment[1]})) ||
($Fragment[0] === '!ISSET' && isset(${$Fragment[1]}))
)) {
continue 2;
} elseif (substr($Fragment[0], 0, 1) === '$') {
$VarInSigFile = substr($Fragment[0], 1);
Expand All @@ -1506,10 +1495,10 @@ private function dataHandler(string $str = '', int $Depth = 0, string $OriginalF
}
} elseif (substr($Fragment[0], 0, 2) === '!$') {
$VarInSigFile = substr($Fragment[0], 2);
if (!isset($$VarInSigFile) || is_array($$VarInSigFile) || $$VarInSigFile == $Fragment[1]) {
if (isset($$VarInSigFile) && !is_array($$VarInSigFile) && $$VarInSigFile == $Fragment[1]) {
continue 2;
}
} elseif (strpos(',FN,FS-MIN,FS-MAX,FD,FD-RX,FD-NORM,FD-NORM-RX,', ',' . $Fragment[0] . ',') === false) {
} elseif (strpos(',FN,FS-MIN,FS-MAX,FD,FD-RX,FD-NORM,FD-NORM-RX,ISSET,!ISSET,', ',' . $Fragment[0] . ',') === false) {
continue 2;
}
}
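Review bot: The PHP-side defaults for `$fileswitch`, `$infectable`, `$is_macho`, `$is_pdf` and `$is_swf` were removed, and because the new `!ISSET` rules require those locals to be unset while the loop runs, nothing in the function guarantees they exist afterwards: if `switch.dat` cannot be read (what `readFileAsArray` returns for a missing file is not visible here) or its trailing fallback lines are edited out, the code that later tests them sees null. I would add a safety net after the outer `foreach` (outside this hunk), e.g. `$fileswitch = $fileswitch ?? 'unassigned'; $infectable = $infectable ?? true;` plus `$is_macho = $is_macho ?? false;` for each of the three `is_*` flags. Separately, the loose `==` kept in the rewritten `!$` branch compares switch-file strings with PHP values, and under PHP 8's comparison rules `false == 'false'` is false because the non-empty string converts to true, so a `!$asciiable:false` rule could never skip; normalising booleans first, `$Actual = is_bool($$VarInSigFile) ? ($$VarInSigFile ? 'true' : 'false') : (string)$$VarInSigFile;` and comparing `$Actual === $Fragment[1]`, would make the semantics explicit. dataHandler() starts and ends outside the hunks shown, so the point about the post-loop defaults depends on code not visible here.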
