From 1217a12f80aa96848d61a14faa8efcf9230c84d2 Mon Sep 17 00:00:00 2001
From: Yvan Janssens
Date: Fri, 7 Apr 2023 13:45:57 +0200
Subject: [PATCH] Implement sanity check so we stop startup if we can't detect any malware samples.

---
 go.mod | 2 +-
 go.sum | 2 ++
 malscan.go | 55 +++++++++++++----------------------
 scanner.go | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 92 insertions(+), 39 deletions(-)
 create mode 100644 scanner.go

diff --git a/go.mod b/go.mod
index 1031acb..b9ba34c 100644
--- a/go.mod
+++ b/go.mod
@@ -2,4 +2,4 @@ module git.cyber.gent/friedkiwi/malscan
 
 go 1.18
 
-require git.cyber.gent/friedkiwi/go-clamav v0.7.1
+require git.cyber.gent/friedkiwi/go-clamav v0.7.2
diff --git a/go.sum b/go.sum
index a21dd10..41ccf69 100644
--- a/go.sum
+++ b/go.sum
@@ -4,5 +4,7 @@ git.cyber.gent/friedkiwi/go-clamav v0.7.0 h1:d6AxgOZhC1XEoo+msrRn3CQ6T7foF5JnbAp
 git.cyber.gent/friedkiwi/go-clamav v0.7.0/go.mod h1:g/eB2nMDbD9z92r4ceCjEzXr189AD3ChiSi431iINhg=
 git.cyber.gent/friedkiwi/go-clamav v0.7.1 h1:Xb53blnUfsqhudlqjMbbbLTY0gIdsUri+WmH5+E8ARI=
 git.cyber.gent/friedkiwi/go-clamav v0.7.1/go.mod h1:g/eB2nMDbD9z92r4ceCjEzXr189AD3ChiSi431iINhg=
+git.cyber.gent/friedkiwi/go-clamav v0.7.2 h1:N4xp5vHxjtVBOE9C27+6cAvi6gnuVnb3cEesM7fdTPw=
+git.cyber.gent/friedkiwi/go-clamav v0.7.2/go.mod h1:g/eB2nMDbD9z92r4ceCjEzXr189AD3ChiSi431iINhg=
 github.com/ca110us/go-clamav v0.6.0 h1:f8h/5Z9rJbSRFrmeZsAJCpJZ+6DVGBYw1fufvuc+oQA=
 github.com/ca110us/go-clamav v0.6.0/go.mod h1:6kMDtag0KOIuKxfoArtCRCATCYr1inVLGatSXp9xm1s=
diff --git a/malscan.go b/malscan.go
index aa7fdcf..04ebf97 100644
--- a/malscan.go
+++ b/malscan.go
@@ -2,9 +2,8 @@ package main
 
 import (
 	"fmt"
+	"log"
 	"time"
-
-	clamav "git.cyber.gent/friedkiwi/go-clamav"
 )
 
 func banner() {
@@ -13,49 +12,29 @@ func banner() {
 	fmt.Println("")
 }
 
+func sanity_check() bool {
+	vName, error := scan_data([]byte("X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"))
+	if error != nil && vName == "" {
+		panic(error)
+	}
+	if vName == "Win.Test.EICAR_HDB-1" {
+		return true
+	}
+	return false
+}
+
 func main() {
 	banner()
 
 	// start freshclam goroutine
 	go freshclam_update()
 
-	// new clamav instance
-	c := new(clamav.Clamav)
-	err := c.Init(clamav.SCAN_OPTIONS{
-		General: 0,
-		Parse: clamav.CL_SCAN_PARSE_ARCHIVE | clamav.CL_SCAN_PARSE_ELF,
-		Heuristic: 0,
-		Mail: 0,
-		Dev: 0,
-	})
-
-	if err != nil {
-		panic(err)
+	log.Println("Carrying out sanity checks...")
+	if !sanity_check() {
+		log.Println("Sanity check failed!")
+		return
 	}
-
-	// free clamav memory
-	defer c.Free()
-
-	// load db
-	signo, err := c.LoadDB("/usr/local/share/clamav", uint(clamav.CL_DB_DIRECTORY))
-	if err != nil {
-		panic(err)
-	}
-	fmt.Println("db load succeed:", signo)
-
-	// compile engine
-	err = c.CompileEngine()
-	if err != nil {
-		panic(err)
-	}
-
-	c.EngineSetNum(clamav.CL_ENGINE_MAX_SCANSIZE, 1024*1024*40)
-	c.EngineSetNum(clamav.CL_ENGINE_MAX_SCANTIME, 9000)
-	// fmt.Println(c.EngineGetNum(clamav.CL_ENGINE_MAX_SCANSIZE))
-
-	// scan
-	scanned, virusName, ret := c.ScanFile("/bin/bash")
-	fmt.Println(scanned, virusName, ret)
+	log.Println("Sanity check passed! Continuing startup...")
 
 	// loop forever.
 	for {
diff --git a/scanner.go b/scanner.go
new file mode 100644
index 0000000..e129d36
--- /dev/null
+++ b/scanner.go
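Review bot: When the sanity check fails, the `return` after `log.Println("Sanity check failed!")` leaves main normally, so the process exits with status 0 and a supervisor or container runtime sees a clean exit rather than the aborted startup this commit is meant to enforce; `log.Fatalln("Sanity check failed!")` exits with status 1 and expresses the intent. In sanity_check the local named `error` shadows the builtin type and is conventionally `err`, and a nil error together with an empty detection name produces no diagnostic at all, so logging `vName` and the error before `return false` would make a bad database easier to debug. The expected detection name "Win.Test.EICAR_HDB-1" is hard-coded; if the signature name differs between database releases (older databases are reported to use "Eicar-Test-Signature"), the check would fail on a healthy engine, so a comment recording where the name comes from — or a `strings.Contains(vName, "EICAR")` match — would guard against that. Since `go freshclam_update()` is started just before the check, a first run with an empty database directory will presumably fail the check before the update has a chance to populate it — worth confirming. main's body continues past the end of the hunk.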
@@ -0,0 +1,72 @@
+package main
+
+import (
+	"errors"
+	"io/ioutil"
+	"log"
+	"os"
+
+	clamav "git.cyber.gent/friedkiwi/go-clamav"
+)
+
+func scan_data(data []byte) (string, error) {
+	log.Println("scan_data(): scanning data...")
+
+	// write data out to file to be scanned
+	tempFile, err := ioutil.TempFile("", "*.bin")
+	if err != nil {
+		return "", err
+	}
+	defer os.Remove(tempFile.Name())
+
+	bytesWritten, writeErr := tempFile.Write(data)
+	if writeErr != nil {
+		return "", writeErr
+	}
+
+	if bytesWritten != len(data) {
+		return "", errors.New("scan_data(): bytesWritten!= len(data)")
+	}
+
+	if err := tempFile.Close(); err != nil {
+		return "", err
+	}
+	// temporary file is now written to disk
+
+	// new clamav instance
+	clamavInstance := new(clamav.Clamav)
+	clamInitError := clamavInstance.Init(clamav.SCAN_OPTIONS{
+		General: 0,
+		Parse: clamav.CL_SCAN_PARSE_ARCHIVE | clamav.CL_SCAN_PARSE_ELF,
+		Heuristic: 0,
+		Mail: 0,
+		Dev: 0,
+	})
+
+	if clamInitError != nil {
+		return "", clamInitError
+	}
+
+	// free clamav memory
+	defer clamavInstance.Free()
+
+	// load db
+	_, loadDbError := clamavInstance.LoadDB("/usr/local/share/clamav", uint(clamav.CL_DB_DIRECTORY))
+	if loadDbError != nil {
+		return "", err
+	}
+
+	// compile engine
+	err = clamavInstance.CompileEngine()
+	if err != nil {
+		return "", err
+	}
+
+	clamavInstance.EngineSetNum(clamav.CL_ENGINE_MAX_SCANSIZE, 1024*1024*40)
+	clamavInstance.EngineSetNum(clamav.CL_ENGINE_MAX_SCANTIME, 9000)
+
+	// scan
+	_, virusName, ret := clamavInstance.ScanFile(tempFile.Name())
+
+	return virusName, ret
+}
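Review bot: The database-load failure branch returns the wrong variable: `if loadDbError != nil { return "", err }` hands back `err`, which is nil at that point because the TempFile error was already checked, so a missing or unreadable signature database makes scan_data return `("", nil)` — indistinguishable from a clean scan — instead of an error; the line should read `return "", loadDbError`. `ioutil.TempFile` has been deprecated since Go 1.16 and go.mod declares Go 1.18, so `os.CreateTemp("", "*.bin")` is the drop-in replacement, and the `EngineSetNum` results are discarded, so a rejected scan-size or scan-time limit would go unnoticed. Building a fresh engine and reloading the full signature database on every call is also expensive; if scan_data is meant to be called per sample rather than only at startup, presumably the engine should be created once and reused, though go-clamav's thread-safety guarantees would need checking before sharing it across goroutines.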