<!DOCTYPE HTML>
<html lang="en" class="clamav sidebar-visible" dir="ltr">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>Dev Tips & Tricks - ClamAV Documentation</title>
<!-- Custom HTML head -->
<meta name="description" content="An open source malware detection toolkit and antivirus engine.">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff">
<link rel="shortcut icon" href="../../favicon.png">
<link rel="stylesheet" href="../../css/variables.css">
<link rel="stylesheet" href="../../css/general.css">
<link rel="stylesheet" href="../../css/chrome.css">
<link rel="stylesheet" href="../../css/print.css" media="print">
<!-- Fonts -->
<link rel="stylesheet" href="../../FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="../../fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" id="highlight-css" href="../../highlight.css">
<link rel="stylesheet" id="tomorrow-night-css" href="../../tomorrow-night.css">
<link rel="stylesheet" id="ayu-highlight-css" href="../../ayu-highlight.css">
<!-- Custom theme stylesheets -->
<!-- MathJax: third-party CDN script loaded without Subresource Integrity; add integrity="<SRI hash placeholder>" and crossorigin="anonymous" to the tag below once the hash of the pinned file is known -->
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script>
<!-- Provide site root and default themes to javascript -->
<script>
// Relative path from this page to the site root; presumably consumed by toc.js /
// book.js (neither is visible here — verify before relying on it).
const path_to_root = "../../";
// Theme class names applied to <html> by the theme-selection script further down;
// both resolve to the same "clamav" theme on this site.
const default_light_theme = "clamav";
const default_dark_theme = "clamav";
</script>
<!-- Start loading toc.js asap -->
<script src="../../toc.js"></script>
</head>
<body>
<div id="body-container">
<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script>
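// Work around values stored in localStorage wrapped in quotes: strip one pair of
// surrounding double quotes from each mdBook key. Each key is checked on its own,
// so a missing 'mdbook-theme' (getItem returns null) no longer throws before the
// 'mdbook-sidebar' value has been fixed up. Any failure (storage unavailable or
// access denied) is deliberately ignored — this is a best-effort cleanup.
try {
  for (const key of ['mdbook-theme', 'mdbook-sidebar']) {
    const value = localStorage.getItem(key);
    if (typeof value === 'string' && value.startsWith('"') && value.endsWith('"')) {
      localStorage.setItem(key, value.slice(1, value.length - 1));
    }
  }
} catch (e) { }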
</script>
<!-- Set the theme before any content is loaded, prevents flash -->
<script>
// Choose the theme before any content renders so there is no flash of the wrong
// theme. Priority: value saved under 'mdbook-theme' in localStorage, otherwise the
// OS colour-scheme preference (dark -> default_dark_theme, light -> default_light_theme,
// both declared in the <head> script).
const default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches
  ? default_dark_theme
  : default_light_theme;
let theme;
try {
  theme = localStorage.getItem('mdbook-theme');
} catch (e) { }
// getItem yields null when the key is unset; theme stays undefined if the try
// block threw. Loose equality covers exactly those two cases.
if (theme == null) {
  theme = default_theme;
}
// `html` is intentionally global: the sidebar script below reuses it.
const html = document.documentElement;
html.classList.remove('clamav');
html.classList.add(theme);
html.classList.add("js");
</script>
<input type="checkbox" id="sidebar-toggle-anchor" class="hidden">
<!-- Hide / unhide sidebar before it is displayed -->
<script>
// Decide the sidebar's initial state before it is painted. Wide viewports
// (>= 1080px) honour the preference saved under 'mdbook-sidebar' and default to
// visible; narrow viewports always start hidden. `sidebar` stays global because
// the ARIA fix-up script further down reads it.
let sidebar = null;
const sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
if (document.body.clientWidth < 1080) {
  sidebar = 'hidden';
} else {
  try {
    sidebar = localStorage.getItem('mdbook-sidebar');
  } catch (e) { }
  // null or empty string both fall back to the visible state.
  if (!sidebar) {
    sidebar = 'visible';
  }
}
sidebar_toggle.checked = (sidebar === 'visible');
html.classList.remove('sidebar-visible');
html.classList.add("sidebar-" + sidebar);
</script>
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<!-- populated by js -->
<mdbook-sidebar-scrollbox class="sidebar-scrollbox"></mdbook-sidebar-scrollbox>
<noscript>
<iframe class="sidebar-iframe-outer" src="../../toc.html"></iframe>
</noscript>
<div id="sidebar-resize-handle" class="sidebar-resize-handle">
<div class="sidebar-resize-indicator"></div>
</div>
</nav>
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="menu-bar-hover-placeholder"></div>
<div id="menu-bar" class="menu-bar sticky">
<div class="left-buttons">
<label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
<i class="fa fa-bars"></i>
</label>
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
<i class="fa fa-paint-brush"></i>
</button>
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
<li role="none"><button role="menuitem" class="theme" id="clamav">Dark</button></li>
<li role="none"><button role="menuitem" class="theme" id="clamav_light">Light</button></li>
</ul>
<button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
<i class="fa fa-search"></i>
</button>
</div>
<h1 class="menu-title">ClamAV Documentation</h1>
<div class="right-buttons">
<a href="../../print.html" title="Print this book" aria-label="Print this book">
<i id="print-button" class="fa fa-print"></i>
</a>
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
</form>
<div id="searchresults-outer" class="searchresults-outer hidden">
<div id="searchresults-header" class="searchresults-header"></div>
<ul id="searchresults">
</ul>
</div>
</div>
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
<script>
// Sync ARIA state with the visibility chosen by the sidebar script above
// (`sidebar` is that script's global). Links inside a hidden sidebar are taken
// out of the tab order so keyboard focus cannot land on invisible content.
// setAttribute stringifies the booleans to "true"/"false".
(function () {
  const visible = sidebar === 'visible';
  document.getElementById('sidebar-toggle').setAttribute('aria-expanded', visible);
  document.getElementById('sidebar').setAttribute('aria-hidden', !visible);
  for (const link of document.querySelectorAll('#sidebar a')) {
    link.setAttribute('tabIndex', visible ? 0 : -1);
  }
})();
</script>
<div id="content" class="content">
<main>
<h1 id="development-tips--tricks"><a class="header" href="#development-tips--tricks">Development Tips & Tricks</a></h1>
<p>The following are a collection of tips that may help you be a more productive ClamAV developer.</p>
<ul>
<li><a href="#development-tips--tricks">Development Tips & Tricks</a>
<ul>
<li><a href="#downloading-the-official-ruleset">Downloading the Official Ruleset</a></li>
<li><a href="#general-debugging">General Debugging</a>
<ul>
<li><a href="#useful-clamscan-flags">Useful clamscan Flags</a></li>
<li><a href="#using-gdb">Using gdb</a></li>
</ul>
</li>
<li><a href="#hunting-for-memory-leaks">Hunting for Memory Leaks</a></li>
</ul>
</li>
</ul>
<h2 id="downloading-the-official-ruleset"><a class="header" href="#downloading-the-official-ruleset">Downloading the Official Ruleset</a></h2>
<p>If you plan to use custom rules for testing, you can invoke <code>clamscan</code> via <code>./installed/bin/clamscan</code>, specifying your custom rule files via <code>-d</code> parameters.</p>
<p>If you want to download the official ruleset to use with <code>clamscan</code>, do the following:</p>
<ol>
<li>Run <code>mkdir -p installed/share/clamav</code></li>
<li>Comment out line 8 of <code>etc/freshclam.conf.sample</code> (the <code>Example</code> line that marks the sample config as unusable)</li>
<li>Run <code>./installed/bin/freshclam --config-file etc/freshclam.conf.sample</code></li>
</ol>
<h2 id="general-debugging"><a class="header" href="#general-debugging">General Debugging</a></h2>
<p>NOTE: Some of the debugging/profiling tools mentioned in the sections below are specific to Linux.</p>
<h3 id="useful-clamscan-flags"><a class="header" href="#useful-clamscan-flags">Useful clamscan Flags</a></h3>
<p>The following are useful flags to include when debugging clamscan:</p>
<ul>
<li>
<p><code>--debug --verbose</code>: Print lots of helpful debug information</p>
</li>
<li>
<p><code>--gen-json</code>: Print some additional debug information in a JSON format</p>
</li>
<li>
<p><code>--statistics=pcre --statistics=bytecode</code>: Print execution statistics on any PCRE and bytecode rules that were evaluated</p>
</li>
<li>
<p><code>--dev-performance</code>: Print per-file statistics regarding how long scanning took and the times spent in various scanning stages</p>
</li>
<li>
<p><code>--alert-broken</code>: This will attempt to detect broken executable files. If an executable is determined to be broken, some functionality might not get invoked for the sample, and this could be an indication of an issue parsing the PE header or file. This flag causes those binaries to generate an alert instead of just continuing on. It replaces the <code>--detect-broken</code> flag from releases prior to 0.101.</p>
</li>
<li>
<p><code>--max-filesize=2000M --max-scansize=2000M --max-files=2000000 --max-recursion=2000000 --max-embeddedpe=2000M --max-htmlnormalize=2000000 --max-htmlnotags=2000000 --max-scriptnormalize=2000000 --max-ziptypercg=2000000 --max-partitions=2000000 --max-iconspe=2000000 --max-rechwp3=2000000 --pcre-match-limit=2000000 --pcre-recmatch-limit=2000000 --pcre-max-filesize=2000M --max-scantime=2000000</code>:</p>
<p>Effectively disables all file limits and maximums for scanning. This is useful if you'd like to ensure that every file in a set gets scanned, and would prefer clam to run slowly or crash rather than skip a file because it hit one of these thresholds. Use these settings only in a disposable test environment on samples you control: the limits are what protect a scanner from decompression bombs and other resource-exhaustion inputs.</p>
</li>
</ul>
<p>The following are useful flags to include when debugging rules that you're
writing:</p>
<ul>
<li>
<p><code>-d</code>: Allows you to specify a custom ClamAV rule file from the command line</p>
</li>
<li>
<p><code>--bytecode-unsigned</code>: If you are testing custom bytecode rules, you'll need this flag so that <code>clamscan</code> actually runs the bytecode signature</p>
</li>
<li>
<p><code>--all-match</code>: Allows multiple signatures to match on a file being scanned</p>
</li>
<li>
<p><code>--leave-temps --tempdir=/tmp</code>: By default, ClamAV will attempt to extract embedded files that it finds, normalize certain text files before looking for matches, and unpack packed executables that it has unpacking support for. These flags tell ClamAV to keep these intermediate files and write them to the specified directory. When a file is written, the <code>--debug</code> output will usually mention the file name, so you can tell at which stage of the scanning process a tmp file was created.</p>
</li>
<li>
<p><code>--dump-certs</code>: For signed PE files that match a rule, display information about the certificates stored within the binary.</p>
<blockquote>
<p><em>Note</em>: sigtool has this functionality as well and doesn't require a rule match to view the cert data</p>
</blockquote>
</li>
</ul>
<h3 id="using-gdb"><a class="header" href="#using-gdb">Using gdb</a></h3>
<p>Given that you might want to pass a lot of arguments to <code>gdb</code>, consider taking advantage of the <code>--args</code> parameter. For example:</p>
<pre><code class="language-bash">gdb --args ./installed/bin/clamscan -d /tmp/test.ldb -d /tmp/block_list.crb --dump-certs --debug --verbose --max-filesize=2000M --max-scansize=2000M --max-files=2000000 --max-recursion=2000000 --max-embeddedpe=2000M --max-iconspe=2000000 f8f101166fec5785b4e240e4b9e748fb6c14fdc3cd7815d74205fc59ce121515
</code></pre>
<p>When using ClamAV without libclamav statically linked, if you set breakpoints on libclamav functions by name, you'll need to make sure to indicate that the breakpoints should be resolved after the shared libraries have been loaded (for example, run <code>set breakpoint pending on</code> in gdb, or answer <em>y</em> when gdb asks whether to make the breakpoint pending on a future shared library load).</p>
<p>For other documentation about how to use <code>gdb</code>, check out the following resources:</p>
<ul>
<li><a href="http://www.cabrillo.edu/~shodges/cs19/progs/guide_to_gdb_1.1.pdf">A Guide to gdb</a></li>
<li><a href="http://users.ece.utexas.edu/~adnan/gdb-refcard.pdf">gdb Quick Reference</a></li>
</ul>
<h2 id="hunting-for-memory-leaks"><a class="header" href="#hunting-for-memory-leaks">Hunting for Memory Leaks</a></h2>
<p>You can easily hunt for memory leaks with valgrind. Check out this guide to get started: <a href="http://valgrind.org/docs/manual/quick-start.html">Valgrind Quick Start</a></p>
<p>If checking for leaks, be sure to run <code>clamscan</code> with samples that exercise as many of the unique code paths in the code you are testing as possible. An example invocation is as follows:</p>
<pre><code class="language-bash">valgrind --leak-check=full ./installed/bin/clamscan -d /tmp/test.ldb --leave-temps --tempdir /tmp/test --debug --verbose /tmp/upx-samples/ > /tmp/upx-results-2.txt 2>&1
</code></pre>
<p>Alternatively, on Linux, you can use glibc's built-in malloc checking. Note that <code>MALLOC_CHECK_</code> detects heap corruption (double frees and some overruns) rather than leaks, so it complements valgrind rather than replacing it:</p>
<pre><code class="language-bash">MALLOC_CHECK_=7 ./installed/bin/clamscan
</code></pre>
<p>See the <a href="http://manpages.ubuntu.com/manpages/trusty/man3/mallopt.3.html">mallopt man page</a> for more details. On glibc 2.34 and later the malloc debugging hooks live in <code>libc_malloc_debug.so</code>, which must be loaded via <code>LD_PRELOAD</code> for <code>MALLOC_CHECK_</code> to have any effect.</p>
</main>
<nav class="nav-wrapper" aria-label="Page navigation">
<!-- Mobile navigation buttons -->
<a rel="prev" href="../../manual/Development/build-installer-packages.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../../manual/Development/performance-profiling.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
<div style="clear: both"></div>
</nav>
</div>
</div>
<nav class="nav-wide-wrapper" aria-label="Page navigation">
<a rel="prev" href="../../manual/Development/build-installer-packages.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../../manual/Development/performance-profiling.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
</nav>
</div>
<script>
// Enable line numbers in playground code blocks; presumably read by book.js,
// which is loaded further down (not visible here — verify).
window.playground_line_numbers = true;
</script>
<script>
// Show the copy-to-clipboard button on code blocks; presumably read by book.js
// together with clipboard.min.js (both loaded below — verify).
window.playground_copyable = true;
</script>
<script src="../../ace.js"></script>
<script src="../../editor.js"></script>
<script src="../../mode-rust.js"></script>
<script src="../../theme-dawn.js"></script>
<script src="../../theme-tomorrow_night.js"></script>
<script src="../../elasticlunr.min.js"></script>
<script src="../../mark.min.js"></script>
<script src="../../searcher.js"></script>
<script src="../../clipboard.min.js"></script>
<script src="../../highlight.js"></script>
<script src="../../book.js"></script>
<!-- Custom JS scripts -->
</div>
</body>
</html>