commit 4361c25030eced74fd947dddaccea8810c2ba547
Author: John Humlick <15677335+jhumlick@users.noreply.github.com>
Date: Wed Dec 17 09:10:12 2025 -0800
libclamav: Remove MyDoom Heuristic (#1545)
The MyDoom heuristic has been causing too many false positives.
Since we already have MyDoom coverage through signature detection, the
hard-coded heuristic that causes many false positives is no longer
needed. This commit removes the hard-coded heuristic.
CLAM-2766
diff --git a/libclamav/dconf.c b/libclamav/dconf.c
index f65c75127..d3fe0f91e 100644
--- a/libclamav/dconf.c
+++ b/libclamav/dconf.c
@@ -131,7 +131,6 @@ static struct dconf_module modules[] = {
{"OTHER", "JPEG", OTHER_CONF_JPEG, 1},
{"OTHER", "CRYPTFF", OTHER_CONF_CRYPTFF, 1},
{"OTHER", "DLP", OTHER_CONF_DLP, 1},
- {"OTHER", "MYDOOMLOG", OTHER_CONF_MYDOOMLOG, 0},
{"OTHER", "PREFILTERING", OTHER_CONF_PREFILTERING, 1},
{"OTHER", "PDFNAMEOBJ", OTHER_CONF_PDFNAMEOBJ, 1},
{"OTHER", "PRTNINTXN", OTHER_CONF_PRTNINTXN, 1},
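Review bot: Dropping the `MYDOOMLOG` row here and the `OTHER_CONF_MYDOOMLOG 0x40` define in the dconf.h hunk leaves bit `0x40` of the OTHER flag word unassigned with nothing marking it as retired, while the neighbouring bits (`0x20`, `0x80`) stay in place. If the OTHER value is still supplied by external configuration data parsed by module name (as the table's name/value layout suggests), a future flag that reuses `0x40` would be toggled by older configs that still carry the old bit. A placeholder comment next to the removed define in dconf.h, `/* 0x40 was OTHER_CONF_MYDOOMLOG; retired, do not reuse */`, would keep the value out of circulation; the same consideration applies to the dconf.c table, where the slot now simply vanishes.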
diff --git a/libclamav/dconf.h b/libclamav/dconf.h
index c45ab2abb..9d1bc3342 100644
--- a/libclamav/dconf.h
+++ b/libclamav/dconf.h
@@ -124,7 +124,6 @@ struct cli_dconf {
#define OTHER_CONF_JPEG 0x8
#define OTHER_CONF_CRYPTFF 0x10
#define OTHER_CONF_DLP 0x20
-#define OTHER_CONF_MYDOOMLOG 0x40
#define OTHER_CONF_PREFILTERING 0x80
#define OTHER_CONF_PDFNAMEOBJ 0x100
#define OTHER_CONF_PRTNINTXN 0x200
diff --git a/libclamav/scanners.c b/libclamav/scanners.c
index 2f8504417..24e7ee406 100644
--- a/libclamav/scanners.c
+++ b/libclamav/scanners.c
@@ -5138,12 +5138,6 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)
ret = cli_scanishield_msi(ctx, 14);
break;
- case CL_TYPE_BINARY_DATA:
- case CL_TYPE_TEXT_UTF16BE:
- if (SCAN_HEURISTICS && (DCONF_OTHER & OTHER_CONF_MYDOOMLOG))
- ret = cli_check_mydoom_log(ctx);
- break;
-
case CL_TYPE_TEXT_ASCII:
if (SCAN_HEURISTIC_STRUCTURED && (DCONF_OTHER & OTHER_CONF_DLP))
/* TODO: consider calling this from cli_scanscript() for
diff --git a/libclamav/special.c b/libclamav/special.c
index fdf633869..a81214029 100644
--- a/libclamav/special.c
+++ b/libclamav/special.c
@@ -46,63 +46,6 @@
#define special_endian_convert_16(v) be16_to_host(v)
#define special_endian_convert_32(v) be32_to_host(v)
-int cli_check_mydoom_log(cli_ctx *ctx)
-{
- uint32_t record[16];
- const uint32_t *ptr;
- uint32_t check, key;
- fmap_t *map = ctx->fmap;
- unsigned int blocks = map->len / (8 * 4);
-
- cli_dbgmsg("in cli_check_mydoom_log()\n");
- if (blocks < 2)
- return CL_CLEAN;
- if (blocks > 5)
- blocks = 5;
-
- /*
- * The following pointer might not be properly aligned. There there is
- * memcmp() + memcpy() workaround to avoid performing an unaligned access
- * while reading the uint32_t.
- */
- ptr = fmap_need_off_once(map, 0, 8 * 4 * blocks);
- if (!ptr)
- return CL_CLEAN;
-
- while (blocks) { /* This wasn't probably intended but that's what the current code does anyway */
- const uint32_t marker_ff = 0xffffffff;
-
- if (!memcmp(&ptr[--blocks], &marker_ff, sizeof(uint32_t)))
- return CL_CLEAN;
- }
-
- memcpy(record, ptr, sizeof(record));
-
- key = ~be32_to_host(record[0]);
- check = (be32_to_host(record[1]) ^ key) +
- (be32_to_host(record[2]) ^ key) +
- (be32_to_host(record[3]) ^ key) +
- (be32_to_host(record[4]) ^ key) +
- (be32_to_host(record[5]) ^ key) +
- (be32_to_host(record[6]) ^ key) +
- (be32_to_host(record[7]) ^ key);
- if ((~check) != key)
- return CL_CLEAN;
-
- key = ~be32_to_host(record[8]);
- check = (be32_to_host(record[9]) ^ key) +
- (be32_to_host(record[10]) ^ key) +
- (be32_to_host(record[11]) ^ key) +
- (be32_to_host(record[12]) ^ key) +
- (be32_to_host(record[13]) ^ key) +
- (be32_to_host(record[14]) ^ key) +
- (be32_to_host(record[15]) ^ key);
- if ((~check) != key)
- return CL_CLEAN;
-
- return cli_append_potentially_unwanted(ctx, "Heuristics.Worm.Mydoom.M.log");
-}
-
static uint32_t riff_endian_convert_32(uint32_t value, int big_endian)
{
if (big_endian)
diff --git a/libclamav/special.h b/libclamav/special.h
index 31edf17ab..a1cdcc11c 100644
--- a/libclamav/special.h
+++ b/libclamav/special.h
@@ -34,7 +34,6 @@ struct swizz_stats {
int entries;
};
-int cli_check_mydoom_log(cli_ctx *ctx);
int cli_check_riff_exploit(cli_ctx *ctx);
void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_stats *stats, int blob);
int cli_detect_swizz(struct swizz_stats *stats);