http://stackoverflow.com/questions/33227375/malware-detected-after-compiling-with-inno-setup
http://www.ac3filter.net/wiki/Antivirus_notes
https://www.virustotal.com/en/file/601671b2466d0b46d5ab4fc598a5f5d864a81e49d9ae11b6ed8a3aef2d427d2c/analysis/1445309382/

is this related to PUA detection?

C:\Program Files(x86)\Adobe\Acrobat...*.pdf

• set of files including malware and clean files
• set of operations that can be automated
• check that the malware files are blocked and the clean not
• MEASURE PERFORMANCE
• make a portable test suite

http://www.gossamer-threads.com/lists/clamav/users/61463

http://www.gossamer-threads.com/lists/clamav/users/59413

One way you can reduce the amount of memory that clamav uses is to specify 
the "--disable-llvm" flag to clamav configuration line. This flag tells 
clamav not to compile the packaged llvm project into libclamav library and 
will use up less space with libclamav is loaded into memory. Note that this 
means bytecode signatures will be run on the internal interpreter instead 
of compiled to JIT using llvm. 

The downside is that bytecode signatures with run slightly slower on the 
clamav interpreter than with llvm JIT. However, bytecodes make up a fairly 
small amount of clamav's signatures and, if JIT is desired with a smaller 
memory footprint in clamav, you can configure clamav with 
"--with-system-llvm" to use the system's native llvm. 

-Kevin 

vulnerability disclosed here:
http://seclists.org/fulldisclosure/2016/Jun/69

An absence of verification in function get_db_module_path, file update.c, allows to write the downloaded file anywhere in the file system using ".........." filename.

I would like to point out that an identifier like "_LIBARMADITO_SCAN_H_" does eventually not fit to the expected naming convention of the C language standard.
Would you like to adjust your selection for unique names?

==26609== 11 bytes in 1 blocks are definitely lost in loss record 60 of 1,366
==26609==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26609==    by 0x5A1D839: strdup (strdup.c:42)
==26609==    by 0x4E3DF97: free_and_set (confparser.c:383)
==26609==    by 0x4E3E069: r_section_name (confparser.c:414)
==26609==    by 0x4E3E018: r_section (confparser.c:405)
==26609==    by 0x4E3DFE1: r_section_list (confparser.c:396)
==26609==    by 0x4E3DFED: r_section_list (confparser.c:397)
==26609==    by 0x4E3DFED: r_section_list (confparser.c:397)
==26609==    by 0x4E3DFBB: r_configuration (confparser.c:389)
==26609==    by 0x4E3E423: a6o_conf_parser_parse (confparser.c:534)
==26609==    by 0x4E3C96B: a6o_conf_load_file (conf.c:261)
==26609==    by 0x4032A0: load_conf (main.c:186)

having a problem with this.

Not all files are scanned

Integrate armadito in windows security center, so that windows knows that an antivirus is installed and up to date.

Current configuration does to allow:

• to modify and save configuration
• to store/load configuration from registry for windows

Changes to do:

• change API to something similar to glib ini parser
• create a struct a6o_conf
• pass a pointer to this structure to a6o_open()
• implement conf_load(), conf_save()
• change modules configuration (may imply to merge _init and _post_init ?)

Configuration file does not change, we keep the .INI syntax.

When inserting into the registry, each "section" of the conf file become a sub-key of "ArmaditoAV", like "ArmaditoAV\quarantine".

Calling the scan callbacks inside a6o_scan_context does not work for the quarantine on windows:

• moving the file requires that the driver has received the answer
• but the answer is returned after calling the callbacks
  so moving a file in the quarantine is not feasible in a callback with the current code

Change:

• separate scanning from calling the callbacks
• pass a report * to scan_simple and use it
• move call to a6o_scan_call_callbacks() outside scan_context()

Platform dependant code should be compacted into one .h (instead of dir.h file.h io.h etc) and may be one .c.

vulnerability disclosed here: http://seclists.org/fulldisclosure/2016/Jun/69

index file download is done using HTTP, which allows MITM attacks. Use of HTTPS is mandatory

Hi,

Checking QA on builded RPMs on my Fedora system, I got the following warning:

armadito.x86_64: W: shared-lib-calls-exit /usr/lib64/libarmadito.so.0.0.0 exit@GLIBC_2.2.5
This library package calls exit() or _exit(), probably in a non-fork()
context. Doing so from a library is strongly discouraged - when a library
function calls exit(), it prevents the calling program from handling the
error, reporting it to the user, closing files properly, and cleaning up any
state that the program has. It is preferred for the library to return an
actual error code and let the calling program decide how to handle the
situation.

• call a6o_call_all_callbacks after a6o_scan_simple.
• cause: can't move file in quarantine because the handle of the file is not released.

Signability test failed.
22.9.6 : DriverVer missing or in incorrect format in \armaditoguard.inf
Setting DriverVer variable in ArmaditoGuard.inf temporarily fixes the problem :
DriverVer=06/14/2016,1.0.0.0

It does not work the same on each system.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa365600(v=vs.85).aspx

vulnerability disclosed here:
http://seclists.org/fulldisclosure/2016/Jun/69

In function verify_file_signature, file crypt.c, a bug makes function return 0 in case of public key download error, a status which means no error. As a result, any file is then considered as valid.

Hi guys,

I'm trying to get armadito compiled on a CentOS6 host, but it fails; as far as I understand because fanotify is not available on this platform:

response.h:25:28: error: linux/fanotify.h: No such file or directory
In file included from famonitor.c:28:
response.h:38: error: expected declaration specifiers or '...' before '__u32'
famonitor.c:37:26: error: sys/fanotify.h: No such file or directory
[...]

You'll find the full build.log in the attached file.

Thank you!
armadito-el6-build.log.zip

C:\cygwin64... : 694

C:\Perl : 17

built-in callbacks are called during on_demand analysis.

a6o_scan_new() function adds built-in modules (quarantine, alert) callbacks.

Actually, AV scan request is parsed two times in gui.

We would like to list all free software programs in the Free Software Directory, including all programs licensed under the GPL (any version). Please see the Directory web page for information and an online submission form.

Add a log function to print message related to the system error code
https://msdn.microsoft.com/en-us/library/windows/desktop/ms680582(v=vs.85).aspx

Registry or plaintext file ?

define

a6o_dgb_svc

a6o_dbg_lib

a6o_dbg_mod

a6o_warn_svc

a6o_warn_lib

a6o_warn_mod

a6o_err_svc

a6o_err_lib

a6o_err_mod

built-in callbacks are called during on_demand analysis.

a6o_scan_new() function adds built-in modules (quarantine, alert) callbacks.

Armadito 0.10.0 installed on windows 7.

After a scan is started, you can switch between tabs but tabs are not updated immediately. For example, while coming back on scan tab while Armadito is scanning a really big file shows 0/0/0 on scanned/found/suspect numbers until the current file is scanned. Also the last threat found text is removed even if the found count is right after such a switch.

I expect at least to see the same stuffs I had before the tab switch.

I guess the last known tab state should be saved between switchs.

os_dir_map continuing anyway

• put in autostart a .desktop file that just launches the systray
• put in /usr/share/application another .desktop file that opens main window

file is public domain, GPL header was added by mistake

files are not deleted and stay in ihm

Hello,

You don't have release for this software ?

Cordialy

Windows client 0.10.0 installed on windows 7:

• wanting to see notification icon all the time: looks to change state using standard icon tray feature and it appears to be named nwjs

• if no bases found, update state must be "critical" because no scan is possible

needed feature

• Install prerequisites packages
• install armadito msi.

Multiple-Package Installations

https://msdn.microsoft.com/en-us/library/windows/desktop/bb736322.aspx

Current solution uses D-Bus notification to add on the fly fanotify watch on the mounted USB key. But this does not work for USB keys that are already mounted when the daemon starts (or restarts).

Solution: use udev to enumerate mounted USB keys, find their mount points and add them to fanotify

Problem: udev has no documentation

• check how to configure apport so that the crash report goes to the right email
• use the bug reports