bytedance / Elkeid

Elkeid is an open source solution that can meet the security requirements of various workloads such as hosts, containers and K8s, and serverless. It is derived from ByteDance's internal best practices.
https://elkeid.bytedance.com

Add archive support to the scanning engine #549

Closed driverxdw closed 6 months ago

driverxdw commented 11 months ago

I noticed that the code that creates the new clamav engine looks like this:

    impl Clamav {
        pub fn new() -> Result<Self> {
            let pointer = unsafe { clamav::cl_engine_new() };
            return Ok(Clamav {
                engine: pointer,
                scan_option: clamav::cl_scan_options {
                    general: clamav::CL_SCAN_GENERAL_YARAHIT,
                    // only the ELF parser is enabled here; no CL_SCAN_PARSE_ARCHIVE
                    parse: clamav::CL_SCAN_PARSE_ELF,
                    heuristic: 0,
                    mail: 0,
                    dev: 0,
                },
            });
        }
    }

The parse field does not set the CL_SCAN_PARSE_ARCHIVE option, so archives are not decompressed and scanned during a scan. However, I see that the scanner plugin links the decompression-related static libraries, so I wanted to confirm whether the author forgot to add this scan option.
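The effect the report describes comes down to `parse` being a bitmask: each clamav parser is a bit, and a bit that is never OR'd in stays off. The following is an added example, not Elkeid's code and not the clamav-sys binding: it uses a local stand-in struct with the same five fields as `cl_scan_options`, with the flag values copied from clamav.h (assumed to match the clamav version Elkeid bundles), and shows the ELF-only configuration from the issue next to the corrected one together with a small audit helper that reports which required parsers a given mask lacks.

```rust
// Added example (not Elkeid or clamav-sys code). Flag values are copied from
// clamav.h; the struct only mirrors cl_scan_options so the bitmask logic can
// run without linking libclamav.
pub const CL_SCAN_PARSE_ARCHIVE: u32 = 0x1;
pub const CL_SCAN_PARSE_ELF: u32 = 0x2;
pub const CL_SCAN_PARSE_PDF: u32 = 0x4;
pub const CL_SCAN_PARSE_OLE2: u32 = 0x80;
pub const CL_SCAN_PARSE_PE: u32 = 0x200;

/// Stand-in for clamav's `cl_scan_options` (same field names as in the issue).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct ScanOptions {
    pub general: u32,
    pub parse: u32,
    pub heuristic: u32,
    pub mail: u32,
    pub dev: u32,
}

impl ScanOptions {
    /// The configuration quoted in the issue: only the ELF parser is enabled,
    /// so archive members are never unpacked and scanned.
    pub fn elf_only() -> Self {
        ScanOptions { general: 0, parse: CL_SCAN_PARSE_ELF, heuristic: 0, mail: 0, dev: 0 }
    }

    /// The fix: OR the archive bit into the same mask; every other field is kept.
    pub fn with_archives(self) -> Self {
        ScanOptions { parse: self.parse | CL_SCAN_PARSE_ARCHIVE, ..self }
    }

    /// True when the engine will decompress archives during a scan.
    pub fn parses_archives(&self) -> bool {
        (self.parse & CL_SCAN_PARSE_ARCHIVE) != 0
    }
}

/// Names of the parsers enabled in a `parse` mask, handy for logging the
/// effective scanner configuration at startup.
pub fn enabled_parsers(parse: u32) -> Vec<&'static str> {
    const TABLE: [(u32, &str); 5] = [
        (CL_SCAN_PARSE_ARCHIVE, "archive"),
        (CL_SCAN_PARSE_ELF, "elf"),
        (CL_SCAN_PARSE_PDF, "pdf"),
        (CL_SCAN_PARSE_OLE2, "ole2"),
        (CL_SCAN_PARSE_PE, "pe"),
    ];
    TABLE.iter().filter(|(bit, _)| (parse & *bit) != 0).map(|(_, n)| *n).collect()
}

/// Audit helper: which of the parsers a deployment requires are missing from `parse`?
/// An empty result means the mask covers everything the caller expects.
pub fn missing_parsers(parse: u32, required: &[(u32, &'static str)]) -> Vec<&'static str> {
    required.iter().filter(|(bit, _)| (parse & *bit) == 0).map(|(_, n)| *n).collect()
}

fn main() {
    let before = ScanOptions::elf_only();
    let after = before.with_archives();
    println!("before: {:?} archives={}", enabled_parsers(before.parse), before.parses_archives());
    println!("after:  {:?} archives={}", enabled_parsers(after.parse), after.parses_archives());
    // Constructed requirement list for a host scanner that must look inside archives.
    let required = [(CL_SCAN_PARSE_ARCHIVE, "archive"), (CL_SCAN_PARSE_ELF, "elf")];
    println!("missing before fix: {:?}", missing_parsers(before.parse, &required));
}
```

Running `main` prints `["elf"]` with `archives=false` for the quoted configuration and `["archive", "elf"]` with `archives=true` after the fix; `missing_parsers` is the kind of check a deployment can run against its own expected parser list so a silently dropped flag shows up in logs rather than as unscanned archive contents.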

AlkenePan commented 10 months ago

@kulukami

kulukami commented 6 months ago

Different scenario; this never went into the main branch. It has already been added on the 2.2.0.1/scanner branch: https://github.com/bytedance/Elkeid/blob/2.2.0.1/scanner/plugins/scanner/src/model/engine/clamav/mod.rs#L55

Corresponding commit: Sep 11, 2023 https://github.com/bytedance/Elkeid/commit/863099db541ff7be99034586646764545c394d20#diff-6e03e9e9bc330818df2128e89b380d888b018574337a804cd332b039c4e4205a