PHP Classes

This malware scanner works like a.

Subject: This malware scanner works like a.
Summary: Package rating comment
Author: Artur Graniszewski
Date: 2011-03-14 08:37:40
Update: 2011-03-20 22:44:10

Artur Graniszewski rated this package as follows:

Utility: Bad
Consistency: Good
Examples: Sufficient

  1. This malware scanner works like a.
Artur Graniszewski - 2011-03-14 08:37:40
This malware scanner works like a... malware. If auto_chmod is set to true, this class can change file permissions to chmod 0777 for scanning purposes, allowing anyone to modify its contents (even by other users on the same server!), and does not change it back after scanning. This, for example, allows anyone to read or change your configuration settings saved in *.php files, or read your mail or source code (depending on what type of files you choose to scan using this class).

Another problem is that this class uses the file_get_contents() and @fread($f, filesize($file)); functions to read the ENTIRE file into memory, so when the file is bigger than the memory_limit set in the php.ini server configuration file, it causes the entire script to throw a fatal error and, as a result, halt the scanning process.

I've got some concerns about a loop iterating through the signatures array in the scan_file() method; this can result in reading and writing the same file many times (so slowing down the entire scanning process exponentially).

Another problem is that the repairing process can create... another malware. How so? It uses preg_replace() to delete "malware" from the file, but what if part of the malware code is before and after the whole signature, like so:

"DELEdeletingING" (signature to find: deleting), after removing the "deleting" string, the file contains another "DELETING" not found before. So in this case, the scanning process should repair the file twice, and it's not doing so right now.

What's more, there are no real-life "virus signatures" in this class, so it's up to the end user to find them (which is not an easy task in today's times, when there are so many new viruses created every day).

I highly discourage using this class in this.
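
Two of the criticisms in the post above, worked as an added example (not code from the package or from either poster): repeat the removal until a pass finds nothing, and search a file in bounded chunks from a read-only handle instead of loading it whole. The function names and the sample string are constructed for illustration.

```php
<?php
// Added example, not the package's code; function names are hypothetical.
// Remove matches of $pattern until a pass removes nothing, so a signature
// reassembled from the text around a deleted match is removed as well.
function remove_until_clean(string $data, string $pattern, int $maxPasses = 100): string
{
    for ($pass = 0; $pass < $maxPasses; $pass++) {
        $data = preg_replace($pattern, '', $data, -1, $count);
        if ($data === null) {
            throw new RuntimeException('preg_replace failed, code ' . preg_last_error());
        }
        if ($count === 0) {
            return $data;
        }
    }
    throw new RuntimeException("pattern still matches after $maxPasses passes");
}

// Search a file for a literal signature in fixed-size chunks. The last
// strlen($needle) - 1 bytes of each window are carried over so a match that
// spans a chunk boundary is found; memory use is bounded by $chunkSize.
function file_contains(string $path, string $needle, int $chunkSize = 65536): bool
{
    if ($needle === '') {
        throw new InvalidArgumentException('empty signature');
    }
    $fh = fopen($path, 'rb'); // read-only handle; the file mode is never changed
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }
    $keep = strlen($needle) - 1;
    $tail = '';
    try {
        while (($chunk = fread($fh, $chunkSize)) !== false && $chunk !== '') {
            $window = $tail . $chunk;
            if (strpos($window, $needle) !== false) {
                return true;
            }
            $tail = $keep > 0 ? substr($window, -$keep) : '';
        }
        return false;
    } finally {
        fclose($fh);
    }
}

// Constructed sample: a single pass splices a new "deleting" together.
$sample = 'deledeletingting';
var_dump(preg_replace('/deleting/', '', $sample), remove_until_clean($sample, '/deleting/'));
```

The `$maxPasses` limit stops a pattern that can match the empty string from looping forever.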

  2. Re: This malware scanner works like a.
Ahmed Hosny - 2011-03-20 22:44:10 - In reply to message 1 from Artur Graniszewski
Thanks for your reply, it's really interesting mentioning these weak points, and please note that I implemented some new features in the last version in the repos.

Also, I'd work on the points you mentioned, and sure you're welcome if you'd like to contribute.

Thanks Again.