Skip to content
Permalink
Browse files

v1.6 - PHP-AV App to v3.9. Defs to v4.7. Add SHA1 detection.

-v1.6.
-PHP-AV App to v3.9. Defs to v4.7.
-Add support for SHA1 hash detection ($data3, $virus[4]).
-Add code detection for lots of malicious files. 
-Includes malicious code samples for Golang, Python, C++, node.js, Java, Javascript, PowerShell, Ruby, VBS & more.
-Fix obscenely large logfiles by removing filename logging during scanning.
-To continue logging filenames like before (and generate really large log files) set $CONFIG['debug'] = True;
-Fixed indented code blocks.
  • Loading branch information...
zelon88 committed Mar 26, 2019
1 parent c65891b commit 4120b90bd60bb988cf100db94539195ae7897b83
Showing with 69 additions and 40 deletions.
  1. +13 −0 CHANGELOG.txt
  2. +53 −37 PHP-AV-Lib.php
  3. +2 −2 scanCore.php
  4. +1 −1 versionInfo.php
@@ -1,3 +1,16 @@
COMMIT 3/25/2019
v1.6 - PHP-AV App to v3.9. Defs to v4.7. Add SHA1 detection.

-v1.6.
-PHP-AV App to v3.9. Defs to v4.7.
-Add support for SHA1 hash detection ($data3, $virus[4]).
-Add code detection for lots of malicious files.
-Includes malicious code samples for Golang, Python, C++, node.js, Java, Javascript, PowerShell, Ruby, VBS & more.
-Fix obscenely large logfiles by removing filename logging during scanning.
-To continue logging filenames like before (and generate really large log files) set $CONFIG['debug'] = True;
-Fixed indented code blocks.

--------------------
COMMIT 11/18/2018
v1.5 - Improve sanitization.

@@ -2,10 +2,10 @@
$memoryLimit = 4000000;
$chunkSize = 1000000;
$report = '';
$filecount = $infected = $dircount = $CONFIG['debug'] = 0;
$filecount = $infected = $dircount = 0;
$CONFIG = Array();
$CONFIG['extensions'] = Array();
$abort = FALSE;
$abort = $CONFIG['debug'] = FALSE;
$AVLogDir = $ScanDir;
$AVLogFile = $PHPAVLogFile;
@@ -62,26 +62,26 @@ function virus_check($file, $defs, $debug, $defData, $AVLogFile) {
$txt = 'OP-Act: Chunking file ... ';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$handle = @fopen($file, "r");
if ($handle) {
while (($buffer = fgets($handle, $chunkSize)) !== false) {
$data = $buffer;
if ($debug) {
$txt = 'OP-Act: Scanning chunk ... ';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); }
foreach ($defs as $virus) {
$virus = explode("\t", $virus[0]);
if (isset($virus[1]) && $virus[1] !== '' && $virus[1] !== ' ') {
if (strpos($data, $virus[1]) !== FALSE or strpos($file, $virus[1]) !== FALSE) {
// File matches virus defs.
$txt = 'Infected: '.$file.' ('.$virus[0].', Data Match: '.$virus[1].')';
$MAKELogFile = file_put_contents($AVLogFile, 'OP-Act: '.$txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } } } }
if (!feof($handle)) {
$txt = 'ERROR!!! PHPAV160, Unable to open '.$file.' on '.$Time.'!';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>'; }
if ($handle) {
while (($buffer = fgets($handle, $chunkSize)) !== false) {
$data = $buffer;
if ($debug) {
$txt = 'OP-Act: Scanning chunk ... ';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); }
foreach ($defs as $virus) {
$virus = explode("\t", $virus[0]);
if (isset($virus[1]) && $virus[1] !== '' && $virus[1] !== ' ') {
if (strpos($data, $virus[1]) !== FALSE or strpos($file, $virus[1]) !== FALSE) {
// File matches virus defs.
$txt = 'Infected: '.$file.' ('.$virus[0].', Data Match: '.$virus[1].')';
$MAKELogFile = file_put_contents($AVLogFile, 'OP-Act: '.$txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } } } }
if (!feof($handle)) {
$txt = 'ERROR!!! PHPAV160, Unable to open '.$file.' on '.$Time.'!';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>'; }
fclose($handle); }
if (isset($virus[2]) && $virus[2] !== '' && $virus[2] !== ' ') {
if (strpos($data1, $virus[2]) !== FALSE) {
@@ -91,14 +91,22 @@ function virus_check($file, $defs, $debug, $defData, $AVLogFile) {
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } }
if (isset($virus[3]) && $virus[3] !== '' && $virus[3] !== ' ') {
if (strpos($data2, $virus[3]) !== FALSE) {
// File matches virus defs.
$txt = 'Infected: '.$file.' ('.$virus[0].', SHA256 Hash Match: '.$virus[3].')';
$MAKELogFile = file_put_contents($AVLogFile, 'OP-Act: '.$txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } } } } }
if (isset($virus[3]) && $virus[3] !== '' && $virus[3] !== ' ') {
if (strpos($data2, $virus[3]) !== FALSE) {
// File matches virus defs.
$txt = 'Infected: '.$file.' ('.$virus[0].', SHA256 Hash Match: '.$virus[3].')';
$MAKELogFile = file_put_contents($AVLogFile, 'OP-Act: '.$txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } }
if (isset($virus[4]) && $virus[4] !== '' && $virus[4] !== ' ') {
if (strpos($data3, $virus[4])) {
// File matches virus defs.
$txt = 'Infected: '.$file.' ('.$virus[0].', SHA1 Hash Match: '.$virus[4].')';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } } } } }
// / Scan files smaller than the memory limit by fitting the entire file into memory.
if ($filesize < $memoryLimit && file_exists($file)) {
$data = file_get_contents($file); }
@@ -122,14 +130,22 @@ function virus_check($file, $defs, $debug, $defData, $AVLogFile) {
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } }
if (isset($virus[3]) && $virus[3] !== '' && $virus[3] !== ' ') {
if (strpos($data2, $virus[3]) !== FALSE) {
if (isset($virus[3]) && $virus[3] !== '' && $virus[3] !== ' ') {
if (strpos($data2, $virus[3]) !== FALSE) {
// File matches virus defs.
$txt = 'Infected: '.$file.' ('.$virus[0].', SHA256 Hash Match: '.$virus[3].')';
$MAKELogFile = file_put_contents($AVLogFile, 'OP-Act: '.$txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } } }
$txt = 'Infected: '.$file.' ('.$virus[0].', SHA256 Hash Match: '.$virus[3].')';
$MAKELogFile = file_put_contents($AVLogFile, 'OP-Act: '.$txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } }
if (isset($virus[4]) && $virus[4] !== '' && $virus[4] !== ' ') {
if (strpos($data3, $virus[4])) {
// File matches virus defs.
$txt = 'Infected: '.$file.' ('.$virus[0].', SHA1 Hash Match: '.$virus[4].')';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } }}
if (($debug) && ($clean)) {
$report .= '<p class="g">Clean: '.$file.'</p>'; } }
return $infected; }
@@ -50,8 +50,8 @@
// / -----------------------------------------------------------------------------------
// / The following code sets the global variables for the session.
$HRScanVersion = 'v1.5';
$versions = 'PHP-AV App v3.8 | Virus Definition v4.7, 8/19/2018';
$HRScanVersion = 'v1.6';
$versions = 'PHP-AV App v3.9 | Virus Definition v4.8, 3/25/2019';
$Date = date("m_d_y");
$Time = date("F j, Y, g:i a");
$JanitorDeleteIndex = FALSE;
@@ -1,4 +1,4 @@
<?php
// / This file contains the current HRScan2 version for auto-update purposes.
$Version = 'v1.5';
$Version = 'v1.6';

0 comments on commit 4120b90

Please sign in to comment.
You can’t perform that action at this time.