Mailing List Archive

Inquiry about ClamAV's clamdscan scan timeout
Dear Sir or Madam,

I am Tachibanaki from Ricoh IT Solutions Co., Ltd.
Thank you for your recent response to my inquiry.

The purpose of this email is to inquire about ClamAV's clamdscan scan timeout.


1. Is there any way to check when a scan timeout occurs? (e.g., display a message, etc.)
2. I scanned a ZIP file (1.7 GB) containing a test virus file with clamdscan and it exited successfully without detecting any virus. Is this a specification?

The scan.conf settings are as follows:

- ReadTimeout 120
- MaxScanTime 120000
- MaxScanSize 2048M
- MaxFileSize 2048M
- MaxZipTypeRcg 2048M


I look forward to hearing from you soon.
Yours sincerely,


Nozomi Tachibanaki
Re: Inquiry about ClamAV's clamdscan scan timeout
Greetings from England,

On Wed, 24 Aug 2022, Tachibanaki Nozomi (橘木 希美) wrote:

> 1. Is there any way to check when a scan timeout occurs? (e.g., display a message, etc.)

Because clamd can be asked to scan multiple items in a single command
it is sometimes easier to know what happened by looking in the logs,
but even then you might not find what you want.

When clamd scans a ZIP file, if the scan time exceeds the timeout set
in the configuration file (usually clamd.conf) by the "MaxScanTime"
configuration option, the response from clamd should be something like:

8<----------------------------------------------------------------------
$ clamdscan --config-file=clamd_test.conf CH341SER_LINUX.ZIP
/home/ged/CH341SER_LINUX.ZIP: Heuristics.Limits.Exceeded FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 1.395 sec (0 m 1 s)
Start Date: 2022:08:24 11:15:24
End Date: 2022:08:24 11:15:26
8<----------------------------------------------------------------------

In the test above I started a copy of clamd with the timeout value set
to 30 milliseconds. As you can see the limit which was exceeded is
not shown in the reply, so there is no way to know if it was a time
limit or some other limit. There's a lot of unfinished business in
ClamAV and I believe that in future the developers intend to make
improvements, but I know nothing about their schedule:

8<----------------------------------------------------------------------
~/clamav-0.103.7/clamd $ grep -r TODO | tail -n 2
clamd_others.c:/* TODO: handle ReadTimeout */
thrmgr.c: /* TODO: show both queues */
8<----------------------------------------------------------------------

The test below, which I ran a few minutes earlier, used a copy of
clamd with the default MaxScanTime (300000 milliseconds) to scan the
same file:

8<----------------------------------------------------------------------
$ clamdscan --config-file=clamd_test.conf ~/CH341SER_LINUX.ZIP
/home/ged/CH341SER_LINUX.ZIP: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 1.747 sec (0 m 1 s)
Start Date: 2022:08:24 11:10:11
End Date: 2022:08:24 11:10:12
8<----------------------------------------------------------------------

For both scans shown above the clamd configurations were identical,
except for the timeout setting. Here is a diff of the configuration
files which I used:

8<----------------------------------------------------------------------
# diff -U2 clamd_test_1.conf clamd_test_2.conf
--- clamd_test_1.conf 2022-08-24 11:07:26.358628737 +0100
+++ clamd_test_2.conf 2022-08-24 11:08:15.087874778 +0100
@@ -548,5 +548,5 @@
# Time is in milliseconds.
# Default: 120000
-MaxScanTime 30
+#MaxScanTime 300000
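Review bot: the context line `# Default: 120000` contradicts the commented-out value in `+#MaxScanTime 300000`; because that line is commented out, clamd_test_2.conf does not set 300000 at all but falls back to clamd's built-in default, which the file's own comment gives as 120000 milliseconds, so the "default MaxScanTime (300000 milliseconds)" quoted for the second test should be checked against that comment, and if a 300000 ms limit was intended the line should be uncommented.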
8<----------------------------------------------------------------------

Please note that the file 'clamd_test.conf' given in my command lines
simply tells 'clamdscan' where to find the socket and where to write
log information etc. in these tests - it does not affect the timeout
values, which are fixed after clamd reads the configuration files when
it starts.

In both tests I used verbose logging to the same file, so that I could
see the results in the log:

8<----------------------------------------------------------------------
# grep CH341SER_LINUX.ZIP /var/log/clamav/clamd_test.log
Wed Aug 24 11:10:11 2022 -> got command CONTSCAN /home/ged/CH341SER_LINUX.ZIP (38, 7), argument: /home/ged/CH341SER_LINUX.ZIP
Wed Aug 24 11:10:12 2022 -> /home/ged/CH341SER_LINUX.ZIP: OK
Wed Aug 24 11:15:25 2022 -> got command CONTSCAN /home/ged/CH341SER_LINUX.ZIP (38, 7), argument: /home/ged/CH341SER_LINUX.ZIP
Wed Aug 24 11:15:26 2022 -> /home/ged/CH341SER_LINUX.ZIP: Heuristics.Limits.Exceeded FOUND
8<----------------------------------------------------------------------

> 2. I scanned a ZIP file (1.7 GB) containing a test virus file with clamdscan and it exited successfully without detecting any virus. Is this a specification?
> The scan.conf settings are as follows:
> - ReadTimeout 120
> - MaxScanTime 120000
> - MaxScanSize 2048M
> - MaxFileSize 2048M
> - MaxZipTypeRcg 2048M

Perhaps it was not an exceeded limit which terminated the scan. And
as you know there are other limits, perhaps your test exceeded one of
those. In your situation I should set up verbose logging, and look in
the logs for more information. You can also choose to keep temporary
files for inspection after the scan has completed which might help you.

I use ClamAV to scan mail, and in my case the client is a milter which
is written in Perl (I do not use clamav-milter). It's straightforward
to write a client for clamd, the API is very simple. For my purposes
I implement timeouts and some other limits in the client. Then I can
configure things like timeouts dynamically, take a view on any limits
per scan (and thus avoid a lot of wasted scanning time), and also get
the client to tell me everything I need to know.

HTH

--

73,
Ged.
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: Inquiry about ClamAV's clamdscan scan timeout
Hello Nozomi

As the big boys have yet to answer,
I would pick a random file and scan it manually. If it's anything like mine
it will say no threats detected; that's because it did not scan the file.

You might find that clamtk helps here. If you install it, it will give you a history
folder to look into. It's the graphical front end for clam, but I do not think the
two are affiliated. It will let you scan an individual file separately.

Lastly, this world is not what we think it is, or at least run the way we think. For some truth
search this word; I have to be cryptic now:

64 or 32 B??for computer shall I throw this rubbish down the disposable rubbish C????

join the two words together and search it
Re: Inquiry about ClamAV's clamdscan scan timeout
Hi Nozomi Tachibanaki,

You may add this option to your clamd.conf to enable alerts when the scan limits are exceeded: AlertExceedsMax yes

It should cause signature alerts like these when one of the limits causes the scan to end early:
- Heuristics.Limits.Exceeded.MaxFileSize FOUND
- Heuristics.Limits.Exceeded.MaxScanSize FOUND
- Heuristics.Limits.Exceeded.MaxFiles FOUND
- Heuristics.Limits.Exceeded.MaxRecursion FOUND
- Heuristics.Limits.Exceeded.MaxScanTime FOUND

If you do enable this, just keep in mind that when these alerts happen, it does not mean there is anything wrong with the file, just that the scan was incomplete because it exceeded one of the scan limits.

These heuristic alerts should work most of the time, although I am actively working on improvements to error handling and alert reporting as I work on overhauling the allmatch-mode feature (for reporting more than one signature alert). I am hopeful that my current work will make these scan limit alerts even more reliable in the future.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
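Added example, not part of the thread and neither ClamAV's code nor Ged's Perl milter: a small Python clamd client that enforces the deadline on the client side, as Ged describes, and a parser that tells an OK verdict, a real detection and an incomplete scan (Heuristics.Limits.Exceeded) apart, both in clamd's reply and in the clamd log lines Ged quotes, with or without the limit name that Micah's AlertExceedsMax option appends. The socket path, the /tmp paths and the non-ClamAV sample lines are assumptions.

```python
# Added example, not ClamAV's code nor Ged's Perl milter (socket path and sample lines assumed).
import re
import socket

# Reply format: "<path>: OK" | "<path>: <signature> FOUND" | "<path>: <reason> ERROR"; log lines carry the same text after "<timestamp> -> ".
_REPLY = re.compile(r"^(?:.*? -> )?(?P<path>.+?): (?:(?P<ok>OK)|(?P<sig>.+) FOUND|(?P<err>.+) ERROR)$")
_LIMIT = "Heuristics.Limits.Exceeded"

def classify(line):
    """One reply/log line -> {'path', 'status', 'detail'}, or None if it is not a verdict."""
    m = _REPLY.match(line.strip())
    if not m:
        return None  # e.g. "got command CONTSCAN ..." log lines
    path, sig = m.group("path"), m.group("sig")
    if m.group("ok"):
        return {"path": path, "status": "ok", "detail": None}
    if m.group("err"):
        return {"path": path, "status": "error", "detail": m.group("err")}
    if sig.startswith(_LIMIT):
        # With AlertExceedsMax the limit name follows the prefix (".MaxScanTime");
        # without it only the bare prefix is reported and the limit stays unknown.
        return {"path": path, "status": "incomplete", "detail": sig[len(_LIMIT) + 1:] or None}
    return {"path": path, "status": "infected", "detail": sig}

def incomplete_scans(log_text):
    """(path, limit-or-None) for each scan the log shows ending on a limit rather than a detection."""
    hits = (classify(l) for l in log_text.splitlines())
    return [(h["path"], h["detail"]) for h in hits if h and h["status"] == "incomplete"]

def scan_path(path, sock_path="/var/run/clamav/clamd.ctl", timeout=120.0):
    """SCAN one path over clamd's Unix socket (path assumed; see LocalSocket in clamd.conf), with a client-side deadline."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(sock_path)
            s.sendall(b"nSCAN " + path.encode() + b"\n")
            data = b""
            while chunk := s.recv(4096):  # clamd closes the socket once the reply is complete
                data += chunk
        except socket.timeout:
            return {"path": path, "status": "client_timeout", "detail": timeout}
    return classify(data.decode(errors="replace"))

# Constructed sample in the format of Ged's clamd_test.log, plus one AlertExceedsMax verdict.
SAMPLE_LOG = """\
Wed Aug 24 11:10:12 2022 -> /home/ged/CH341SER_LINUX.ZIP: OK
Wed Aug 24 11:15:26 2022 -> /home/ged/CH341SER_LINUX.ZIP: Heuristics.Limits.Exceeded FOUND
Wed Aug 24 11:20:00 2022 -> /tmp/big.zip: Heuristics.Limits.Exceeded.MaxScanTime FOUND
"""
```

A "client_timeout" result from scan_path is a clamd scan that never answered in time, whereas an "incomplete" one is clamd itself giving up on a limit; neither says the file is clean.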

________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Tachibanaki Nozomi (橘木 希美) <nozomi.tachibanaki@jp.ricoh.com>
Sent: Tuesday, August 23, 2022 10:23 PM
To: clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
Cc: Hino Shogo (?? ??) <Shogo.Hino@jp.ricoh.com>; Sugawara Masatomo (?? ??) <masatomo.sugawara@jp.ricoh.com>
Subject: [clamav-users] Inquiry about ClamAV's clamdscan scan timeout

