Hello,
We have been using ClamAV for several months, and are noticing some strange behaviour when scanning files (and archives) above a certain size.
The documentation states:
--max-filesize=#n can be anything up to 4GB
--max-scansize=#n can be anything up to 4GB
We are however experiencing different behaviour:
Scanning a file of ~3GB in size results in no scan taking place, but reporting the file is OK anyway.
COMMAND:
clamscan --max-scansize=4000M --max-filesize=4000M -rav --block-max=yes --max-recursion=5 --max-dir-recursion=4 Users.xml
OUTPUT:
Scanning Users.xml
Users.xml: OK
----------- SCAN SUMMARY -----------
Known viruses: 6813534
Engine version: 0.101.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB <=================
Data read: 2955.02 MB (ratio 0.00:1)
Time: 12.935 sec (0 m 12 s)
As this file is less than 4GB, we would have expected this to have been scanned properly.
We have also noted erratic behaviour when scanning archive files. For example:
COMMAND:
clamscan --max-scansize=4000M --max-filesize=4000M -rav --block-max=yes --max-recursion=5 --max-dir-recursion=4 stackoverflow.com-Users.7z
OUTPUT:
Scanning stackoverflow.com-Users.7z
Scanning stackoverflow.com-Users.7z!7Z:Users.xml
stackoverflow.com-Users.7z: OK
----------- SCAN SUMMARY -----------
Known viruses: 6813534
Engine version: 0.101.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 413.86 MB
Data read: 410.01 MB (ratio 1.01:1)
Time: 28.029 sec (0 m 28 s)
This archive contains the same file as in the first example, and it does not appear to extract the file from the archive. It simply scans the archive itself. We have observed other cases where archives are extracted and scanned fully by clamscan.
Questions:
- Is this expected behaviour for clamscan?
- Is there another, lower, limit on file sizes which can actually be scanned in practice?
- Is there a way to force clamscan to error if a file has not actually been scanned?
Regards,
Gareth
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
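Added example, not part of the original post and not ClamAV's own code: one way to make a wrapper fail when clamscan reports OK without having scanned the data, using only the summary fields shown in the output above. The function names, the min_ratio threshold and the exit-code mapping are assumptions of this sketch.

```python
import re
import subprocess
import sys

# Summary fields as clamscan printed them in the post above.
_FIELD = re.compile(
    r"^(Scanned files|Infected files|Data scanned|Data read):\s*([\d.]+)", re.M)
_REQUIRED = {"Infected files", "Data scanned", "Data read"}
# Constructed sample: summary lines copied from the first run in the post.
SAMPLE_PLAIN = """Users.xml: OK
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 2955.02 MB (ratio 0.00:1)
"""
# Constructed sample: summary lines copied from the archive run in the post.
SAMPLE_ARCHIVE = """stackoverflow.com-Users.7z: OK
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 0
Data scanned: 413.86 MB
Data read: 410.01 MB (ratio 1.01:1)
"""

def parse_summary(output):
    """Return the numeric summary fields of a clamscan run as a dict."""
    return {name: float(value) for name, value in _FIELD.findall(output)}

def check_scan(output, min_ratio=0.5):
    """Classify a run as 'infected', 'unscanned', 'ok' or 'no-summary'.
    min_ratio is a hypothetical threshold: a clean verdict is distrusted
    when less than this fraction of the data read was actually scanned.
    Assumes both sizes are printed in the same unit, as in the post."""
    s = parse_summary(output)
    if not _REQUIRED <= s.keys():
        return "no-summary"
    if s["Infected files"] > 0:
        return "infected"
    if s["Data read"] > 0 and s["Data scanned"] < s["Data read"] * min_ratio:
        return "unscanned"
    return "ok"

if __name__ == "__main__":
    run = subprocess.run(["clamscan", *sys.argv[1:]], capture_output=True, text=True)
    verdict = check_scan(run.stdout)
    print(run.stdout, end="")
    sys.exit({"ok": 0, "infected": 1}.get(verdict, 2))
```

The archive run from the post still classifies as ok here, because its scanned and read figures match; this check only catches the first symptom (data read but not scanned).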