Mailing List Archive

[clamav-users] Why clamdscan and clamscan may give different results
Having built ClamAV 0.102.1 a few days ago, I stumbled on the following
unfortunate behavior (which is probably not related to 0.102.1), and
have a suggestion to remedy it.

I recently did a backup from a Win 7 Pro machine to a directory on our
CIFS server and decided to try running ClamAV on the large set of ZIP
files which resulted, and I used clamdscan for efficiency. (All the ZIP
files are within ClamAV's inherent 4 GB size limit.)

I was shocked to find that 24 out of the 715 ZIP files were flagged as
containing viruses, in spite of the fact that the Win 7 machine runs
Microsoft Security Essentials and it never found any problems in the
files which comprise the backup ZIPs. So I figured that ClamAV probably
had a few virus patterns that MSE didn't have, or the two AV updates
were out of sync.

So I ran MSE explicitly on one of the files in question, and it still
didn't find anything. OK, different virus DBs for MSE and ClamAV. Then
I ran clamscan on that same file (#177). Now *it* didn't find the virus
that clamdscan had found. OK again, slightly different ClamAV DB
since they were run on different days.

Finally, I ran clamdscan again on that file (after stopping and
restarting clamd to make sure it had the same DB as clamscan). This
time, again, it found the same virus, whether or not I used the
"--fdpass" option (just in case that made a difference).

Why did this happen? It seems to be because clamscan does not respect
the options in clamd.conf, in particular those relating to max file
size and max scan size. The 4 console outputs below illustrate this.
The first is a simple clamscan (which finds no virus), the next are 2
clamdscans (with and without "--fdpass") and the 4th is a clamscan with
explicit max options (to correspond to the clamd maxes). Notice that
this last clamscan now detects the virus that both clamds detected.

Currently clamscan doesn't even give a warning (e.g., an error message)
if it scans no data at all. Note how the 1st clamscan (with default
maxes) reported "Backup files 177.zip: OK". It took me a while to see
that it also said "Data scanned 0.00 MB", which makes the "OK" claim
extremely questionable.

To mitigate this kind of misleading behavior, where clamscan apparently
uses some built-in maxes, I would suggest that either clamscan should
respect the relevant options in clamd.conf if they are made explicit,
or, better yet, have its own clamscan.conf which allows overriding any
built-in defaults. (A separate clamscan.conf file could then also
make clear what the defaults are, and the extra time to process it
would be trivial compared to the time spent loading the virus DBs.)

============================================

imes>/Backup8/IME8/Backup Set 2020-01-01 104148/Backup Files 2020-01-01 104148$ clamscan -v Backup\ files\ 177.zip
Scanning Backup files 177.zip
Backup files 177.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 6659621
Engine version: 0.102.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 199.59 MB (ratio 0.00:1)
Time: 8.917 sec (0 m 8 s)

============================================

imes>/Backup8/IME8/Backup Set 2020-01-01 104148/Backup Files 2020-01-01 104148$ /opt/clamav/bin/clamdscan -v --fdpass Backup\ files\ 177.zip
/Backup8/IME8/Backup Set 2020-01-01 104148/Backup Files 2020-01-01 104148/Backup files 177.zip: Win.Trojan.Agent-1367203 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 2.010 sec (0 m 2 s)

============================================

imes>/Backup8/IME8/Backup Set 2020-01-01 104148/Backup Files 2020-01-01 104148$ /opt/clamav/bin/clamdscan -v Backup\ files\ 177.zip
/Backup8/IME8/Backup Set 2020-01-01 104148/Backup Files 2020-01-01 104148/Backup files 177.zip: Win.Trojan.Agent-1367203 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 1.964 sec (0 m 1 s)

============================================

imes>/Backup8/IME8/Backup Set 2020-01-01 104148/Backup Files 2020-01-01 104148$ /opt/clamav/bin/clamscan --max-filesize=1000M --max-scansize=1000M -v Backup\ files\ 177.zip
Scanning Backup files 177.zip
Backup files 177.zip: Win.Trojan.Agent-1367203 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6659621
Engine version: 0.102.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 4.05 MB
Data read: 199.59 MB (ratio 0.02:1)
Time: 12.085 sec (0 m 12 s)

============================================

P.S. Why ClamAV finds viruses that MSE doesn't find is a separate
question. Perhaps MSE has size limits that they don't even tell us
about?

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Why clamdscan and clamscan may give different results
That's correct and AFAIK, has always been the case. clamscan configuration is accomplished during the compile stage leading to installation, and clamd.conf options only apply to clamd and clamdscan.

-Al-

On Jan 8, 2020, at 18:25, Paul Kosinski via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> It seems to be because clamscan does not respect the options in clamd.conf...
Re: [clamav-users] Why clamdscan and clamscan may give different results
>On Jan 8, 2020, at 18:25, Paul Kosinski via clamav-users <clamav-users@lists.clamav.net> wrote:
>> It seems to be because clamscan does not respect the options in clamd.conf...

On 08.01.20 18:38, Al Varnell via clamav-users wrote:
>That's correct and AFAIK, has always been the case. clamscan
> configurations is accomplished during the compile stage leading to
> installation and clamd.conf options only apply to clamd and clamdscan.

you can pass options to clamscan on command line.

clamscan is not clamd, therefore it does not parse clamd's config file.
We can of course ask why there's no common config file for all clamav
programs (maybe the clamav library) but that is another issue.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler

Re: [clamav-users] Why clamdscan and clamscan may give different results
Yes of course you can pass options to clamscan on the command line
(it's what I did in my 4th example). But my point is that it makes
clamscan much harder to use in practice, as with only the default
values for the options, clamscan can be very misleading.

For now, I guess I'll have to write a little front-end script to pass
sensible options to clamscan to make it actually useful. (Currently,
clamscan has over 80 options. Are we expected to remember them all when
using the command line?)

P.S. Specifying options via environment variables and/or configuration
files to make command line usage easier is a Unix tradition. And many
GUI programs also allow persistent configuration to ease their usage.


On Thu, 9 Jan 2020 10:06:09 +0100
Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:

> >On Jan 8, 2020, at 18:25, Paul Kosinski via clamav-users
> ><clamav-users@lists.clamav.net> wrote:
> >> It seems to be because clamscan does not respect the options in
> >> clamd.conf...
>
> On 08.01.20 18:38, Al Varnell via clamav-users wrote:
> >That's correct and AFAIK, has always been the case. clamscan
> > configurations is accomplished during the compile stage leading to
> > installation and clamd.conf options only apply to clamd and
> > clamdscan.
>
> you can pass options to clamscan on command line.
>
> clamscan is not clamd, therefore it does not parse clamd's config file.
> We can of course ask why there's no common config file for all clamav
> programs (maybe the clamav library) but that is another issue.

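The following is an added example, not code from the original posts or from the ClamAV project: the kind of "little front-end script" the last message talks about, covering both points raised in the thread. It reads the limit directives from clamd.conf (MaxScanSize, MaxFileSize, MaxRecursion, MaxFiles) and passes the equivalent clamscan options (--max-scansize, --max-filesize, --max-recursion, --max-files), and it refuses to accept a clamscan "OK" whose summary shows "Data scanned: 0.00 MB" while data was read, which is what the first console output above shows and is consistent with the 199.59 MB archive exceeding clamscan's compiled-in default maximum (the clamscan man page of that era documents 25 MB per file and 100 MB per scan; check `clamscan --help` on your build). The clamd.conf path is an assumption, the sample summaries are constructed from the outputs quoted in the thread, and the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the original posts or from ClamAV): a clamscan
# front-end that derives size limits from clamd.conf and refuses to treat
# "OK" as clean when the summary shows no data was actually scanned.
# The clamd.conf location below is an assumption; override with CLAMD_CONF=...

CLAMD_CONF="${CLAMD_CONF:-/etc/clamav/clamd.conf}"

# clamd_limits_to_args <clamd.conf>
# Prints one clamscan option per line for each limit directive found.
# clamd.conf size values (e.g. "1000M") use the same suffixes clamscan accepts.
clamd_limits_to_args() {
    conf="$1"
    [ -r "$conf" ] || return 0
    awk '
        /^[ \t]*#/           { next }
        $1 == "MaxScanSize"  { print "--max-scansize="  $2 }
        $1 == "MaxFileSize"  { print "--max-filesize="  $2 }
        $1 == "MaxRecursion" { print "--max-recursion=" $2 }
        $1 == "MaxFiles"     { print "--max-files="     $2 }
    ' "$conf"
}

# classify_scan <clamscan output>
# Prints FOUND, OK or UNSCANNED.  UNSCANNED means clamscan said "OK" but the
# summary shows "Data scanned: 0.00 MB" while a non-zero amount was read
# (the file was skipped by a size limit, not verified clean), or the summary
# is missing altogether (e.g. clamscan failed to run).
classify_scan() {
    out="$1"
    if printf '%s\n' "$out" | grep -q ' FOUND$'; then
        echo FOUND
        return 0
    fi
    scanned=$(printf '%s\n' "$out" | sed -n 's/^Data scanned: \([0-9.]*\) MB.*/\1/p')
    read_mb=$(printf '%s\n' "$out" | sed -n 's/^Data read: \([0-9.]*\) MB.*/\1/p')
    if [ "${scanned:-0.00}" = "0.00" ] && [ "${read_mb:-x}" != "0.00" ]; then
        echo UNSCANNED
        return 0
    fi
    echo OK
}

# scan_with_limits <file>...
# Exit status: 0 clean, 1 infected (as clamscan itself), 2 nothing scanned.
scan_with_limits() {
    args=$(clamd_limits_to_args "$CLAMD_CONF" | tr '\n' ' ')
    # $args is intentionally unquoted so each option becomes its own word.
    out=$(clamscan $args "$@" 2>&1) || true   # clamscan exits 1 on FOUND, 2 on error
    printf '%s\n' "$out"
    case "$(classify_scan "$out")" in
        OK)    return 0 ;;
        FOUND) return 1 ;;
        *)     echo "WARNING: no data scanned for: $*;" \
                    "raise MaxFileSize/MaxScanSize in $CLAMD_CONF" >&2
               return 2 ;;
    esac
}

# Constructed sample summaries, modelled on the console output in the thread.
SAMPLE_UNSCANNED='Backup files 177.zip: OK

----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 199.59 MB (ratio 0.00:1)'

SAMPLE_FOUND='Backup files 177.zip: Win.Trojan.Agent-1367203 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Data scanned: 4.05 MB
Data read: 199.59 MB (ratio 0.02:1)'

SAMPLE_CLEAN='small.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.00:1)'

# Run as a wrapper when given files, e.g.:  ./clamwrap.sh Backup\ files\ 177.zip
if [ $# -gt 0 ]; then
    scan_with_limits "$@"
fi
```

Note that the wrapper keys on clamscan's own summary lines, so it does not help with clamdscan output (which prints no "Data scanned" line); for clamdscan the limits in clamd.conf already apply, which is the asymmetry the thread is about.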