Hi there,
On Fri, 27 Nov 2020, Micah Snyder (micasnyd) via clamav-users wrote:
> On Fri, 27 Nov 2020, ron ron via clamav-users wrote:
>
> > What is severe damage?
>
> Presumably it was added as an exaggeration to discourage people from
> setting it too high and then complaining about undefined behavior.
> My expectation is that anything over 2GB may not scan correctly ...
> ...
> Outside of that, the only consequence I’m aware for scanning very
> large files is very long scan times and perhaps very high RAM usage.
I'd add that Linux often uses an Out Of Memory (OOM) process killer,
which can terminate processes based on some algorithm if the system
decides that memory is too tight. Unluckily it doesn't always seem to
ignore processes that you or I might consider essential. For example
I've seen it kill NFS system processes, thus crashing remote systems.
So if you let a ClamAV process use all available memory it's as well
to configure the OOM process killer before you do it, or be prepared
for it to cause a system crash. I have one particular Raspberry Pi
which exports NFS filesystems to a few other Pis (but it doesn't run
ClamAV). Here's the OOM score adjustment for its 'rpc.mountd' daemon:
ged@pi3bplus:~$ cat /proc/`pidof rpc.mountd`/oom_score_adj
-1000
This should only be necessary if you don't have enough swap space to
cope with occasional excessive memory demands. If you do, as Micah
says, theoretically things should just slow to a crawl but still get
done eventually.
I don't think there's much risk of physical damage to a system as a
result of running out of memory but if a process is terminated without
getting the chance to flush output buffers, close open files etc. it's
possible that filesystem data structures, database files etc. could be
left in an inconsistent state. There are utilities (e.g. fsck) for
fixing such things but you can't be sure there won't be any data loss.
It's worth experimenting but I'd suggest doing it on a separate system
or virtual machine to limit the potential fallout.
> does this scan.conf also affect doing a manual "clamscan --recursive /"
I think 'scan.conf' is some certifiable package manager's idea of what
anyone in his right mind would have called 'clamd.conf'. As this is
the configuration file for the clamd daemon, it will have an effect on
a scan which uses 'clamdscan', but not one which uses 'clamscan'.
--
73,
Ged.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml