Mailing List Archive

[clamav-users] clam scan.conf meaning of severe damage to the system
In /etc/clam.d/scan.conf there is this for many settings (MaxScanSize=150M for example):

# Note: disabling this limit or setting it too high may result in severe damage to the system.

What is severe damage?
- it causes Linux to corrupt itself, where I need to reinstall Linux?
- it somehow causes irreparable damage to a hard disk or ssd or RAM?
- it causes the cpu or motherboard to fail?

Can the reason for this statement of severe damage be further clarified and
explained?
If I set MaxScanSize to 151M is that good or bad and why?

Does this scan.conf also affect doing a manual "clamscan --recursive /"?

Re: [clamav-users] clam scan.conf meaning of severe damage to the system
Presumably it was added as an exaggeration to discourage people from setting it too high and then complaining about undefined behavior. My expectation is that anything over 2GB may not scan correctly because clamav wasn’t written to handle large files and thus the variables used for storing file sizes and offsets are inconsistent throughout the codebase. My personal recommendation is to not set MaxScanSize or MaxFileSize higher than 2GB.

Outside of that, the only consequence I’m aware of for scanning very large files is very long scan times and perhaps very high RAM usage.

-Micah
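
Added example, not part of the original post or of ClamAV itself: a small audit that flags MaxScanSize / MaxFileSize values which are disabled or above the 2GB ceiling recommended above. The function names are hypothetical; it assumes the clamd.conf conventions that a value of 0 disables a limit and that sizes take a K or M suffix.

```shell
#!/bin/sh
# Added example: flag MaxScanSize / MaxFileSize values that are disabled or above 2 GiB.
LIMIT_BYTES=2147483648   # 2 GiB, the ceiling recommended in the reply above

# Convert a size value (plain bytes, or K/k and M/m suffixes) to bytes.
# Returns non-zero for anything else, so unknown suffixes are reported, not guessed.
size_to_bytes() {
    num=${1%[KkMm]}
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    num=$(printf '%s' "$num" | sed 's/^0*\(.\)/\1/')   # avoid octal parsing of leading zeros
    case "$1" in
        *[Kk]) echo $((num * 1024)) ;;
        *[Mm]) echo $((num * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# Read a clamd-style config on stdin and print one verdict per size directive.
audit_limits() {
    # Real files use "Name value"; the "Name=value" notation from the post is accepted too.
    sed -e 's/#.*//' -e 's/=/ /' | while read -r key val rest; do
        case "$key" in MaxScanSize|MaxFileSize) ;; *) continue ;; esac
        if ! bytes=$(size_to_bytes "$val"); then echo "$key unparsed $val"
        elif [ "$bytes" -eq 0 ]; then echo "$key disabled"
        elif [ "$bytes" -gt "$LIMIT_BYTES" ]; then echo "$key over-2G $bytes"
        else echo "$key ok $bytes"
        fi
    done
}

# Constructed sample, not taken from a real system.
sample_config() {
    cat <<'EOF'
# size limits for the daemon
MaxScanSize 150M
MaxFileSize 4096M
MaxRecursion 16
EOF
}

sample_config | audit_limits
```

To check a real file, feed it on stdin, for example `audit_limits < /etc/clam.d/scan.conf`.
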

From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of ron ron via clamav-users
Sent: Friday, November 27, 2020 8:14 AM
To: clamav-users@lists.clamav.net
Cc: ron ron <ron7000cg@gmail.com>
Subject: [clamav-users] clam scan.conf meaning of severe damage to the system

Re: [clamav-users] clam scan.conf meaning of severe damage to the system
Hi there,

On Fri, 27 Nov 2020, Micah Snyder (micasnyd) via clamav-users wrote:
> On Fri, 27 Nov 2020, ron ron via clamav-users wrote:
>
> > What is severe damage?
>
> Presumably it was added as an exaggeration to discourage people from
> setting it too high and then complaining about undefined behavior.
> My expectation is that anything over 2GB may not scan correctly ...
> ...
> Outside of that, the only consequence I’m aware of for scanning very
> large files is very long scan times and perhaps very high RAM usage.

I'd add that Linux often uses an Out Of Memory (OOM) process killer,
which can terminate processes based on some algorithm if the system
decides that memory is too tight. Unluckily it doesn't always seem to
ignore processes that you or I might consider essential. For example
I've seen it kill NFS system processes, thus crashing remote systems.
So if you let a ClamAV process use all available memory it's as well
to configure the OOM process killer before you do it, or be prepared
for it to cause a system crash. I have one particular Raspberry Pi
which exports NFS filesystems to a few other Pis (but it doesn't run
ClamAV). Here's the OOM score adjustment for its 'rpc.mountd' daemon:

ged@pi3bplus:~$ cat /proc/`pidof rpc.mountd`/oom_score_adj
-1000

This should only be necessary if you don't have enough swap space to
cope with occasional excessive memory demands. If you do, as Micah
says, theoretically things should just slow to a crawl but still get
done eventually.

I don't think there's much risk of physical damage to a system as a
result of running out of memory but if a process is terminated without
getting the chance to flush output buffers, close open files etc. it's
possible that filesystem data structures, database files etc. could be
left in an inconsistent state. There are utilities (e.g. fsck) for
fixing such things but you can't be sure there won't be any data loss.

It's worth experimenting but I'd suggest doing it on a separate system
or virtual machine to limit the potential fallout.

> does this scan.conf also affect doing a manual "clamscan --recursive /"

I think 'scan.conf' is some certifiable package manager's idea of what
anyone in his right mind would have called 'clamd.conf'. As this is
the configuration file for the clamd daemon, it will have an effect on
a scan which uses 'clamdscan', but not one which uses 'clamscan'.

--

73,
Ged.
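
Added example, not part of the original post: a check of the OOM score adjustments described above, comparing a scanner process with daemons that must survive memory pressure. The function names, the PROC_ROOT variable and the sample tree are hypothetical; comparing oom_score_adj values alone is a heuristic, since the kernel also weighs each process's memory use.

```shell
#!/bin/sh
# Added example: compare oom_score_adj of a scanner with that of essential daemons.
# oom_score_adj ranges from -1000 (never chosen by the OOM killer) to 1000.
PROC_ROOT=${PROC_ROOT:-/proc}

# Print "pid adj" for every process whose comm equals $1.
oom_adj_of() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ "$(cat "$d/comm" 2>/dev/null)" = "$1" ] || continue
        echo "${d##*/} $(cat "$d/oom_score_adj" 2>/dev/null)"
    done
}

# $1 = scanner comm, remaining args = daemons that must survive memory pressure.
# Heuristic: a daemon whose adjustment is not below the scanner's is "exposed".
check_oom_order() {
    scanner=$1; shift
    s_adj=$(oom_adj_of "$scanner" | cut -d' ' -f2 | sort -n | head -n 1)
    [ -n "$s_adj" ] || { echo "$scanner not-running"; return 0; }
    for name in "$@"; do
        oom_adj_of "$name" | while read -r pid adj; do
            [ -n "$adj" ] || continue
            if [ "$adj" -eq -1000 ]; then verdict=protected
            elif [ "$adj" -lt "$s_adj" ]; then verdict=favoured
            else verdict=exposed; fi
            echo "$name $pid $adj $verdict"
        done
    done
}

# Constructed /proc-like tree for an offline run (PIDs and values are made up).
make_sample_proc() {
    root=$1
    for entry in "101 clamd 0" "202 rpc.mountd -1000" "303 sshd 0"; do
        set -- $entry
        mkdir -p "$root/$1"
        echo "$2" > "$root/$1/comm"
        echo "$3" > "$root/$1/oom_score_adj"
    done
}

# Demo on the constructed tree; point PROC_ROOT at /proc to inspect a live system.
demo=$(mktemp -d)
make_sample_proc "$demo"
PROC_ROOT=$demo
check_oom_order clamd rpc.mountd sshd
rm -rf "$demo"
```

On a systemd host the adjustment can be made persistent for a service with the OOMScoreAdjust= unit setting.
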
