Re: [Declude.Virus] Oversized.RAR FOUND in ClamAV

2006-09-07 Thread Scott Fisher

I used (and probably posted) the --max-ratio 0.

The max-ratio defines the maximum compression ratio for scanned files. I 
kept getting legit text files that were zipped that were over ratio, so 
that's why I went to max-ratio 0.


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com.







RE: [Declude.Virus] Oversized.RAR FOUND in ClamAV

2006-09-07 Thread Colbeck, Andrew
Disclaimer: I haven't implemented ClamAV with Declude, so I'm guessing
here...

It sounds like the max-ratio solution is a red herring.

It sounds like ClamAV returned an error because it couldn't scan the
overlarge file (compressed or not).

It sounds like Gary's configuration is quarantining emails based on any
non-zero return code from ClamAV and that this is not the behaviour he
really wants.

Comments? Flames?

Andrew 8)






Re: [Declude.Virus] Oversized.RAR FOUND in ClamAV

2006-09-07 Thread Scott Fisher

I think it is in there to defend against an archive bomb.

Archive bomb:

This is a seemingly small archive file that is actually highly compressed 
and expands into a huge file or several identical files. Such archives 
typically take quite a long time to scan, thus potentially forming a DDoS 
attack on an anti-virus program that tries to scan them. Good anti-virus 
programs include a smart algorithm to avoid extracting such files.





Re: [Declude.Virus] Oversized.RAR FOUND in ClamAV

2006-09-07 Thread Matt
Yep, archive bombs are a huge threat since it only takes one message to 
kill a server that doesn't possess detection.  Most AV programs have 
detection, but apparently ClamAV allows you to tune it.


I would search for a value that approximated more than 99.9% compression 
if possible and block on that.  I figure that a setting of 250 is 250:1 
or 99.75% compression if I am reading things right, so maybe making it 
1000 instead (i.e. 1000:1 or 99.9% compression) would be safer.


The goal of a compression bomb is to just simply fill disk space and 
therefore impact a server's ability to function, typically by having 
many GB of data that decompresses from a zip/rar/etc. that is tiny in 
comparison.


Matt





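To make concrete what a max-ratio limit is measuring in Scott's archive-bomb explanation and Matt's 250-vs-1000 arithmetic, here is an added example (not code from the thread, from Declude or from ClamAV): it reads the declared sizes from a constructed ZIP's central directory without extracting anything, computes each member's compression ratio, and applies the 250, 1000 and 0 settings discussed above. The example assumes that 0 means "limit disabled", as the thread treats it, and its compression-percentage formula is the example's own; it does not handle RAR and does not verify that declared sizes are honest, which a real scanner must also do while decompressing.

```python
import io
import zipfile

# Default discussed in the thread: ClamAV's default max-ratio is 250.
DEFAULT_MAX_RATIO = 250


def compression_percent(ratio):
    """Express a ratio such as 250:1 as the percentage of bytes saved."""
    return (1.0 - 1.0 / ratio) * 100.0


def inspect_zip(data):
    """Return (name, uncompressed, compressed, ratio) for each member, read
    from the central directory. Declared sizes only; nothing is extracted."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            # Guard against a zero compressed size (empty member).
            ratio = zi.file_size / max(zi.compress_size, 1)
            members.append((zi.filename, zi.file_size, zi.compress_size, ratio))
    return members


def over_max_ratio(members, max_ratio=DEFAULT_MAX_RATIO):
    """Names of members whose declared ratio exceeds the limit.
    A limit of 0 is assumed to mean 'disabled' and flags nothing."""
    if max_ratio == 0:
        return []
    return [name for name, _, _, ratio in members if ratio > max_ratio]


def build_sample_zip():
    """Constructed sample archive: one ordinary text note plus one highly
    compressible 1 MiB member standing in for an archive-bomb payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "Quarterly numbers attached, see sheet 2.\n" * 4)
        zf.writestr("padding.bin", b"\0" * (1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_zip(build_sample_zip())
    for name, raw, packed, ratio in report:
        print(f"{name}: {raw} -> {packed} bytes, ratio {ratio:.0f}:1")
    for limit in (DEFAULT_MAX_RATIO, 1000, 0):
        print(f"max-ratio {limit} ({compression_percent(limit):.2f}% saved)"
              if limit else "max-ratio 0 (disabled)",
              "flags:", over_max_ratio(report, limit))
```

Whether the 1 MiB zero-filled member also trips the 1000:1 limit depends on how tightly deflate packs it, which is the point of Matt's question: the threshold decides which legitimate-but-very-compressible files get caught alongside real bombs.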

[Declude.Virus] Oversized.RAR FOUND in ClamAV

2006-09-06 Thread Gary Steiner
I have an email that was held as a virus after ClamAV was triggered with the 
result Oversized.RAR FOUND.  I looked for an explanation but couldn't find 
anything detailed.  Apparently this is due to some type of bug in ClamAV that 
shows up with certain RAR or ZIP files.

I found one posting that suggested that the problem could be fixed by adjusting 
the max-ratio value.  The default max-ratio value for ClamAV is 250.  The 
suggested value for running it with Declude is 0.  What would be the safest 
value to run with and why?

Gary




