I've been running some tests lately, and I cannot make clam block files that exceed ArchiveMaxRecursion. I guess the same goes for the other limits too, although I haven't tested them. clamd.conf attached inline below. According to the log, the settings are acknowledged, but then a (too) deep zip test archive with the eicar is let through. I have of course verified that the file is in fact stopped as long as the archive is not too deep.
I'm using postfix->clamsmtpd->clamd, so could the problem be clamsmtpd not interpreting a certain return status from clamd?
...
Dec 13 17:48:30 slugger clamd[11512]: Archive: Archived file size limit set to 20971520 bytes.
Dec 13 17:48:30 slugger clamd[11512]: Archive: Recursion level limit set to 2.
Dec 13 17:48:30 slugger clamd[11512]: Archive: Files limit set to 10000.
Dec 13 17:48:30 slugger clamd[11512]: Archive: Compression ratio limit set to 300.
Dec 13 17:48:30 slugger clamd[11512]: Archive support enabled.
Dec 13 17:48:30 slugger clamd[11512]: Archive: RAR support disabled.
Dec 13 17:48:30 slugger clamd[11512]: Archive: Blocking archives that exceed limits.
...
Dec 13 17:49:09 slugger clamd[11512]: /tmp/clamsmtpd.3TKa2s: OK
...
Dec 13 17:49:09 slugger clamsmtpd: 10002E: [EMAIL PROTECTED], [EMAIL PROTECTED], status=CLEAN
...
Surely, this is a huge security risk? It leaves an otherwise outstanding AV system completely useless for me, anyway.
I'm not on the list, so CC me if you expect a prompt response.
rgds, HR
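Added example, not part of the original post and not ClamAV or clamsmtpd code: an independent Python pre-check that a mail gateway could run beside clamd, failing closed on ZIP files nested deeper than the recursion limit shown in the log above. The function names, the level counting (outermost archive = level 1) and the constructed sample archives are assumptions.

```python
import io
import zipfile

MAX_RECURSION = 2       # "Recursion level limit set to 2" in the log
MAX_MEMBER = 20971520   # "Archived file size limit set to 20971520 bytes"


def scan_limits(data, level=1):
    """Return 'OK' or 'BLOCK' for ZIP bytes; anything past a limit is blocked.

    Assumption: the outermost archive counts as level 1, which may differ
    from how clamd counts recursion levels.
    """
    if level > MAX_RECURSION:
        return "BLOCK"  # too deep: refuse instead of silently skipping
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER:
                    return "BLOCK"  # declared size over the member limit
                member = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(member)):
                    if scan_limits(member, level + 1) == "BLOCK":
                        return "BLOCK"
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        # Corrupt, encrypted or unsupported archive: it cannot be
        # inspected, so fail closed.
        return "BLOCK"
    return "OK"


def make_nested(levels, payload=b"harmless constructed payload\n"):
    """Constructed sample input: wrap `payload` in `levels` layers of ZIP."""
    blob = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{i}.bin", blob)
        blob = buf.getvalue()
    return blob


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "layer(s):", scan_limits(make_nested(n)))
```

The verdict is an explicit BLOCK rather than an OK with the inner layers left unscanned, which is the outcome the log lines above show for the too-deep archive.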
