Hi there,

On Fri, 30 Aug 2019, Michael Newman via clamav-users wrote:
I’m still baffled trying to figure out what is causing this error.
It's not an error. As it says, it's a warning. You're probably worrying about nothing but it's usually as well to find out exactly what's happening.
/Users/mnewman/Downloads/Safety-Cut GFCI.pdf: OK
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes
/Users/mnewman/Downloads/gettext-0.19.6-MACOS-10.11-10.12-SDK-10.11.pkg: OK
...
...

I have many files which are much bigger than 25 MB, but only this one, unidentified file is causing the problem.
There are quite a few limits set by the scanning engine. Some of them are set for the safety of the system, so that, for example, you don't inadvertently give the computer more work to do than it's capable ever of doing. Amongst other things, that might happen if you scan a file like a compressed archive which itself is small, but which claims that it contains billions of enormous files.

That appears to be the sort of thing that's happening here. It's not the size of the file, it's the size of the extracted, uncompressed content. That, after all, is what needs to be scanned.

Unfortunately, faults in the implementation of compression methods, and even the techniques themselves, can expose the system to risk from malicious files in this way. It's unlikely to do a lot of damage, but it might cause a type of denial of service so it has to be considered by the software.

That's not to say that you have a malicious file on your system, but it seems there's at least one which triggers a safety limit. Some of these limits are set quite conservatively, and they can be adjusted, but most people don't bother. I don't bother.
I ran clamscan so that the log file would be verbose. I’m including a few lines from the log on both sides of the error message. As far as I can see, it doesn’t give me a clue as to what file is causing the error:
The clue is there - it's decompressing something. Unfortunately it's possible to have compressed data in all sorts of files. Some parts of the ClamAV libraries never actually know the name of the file that's being scanned (there might not even be a file, it might just be a scan of a stream of data sent to a socket for example), so at the point where the warning is generated, there isn't any filename to give you.

If I wanted to know which file was triggering the warning in this case I'd start with a scan of

/Users/mnewman/Downloads/gettext-0.19.6-MACOS-10.11-10.12-SDK-10.11.pkg

because it looks to me like that's the file which was being scanned when LibClamAV decided to emit the warning, but I don't know exactly how you got the output that you've posted for us.

The log messages for multi-tasking, multi-user systems often don't appear in exactly the sequence that you might expect, nor even exactly in the chronological sequence that they were generated, so things can sometimes get a bit confusing. You'll get used to it after a couple of decades. :)

If that's what's happening here you could scan one directory at a time, then one sub-directory at a time and so on until you find it. When you're confused by the system logs then it can be easier to figure out what's going on if instead you get all the output from the scan to go to the console.

--

73,
Ged.
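
The narrowing-down described in the message above, taken to its end point of one clamscan run per file, so that any LibClamAV warning printed during a run can only belong to that file. This is an added example, not part of the original post; the function name `find_warning_files` and the `SCANNER` variable are made up for illustration, and it assumes `clamscan` is on the PATH.

```sh
#!/bin/sh
# Added example: tie each "LibClamAV Warning" to a path by scanning files
# one at a time instead of relying on the order of lines in a combined log.

# Assumption: clamscan is on PATH. SCANNER can be overridden for testing.
SCANNER=${SCANNER:-clamscan}

# find_warning_files DIR
# Prints to stdout the path of every regular file under DIR whose individual
# scan produced a LibClamAV warning; the warning text itself goes to stderr.
# The body runs in a subshell so its variables do not leak to the caller.
find_warning_files() (
    dir=$1
    # Note: paths containing newlines are not handled by this simple loop.
    find "$dir" -type f | while IFS= read -r file; do
        # Merge stdout and stderr: with one file per run, every warning in
        # the output belongs to this file regardless of which stream it
        # was written to. "|| true" keeps a no-match grep from being fatal.
        warnings=$("$SCANNER" --no-summary "$file" 2>&1 \
            | grep 'LibClamAV Warning' || true)
        if [ -n "$warnings" ]; then
            printf '%s\n' "$file"
            printf '    %s\n' "$warnings" >&2
        fi
    done
)

# When run as a script with a directory argument, scan that directory.
if [ "$#" -gt 0 ]; then
    find_warning_files "$1"
fi
```

Scanning file by file reloads the signature database on every run, so it is slow on a large tree; narrowing to a suspect directory first, as suggested above, keeps it practical.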
