I am puzzled (and dismayed) by the following behavior of ClamAV. When I scan some archive files, I often get "Heuristics.Limits.Exceeded FOUND". This makes me wonder about ClamAV's utility in protecting our systems against malware.
I'm not talking about archive files downloaded from questionable sources, or incredibly large files (like DVD ISO files). I'm talking about files like the latest 64-bit Linux Firefox ESR binary file (65 MB) downloaded from "http://ftp.mozilla.org/pub/firefox/releases/";. Although this file passed its GPG signature verification, and its SHA512 checksum test, I still like to use ClamAV for additional checking (since even reputable distribution sites have been known to have been compromised). However, applying clamscan to this file (which was slightly renamed by my download script to be more readable) results in the following output: clamscan --alert-exceeds-max=yes --max-scantime=999 --max-scansize=4090M --max-filesize=4090M --max-files=30000 --max-recursion=30 --pcre-match-limit=999999999 --pcre-max-filesize=999999999 firefox-68.6.1-esr-64.tar.bz2 firefox-68.6.1-esr-64.tar.bz2: Heuristics.Limits.Exceeded FOUND This is in spite of the extra options I added to relax the "Limits". So I decided that since the Firefox tar.bz2 file passed its GPG and SHA512 tests, I would expand the into a temp directory and clamscan the result. (Which files are those used directly to run Firefox): clamscan --alert-exceeds-max=yes --max-scantime=999 --max-scansize=4090M --max-filesize=4090M --max-files=30000 --max-recursion=30 --pcre-match-limit=999999999 --pcre-max-filesize=999999999 -r firefox | grep -v ' OK' firefox/removed-files: Empty file firefox/chrome.manifest: Empty file firefox/browser/chrome.manifest: Empty file firefox/browser/omni.ja: Heuristics.Limits.Exceeded FOUND firefox/omni.ja: Heuristics.Limits.Exceeded FOUND The 'empty' files are Mozilla's doing, but the fact that the ".ja" files (which are "Mozilla archive" files -- basically jar/zip), were flagged bothered me. A lot. So what should I do to have confidence in ClamAV's utility in such situations? The version of clamscan I am using is 0.102.1 (built from source), and I only started using the "--alert-exceeds-max=yes" option recently. Thanks, Paul Kosinski P.S. I hope everybody is staying healthy. _______________________________________________ clamav-users mailing list [email protected] https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
