The "--max-scantime" option apparently was the culprit. I had set it to 999 to ensure it *wouldn't* time out. I never imagined that the time was in milliseconds, since "--help" didn't say so, and the clamscan *command* needs on the order of 100,000 msecs even to start. (So why specify max scan time in units of msecs then?)

The millisecs hypothesis is "proved" (small sample, though) by the fact that when I changed the command to say "--max-scantime=999999", the scan finished normally and reported the file clean (as I would expect, the file having come from a well regarded source). To wit:

  clamscan --alert-exceeds-max=yes --max-scantime=999999 --max-scansize=4090M --max-filesize=4090M --max-files=30000 --max-recursion=30 --pcre-match-limit=999999999 --pcre-max-filesize=999999999 firefox-68.6.1-esr-64.tar.bz2

  firefox-68.6.1-esr-64.tar.bz2: OK

  ----------- SCAN SUMMARY -----------
  Known viruses: 6797620
  Engine version: 0.102.1
  Scanned directories: 0
  Scanned files: 1
  Infected files: 0
  Data scanned: 622.26 MB
  Data read: 62.06 MB (ratio 10.03:1)
  Time: 138.749 sec (2 m 18 s)

P.S. It would be helpful if ClamAV reported exactly *which* Heuristic Limit was exceeded (which would be quite easy, I suspect).

------------------------

On Sat, 4 Apr 2020 00:22:12 +0300
Reio Remma via clamav-users <[email protected]> wrote:

> On 04.04.2020 00:17, Kris Deugau wrote:
> > Arjen de Korte via clamav-users wrote:
> >> Citeren Paul Kosinski via clamav-users
> >> <[email protected]>:
> >
> >>> However, applying clamscan to this file (which was slightly
> >>> renamed by my download script to be more readable) results in the
> >>> following output:
> >>>
> >>> clamscan --alert-exceeds-max=yes --max-scantime=999
> >>> --max-scansize=4090M --max-filesize=4090M --max-files=30000
> >>> --max-recursion=30 --pcre-match-limit=999999999
> >>> --pcre-max-filesize=999999999 firefox-68.6.1-esr-64.tar.bz2
> >>>
> >
> >> Before writing this whole rant, you have not considered checking
> >> which of the options might have triggered this? You've reduced the
> >> --max-scantime from the default 120 seconds to under 1 second and
> >> still wonder why this breaks? Really?
> >
> > That option seems to be missing from the man page entirely:
> >
> > $ dpkg -l clamav
> > ii clamav 0.102.1+dfsg-0+deb10u2 amd64 [...]
> > $ zgrep scantime /usr/share/man/man1/clamscan.1.gz
> > $
> >
> >
> > and does not specify units in the --help text:
> >
> > $ clamscan --help
> > [...]
> > --max-scantime=#n Scan time longer than this
> > will be skipped and assumed clean
> > [...]
> >
> > Absent any documentation, I would reasonably assume this to be in
> > seconds, not milliseconds.
> >
> > I have no idea if you're wrong about this being the cause, but
> > without diving into the source, Paul's use of that option looks
> > entirely reasonable to me.
> >
> > -kgd
>
> https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
>
> It is indeed a rather obscure option and missing from man pages.
>
> Good luck,
> Reio

_______________________________________________

clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
