Is this a generic problem with compressed archives (like the Firefox
".tar.bz2") or is it zip specific? 

If it is zip specific, there are 2 files in the Firefox distribution
file that are zip format compressed which might explain the slowness.
(They are both named omni.ja, but have different contents).



On Fri, 10 Apr 2020 19:58:35 +0000
"Micah Snyder (micasnyd)" <micas...@cisco.com> wrote:

> One issue ClamAV currently has with scanning Zip archives is that
> ClamAV's self-extracting zip detection logic has a flaw wherein it
> detects every file within a zip as a new self-extracting zip.  As a
> result, I believe (and I could be wrong on this), that Clam ends up
> extracting and scanning every file in a zip *twice*.  I'm still
> brainstorming the best way to fix this -- but I suspect this is a
> large part of why zip-based file formats take much longer than
> expected to scan. 
> 
> -Micah
> 
> 
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>  
> 
> 
> 
> On 4/7/20, 1:38 PM, "clamav-users on behalf of Paul Kosinski via
> clamav-users" <clamav-users-boun...@lists.clamav.net on behalf of
> clamav-users@lists.clamav.net> wrote:
> 
>     I didn't want to screw around with my clamdscan (clamd.conf)
>     settings, so I ran my optioned-up clamscan command on a smaller and
>     much less complicated file. It took less than 11 seconds total time.
>     (My previous guess on clamscan's DB load time was apparently way off.)
>     
>     This suggests that the ClamAV scanning process really does take a
>     lot of CPU to deal with a big, complicated file like a Firefox
>     package:
>       time clamscan \
>            --alert-exceeds-max=yes --max-scantime=999999 \
>            --max-scansize=4090M --max-filesize=4090M --max-files=30000 \
>            --max-recursion=30 --pcre-match-limit=999999999 \
>            --pcre-max-filesize=999999999 audiofile.wav
>       audiofile.wav: OK
>     
>       ----------- SCAN SUMMARY -----------
>       Known viruses: 6804144
>       Engine version: 0.102.1
>       Scanned directories: 0
>       Scanned files: 1
>       Infected files: 0
>       Data scanned: 1.74 MB
>       Data read: 1.73 MB (ratio 1.01:1)
>       Time: 10.836 sec (0 m 10 s)
>     
>       real    0m10.851s
>       user    0m10.439s
>       sys     0m0.412s
>     
>     P.S. This is an actual audio intermediate file, not just random
>     bytes.
>     
>     
>     On Mon, 6 Apr 2020 21:50:15 -0700
>     Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
>     
>     > Much of that time is almost certainly being consumed by loading
>     > the signature database into RAM. How long does it take using
>     > clamdscan?
>     > 
>     > Sent from my iPad
>     > 
>     > -Al-
>     > 
>     > On Apr 6, 2020, at 12:29, Paul Kosinski via clamav-users
>     > <clamav-users@lists.clamav.net> wrote:  
>     > > 
>     > > It *does* take more than 120 secs for the clamscan command to
>     > > fully scan the 62 MB Firefox installation file (.tar.bz2).
>     > > Trying the scan with the default clamscan limits results in
>     > > 62 MB "Data read" but *zero* "Data scanned"!    

> 
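
One way to see how much of a .tar.bz2's unpacking work comes from zip-format members, as asked at the top of this message. This is an added Python example, not part of the original thread and not ClamAV code: it walks an archive the way an unpacking scanner must and counts files, zip-format members and nesting depth. The sample archive, its member names and the helper names are constructed for illustration, and the counting is the script's own, not ClamAV's accounting.

```python
import io
import tarfile
import zipfile

def make_zip(names):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, b"x" * 1000)
    return buf.getvalue()

def build_sample():
    """Constructed tar.bz2: one plain file plus two zip-format members."""
    members = {
        "app/readme.txt": b"hello",
        "app/omni.ja": make_zip(["a.js", "b.js", "c.js"]),
        "app/browser/omni.ja": make_zip(["d.js", "e.js"]),
    }
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:bz2") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return out.getvalue()

def walk(data, depth=1, stats=None):
    """Count what an unpacking scanner faces. Depth 1 is the outer archive;
    bz2+tar count as one layer here, which a real scanner may count as two."""
    stats = stats if stats is not None else {"files": 0, "zips": 0, "depth": 0}
    stats["depth"] = max(stats["depth"], depth)
    if data[:4] == b"PK\x03\x04" and zipfile.is_zipfile(io.BytesIO(data)):
        stats["zips"] += 1
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            children = [zf.read(i) for i in zf.infolist() if not i.is_dir()]
    else:
        try:
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                children = [tf.extractfile(m).read() for m in tf if m.isfile()]
        except tarfile.TarError:
            return stats  # not a container: leaf file
    for child in children:
        stats["files"] += 1
        walk(child, depth + 1, stats)
    return stats

def over_limits(stats, max_files=30000, max_recursion=30):
    """Compare against the --max-files/--max-recursion values used in this thread."""
    return [k for k, lim in (("files", max_files), ("depth", max_recursion)) if stats[k] > lim]
```

To run it on a real download, pass the file's bytes to `walk()` instead of `build_sample()`; members are read fully into memory, so this suits archives of the size discussed here.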