Hi there,

On Wed, 7 Apr 2021, Paul Kosinski via clamav-users wrote:

> Seems to me that this behavior, advertising a 4GB limit while
> silently imposing a 2GB limit and reporting "OK" for anything in
> between, is a *major* security flaw: ClamAV *must* report that the
> file was too big to deal with (however worded).

Don't get too excited about it.  When ClamAV says "OK" it really means
"I didn't find anything in there", which if you're unlucky it will say
for maybe two out of three infected files anyway.  Getting bent out of
shape about a couple of files which happen to give that result because
they're huge and the scanner gives up on them is simply not seeing the
Big Picture.

You will have problems if you believe everything ClamAV (or indeed any
other virus scanner) tells you.  No scanner will give you an accurate
result every time.  The best anyone can hope for, with ANY scanner and
ANY profile of data, is probably four out of five, so if you're seeing
thousands of malicious samples every day, and all you do is trust your
virus scanners to be right every time, you'll be accepting hundreds of
malicious samples daily at least.

My take on it is that the way to use ClamAV is to try to have it give
you an estimate of the credibility of the data sources rather than to try
to whack all the moles, which is usually a fruitless exercise and will
inevitably lead to failure.

Thus I've taken to using clamscan rather than clamdscan (slow though
that is), because at least it reports how many bytes were read, and
how many scanned, so I can see what's going on.

You can easily put something together which gives you that information
but still uses clamd.  If anyone wants to take a project and run with
it I'll be happy to post some Perl code which sends a stream to clamd.
It would take care of the ugly inter-process communications, leaving
our hero to make it somehow useful.  Perhaps on the development list,
or the ClamAV Bugzilla.

> P.S. Recently I've downloaded some MP3s from Amazon and scanned them
> (as I do everything I download -- except updates from my Linux
> distros). But for a reason I saw on this list -- but can't remember
> -- MP3s are fully read, but not scanned. Is this going to be
> remedied?

See this thread:

https://marc.info/?l=clamav-users&m=150039601417286&w=2

See also the messages in 2014 from Steve Basford on Jul. 8 and Sep 17,
and Douglas Goddard on Sep 25:

https://marc.info/?l=clamav-users&w=2&r=1&s=MP3&q=b

See also

https://bugzilla.clamav.net/show_bug.cgi?id=11582

which tells me that there's plenty of work still to do but it isn't at
the top of anybody's priority list.  The bottom line seems to be that
MP3 viruses are, if not non-existent, relatively rare and there's more
to be achieved looking for things which masquerade as MP3 but aren't.

--

73,
Ged.
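The "stream to clamd and keep your own byte count" idea from the message above, as an added example: this is not the poster's Perl code and not part of ClamAV; it is Python written for this page. It speaks clamd's INSTREAM protocol (the zINSTREAM command, 4-byte big-endian length-prefixed chunks, a zero-length chunk to finish, NUL-terminated reply), counts the payload bytes actually handed over, and classifies the reply so that only an explicit "OK" counts as clean; an ERROR reply (clamd answers "INSTREAM size limit exceeded. ERROR" when StreamMaxLength is hit) is reported as "not scanned" instead of being quietly taken as a clean result. The stub daemon, the marker string and the scan_bytes() driver are constructed for offline demonstration and are assumptions, not ClamAV behaviour beyond the reply strings named.

```python
"""Stream data to clamd over INSTREAM, count what was sent, and never
report "clean" without an explicit OK verdict (added example; not ClamAV code)."""
import io
import socket
import struct
import threading
from typing import BinaryIO, Tuple

CHUNK = 64 * 1024                      # payload bytes per INSTREAM frame
MARKER = b"CONSTRUCTED-MALWARE-MARKER"  # constructed stand-in for a signature hit


def read_nul_terminated(sock: socket.socket) -> bytes:
    """z-prefixed commands and their replies end in NUL; read up to it."""
    buf = b""
    while not buf.endswith(b"\0"):
        b = sock.recv(1)
        if not b:
            break
        buf += b
    return buf


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-frame")
        buf += part
    return buf


def classify(reply: bytes) -> str:
    """Map a clamd reply to 'clean', 'infected' or 'not-scanned'.
    Only an explicit OK is clean; an ERROR (stream limit, unknown command,
    connection dropped) means the data was never examined."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" OK"):
        return "clean"
    if text.endswith(" FOUND"):
        return "infected"
    return "not-scanned"


def scan_stream(sock: socket.socket, src: BinaryIO) -> Tuple[str, int, bytes]:
    """Send src over a connected clamd socket with zINSTREAM.
    Returns (verdict, payload_bytes_sent, raw_reply)."""
    sent = 0
    try:
        sock.sendall(b"zINSTREAM\0")
        while True:
            data = src.read(CHUNK)
            if not data:
                break
            sock.sendall(struct.pack(">I", len(data)) + data)
            sent += len(data)
        sock.sendall(struct.pack(">I", 0))
    except (BrokenPipeError, ConnectionResetError):
        pass  # clamd may hang up early at its stream limit; still read what it said
    try:
        reply = read_nul_terminated(sock)
    except ConnectionResetError:
        reply = b""
    return classify(reply), sent, reply


def stub_clamd(sock: socket.socket, stream_max: int) -> None:
    """Constructed stand-in for clamd. It drains the whole stream before
    answering (the real daemon may stop reading at its limit) and then
    replies with the daemon's wording for limit-exceeded, found, or OK."""
    if read_nul_terminated(sock) != b"zINSTREAM\0":
        sock.sendall(b"UNKNOWN COMMAND\0")
        sock.close()
        return
    total, body = 0, b""
    while True:
        (length,) = struct.unpack(">I", recv_exact(sock, 4))
        if length == 0:
            break
        body += recv_exact(sock, length)
        total += length
    if total > stream_max:
        sock.sendall(b"INSTREAM size limit exceeded. ERROR\0")
    elif MARKER in body:
        sock.sendall(b"stream: Constructed.Test.Marker FOUND\0")
    else:
        sock.sendall(b"stream: OK\0")
    sock.close()


def scan_bytes(payload: bytes, stream_max: int) -> Tuple[str, int]:
    """Drive scan_stream() against the stub over a socketpair (offline)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=stub_clamd, args=(server, stream_max))
    worker.start()
    verdict, sent, _ = scan_stream(client, io.BytesIO(payload))
    client.close()
    worker.join()
    return verdict, sent


if __name__ == "__main__":
    for name, data in [("small", b"A" * 1000), ("oversized", b"A" * 3000)]:
        verdict, sent = scan_bytes(data, stream_max=2000)
        print(f"{name}: {sent} bytes sent, verdict={verdict}")
```

Against a real daemon, replace the socketpair with a connection to clamd's LocalSocket or TCP address and call scan_stream() directly; comparing the returned byte count with the configured StreamMaxLength tells you whether an "OK" could possibly cover the whole file, which is the check clamdscan's bare "OK" does not give you.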

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users