Hi Max,

Please be aware that at present, ClamAV can't scan files above 2G because of internal variable limitations.

If your ZIP files are around 2G then this may be the limit you are encountering.

Regards
        Mark.

On 04/10/2021 09:37, Max Allan via clamav-users wrote:
Thanks Laurent,

The results say : "Infected files: 1". Therefore our automated systems
cannot differentiate between this file being infected and not. And if
the AV scanner has stopped scanning before everything was scanned, it
MAY be infected and I cannot allow the file in.

If it went above a limit, which limit do I need to increase to make it
scan? There is only one extra level of zip nesting and none of the
files are large. So I can presumably increase one of those limits by
"1" to count for the extra level of nesting perhaps. But I increased
the limits related to recursion massively and it still fails. All of
those limits are far, far bigger than the content (mostly 2GB and
hundreds of thousands of files). And content that it CAN scan when
extracted, so clearly there is nothing there that is beyond a limit.

I do not want files beyond a limit to remain unscanned, I want them
all to be scanned. And I can achieve that manually by extracting the
.zip. But it fails to scan when the zip is still compressed. It is not
feasible to have an automated AV system uncompress every zip file it
finds outside of the scan solution and feed in all found zip files as
exclusions from the scan.

So I ask again, why does it hit a limit when in a .zip file but not
when the zip is expanded, when all the limits are clearly much higher
than anything it will encounter?

Max

On Fri, 1 Oct 2021 at 18:06, Laurent S. via clamav-users
<[email protected]> wrote:

Dear Max Allan,

Heuristics.Limits.Exceeded doesn't mean the file is infected, but it's
only a warning telling you that something went above the limits you set.
It gives the warning this way because of --alert-exceeds-max=yes.

ClamAV managed to go search into those files in each case as you can see
from the scan summaries. It will count the zip as a single file.

I would recommend against copy-pasting all those parameters without
having given proper thought into what you are doing.

Best regards,
Laurent

On 01.10.21 18:09, Max Allan via clamav-users wrote:
Hi,
I have a requirement (from the business) to AV scan all docker
containers we create.
I started experimenting with tomcat:latest, which is handy because you
can follow along at home easily!
Someone else has already recommended a scan command :

clamscan <file> \
    --infected \
    --recursive=yes \
    --alert-exceeds-max=yes \
    --max-recursion=2000000 \
    --max-dir-recursion=2000000 \
    --max-files=2000000 \
    --max-filesize=2000M \
    --max-scansize=2000M \
    --max-embeddedpe=2000M \
    --max-htmlnormalize=2000M \
    --max-htmlnotags=2000M \
    --max-scriptnormalize=2000M \
    --max-ziptypercg=2000M \
    --max-partitions=2000000 \
    --max-iconspe=2000000 \
    --max-rechwp3=2000000 \
    --pcre-match-limit=2000000 \
    --pcre-recmatch-limit=2000000 \
    --pcre-max-filesize=2000M -a

So, if you run the tomcat:latest container, apt update, apt install
clamav, freshclam and run that scan command against
/usr/local/openjdk-11/lib/src.zip you will probably get a failure :

/usr/local/openjdk-11/lib/src.zip: Heuristics.Limits.Exceeded FOUND
/usr/local/openjdk-11/lib/src.zip!(0)ZIP:jdk.zipfs/jdk/nio/zipfs/ZipInfo.java: Heuristics.Limits.Exceeded FOUND
---------- SCAN SUMMARY -----------
Known viruses: 8570214
Engine version: 0.103.3
Scanned directories: 0
Scanned files: 1

Infected files: 1
Data scanned: 290.07 MB
Data read: 55.52 MB (ratio 5.22:1)
Time: 260.438 sec (4 m 20 s)
Start Date: 2021:10:01 13:39:47
End Date:   2021:10:01 13:44:07


However, if I extract that zip file to /src and then run clamscan on
/src then it passes without a problem :

----------- SCAN SUMMARY -----------
Known viruses: 8570214
Engine version: 0.103.3
Scanned directories: 2076
Scanned files: 18415
Infected files: 0
Data scanned: 333.04 MB
Data read: 170.92 MB (ratio 1.95:1)
Time: 320.573 sec (5 m 20 s)
Start Date: 2021:10:01 13:23:39
End Date:   2021:10:01 13:29:00

(There are indeed 18415 files in that .zip according to unzip -l)

Or even scan the single file :

clamscan ZipInfo.java \
    --infected \
    --recursive=yes \
    --alert-exceeds-max=yes \
    --max-recursion=2000000 \
    --max-dir-recursion=2000000 \
    --max-files=2000000 \
    --max-filesize=2000M \
    --max-scansize=2000M \
    --max-embeddedpe=2000M \
    --max-htmlnormalize=2000M \
    --max-htmlnotags=2000M \
    --max-scriptnormalize=2000M \
    --max-ziptypercg=2000M \
    --max-partitions=2000000 \
    --max-iconspe=2000000 \
    --max-rechwp3=2000000 \
    --pcre-match-limit=2000000 \
    --pcre-recmatch-limit=2000000 \
    --pcre-max-filesize=2000M -a

----------- SCAN SUMMARY -----------
Known viruses: 8570214
Engine version: 0.103.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.50:1)
Time: 68.326 sec (1 m 8 s)
Start Date: 2021:10:01 16:03:14
End Date:   2021:10:01 16:04:22



Clearly the content of src.zip  (ZipInfo.java) IS scannable, when
extracted, but for some reason not scannable when it is in a zip
file... Is this a bug? Or am I specifying some options that are
causing it??

(clamscan -V
ClamAV 0.103.3/26309/Fri Oct  1 09:03:53 2021 )

_______________________________________________

clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
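
The thread's core problem is that "Infected files: 1" is reported both for a real detection and for a Heuristics.Limits.Exceeded warning. The following is an added example, not code from the thread or from the ClamAV project: a wrapper that reads the per-file FOUND lines instead of the summary count. The function name, the verdict labels and the sample output are constructed for illustration; treating any signature name that starts with Heuristics.Limits.Exceeded as a limit hit is an assumption.

```python
import re

# clamscan result lines look like "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
LIMIT_SIG = "Heuristics.Limits.Exceeded"

# Constructed sample, modelled on the output quoted in the thread.
SAMPLE_LIMITS = """\
/usr/local/openjdk-11/lib/src.zip: Heuristics.Limits.Exceeded FOUND
/usr/local/openjdk-11/lib/src.zip!(0)ZIP:jdk.zipfs/jdk/nio/zipfs/ZipInfo.java: Heuristics.Limits.Exceeded FOUND
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 1
"""

# Constructed sample: same scan plus one made-up signature hit.
SAMPLE_MIXED = "/src/a.bin: Constructed.Test.Signature-1 FOUND\n" + SAMPLE_LIMITS


def classify(output, exit_code):
    """Return (verdict, detections, limit_hits) for one clamscan run.

    Verdicts: "clean", "infected", "incomplete" (only limit warnings,
    so part of the content was not scanned) or "error".
    clamscan exits 0 for no findings, 1 for findings, 2 for errors.
    """
    if exit_code == 0:
        return "clean", [], []
    if exit_code != 1:
        return "error", [], []

    detections, limit_hits = [], []
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if not m:
            continue
        bucket = limit_hits if m["sig"].startswith(LIMIT_SIG) else detections
        bucket.append((m["path"], m["sig"]))

    if detections:
        return "infected", detections, limit_hits
    if limit_hits:
        return "incomplete", detections, limit_hits
    # Exit code 1 but no parsable FOUND line: fail closed.
    return "infected", detections, limit_hits


if __name__ == "__main__":
    print(classify(SAMPLE_LIMITS, 1)[0])
    print(classify(SAMPLE_MIXED, 1)[0])
```

Both "infected" and "incomplete" should still block the file under the policy Max describes; the separate verdict only tells the pipeline which files need extraction and a rescan rather than quarantine.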

