Greetings from England,

On Wed, 24 Aug 2022, Tachibanaki Nozomi (橘木 希美) wrote:

1.  Is there any way to check when a scan timeout occurs? (e.g., display a 
message, etc.)

Because clamd can be asked to scan multiple items in a single command
it is sometimes easier to know what happened by looking in the logs,
but even then you might not find what you want.

When clamd scans a ZIP file, if the scan time exceeds the timeout set
in the configuration file (usually clamd.conf) by the "MaxScanTime"
configuration option, the response from clamd should be something like:

8<----------------------------------------------------------------------
$ clamdscan --config-file=clamd_test.conf CH341SER_LINUX.ZIP
/home/ged/CH341SER_LINUX.ZIP: Heuristics.Limits.Exceeded FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 1.395 sec (0 m 1 s)
Start Date: 2022:08:24 11:15:24
End Date:   2022:08:24 11:15:26
8<----------------------------------------------------------------------

In the test above I started a copy of clamd with the timeout value set
to 30 milliseconds.  As you can see the limit which was exceeded is
not shown in the reply, so there is no way to know if it was a time
limit or some other limit.  There's a lot of unfinished business in
ClamAV and I believe that in future the developers intend to make
improvements, but I know nothing about their schedule:

8<----------------------------------------------------------------------
~/clamav-0.103.7/clamd $ grep -r TODO | tail -n 2
clamd_others.c:/* TODO: handle ReadTimeout */
thrmgr.c:        /* TODO: show both queues */
8<----------------------------------------------------------------------

The test below, which I ran a few minutes earlier, used a copy of
clamd with the default MaxScanTime (300000 milliseconds) to scan the
same file:

8<----------------------------------------------------------------------
$ clamdscan --config-file=clamd_test.conf ~/CH341SER_LINUX.ZIP
/home/ged/CH341SER_LINUX.ZIP: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 1.747 sec (0 m 1 s)
Start Date: 2022:08:24 11:10:11
End Date:   2022:08:24 11:10:12
8<----------------------------------------------------------------------

For both scans shown above the clamd configurations were identical,
except for the timeout setting.  Here is a diff of the configuration
files which I used:

8<----------------------------------------------------------------------
# diff -U2 clamd_test_1.conf clamd_test_2.conf --- clamd_test_1.conf 2022-08-24 11:07:26.358628737 +0100
+++ clamd_test_2.conf   2022-08-24 11:08:15.087874778 +0100
@@ -548,5 +548,5 @@
 # Time is in milliseconds.
 # Default: 120000
-MaxScanTime 30
+#MaxScanTime 300000
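Review bot: the added line `+#MaxScanTime 300000` is commented out, so clamd_test_2.conf does not set a 300000 ms limit explicitly; clamd falls back to its built-in default, which the hunk's own context line `# Default: 120000` documents as 120000 ms. If the intent is an explicit 300 s limit, the line should read `MaxScanTime 300000` without the leading `#`; otherwise the "default MaxScanTime (300000 milliseconds)" figure in the accompanying text should be checked against that comment.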
8<----------------------------------------------------------------------

Please note that the file 'clamd_test.conf' given in my command lines
simply tells 'clamdscan' where to find the socket and where to write
log information etc. in these tests - it does not affect the timeout
values, which are fixed after clamd reads the configuration files when
it starts.

In both tests I used verbose logging to the same file, so that I could
see the results in the log:

8<----------------------------------------------------------------------
# grep CH341SER_LINUX.ZIP /var/log/clamav/clamd_test.log
Wed Aug 24 11:10:11 2022 -> got command CONTSCAN /home/ged/CH341SER_LINUX.ZIP (38, 7), argument: /home/ged/CH341SER_LINUX.ZIP
Wed Aug 24 11:10:12 2022 -> /home/ged/CH341SER_LINUX.ZIP: OK
Wed Aug 24 11:15:25 2022 -> got command CONTSCAN /home/ged/CH341SER_LINUX.ZIP (38, 7), argument: /home/ged/CH341SER_LINUX.ZIP
Wed Aug 24 11:15:26 2022 -> /home/ged/CH341SER_LINUX.ZIP: Heuristics.Limits.Exceeded FOUND
8<----------------------------------------------------------------------

2.  I scanned a ZIP file (1.7GB) containing a test virus file with clamdscan and 
it exited successfully without detecting any virus. Is this a specification?
The scan.conf settings are as follows:
・ReadTimeout 120
・MaxScanTime 120000
・MaxScanSize 2048M
・MaxFileSize 2048M
・MaxZipTypeRcg 2048M

Perhaps it was not an exceeded limit which terminated the scan.  And
as you know there are other limits, perhaps your test exceeded one of
those.  In your situation I should set up verbose logging, and look in
the logs for more information.  You can also choose to keep temporary
files for inspection after the scan has completed which might help you.

I use ClamAV to scan mail, and in my case the client is a milter which
is written in Perl (I do not use clamav-milter).  It's straightforward
to write a client for clamd, the API is very simple.  For my purposes
I implement timeouts and some other limits in the client.  Then I can
configure things like timeouts dynamically, take a view on any limits
per scan (and thus avoid a lot of wasted scanning time), and also get
the client to tell me everything I need to know.

HTH

--

73,
Ged.
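Ged's point about enforcing timeouts and limits in the client, as an added example (Python rather than his Perl milter, and not code from the post or from ClamAV): a minimal zINSTREAM client that applies its own time limit, so a client-side TIMEOUT is reported separately from clamd's OK / FOUND / ERROR verdicts instead of being lost in a generic Heuristics.Limits.Exceeded. `fake_clamd` is a constructed loopback stand-in so the block runs without a daemon; `scan_bytes` uses the real INSTREAM framing (command, 4-byte big-endian length-prefixed chunks, zero-length terminator, NUL-terminated reply for z-prefixed commands).

```python
import contextlib, socket, struct, threading, time

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:                        # recv may return short reads
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed the connection")
        buf += part
    return buf

def _recv_reply(sock):                         # z-commands get NUL-terminated replies
    buf = b""
    while not buf.endswith(b"\0"):
        buf += _recv_exact(sock, 1)
    return buf[:-1].decode()

def scan_bytes(data, host, port, timeout_s, chunk=8192):
    # Returns (status, detail), status in OK|FOUND|TIMEOUT|ERROR; the time limit lives here
    with socket.create_connection((host, port), timeout=timeout_s) as s:
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), chunk):   # each chunk: 4-byte BE length + bytes
            part = data[i:i + chunk]
            s.sendall(struct.pack(">I", len(part)) + part)
        s.sendall(struct.pack(">I", 0))        # zero-length chunk ends the stream
        try:
            reply = _recv_reply(s)             # e.g. "stream: OK"
        except socket.timeout:
            return "TIMEOUT", "no verdict within %gs (client-side limit)" % timeout_s
    verdict = reply.partition(": ")[2]
    if verdict == "OK":
        return "OK", ""
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    return "ERROR", verdict                    # anything else, e.g. clamd's ERROR replies

def fake_clamd(delay_s, verdict):
    # Constructed stand-in for clamd (NOT the real daemon): one zINSTREAM session, delayed reply
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            _recv_reply(conn)                  # the "zINSTREAM" command itself
            while (size := struct.unpack(">I", _recv_exact(conn, 4))[0]) != 0:
                _recv_exact(conn, size)        # drain the chunk
            time.sleep(delay_s)
            with contextlib.suppress(OSError): # client may have given up already
                conn.sendall(b"stream: %s\0" % verdict.encode())
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real daemon, point `scan_bytes` at clamd's TCP address and make sure clamd.conf's StreamMaxLength is at least the size you intend to stream.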
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users