Your message dated Wed, 6 Sep 2017 21:33:29 +0200
with message-id <[email protected]>
and subject line Re: Bug#817067: Bug#817067: clamscan large archive DOS 
protection could be used to hide virus
has caused the Debian Bug report #817067,
regarding clamscan large archive DOS protection could be used to hide virus
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
817067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817067
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: clamav
Version: 0.99+dfsg-2
Severity: important
Tags: security

Any script relying on clamscan's exit status can probably be tricked
with a file that contains a virus, but that uses clamscan's DOS
protection to trick clamscan into not scanning it in full.

Unfortunately, when a file is too large or otherwise triggers the DOS
protections, clamscan exits 0 without checking all of it.

clamscan git-annex.dmg 
git-annex.dmg: OK

----------- SCAN SUMMARY -----------
Known viruses: 4291311
Engine version: 0.99
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 25.35 MB (ratio 0.00:1)
Time: 8.958 sec (0 m 8 s)

The dmg in the example above could contain a virus. It's too large for
clamscan to process it, but there's no indication of that, except
perhaps a hint in the 0 MB scanned line.

Suggested fix: If clamscan doesn't process the whole file content for
any reason, exit with 2, which is documented to mean "some error
occurred".

-- 
see shy jo

--- End Message ---
--- Begin Message ---
Version: 0.99.3~snapshot20170704+dfsg-1

On 2016-08-22 23:59:55 [+0200], To [email protected] wrote:
> |Steven Morgan 2016-06-24 20:26:42 CEST May use a virus such as
> |Heuristic.SizeLimitsExceeded under the control of clamd/clamscan option
> |(BlockLimitsExceeded). Rationale - it's not really an error or a virus,
> |but flagging a heuristic fits better within ClamAV processing modes.

From the upstream bugzilla:

|Steven Morgan 2017-09-06 18:20:56 CEST
|This issue has been addressed in 0.99.3 with the addition of the
|clamscan --block-max option and the clamd BlockMax directive.

Sebastian

--- End Message ---
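
Added example (not part of the thread and not ClamAV or Debian code): a fail-closed wrapper for scripts that act on clamscan's result, covering both the exit-0 case from the report and the --block-max option named in the upstream reply. The function names and the "bytes read but none scanned" heuristic are assumptions made for illustration; --block-max requires clamscan 0.99.3 or later.

```shell
#!/bin/sh
# classify_scan STATUS OUTPUT
# Prints one verdict: clean | infected | incomplete | error.
# Only "clean" should ever let a file through.
classify_scan() {
    status=$1
    output=$2
    case "$status" in
        0) ;;                        # "no virus found": verify coverage below
        1) echo infected; return ;;  # detections, incl. limit heuristics when enabled
        *) echo error; return ;;     # 2 = "some error occurred"; anything else too
    esac
    # Pull the two size figures out of the SCAN SUMMARY block.
    scanned=$(printf '%s\n' "$output" |
        sed -n 's/^Data scanned: \([0-9.]*\) MB.*/\1/p')
    read_mb=$(printf '%s\n' "$output" |
        sed -n 's/^Data read: \([0-9.]*\) MB.*/\1/p')
    # No summary (e.g. --no-summary or truncated output): do not trust exit 0.
    if [ -z "$scanned" ] || [ -z "$read_mb" ]; then
        echo error
        return
    fi
    # Heuristic (assumption): data was read but none was scanned, as in the
    # git-annex.dmg output in the report (0.00 MB scanned, 25.35 MB read).
    if awk -v s="$scanned" -v r="$read_mb" \
        'BEGIN { exit !(s + 0 == 0 && r + 0 > 0) }'; then
        echo incomplete
    else
        echo clean
    fi
}

# scan_file PATH: run clamscan with limit-exceeded blocking and classify.
scan_file() {
    out=$(clamscan --block-max "$1" 2>&1)
    classify_scan "$?" "$out"
}

# Stand-alone use: sh thisfile.sh /path/to/file
if [ "$#" -gt 0 ]; then
    echo "$1: $(scan_file "$1")"
fi
```

The summary check is a backstop for versions without --block-max; it can misfire on scans where the rounded figures legitimately differ, so treat "incomplete" as a reason to quarantine and review, not as a detection.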