Re: [clamav-users] Inquiry about ClamAV's clamdscan scan timeout
Hi Nozomi Tachibanaki,

You may add this option to your clamd.conf to enable alerts when the scan limits are exceeded:

    AlertExceedsMax yes

It should cause signature alerts like these when one of the limits causes the scan to end early:

- Heuristics.Limits.Exceeded.MaxFileSize FOUND
- Heuristics.Limits.Exceeded.MaxScanSize FOUND
- Heuristics.Limits.Exceeded.MaxFiles FOUND
- Heuristics.Limits.Exceeded.MaxRecursion FOUND
- Heuristics.Limits.Exceeded.MaxScanTime FOUND

If you do enable this, just keep in mind that when these alerts happen, it does not mean there is anything wrong with the file, just that the scan was incomplete because it exceeded one of the scan limits.

These heuristic alerts should work most of the time, although I am actively working on improvements to error handling and alert reporting as I work on overhauling the allmatch-mode feature (for reporting more than one signature alert). I am hopeful that my current work will make these scan limit alerts even more reliable in the future.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users on behalf of Tachibanaki Nozomi (橘木 希美)
Sent: Tuesday, August 23, 2022 10:23 PM
To: clamav-users@lists.clamav.net
Cc: Hino Shogo (日野 翔豪); Sugawara Masatomo (菅原 正大)
Subject: [clamav-users] Inquiry about ClamAV's clamdscan scan timeout

Dear Sir or Madam,

I am Tachibanaki from Ricoh IT Solutions Co., Ltd.
Thank you for your recent response to my inquiry.

The purpose of this email is to inquire about ClamAV's clamdscan scan timeout.

1. Is there any way to check when a scan timeout occurs? (e.g., display a message, etc.)

2. I scanned a ZIP file (1.7GB) containing a test virus file with clamdscan and it exited successfully without detecting any virus. Is this a specification?
   The scan.conf settings are as follows:
   ・ReadTimeout 120
   ・MaxScanTime 12
   ・MaxScanSize 2048M
   ・MaxFileSize 2048M
   ・MaxZipTypeRcg 2048M

I look forward to hearing from you soon.

Yours sincerely,
Nozomi Tachibanaki

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] Inquiry about ClamAV's clamdscan scan timeout
Hello Nozomi,

As the big boys have yet to answer, I would pick a random file and scan it manually. If it's anything like mine it will say no threats detected; that's because it did not scan the file. You might find that clamtk helps here: if you install it, it will give you a history folder to look into. It's the graphical front end for clam, but I do not think the two are affiliated, but it will let you scan an individual file separately.

Lastly, this world is not what we think it is, or at least run the way we think. For some truth search this word, I have to be cryptic now: 64 or 32 B?? for computer shall I throw this rubbish down the disposable rubbish C join the two words together and search it
Re: [clamav-users] Inquiry about ClamAV's clamdscan scan timeout
Greetings from England,

On Wed, 24 Aug 2022, Tachibanaki Nozomi (橘木 希美) wrote:

> 1. Is there any way to check when a scan timeout occurs? (e.g., display a message, etc.)

Because clamd can be asked to scan multiple items in a single command it is sometimes easier to know what happened by looking in the logs, but even then you might not find what you want.

When clamd scans a ZIP file, if the scan time exceeds the timeout set in the configuration file (usually clamd.conf) by the "MaxScanTime" configuration option, the response from clamd should be something like:

8<--
$ clamdscan --config-file=clamd_test.conf CH341SER_LINUX.ZIP
/home/ged/CH341SER_LINUX.ZIP: Heuristics.Limits.Exceeded FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 1.395 sec (0 m 1 s)
Start Date: 2022:08:24 11:15:24
End Date: 2022:08:24 11:15:26
8<--

In the test above I started a copy of clamd with the timeout value set to 30 milliseconds. As you can see the limit which was exceeded is not shown in the reply, so there is no way to know if it was a time limit or some other limit.

There's a lot of unfinished business in ClamAV and I believe that in future the developers intend to make improvements, but I know nothing about their schedule:

8<--
~/clamav-0.103.7/clamd $ grep -r TODO | tail -n 2
clamd_others.c:/* TODO: handle ReadTimeout */
thrmgr.c:/* TODO: show both queues */
8<--

The test below, which I ran a few minutes earlier, used a copy of clamd with the default MaxScanTime (30 milliseconds) to scan the same file:

8<--
$ clamdscan --config-file=clamd_test.conf ~/CH341SER_LINUX.ZIP
/home/ged/CH341SER_LINUX.ZIP: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 1.747 sec (0 m 1 s)
Start Date: 2022:08:24 11:10:11
End Date: 2022:08:24 11:10:12
8<--

For both scans shown above the clamd configurations were identical, except for the timeout setting.
Here is a diff of the configuration files which I used: 8<-- # diff -U2 clamd_test_1.conf clamd_test_2.conf --- clamd_test_1.conf 2022-08-24 11:07:26.358628737 +0100 +++ clamd_test_2.conf 2022-08-24 11:08:15.087874778 +0100 
@@ -548,5 +548,5 @@ # Time is in milliseconds. # Default: 12 -MaxScanTime 30 +#MaxScanTime 30
8<--

Please note that the file 'clamd_test.conf' given in my command lines simply tells 'clamdscan' where to find the socket and where to write log information etc. in these tests - it does not affect the timeout values, which are fixed after clamd reads the configuration files when it starts.

In both tests I used verbose logging to the same file, so that I could see the results in the log:

8<--
# grep CH341SER_LINUX.ZIP /var/log/clamav/clamd_test.log
Wed Aug 24 11:10:11 2022 -> got command CONTSCAN /home/ged/CH341SER_LINUX.ZIP (38, 7), argument: /home/ged/CH341SER_LINUX.ZIP
Wed Aug 24 11:10:12 2022 -> /home/ged/CH341SER_LINUX.ZIP: OK
Wed Aug 24 11:15:25 2022 -> got command CONTSCAN /home/ged/CH341SER_LINUX.ZIP (38, 7), argument: /home/ged/CH341SER_LINUX.ZIP
Wed Aug 24 11:15:26 2022 -> /home/ged/CH341SER_LINUX.ZIP: Heuristics.Limits.Exceeded FOUND
8<--

> 2. I scanned a ZIP file (1.7GB) containing a test virus file with clamdscan and it exited successfully without detecting any virus. Is this a specification?
>    The scan.conf settings are as follows:
>    ・ReadTimeout 120
>    ・MaxScanTime 12
>    ・MaxScanSize 2048M
>    ・MaxFileSize 2048M
>    ・MaxZipTypeRcg 2048M

Perhaps it was not an exceeded limit which terminated the scan. And as you know there are other limits, perhaps your test exceeded one of those.

In your situation I should set up verbose logging, and look in the logs for more information. You can also choose to keep temporary files for inspection after the scan has completed which might help you.

I use ClamAV to scan mail, and in my case the client is a milter which is written in Perl (I do not use clamav-milter). It's straightforward to write a client for clamd, the API is very simple. For my purposes I implement timeouts and some other limits in the client. Then I can configure things like timeouts dynamically, take a view on any limits per scan (and thus avoid a lot of wasted scanning time), and also get the client to tell me everything I need to know.

HTH

--
73,
Ged.
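Review bot: on the "+#MaxScanTime 30" line, commenting the directive out leaves the second configuration's scan-time limit implicit, and the only statement of what then applies is the context comment "# Default: 12", which carries no unit on that line. For a side-by-side test, set an explicit MaxScanTime value in both files so the two runs differ by a visible number rather than by a built-in default.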
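The reply triage Micah describes and the client-side timeout Ged mentions, as an added Python example that is not code from the thread or from the ClamAV project. It assumes clamd's zINSTREAM command over an already connected socket; the function names, chunk size and sample reply lines are constructed for illustration.

```python
import socket
import struct

CHUNK = 64 * 1024  # assumed chunk size; each chunk must fit clamd's StreamMaxLength
LIMIT_PREFIX = "Heuristics.Limits.Exceeded"  # alert family named in the thread


def classify(reply):
    """Map one clamd reply line to (verdict, detail)."""
    status = reply.rpartition(": ")[2].strip()
    if status == "OK":
        return ("clean", None)
    if status.endswith(" FOUND"):
        name = status[: -len(" FOUND")]
        # A limits alert means the scan stopped early, not that the file is bad.
        if name.startswith(LIMIT_PREFIX):
            return ("incomplete", name)
        return ("detected", name)
    return ("error", status)


def scan_stream(sock, data, timeout):
    """Send data to clamd with zINSTREAM over a connected socket.

    timeout (seconds) applies to every socket operation, so it bounds how
    long the client waits for the verdict once the upload has finished.
    """
    sock.settimeout(timeout)
    try:
        sock.sendall(b"zINSTREAM\0")
        for off in range(0, len(data), CHUNK):
            chunk = data[off:off + CHUNK]
            # Each chunk is prefixed with its length, 4 bytes, network order.
            sock.sendall(struct.pack("!I", len(chunk)) + chunk)
        sock.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    except socket.timeout:
        return ("timeout", None)
    return classify(reply.rstrip(b"\0").decode("utf-8", "replace"))


if __name__ == "__main__":
    # Constructed reply lines in the shapes shown in the thread.
    for line in ("/tmp/a.zip: OK",
                 "/tmp/a.zip: Heuristics.Limits.Exceeded.MaxScanTime FOUND",
                 "/tmp/a.zip: Heuristics.Limits.Exceeded FOUND"):
        print(line, "->", classify(line))
```

A caller can treat "incomplete" and "timeout" as "not scanned" and hold the file for a rescan or manual review instead of reporting it as clean or infected.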
[clamav-users] Inquiry about ClamAV's clamdscan scan timeout
Dear Sir or Madam,

I am Tachibanaki from Ricoh IT Solutions Co., Ltd.
Thank you for your recent response to my inquiry.

The purpose of this email is to inquire about ClamAV's clamdscan scan timeout.

1. Is there any way to check when a scan timeout occurs? (e.g., display a message, etc.)

2. I scanned a ZIP file (1.7GB) containing a test virus file with clamdscan and it exited successfully without detecting any virus. Is this a specification?
   The scan.conf settings are as follows:
   ・ReadTimeout 120
   ・MaxScanTime 12
   ・MaxScanSize 2048M
   ・MaxFileSize 2048M
   ・MaxZipTypeRcg 2048M

I look forward to hearing from you soon.

Yours sincerely,
Nozomi Tachibanaki