I used (and probably posted) the --max-ratio 0.
The max-ratio defines the maximum compression ratio for scanned files. I
kept getting legit text files that were zipped that were over ratio, so
that's why I went to the max-ratio 0.
- Original Message -
From: Gary Steiner
Disclaimer: I haven't implemented ClamAV with Declude, so I'm guessing
here...
It sounds like the max-ratio solution is a red herring.
It sounds like ClamAV returned an error because it couldn't scan the
overlarge file (compressed or not).
It sounds like Gary's configuration is quarantining
I think it is in there to defend against an archive bomb.
Archive bomb:
This is a seemingly small archive file that is actually highly compressed
and expands into a huge file or several identical files. Such archives
typically take quite a long time to scan, thus potentially forming a DDoS
Yep, archive bombs are a huge threat since it only takes one message to
kill a server that doesn't possess detection. Most AV programs have
detection, but apparently ClamAV allows you to tune it.
I would search for a value that approximated more than 99.9% compression
if possible and block
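
An added example, not from any poster in this thread and not ClamAV's own code: a per-member compression-ratio check over a zip file's declared sizes, showing why a zipped, repetitive text file can trip a ratio limit while a limit near 99.9% compression (1000:1) lets it through. The function names, the sample archive and the limits 100 and 1000 are assumptions made for illustration, and 0 is treated as "no ratio limit", which is how the thread uses it.

```python
import io
import random
import zipfile

def member_ratios(zip_bytes):
    """Map member name -> (declared size, compression ratio).

    Reads the zip directory only; nothing is decompressed.
    """
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / max(info.compress_size, 1)
            out[info.filename] = (info.file_size, ratio)
    return out

def flag_members(zip_bytes, max_ratio, max_size=None):
    """Members over the ratio limit (0 disables it, as with --max-ratio 0
    in the thread) or over an optional size cap in bytes."""
    flagged = []
    for name, (size, ratio) in member_ratios(zip_bytes).items():
        over_ratio = max_ratio > 0 and ratio > max_ratio
        over_size = max_size is not None and size > max_size
        if over_ratio or over_size:
            flagged.append(name)
    return sorted(flagged)

def build_sample():
    """Constructed sample: a repetitive text log plus incompressible bytes."""
    log = b"2004-01-01 00:00:00 SMTP connection accepted from host\r\n" * 4000
    rng = random.Random(1)
    noise = bytes(rng.getrandbits(8) for _ in range(20000))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("maillog.txt", log)
        zf.writestr("noise.bin", noise)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample()
    for name, (size, ratio) in member_ratios(sample).items():
        print(f"{name}: {size} bytes declared, ratio {ratio:.1f}:1")
    # Illustrative limits, not ClamAV defaults.
    print("ratio limit 100:", flag_members(sample, 100))
    print("ratio limit 1000 (99.9%):", flag_members(sample, 1000))
    print("ratio off, 100 kB size cap:", flag_members(sample, 0, 100_000))
```

With the ratio check switched off, an absolute size cap is the remaining bound on what a scanner will unpack, which is why the last call passes one.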