[clamav-users] Scanning very large files in chunks

sapientdust+clamav at gmail.com sapientdust+clamav at gmail.com
Tue Aug 9 13:21:38 EDT 2016

On Tue, Aug 9, 2016 at 9:40 AM, G.W. Haywood <clamav at jubileegroup.co.uk> wrote:
> Hi there,
> On Tue, 9 Aug 2016, sapientdust+clamav at gmail.com wrote:
> On Thu, Aug 4, 2016 at 7:14 PM, Al Varnell <alvarnell at mac.com> wrote:
>>> ... Risk = threat x vulnerability x consequence
>> I agree. In my case, the consequence factor is very large ...
> Perhaps you can elucidate the consequences.  If the consequence factor
> is as you say very large, then you have a problem to solve.

The specifics are not important to my question, which is about the
TECHNICAL feasibility of scanning in multiple pieces. If it won't work
reliably (relative to scanning files small enough to be scanned in
their entirety at once), that's fine, and I will have to switch to
another AV scanner, but I was hoping for some specific technical
reasons why it won't work before giving up on ClamAV.

>> I have to scan even the large files somehow.
> This will not solve the problem.  It can never and will never solve it.
> You need to find another way of going about things.

What's the technical reason that it won't work?

>> Skipping large files would just provide an easy attack vector ...
> Then you have to fix the system so that it wouldn't be easy.
>> Does anybody have any feedback on the proposed solution to scanning
>> large files in chunks?
> Stop worrying about it, it's a waste of time and effort.  The probability
> that you will actually find what you're looking for is very small.

What are the technical reasons that the probability is very small
(compared to the probability of finding a virus if the file is small
enough to be scanned in one instream call)?

More information about the clamav-users mailing list