[clamav-users] ClamWin finds malware, ClamAV doesn't.
Dennis Peterson
dennispe at inetnw.com
Tue Jul 26 17:06:03 UTC 2016
ClamAV is both an email/attachment scanner and a file system scanner. It is
pointless to set the email scanner to scan files larger than your MTA is
configured to accept. Secondarily, the interface between the MTA and ClamAV
frequently has a max filesize parameter, too. This is to prevent DOS'ing your
own system. This means only that the clamd.conf file used for file scanning is
possibly inappropriate for use as an email scanner. And there is absolutely no
reason people cannot run multiple instances of clamd on a system so long as each
has its own clamdxx.conf and port/socket/log settings.
dp
On 7/26/16 9:26 AM, Kevin Lin wrote:
> The filesize limit can be dynamically set for clamscan with the
> "--max-filesize=xxM" option. clamd.conf can be used to change the clamd
> filesize limit with "MaxFileSize".
>
> Excerpt from clamscan help:
> ----
> --max-filesize=#n    Files larger than this will be skipped and assumed clean
> --max-scansize=#n    The maximum amount of data to scan for each container file (**)
> --max-files=#n       The maximum number of files to scan for each container file (**)
> ----
>
> Excerpt from clamd.conf manpage:
> ----
> MaxScanSize SIZE
> Sets the maximum amount of data to be scanned for each input
> file. Archives and other containers are recursively extracted and scanned
> up to this value. The size of an archive plus the sum of the sizes of all
> files within archive count toward the scan size. For example, a 1M
> uncompressed archive containing a single 1M inner file counts as 2M toward
> the max scan size. Warning: disabling this limit or setting it too high may
> result in severe damage to the system.
> Default: 100M
>
> MaxFileSize SIZE
> Files larger than this limit won't be scanned. Affects the
> input file itself as well as files contained inside it (when the input file
> is an archive, a document or some other kind of container). Warning:
> disabling this limit or setting it too high may result in severe damage to
> the system.
> Default: 25M
>
> ...
>
> MaxFiles NUMBER
> Number of files to be scanned within an archive, a document,
> or any other kind of container. Warning: disabling this limit or setting it
> too high may result in severe damage to the system.
> Default: 10000
> ----
>
> As said earlier, be careful with expanding the engine limits as scanning
> oversized files can be dangerous.
>
> -Kevin
>
> On Tue, Jul 26, 2016 at 2:10 AM, Al Varnell <alvarnell at mac.com> wrote:
>
>> You might be able to re-compile the ClamAV source and configure it with
>> --maxfilesize=xxM, but the limit is there to prevent severe system damage
>> that can result from attempting to scan over-sized files. I know in the
>> case of OS X there is no known malware that exceeds the established limits.
>>
>> -Al-
>>
>>> Thanks for your questions and suggestions.
>>>
>>> I had a look via the --debug method, and found the following in the
>>> clamAV call:-
>>> LibClamAV debug: cli_updatelimits: filesize exceeded (allowed: 26214400,
>>> needed: 104096320)
>> <snip>
>>> Is there somewhere in the clamAV config I can set the cli_updatelimits:
>>> filesize to be larger?
>>> In the install dir I only see clamd.conf and freshclam.conf:
>>>
>>> TCPSocket 3310
>>> MaxThreads 2
>>> LogFile C:\working\clam_av_logs\clamd.txt
>>> DatabaseDirectory C:\Program Files\clamav-amd64-0.99.2\db
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
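The following is an added example, not part of the original messages and not ClamAV code. It reads clamd.conf text, applies the MaxFileSize and MaxScanSize defaults quoted from the manpage above, and lists every "filesize exceeded" line in `--debug` output, since each such file was skipped and assumed clean. The function names are hypothetical; the sample config and debug line are copied from this thread.

```python
import re

# Defaults as quoted from the clamd.conf manpage in this thread.
DEFAULTS = {"MaxScanSize": "100M", "MaxFileSize": "25M"}
UNITS = {"K": 1024, "M": 1024 ** 2}

# Both samples are taken from the thread, not from a live system.
SAMPLE_CONF = r"""
TCPSocket 3310
MaxThreads 2
LogFile C:\working\clam_av_logs\clamd.txt
"""
SAMPLE_DEBUG = """LibClamAV debug: cli_updatelimits: filesize exceeded (allowed: 26214400,
needed: 104096320)"""

SKIP_RE = re.compile(
    r"cli_updatelimits: filesize exceeded \(allowed: (\d+), needed: (\d+)\)")

def parse_size(value):
    """Convert a clamd.conf SIZE such as '25M' or '512K' to bytes."""
    value = value.strip()
    unit = UNITS.get(value[-1:].upper())
    return int(value[:-1]) * unit if unit else int(value)

def effective_limits(conf_text):
    """Byte limits from clamd.conf text, falling back to the quoted defaults."""
    settings = dict(DEFAULTS)
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in settings:  # '#Max...' never matches
            settings[parts[0]] = parts[1]
    return {key: parse_size(val) for key, val in settings.items()}

def audit_skips(conf_text, debug_text):
    """Report every file the engine skipped (and assumed clean) for its size."""
    limits = effective_limits(conf_text)
    unwrapped = " ".join(debug_text.split())  # undo terminal/mail line wrapping
    return [{
        "allowed": int(allowed),
        "needed": int(needed),
        "limit_matches_conf": int(allowed) == limits["MaxFileSize"],
        # Smallest whole-megabyte MaxFileSize that is not below the file size.
        "min_max_filesize_m": -(-int(needed) // UNITS["M"]),
        "within_max_scan_size": int(needed) <= limits["MaxScanSize"],
    } for allowed, needed in SKIP_RE.findall(unwrapped)]

if __name__ == "__main__":
    for finding in audit_skips(SAMPLE_CONF, SAMPLE_DEBUG):
        print(finding)
```

For the debug line in this thread, the allowed value equals the 25M default and the file would need a MaxFileSize of at least 100M, which is exactly the default MaxScanSize.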