[clamav-users] Heuristics.Broken.Executable FOUND for core files/core dumps
Kris Deugau
kdeugau at vianet.ca
Mon Nov 6 23:30:04 UTC 2017
Ravi wrote:
> Hi,
>
> Looking forward to comments and suggestions for the below reported issue
> from the community.

Well, to answer your original question, it looks to me like the test is
doing exactly what it's supposed to. Core dumps would quite reasonably
contain executable chunks, but may not contain the complete executable,
or may come out with wrong code entry points, and so they are "broken"
when assumed to be executable files.

For your use case you should probably either turn this test off, or
adjust your filter system glue layer to handle this result differently.
Whether you can do the latter depends on how you call Clam.

-kgd

> On Oct 27, 2017 4:09 PM, "Ravi" <ravin4u at gmail.com> wrote:
>
>> Hi,
>>
>> We are seeing instances when a customer uploads his zip files which contain
>> core files/core dumps, and during scanning ClamAV is treating some of them as
>> “Heuristics.Broken.Executable FOUND”. Currently we have turned on this
>> check in the clamd.conf as below.
>>
>> # With this option clamav will try to detect broken executables (both PE
>> # and ELF) and mark them as Broken.Executable.
>> # Default: no
>> DetectBrokenExecutables yes
>>
>> The question is why ClamAV is treating core files/core dumps as
>> “Heuristics.Broken.Executable FOUND”. Is it safe to turn off this setting
>> for ClamAV? Or is there a way to skip these checks for core files/core dumps
>> in ClamAV?
>>
>> Thanks
>> Ravi
>>
>>
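
One way the glue-layer handling suggested in the reply could look, as an added example that is not part of the original thread or of ClamAV. It assumes scanner result lines of the form `name: Signature FOUND` / `name: OK`; the function names, the accept/review/reject policy and the sample data are hypothetical, and it only looks one level into a zip.

```python
import io
import struct
import zipfile

BROKEN = "Heuristics.Broken.Executable"
ET_CORE = 4  # ELF e_type value that marks a core dump

def is_elf_core(header: bytes) -> bool:
    """True if these bytes start an ELF header whose e_type is ET_CORE."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        return False
    endian = {1: "<", 2: ">"}.get(header[5])  # EI_DATA: 1 = LSB, 2 = MSB
    return endian is not None and struct.unpack_from(endian + "H", header, 16)[0] == ET_CORE

def contains_core(blob: bytes) -> bool:
    """True if the upload is a core dump or a zip with a core dump member."""
    if is_elf_core(blob[:18]):
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(is_elf_core(zf.open(m).read(18)) for m in zf.infolist())
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return False  # not a zip, encrypted or unreadable: no downgrade

def decide(result_line: str, blob: bytes) -> str:
    """Hypothetical glue policy: map one scanner result line to an action."""
    _, _, status = result_line.rstrip().rpartition(": ")
    if status == "OK":
        return "accept"
    if not status.endswith(" FOUND"):
        return "reject"  # scanner error or unknown status: fail closed
    signature = status[: -len(" FOUND")]
    if signature == BROKEN and contains_core(blob):
        return "review"  # heuristic hit on a core dump: hold for a human
    return "reject"      # every other detection is still blocked

def sample_zip(e_type: int) -> bytes:
    """Constructed sample: a zip holding one minimal 64-bit LSB ELF header."""
    elf = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack("<H", e_type)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("core.1234", elf)
    return buf.getvalue()

if __name__ == "__main__":
    line = "upload.zip: Heuristics.Broken.Executable FOUND"  # constructed
    print(decide(line, sample_zip(ET_CORE)))  # core dump inside the zip
    print(decide(line, sample_zip(2)))        # ET_EXEC: not a core dump
```

Only the broken-executable heuristic is downgraded, and only to a manual-review state; a signature match on the same upload is still rejected.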