[clamav-users] Disable MaxFileSize and MaxFileSize to scan the whole system

Albert o alberto.bed995 at gmail.com
Fri Dec 7 15:41:48 EST 2018


There is something I don't get.
This is my clamd.conf:

user at debian:~/Downloads/clamav-0.101.0$ cat /etc/clamav/clamd.conf
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 100
FollowDirectorySymlinks true
FollowFileSymlinks true
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 2000
LogSyslog true
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground true
Debug 0
PidFile true
MaxEmbeddedPE 3999M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 3999M
MaxHTMLNoTags 3999M
MaxScriptNormalize 3999M
MaxZipTypeRcg 3999M
ScanSWF true
DetectBrokenExecutables false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
ScanPE true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
ExtendedDetectionInfo true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA 1
BlockMax 1
OLE2BlockMacros 1
ArchiveBlockEncrypted 1
ScanPartialMessages 1
PartitionIntersection 1
HeuristicScanPrecedence 1
StructuredDataDetection 1
CommandReadTimeout 5
SendBufTimeout 400
MaxQueue 100
ExtendedDetectionInfo 1
OLE2BlockMacros 1
ScanOnAccess true
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanSize 3999M
MaxFileSize 3999M
MaxRecursion 160
MaxFiles 20000
MaxPartitions 10000
MaxIconsPE 10000
PCREMatchLimit 10000
PCRERecMatchLimit 10000
PCREMaxFileSize 3999M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 3999M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock true
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
BytecodeUnsigned 1
ScanOnAccess 1
OnAccessMaxFileSize 0
OnAccessMountPath /
OnAccessIncludePath /
OnAccessMaxFileSize 0
OnAccessPrevention 1
OnAccessDisableDDD 1

but I still get

LibClamAV Warning: cli_msxml_parse_document: encountered issue in
parsing xml document
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits -
only scanning 27262976 bytes

What am I missing? Shouldn't all the files >4G be scanned?

On Tue, Dec 4, 2018 at 4:42 PM Ángel <angel at av.16bits.net> wrote:
>
> On 2018-12-03 at 09:58 -0800, Dennis Peterson wrote:
> > If it is a big concern you can use the split command to create
> > "splits" of the suspect file. Split accepts various size arguments
> > (bytes, lines...) and will create as many files as it takes to split
> > the entire large file. These can be scanned individually and discarded
> > when done. There is a risk of a split happening in the middle of a
> > section that might match a signature but that is small. A workaround
> > is to split a file, scan it, delete the splits, then split it a second
> > time using a different split size and repeat the scan.
>
> > This is obviously tedious and works best on static files. There's
> > always a way if you don't mind the effort. It is easily scriptable.
> >
> > dp
>
>
> Splitting a file will probably make chunks other than the first
> appear as random bytes, rather than having the correct filetype, so
> that some signatures are not applied.
> (The first chunk will _probably_ be detected properly; still, splitting
> can make it miss what would be found on the full size, e.g. splitting a
> zip file will lose its central directory...)
>
> Signatures are generally more complex than looking for a certain
> substring...
>
> Best regards
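Ángel's objection to scanning split pieces, as an added example that is not part of the original thread and is not ClamAV code: Python's zipfile stands in for a scanner's archive unpacker, and the marker string, member name and chunk sizes are constructed for illustration. It also re-splits at a second size, as Dennis suggests, to show that this does not recover content stored inside a container.

```python
import hashlib
import io
import zipfile

MARKER = b"CONSTRUCTED-HARMLESS-TEST-MARKER-0001"  # constructed, not a real signature

def build_archive() -> bytes:
    """Build a ZIP whose single member is compressible text with MARKER in the middle."""
    lines = [b"record %06d %s\n" % (i, hashlib.sha256(b"%d" % i).hexdigest().encode())
             for i in range(4000)]
    lines.insert(2000, MARKER + b"\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", b"".join(lines))  # hypothetical member name
    return buf.getvalue()

def split_bytes(data: bytes, size: int) -> list:
    """Same effect as `split -b size`: consecutive fixed-size pieces."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def scanner_view(data: bytes) -> bytes:
    """Bytes a content-aware scanner could inspect: raw input plus unpacked ZIP members."""
    view = data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                view += zf.read(name)
    except Exception:
        # Piece without a usable central directory or local header: nothing to unpack.
        pass
    return view

def marker_visible(data: bytes) -> bool:
    """True if MARKER is reachable in the raw bytes or in any unpacked member."""
    return MARKER in scanner_view(data)

def chunks_with_marker(archive: bytes, size: int) -> int:
    """Number of split pieces in which MARKER is still reachable."""
    return sum(marker_visible(c) for c in split_bytes(archive, size))

if __name__ == "__main__":
    archive = build_archive()
    print("whole archive:", marker_visible(archive))
    for size in (32 * 1024, 50_000):  # two different split sizes
        print(size, "byte pieces with marker:", chunks_with_marker(archive, size))
```

The marker is only reachable when the archive is unpacked as a whole; in the pieces it exists only as part of a DEFLATE stream that no single piece can decode on its own.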