[clamav-users] Still Baffled: cli_scanxz: decompress file size exceeds limits

G.W. Haywood clamav at jubileegroup.co.uk
Fri Aug 30 05:28:18 EDT 2019


Hi there,

On Fri, 30 Aug 2019, Michael Newman via clamav-users wrote:

> I’m still baffled trying to figure out what is causing this error.

It's not an error.  As it says, it's a warning.  You're probably
worrying about nothing but it's usually as well to find out exactly
what's happening.

> /Users/mnewman/Downloads/Safety-Cut GFCI.pdf: OK
> LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes
> /Users/mnewman/Downloads/gettext-0.19.6-MACOS-10.11-10.12-SDK-10.11.pkg: OK
> ...
> ... I have many files which are much bigger than 25 MB, but only
> this one, unidentified file is causing the problem.

There are quite a few limits set by the scanning engine.  Some of them
are set for the safety of the system, so that, for example, you don't
inadvertently give the computer more work to do than it's capable ever
of doing.  Amongst other things, that might happen if you scan a file
like a compressed archive which itself is small, but which claims that
it contains billions of enormous files.  That appears to be the sort
of thing that's happening here.  It's not the size of the file, it's
the size of the extracted, uncompressed content.  That, after all, is
what needs to be scanned.  Unfortunately, faults in the implementation
of compression methods, and even the techniques themselves, can expose
the system to risk from malicious files in this way.  It's unlikely to
do a lot of damage, but it might cause a type of denial of service so
it has to be considered by the software.

That's not to say that you have a malicious file on your system, but
it seems there's at least one which triggers a safety limit.  Some of
these limits are set quite conservatively, and they can be adjusted,
but most people don't bother.  I don't bother.

> I ran clamscan so that the log file would be verbose. I’m including
> a few lines from the log on both sides of the error message. As far
> as I can see, it doesn’t give me a clue as to what file is causing
> the error:

The clue is there - it's decompressing something.  Unfortunately it's
possible to have compressed data in all sorts of files.  Some parts of
the ClamAV libraries never actually know the name of the file that's
being scanned (there might not even be a file, it might just be a scan
of a stream of data sent to a socket for example), so at the point
where the warning is generated, there isn't any filename to give you.

If I wanted to know which file was triggering the warning in this case
I'd start with a scan of

/Users/mnewman/Downloads/gettext-0.19.6-MACOS-10.11-10.12-SDK-10.11.pkg

because it looks to me like that's the file which was being scanned
when LibClamAV decided to emit the warning, but I don't know exactly
how you got the output that you've posted for us.  The log messages
for multi-tasking, multi-user systems often don't appear in exactly
the sequence that you might expect, nor even exactly in the
chronological sequence that they were generated, so things can
sometimes get a bit confusing.  You'll get used to it after a couple
of decades. :) If that's what's happening here you could scan one
directory at a time, then one sub-directory at a time and so on until
you find it.  When you're confused by the system logs then it can be
easier to figure out what's going on if instead you get all the
output from the scan to go to the console.

-- 

73,
Ged.
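An added example of the kind of limit Ged describes, written for this
note and not taken from ClamAV's own code: an xz decompressor that
stops at a cap instead of trusting the size the stream claims to have.
The 27262976-byte figure is the one from the warning quoted above (the
assumption being that it is the per-file decompressed-size cap in
play); the sample input is constructed.

```python
import lzma

# Limit quoted in the warning in this thread: 27262976 bytes (26 MiB).  Assumption:
# it is the per-file decompressed-size cap the user's ClamAV applied.
MAX_SCAN_SIZE = 27262976


def bounded_xz_decompress(data: bytes, limit: int = MAX_SCAN_SIZE, chunk: int = 1 << 20):
    """Decompress an .xz stream without ever holding more than `limit` output bytes.

    Returns (output, truncated).  `output` is at most `limit` bytes long and
    `truncated` is True when the stream would have produced more, which is the
    condition the cli_scanxz warning reports.  Memory use stays bounded by
    `limit` no matter how large the stream claims to be.
    """
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    out = bytearray()
    # Hand the whole compressed buffer over once; max_length caps how much
    # output the decoder may produce per call, so a few kilobytes of input that
    # expand to gigabytes never get the chance to allocate gigabytes.
    out += dec.decompress(data, max_length=min(chunk, limit))
    while not dec.eof:
        remaining = limit - len(out)
        if remaining <= 0:
            # Probe for one more byte: an exact-fit stream just reaches EOF here,
            # anything larger yields data and is flagged as over the limit.
            return bytes(out), bool(dec.decompress(b"", max_length=1))
        if dec.needs_input:
            # All input consumed but no end-of-stream marker: corrupt or cut-off file.
            raise lzma.LZMAError("xz stream ended before its end-of-stream marker")
        out += dec.decompress(b"", max_length=min(chunk, remaining))
    return bytes(out), False


def make_sample(plain_size: int) -> bytes:
    """Constructed sample input: a run of zero bytes, which xz shrinks enormously."""
    return lzma.compress(bytes(plain_size), format=lzma.FORMAT_XZ)


if __name__ == "__main__":
    sample = make_sample(32 << 20)  # 32 MiB of plaintext, only a few KiB compressed
    scanned, over = bounded_xz_decompress(sample)
    print(f"compressed {len(sample)} bytes, scanned {len(scanned)} bytes, "
          f"exceeds limit: {over}")
```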
