[clamav-users] Input Stream Scanning for very large files

Dennis Peterson dennispe at inetnw.com
Wed Feb 6 17:58:46 UTC 2019


Should have been file type as reported by the file command. Any usage of ClamAV 
outside its design objectives is vulnerable to failure, but the method I pointed 
out works, period. But if asked if I thought it was worth it I would say no, of 
course not. The OP seems determined though. ClamAV is first and foremost an 
acceptable real-time email scanner with limited ability to do file system and 
stream scanning.

dp


On 2/3/19 2:37 PM, Ángel wrote:
> On 2019-01-25 at 18:43 -0800, Dennis Peterson wrote:
>> You can easily use the unix split command and cat to scan files of any size. Or
>> use perl to break stream file segments to the stream. The first file in a split
>> or segment contains the file time and will need to be concatenated to the
>> beginning of each split or segment so clamav knows what it is. It doesn't matter
>> if the file makes no sense just so long as no malware is found. You will need
>> two split sizes in order to ensure a signature doesn't span splits which means
>> at least two runs of each large file, but that is trivial when scripted. SSD
>> drives would be useful.
>>
>> dp
> Sorry, but I think ClamAV is smarter than what you seem to think. While
> this will allow clamav to still detect some signatures, your approach
> will trivially fail for:
> * Extended signatures that specify an offset (can create both False
> Positives and Negatives)
> * Logical signatures using e.g. FileSize or NumberOfSections.
> * Container signatures, as the container will be corrupted
> * Hash signatures
>
>
> Kind regards
>
>
> PS: I assume you meant 'file mime', not 'file time'
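The limits of split scanning discussed in this thread, shown with a toy matcher. This is an added example, not part of the original messages and not ClamAV code: the marker bytes, sizes and function names are constructed for illustration. It also goes one step beyond the thread by showing a position where both split sizes miss the same pattern.

```python
import hashlib

# Constructed stand-in for a byte-pattern signature (not a real ClamAV signature).
PATTERN = b"CONSTRUCTED-TEST-MARKER"


def chunks(data, size):
    """Consecutive pieces of `size` bytes, as `split -b size` would produce."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def body_hit(data, size):
    """Pattern is detected only if it lies whole inside a single chunk."""
    return any(PATTERN in c for c in chunks(data, size))


def hash_hit(data, size, known_md5):
    """Whole-file hash signature compared against each chunk's MD5."""
    return any(hashlib.md5(c).hexdigest() == known_md5 for c in chunks(data, size))


def offset_hit(obj, offset):
    """Signature anchored at an absolute offset within the scanned object."""
    return obj[offset:offset + len(PATTERN)] == PATTERN


def build_sample(total, at):
    """Constructed sample: zero filler with PATTERN placed at offset `at`."""
    return b"\x00" * at + PATTERN + b"\x00" * (total - at - len(PATTERN))


def demo():
    a = build_sample(50_000, 1_020)    # straddles the 1024-byte boundary
    b = build_sample(50_000, 41_980)   # straddles both 41984 and 42000
    return {
        "split_1024": body_hit(a, 1024),                 # missed at the boundary
        "split_1000": body_hit(a, 1000),                 # second size catches it
        "hash_on_chunks": hash_hit(a, 1000, hashlib.md5(a).hexdigest()),
        "offset_whole": offset_hit(a, 1_020),
        "offset_chunk": offset_hit(chunks(a, 1000)[1], 1_020),
        "both_sizes_miss": not body_hit(b, 1024) and not body_hit(b, 1000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Overlapping each chunk with the previous one by at least the longest pattern length closes the boundary gap, but does nothing for hash, offset, file-size or container checks, which need the object intact.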




