[clamav-users] A better zip bomb
Markus Kolb
markus.kolb+clamav at tower-net.de
Sat Nov 9 13:55:47 UTC 2019
On 08.11.2019 11:58, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Fri, 8 Nov 2019, Arnaud Jacques wrote:
> ...Brent wrote:
[...]
>> clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
>> /var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND
>
> It seems that there might be room for improvement in Brent's client's
> ClamAV configuration, perhaps we should be trying to understand why it
> is in this state. It should be a deliberate choice to disable a test
> for excessive resource usage, not an accident.
The alerting on exceed is disabled by default.
So you have to set the config option.
I think it is disabled because the default limits on file-sizes,
archive-sizes and so on are a bit low.
So without adapting all this to your needs you will most likely see
false-positive exceed warnings.
Maybe there should be options to enable/disable the different exceed
types separately.
Markus
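
An added example, not part of the original message or of ClamAV: a small Python triage of `clamscan` output that keeps `Heuristics.Limits.Exceeded` alerts apart from signature detections, so limit hits caused by low default limits can be reviewed rather than handled as malware. The function name and the sample lines (other than the zbxl.zip line quoted in the thread) are constructed for illustration.

```python
import re

# clamscan reports each alert as "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# Signature name shown in the thread for --alert-exceeds-max=yes hits.
LIMIT_PREFIX = "Heuristics.Limits.Exceeded"


def triage(lines):
    """Split clamscan alerts into limit-exceeded hits and other detections."""
    result = {"limits": [], "detections": []}
    for line in lines:
        m = FOUND_RE.match(line.strip())
        if not m:
            continue  # "OK" lines, blank lines, scan summary
        # Prefix match, so a more specific name under the same prefix
        # (an assumption about other versions) lands in the same bucket.
        is_limit = m["sig"].startswith(LIMIT_PREFIX)
        bucket = "limits" if is_limit else "detections"
        result[bucket].append((m["path"], m["sig"]))
    return result


# Constructed sample output; only the zbxl.zip line comes from the thread.
SAMPLE = """\
/var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/notes.txt: OK
/var/tmp/tmp/c: drive/eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
"""

if __name__ == "__main__":
    report = triage(SAMPLE.splitlines())
    for path, sig in report["limits"]:
        print(f"review limits/config: {path} ({sig})")
    for path, sig in report["detections"]:
        print(f"treat as detection:   {path} ({sig})")
```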