[clamav-users] A better zip bomb
G.W. Haywood
clamav at jubileegroup.co.uk
Sat Nov 9 19:09:11 UTC 2019
Hi there,
On Fri, 8 Nov 2019, Markus Kolb via clamav-users wrote:
> Am 08.11.2019 11:58, schrieb G.W. Haywood via clamav-users:
> > On Fri, 8 Nov 2019, Arnaud Jacques wrote:
> > ...Brent wrote:
> [...]
> > > clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
> > > /var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND
> >
> > It seems that there might be room for improvement in Brent's client's
> > ClamAV configuration, perhaps we should be trying to understand why it
> > is in this state. It should be a deliberate choice to disable a test
> > for excessive resource usage, not an accident.
>
> The alerting on exceed is disabled by default.
Ah, good point. I'd forgotten that long ago I'd set 'AlertExceedsMax' to
'yes' in the base configuration that I usually use as a starting point.
Maybe that should default to 'yes', perhaps with higher values for some of
the limits if that's an issue? I must say that I don't recall any problems
with the default values for archive limits in many years of using ClamAV.
There was one contract draughtsman who for some time insisted on sending
30-megabyte emails to the QA manager at his client, but it was a Sendmail limit
which rejected the messages, not ClamAV. In the end they stopped using him. :/
--
73,
Ged.
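
Added example, not part of the message above or of the ClamAV project's code: a small audit of a clamd.conf body that reports when 'AlertExceedsMax' is left at its default or switched off, and when an archive limit is set to 0, so that either state is a deliberate choice rather than an accident. The sample configuration is constructed, the function names are hypothetical, and treating 0 as "limit disabled" follows the clamd.conf documentation.

```python
import re

# Resource limits in clamd.conf; per its documentation, 0 turns a limit off.
LIMIT_KEYS = ("MaxScanSize", "MaxFileSize", "MaxRecursion", "MaxFiles")

def parse_clamd_conf(text):
    """Return {option: value} from clamd.conf-style 'Option value' lines."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def to_number(value):
    """Convert '25M', '512K' or '17' to an integer (bytes or a count)."""
    m = re.fullmatch(r"(\d+)([KkMmGg]?)", value)
    if not m:
        raise ValueError(f"unparseable limit: {value!r}")
    scale = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}
    return int(m.group(1)) * scale[m.group(2).lower()]

def audit(text):
    """List findings about limit alerting in a clamd.conf body."""
    opts = parse_clamd_conf(text)
    findings = []
    alert = opts.get("AlertExceedsMax")
    if alert is None:
        findings.append("AlertExceedsMax not set: default applies (no alert)")
    elif alert.lower() not in ("yes", "true", "1"):
        findings.append("AlertExceedsMax explicitly disabled")
    for key in LIMIT_KEYS:
        if key in opts and to_number(opts[key]) == 0:
            findings.append(f"{key} is 0: limit disabled")
    return findings

# Constructed sample input, not a real site's configuration.
SAMPLE = """\
LocalSocket /run/clamav/clamd.ctl
MaxRecursion 5
MaxFileSize 25M
MaxScanSize 0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```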