[clamav-users] Heuristics.Limits.Exceeded FOUND
Arjen de Korte
build+clamav at de-korte.org
Fri Apr 3 20:36:37 UTC 2020
Citeren Paul Kosinski via clamav-users <clamav-users at lists.clamav.net>:
> I am puzzled (and dismayed) by the following behavior of ClamAV. When I
> scan some archive files, I often get "Heuristics.Limits.Exceeded FOUND".
> This makes me wonder about ClamAV's utility in protecting our systems
> against malware.
>
> I'm not talking about archive files downloaded from questionable
> sources, or incredibly large files (like DVD ISO files). I'm talking
> about files like the latest 64-bit Linux Firefox ESR binary file (65
> MB) downloaded from "http://ftp.mozilla.org/pub/firefox/releases/".
>
> Although this file passed its GPG signature verification, and its
> SHA512 checksum test, I still like to use ClamAV for additional
> checking (since even reputable distribution sites have been known to
> have been compromised).
>
>
> However, applying clamscan to this file (which was slightly renamed by
> my download script to be more readable) results in the following output:
>
> clamscan --alert-exceeds-max=yes --max-scantime=999
> --max-scansize=4090M --max-filesize=4090M --max-files=30000
> --max-recursion=30 --pcre-match-limit=999999999
> --pcre-max-filesize=999999999 firefox-68.6.1-esr-64.tar.bz2
>
> firefox-68.6.1-esr-64.tar.bz2: Heuristics.Limits.Exceeded FOUND
>
> This is in spite of the extra options I added to relax the "Limits".
>
>
> So I decided that since the Firefox tar.bz2 file passed its GPG and
> SHA512 tests, I would expand the into a temp directory and clamscan
> the result. (Which files are those used directly to run Firefox):
>
> clamscan --alert-exceeds-max=yes --max-scantime=999
> --max-scansize=4090M --max-filesize=4090M --max-files=30000
> --max-recursion=30 --pcre-match-limit=999999999
> --pcre-max-filesize=999999999 -r firefox | grep -v ' OK'
> firefox/removed-files: Empty file
> firefox/chrome.manifest: Empty file
> firefox/browser/chrome.manifest: Empty file
> firefox/browser/omni.ja: Heuristics.Limits.Exceeded FOUND
> firefox/omni.ja: Heuristics.Limits.Exceeded FOUND
>
> The 'empty' files are Mozilla's doing, but the fact that the ".ja"
> files (which are "Mozilla archive" files -- basically jar/zip), were
> flagged bothered me. A lot.
>
>
> So what should I do to have confidence in ClamAV's utility in such
> situations?
Before writing this whole rant, you have not considered checking which
of the options might have triggered this? You've reduced the
--max-scantime from the default 120 seconds to under 1 second and
still wonder why this breaks? Really?
> The version of clamscan I am using is 0.102.1 (built from source), and
> I only started using the "--alert-exceeds-max=yes" option recently.
>
> Thanks,
> Paul Kosinski
>
> P.S. I hope everybody is staying healthy.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
More information about the clamav-users
mailing list