[clamav-users] Heuristics.Limits.Exceeded FOUND
Paul Kosinski
clamav-users at iment.com
Sat Apr 4 01:16:28 UTC 2020
The "--max-scantime" option apparently was the culprit. I had set it to
999 to ensure it *wouldn't* time out. I never imagined that the time
was in milliseconds, since "--help" didn't say so, and the clamscan
*command* needs on the order of 100,000 msecs even to start. (So why
specify max scan time in units of msecs then?)
The millisecs hypothesis is "proved" (small sample, though) by the fact
that when I changed the command to say "--max-scantime=999999", the
scan finished normally and reported the file clean (as I would expect,
the file having come from a well regarded source). To wit:
clamscan --alert-exceeds-max=yes --max-scantime=999999 --max-scansize=4090M --max-filesize=4090M --max-files=30000 --max-recursion=30 --pcre-match-limit=999999999 --pcre-max-filesize=999999999 firefox-68.6.1-esr-64.tar.bz2
firefox-68.6.1-esr-64.tar.bz2: OK
----------- SCAN SUMMARY -----------
Known viruses: 6797620
Engine version: 0.102.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 622.26 MB
Data read: 62.06 MB (ratio 10.03:1)
Time: 138.749 sec (2 m 18 s)
P.S. It would be helpful if ClamAV reported exactly *which* Heuristic
Limit was exceeded (which would be quite easy, I suspect).
------------------------
On Sat, 4 Apr 2020 00:22:12 +0300
Reio Remma via clamav-users <clamav-users at lists.clamav.net> wrote:
> On 04.04.2020 00:17, Kris Deugau wrote:
> > Arjen de Korte via clamav-users wrote:
> >> Quoting Paul Kosinski via clamav-users
> >> <clamav-users at lists.clamav.net>:
> >
> >>> However, applying clamscan to this file (which was slightly
> >>> renamed by my download script to be more readable) results in the
> >>> following output:
> >>>
> >>> clamscan --alert-exceeds-max=yes --max-scantime=999
> >>> --max-scansize=4090M --max-filesize=4090M --max-files=30000
> >>> --max-recursion=30 --pcre-match-limit=999999999
> >>> --pcre-max-filesize=999999999 firefox-68.6.1-esr-64.tar.bz2
> >>>
> >
> >> Before writing this whole rant, you have not considered checking
> >> which of the options might have triggered this? You've reduced the
> >> --max-scantime from the default 120 seconds to under 1 second and
> >> still wonder why this breaks? Really?
> >
> > That option seems to be missing from the man page entirely:
> >
> > $ dpkg -l clamav
> > ii clamav 0.102.1+dfsg-0+deb10u2 amd64 [...]
> > $ zgrep scantime /usr/share/man/man1/clamscan.1.gz
> > $
> >
> >
> > and does not specify units in the --help text:
> >
> > $ clamscan --help
> > [...]
> > --max-scantime=#n Scan time longer than this
> > will be skipped and assumed clean
> > [...]
> >
> > Absent any documentation, I would reasonably assume this to be in
> > seconds, not milliseconds.
> >
> > I have no idea if you're wrong about this being the cause, but
> > without diving into the source, Paul's use of that option looks
> > entirely reasonable to me.
> >
> > -kgd
>
> https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
>
> It is indeed a rather obscure option and missing from man pages.
>
> Good luck,
> Reio
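
Added example, not part of the thread and not ClamAV code: a small triage helper that separates Heuristics.Limits.Exceeded results (the scan was cut short) from signature detections, and flags a --max-scantime value that is short once read as milliseconds, as the thread concluded. The function names and the sample output are constructed for illustration; treating 0 as "not a short limit" is an assumption.

```python
import re

LIMIT_SIG = "Heuristics.Limits.Exceeded"   # signature named in the thread subject
DEFAULT_MAX_SCANTIME_MS = 120_000          # default cited in the thread: 120 seconds
# Matches clamscan result lines such as "file: OK" or "file: Sig.Name FOUND".
RESULT_RE = re.compile(r"^(?P<path>.+): (?:(?P<sig>\S+) FOUND|OK)$")


def scantime_arg(seconds):
    """Build --max-scantime from a value in seconds (the option takes ms)."""
    if seconds <= 0:
        raise ValueError("seconds must be positive")
    return f"--max-scantime={round(seconds * 1000)}"


def check_scantime(argv):
    """Return a warning if --max-scantime is below the default, else None."""
    for arg in argv:
        m = re.fullmatch(r"--max-scantime=(\d+)", arg)
        # Assumption: 0 is not a short limit, so it is not flagged here.
        if m and 0 < int(m.group(1)) < DEFAULT_MAX_SCANTIME_MS:
            ms = int(m.group(1))
            return (f"--max-scantime={ms} is {ms / 1000:g} s, below the "
                    f"{DEFAULT_MAX_SCANTIME_MS // 1000} s default")
    return None


def triage(output):
    """Split clamscan results into clean, limit-exceeded and real detections."""
    result = {"clean": [], "limit_exceeded": [], "detected": []}
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue  # summary lines and separators
        if m.group("sig") is None:
            result["clean"].append(m.group("path"))
        elif m.group("sig") == LIMIT_SIG:
            # Not a verdict on the file: the scan was cut short, so rescan.
            result["limit_exceeded"].append(m.group("path"))
        else:
            result["detected"].append((m.group("path"), m.group("sig")))
    return result

# Constructed sample output (not captured from a real scan).
SAMPLE = """firefox-68.6.1-esr-64.tar.bz2: Heuristics.Limits.Exceeded FOUND
eicar.com: Win.Test.EICAR_HDB-1 FOUND
notes.txt: OK
----------- SCAN SUMMARY -----------
"""
```

Files listed under limit_exceeded have not been judged either way; they should be rescanned with larger limits before being treated as clean or infected.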