[clamav-users] Heuristics.Limits.Exceeded FOUND
Paul Kosinski
clamav-users at iment.com
Sat Apr 4 05:47:03 UTC 2020

"If one is overriding a default value by providing it on the command
line, you should know what you're doing. Guessing is never a good idea,
especially if (like here) the documentation is lacking."

"It was noted in the list of notable changes in 0.102.0 ... which Paul
*must* have read, otherwise he would *not* have known of the existence
of this parameter". Really?

Does issuing "clamscan --help", and reading its output of 700 words on
103 lines (according to wc), including one line about "--max-scantime",
constitute guessing? Who knew?

P.S. Up until 0.102.0, direct use of the clamscan command worked well
for files like the Firefox download. Starting with 0.102.0, clamscan
started giving Heuristic Limit errors. Since there was no indication as
to *which* Limit was hit, I read the "--help" to see what to do.

On Fri, 03 Apr 2020 23:30:57 +0200
Arjen de Korte via clamav-users <clamav-users at lists.clamav.net> wrote:
> Quoting Kris Deugau <kdeugau at vianet.ca>:
>
> > Arjen de Korte via clamav-users wrote:
> >> Quoting Paul Kosinski via clamav-users
> >> <clamav-users at lists.clamav.net>:
> >
> >>> However, applying clamscan to this file (which was slightly
> >>> renamed by my download script to be more readable) results in the
> >>> following output:
> >>>
> >>> clamscan --alert-exceeds-max=yes --max-scantime=999
> >>> --max-scansize=4090M --max-filesize=4090M --max-files=30000
> >>> --max-recursion=30 --pcre-match-limit=999999999
> >>> --pcre-max-filesize=999999999 firefox-68.6.1-esr-64.tar.bz2
> >>>
> >
> >> Before writing this whole rant, you have not considered checking
> >> which of the options might have triggered this? You've reduced
> >> the --max-scantime from the default 120 seconds to under 1 second
> >> and still wonder why this breaks? Really?
> >
> > That option seems to be missing from the man page entirely:
> >
> > $ dpkg -l clamav
> > ii clamav 0.102.1+dfsg-0+deb10u2 amd64 [...]
> > $ zgrep scantime /usr/share/man/man1/clamscan.1.gz
> > $
> >
> >
> > and does not specify units in the --help text:
> >
> > $ clamscan --help
> > [...]
> > --max-scantime=#n Scan time longer than
> > this will be skipped and assumed clean
> > [...]
> >
> > Absent any documentation, I would reasonably assume this to be in
> > seconds, not milliseconds.
> >
> > I have no idea if you're wrong about this being the cause, but
> > without diving into the source, Paul's use of that option looks
> > entirely reasonable to me.
>
> If one is overriding a default value by providing it on the
> commandline, you should know what you're doing. Guessing is never a
> good idea, especially if (like here) the documentation is lacking.
> It was noted in the list of notable changes in 0.102.0 (see
> https://blog.clamav.net/2019/10/clamav-01020-has-been-released.html)
> which Paul must have read, otherwise he would not have known of the
> existence of this parameter.
>
> > -kgd