[clamav-users] Heuristics.Limits.Exceeded FOUND

Micah Snyder (micasnyd) micasnyd at cisco.com
Mon Apr 6 15:23:42 UTC 2020


Paul,

Are you seeing many files that take longer than 2 minutes to scan?  We thought the default scan time limit was already quite high at 2 minutes.

-Micah

On 4/4/20, 1:47 AM, "clamav-users on behalf of Paul Kosinski via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:

    "If one is overriding a default value by providing it on the command
    line, you should know what you're doing. Guessing is never a good idea,
    especially if (like here) the documentation is lacking."
    
    "It was noted in the list of notable changes in 0.102.0 ... which Paul
    *must* have read, otherwise he would *not* have known of the existence
    of this parameter". Really?
    
    Does issuing "clamscan --help", and reading its output of 700 words on
    103 lines (according to wc), including one line about "--max-scantime",
    constitute guessing?  Who knew?
    
    P.S. Up until 0.102.0, direct use of the clamscan command worked well
    for files like the Firefox download. Starting with 0.102.0, clamscan
    started giving Heuristic Limit errors. Since there was no indication as
    to *which* Limit was hit, I read the "--help" to see what to do.
    
    
    On Fri, 03 Apr 2020 23:30:57 +0200
    Arjen de Korte via clamav-users <clamav-users at lists.clamav.net> wrote:
    
    > Quoting Kris Deugau <kdeugau at vianet.ca>:
    > 
    > > Arjen de Korte via clamav-users wrote:  
    > >> Quoting Paul Kosinski via clamav-users
    > >> <clamav-users at lists.clamav.net>:  
    > >  
    > >>> However, applying clamscan to this file (which was slightly
    > >>> renamed by my download script to be more readable) results in the
    > >>> following output:
    > >>>
    > >>> clamscan --alert-exceeds-max=yes --max-scantime=999  
    > >>> --max-scansize=4090M --max-filesize=4090M --max-files=30000  
    > >>> --max-recursion=30 --pcre-match-limit=999999999  
    > >>> --pcre-max-filesize=999999999    firefox-68.6.1-esr-64.tar.bz2
    > >>>  
    > >  
    > >> Before writing this whole rant, you have not considered checking  
    > >> which of the options might have triggered this? You've reduced
    > >> the --max-scantime from the default 120 seconds to under 1 second
    > >> and still wonder why this breaks? Really?  
    > >
    > > That option seems to be missing from the man page entirely:
    > >
    > > $ dpkg -l clamav
    > > ii  clamav         0.102.1+dfsg-0+deb10u2          amd64 [...]
    > > $ zgrep scantime /usr/share/man/man1/clamscan.1.gz
    > > $
    > >
    > >
    > > and does not specify units in the --help text:
    > >
    > > $ clamscan --help
    > > [...]
    > >     --max-scantime=#n                    Scan time longer than this will be skipped and assumed clean
    > > [...]
    > >
    > > Absent any documentation, I would reasonably assume this to be in  
    > > seconds, not milliseconds.
    > >
    > > I have no idea if you're wrong about this being the cause, but  
    > > without diving into the source, Paul's use of that option looks  
    > > entirely reasonable to me.  
    > 
    > If one is overriding a default value by providing it on the  
    > commandline, you should know what you're doing. Guessing is never a  
    > good idea, especially if (like here) the documentation is lacking.
    > It was noted in the list of notable changes in 0.102.0 (see  
    > https://blog.clamav.net/2019/10/clamav-01020-has-been-released.html)  
    > which Paul must have read, otherwise he would not have known of the  
    > existence of this parameter.
    > 
    > > -kgd
    
    