[clamav-users] Heuristics.Limits.Exceeded FOUND
Micah Snyder (micasnyd)
micasnyd at cisco.com
Fri Apr 10 19:58:35 UTC 2020
One issue ClamAV currently has with scanning Zip archives is that ClamAV's self-extracting zip detection logic has a flaw wherein it detects every file within a zip as a new self-extracting zip. As a result, I believe (and I could be wrong on this) that Clam ends up extracting and scanning every file in a zip *twice*. I'm still brainstorming the best way to fix this -- but I suspect this is a large part of why zip-based file formats take much longer than expected to scan.
-Micah
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
On 4/7/20, 1:38 PM, "clamav-users on behalf of Paul Kosinski via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:
I didn't want to screw around with my clamdscan (clamd.conf) settings,
so I ran my optioned-up clamscan command on a smaller and much less
complicated file. It took less than 11 seconds total time. (My previous
guess on clamscan's DB load time was apparently way off.)
This suggests that the ClamAV scanning process really does take a lot
of CPU to deal with a big, complicated file like a Firefox package:
time clamscan \
  --alert-exceeds-max=yes --max-scantime=999999 --max-scansize=4090M --max-filesize=4090M --max-files=30000 \
  --max-recursion=30 --pcre-match-limit=999999999 --pcre-max-filesize=999999999 \
  audiofile.wav
audiofile.wav: OK
----------- SCAN SUMMARY -----------
Known viruses: 6804144
Engine version: 0.102.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 1.74 MB
Data read: 1.73 MB (ratio 1.01:1)
Time: 10.836 sec (0 m 10 s)
real 0m10.851s
user 0m10.439s
sys 0m0.412s
P.S. This is an actual audio intermediate file, not just random bytes.
On Mon, 6 Apr 2020 21:50:15 -0700
Al Varnell via clamav-users <clamav-users at lists.clamav.net> wrote:
> Much of that time is almost certainly being consumed by loading the
> signature database into RAM. How long does it take using clamdscan?
>
> Sent from my iPad
>
> -Al-
>
> On Apr 6, 2020, at 12:29, Paul Kosinski via clamav-users
> <clamav-users at lists.clamav.net> wrote:
> >
> > It *does* take more than 120 secs for the clamscan command to fully
> > scan the 62 MB Firefox installation file (.tar.bz2). Trying the scan
> > with the default clamscan limits results in 62 MB "Data read" but
> > *zero* "Data scanned"!