[clamav-users] Scanning a large file through HTTP
G.W. Haywood
clamav at jubileegroup.co.uk
Thu Apr 8 11:07:27 UTC 2021
Hi there,
On Wed, 7 Apr 2021, Paul Kosinski via clamav-users wrote:
> Seems to me that this behavior, advertising a 4GB limit while
> silently imposing a 2GB limit and reporting "OK" for anything in
> between, is a *major* security flaw: ClamAV *must* report that the
> file was too big to deal with (however worded).
Don't get too excited about it. When ClamAV says "OK" it really means
"I didn't find anything in there", which if you're unlucky it will say
for maybe two out of three infected files anyway. Getting bent out of
shape about a couple of files which happen to give that result because
they're huge and the scanner gives up on them is simply not seeing the
Big Picture.
You will have problems if you believe everything ClamAV (or indeed any
other virus scanner) tells you. No scanner will give you an accurate
result every time. The best anyone can hope for, with ANY scanner and
ANY profile of data, is probably four out of five, so if you're seeing
thousands of malicious samples every day, and all you do is trust your
virus scanners to be right every time, you'll be accepting hundreds of
malicious samples daily at least.
My take on it is that the way to use ClamAV is to try to have it give
you an estimate of the credibility of the data sources rather than to try
to whack all the moles, which is usually a fruitless exercise and will
inevitably lead to failure.
> Thus I've taken to using clamscan rather than clamdscan (slow though
> that is), because at least it reports how many bytes were read, and
> how many scanned, so I can see what's going on.
You can easily put something together which gives you that information
but still uses clamd. If anyone wants to take a project and run with
it I'll be happy to post some Perl code which sends a stream to clamd.
It would take care of the ugly inter-process communications, leaving
our hero to make it somehow useful. Perhaps on the development list,
or the ClamAV Bugzilla.
> P.S. Recently I've downloaded some MP3s from Amazon and scanned them
> (as I do everything I download -- except updates from my Linux
> distros). But for a reason I saw on this list -- but can't remember
> -- MP3s are fully read, but not scanned. Is this going to be
> remedied?
See this thread:
https://marc.info/?l=clamav-users&m=150039601417286&w=2
See also the messages in 2014 from Steve Basford on Jul. 8 and Sep 17,
and Douglas Goddard on Sep 25:
https://marc.info/?l=clamav-users&w=2&r=1&s=MP3&q=b
See also
https://bugzilla.clamav.net/show_bug.cgi?id=11582
which tells me that there's plenty of work still to do but it isn't at
the top of anybody's priority list. The bottom line seems to be that
MP3 viruses are, if not non-existent, relatively rare and there's more
to be achieved looking for things which masquerade as MP3 but aren't.
--
73,
Ged.
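
One way to build the kind of clamd stream client mentioned above, which reports how many bytes were sent alongside the reply (an added Python example, not part of the original message and not the Perl code offered in it). It uses clamd's INSTREAM command; the names `scan_stream`, `classify` and `trusted_max` are hypothetical, and `trusted_max` is an assumed caller-chosen size above which an "OK" reply is not believed.

```python
import struct

def classify(reply):
    """Map a clamd reply line to a verdict that never treats 'unscanned' as clean."""
    if reply.endswith(" FOUND"):
        return "INFECTED"
    if reply.endswith(" OK"):
        return "NO_DETECTION"      # means "nothing found", not "safe"
    return "NOT_SCANNED"           # ERROR replies, empty or unknown replies

def scan_stream(sock, fileobj, chunk=65536, trusted_max=None):
    """Stream fileobj to clamd over a connected socket with INSTREAM.

    sock: socket already connected to clamd (its TCPSocket or LocalSocket).
    trusted_max: hypothetical caller-chosen size in bytes above which an OK
    reply is not believed, e.g. the smallest scan limit you have verified.
    Returns (bytes_sent, verdict, raw_reply).
    """
    sent = 0
    try:
        sock.sendall(b"zINSTREAM\0")
        while True:
            data = fileobj.read(chunk)
            if not data:
                break
            # Each chunk: 4-byte big-endian length, then the data.
            sock.sendall(struct.pack("!I", len(data)) + data)
            sent += len(data)
        sock.sendall(struct.pack("!I", 0))   # zero-length chunk ends the stream
    except (BrokenPipeError, ConnectionResetError):
        pass  # clamd may close early (e.g. StreamMaxLength); still read the reply
    reply = b""
    try:
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    except ConnectionResetError:
        pass
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    verdict = classify(text)
    if verdict == "NO_DETECTION" and trusted_max is not None and sent > trusted_max:
        verdict = "NOT_FULLY_SCANNED"
    return sent, verdict, text
```

Comparing the returned byte count with the file's size on disk shows whether the whole file reached clamd, which is the information the quoted message wanted from clamscan.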