[clamav-users] [EXT] Re: clamscan tar archive
G.W. Haywood
clamav at jubileegroup.co.uk
Tue Dec 21 14:47:20 UTC 2021
Hi there,
On Tue, 21 Dec 2021, Hart, Steven A. via clamav-users wrote:
> Looks like I got it. I was unfamiliar with how to search through
> the ClamAV users archives but now I found a previous post suggesting
> to up the max-filesize and max-scansize. Doing that worked for me.
> It's just odd that a tarball that is extremely small, still needs
> these parameters set to work.
>
> Thanks for the help! Problem appears to be resolved for me.
> ...
I was in the middle of replying when your post came in. :)
Yes, the default limits are a bit conservative. It's mainly about
preventing denial of service, which with something that can scan an
entire filesystem recursively for ten million different threats is
pretty easy to accomplish. You might find that some of the logging
helps, you can increase the verbosity. Also I saw you were using the
clamscan '-i' switch, which silences some output for clean files but
sometimes that output can be useful.
> ...
> ----------- SCAN SUMMARY -----------
> Known viruses: 8584449
> Engine version: 0.103.4
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 333.34 MB (ratio 0.00:1)
> Time: 10.408 sec (0 m 10 s)
> ...
According to the report you seem to have read quite a lot of data but
not scanned very much so that's a clue. But be warned that the 'Data
scanned' and 'Data read' values are by (compiled in) default limited
to (I think) 4kbyte blocks so they can be a bit misleading. Sometimes
I've patched the source to increase the granularity but there might be
a performance implication.
As always, be aware that just because ClamAV doesn't find anything it
doesn't necessarily mean that there's nothing there to be found.
--
73,
Ged.
More information about the clamav-users
mailing list