[clamav-users] Scanning a zip file fails, extract it, scan with the same options and it passes

Laurent S. 110ef9e3086d8405c2929e34be5b4340 at protonmail.ch
Fri Oct 1 17:04:20 UTC 2021


Dear Max Allan,

Heuristics.Limits.Exceeded doesn't mean the file is infected; it's
only a warning telling you that something went above the limits you set.
It gives the warning this way because of --alert-exceeds-max=yes.

ClamAV managed to search into those files in each case, as you can see
from the scan summaries. It counts the zip as a single file.

I would recommend against copy-pasting all those parameters without
having given proper thought to what you are doing.

Best regards,
Laurent

On 01.10.21 18:09, Max Allan via clamav-users wrote:
> Hi,
> I have a requirement (from the business) to AV scan all docker
> containers we create.
> I started experimenting with tomcat:latest, which is handy because you
> can follow along at home easily!
> Someone else has already recommended a scan command :
>
> clamscan <file> \
>    --infected \
>    --recursive=yes \
>    --alert-exceeds-max=yes \
>    --max-recursion=2000000 \
>    --max-dir-recursion=2000000 \
>    --max-files=2000000 \
>    --max-filesize=2000M \
>    --max-scansize=2000M \
>    --max-embeddedpe=2000M \
>    --max-htmlnormalize=2000M \
>    --max-htmlnotags=2000M \
>    --max-scriptnormalize=2000M \
>    --max-ziptypercg=2000M \
>    --max-partitions=2000000 \
>    --max-iconspe=2000000 \
>    --max-rechwp3=2000000 \
>    --pcre-match-limit=2000000 \
>    --pcre-recmatch-limit=2000000 \
>    --pcre-max-filesize=2000M -a
>
> So, if you run the tomcat:latest container, apt update, apt install
> clamav, freshclam and run that scan command against
> /usr/local/openjdk-11/lib/src.zip you will probably get a failure :
>
> /usr/local/openjdk-11/lib/src.zip: Heuristics.Limits.Exceeded FOUND
> /usr/local/openjdk-11/lib/src.zip!(0)ZIP:jdk.zipfs/jdk/nio/zipfs/ZipInfo.java:
> Heuristics.Limits.Exceeded FOUND
> ---------- SCAN SUMMARY -----------
> Known viruses: 8570214
> Engine version: 0.103.3
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 290.07 MB
> Data read: 55.52 MB (ratio 5.22:1)
> Time: 260.438 sec (4 m 20 s)
> Start Date: 2021:10:01 13:39:47
> End Date:   2021:10:01 13:44:07
>
>
> However, if I extract that zip file to /src and then run clamscan on
> /src then it passes without a problem :
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8570214
> Engine version: 0.103.3
> Scanned directories: 2076
> Scanned files: 18415
> Infected files: 0
> Data scanned: 333.04 MB
> Data read: 170.92 MB (ratio 1.95:1)
> Time: 320.573 sec (5 m 20 s)
> Start Date: 2021:10:01 13:23:39
> End Date:   2021:10:01 13:29:00
>
> (There are indeed 18415 files in that .zip according to unzip -l)
>
> Or even scan the single file :
>
> clamscan ZipInfo.java   --infected   --recursive=yes
> --alert-exceeds-max=yes   --max-recursion=2000000
> --max-dir-recursion=2000000   --max-files=2000000
> --max-filesize=2000M   --max-scansize=2000M   --max-embeddedpe=2000M
> --max-htmlnormalize=2000M   --max-htmlnotags=2000M
> --max-scriptnormalize=2000M   --max-ziptypercg=2000M
> --max-partitions=2000000   --max-iconspe=2000000
> --max-rechwp3=2000000   --pcre-match-limit=2000000
> --pcre-recmatch-limit=2000000   --pcre-max-filesize=2000M -a
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8570214
> Engine version: 0.103.3
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.01 MB
> Data read: 0.01 MB (ratio 1.50:1)
> Time: 68.326 sec (1 m 8 s)
> Start Date: 2021:10:01 16:03:14
> End Date:   2021:10:01 16:04:22
>
>
>
> Clearly the content of src.zip  (ZipInfo.java) IS scannable, when
> extracted, but for some reason not scannable when it is in a zip
> file... Is this a bug? Or am I specifying some options that are
> causing it??
>
> (clamscan -V
> ClamAV 0.103.3/26309/Fri Oct  1 09:03:53 2021 )
>
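As an added example (not code from this thread or from the ClamAV project): a small Python triage of clamscan output that separates Heuristics.Limits.Exceeded warnings, which --alert-exceeds-max=yes turns into FOUND lines, from real signature hits, so a container-scanning pipeline fails only on the latter. The first sample is constructed from the report quoted above; the second adds a hypothetical EICAR hit at /tmp/eicar.com, and the signature name used for it is an assumption.

```python
"""Triage clamscan output: keep Heuristics.Limits.Exceeded (a --max-* limit
was hit) apart from genuine signature detections.

Added example for the clamav-users thread above; not ClamAV project code.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# clamscan prints one line per hit: "<path>[!(n)TYPE:member]: <name> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<name>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^Infected files: (?P<n>\d+)$")

# Heuristics.Limits.Exceeded is an engine heuristic, not a signature match:
# it only says a limit (--max-files, --max-scansize, ...) stopped the scan.
LIMIT_ALERT = "Heuristics.Limits.Exceeded"

# Constructed from the scan output quoted in the thread.
SAMPLE_THREAD_OUTPUT = """\
/usr/local/openjdk-11/lib/src.zip: Heuristics.Limits.Exceeded FOUND
/usr/local/openjdk-11/lib/src.zip!(0)ZIP:jdk.zipfs/jdk/nio/zipfs/ZipInfo.java: Heuristics.Limits.Exceeded FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8570214
Engine version: 0.103.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
"""

# Constructed: the same warning plus a hypothetical EICAR hit. The path and
# the signature name are assumptions made for this example.
SAMPLE_WITH_EICAR = SAMPLE_THREAD_OUTPUT.replace(
    "----------- SCAN SUMMARY -----------",
    "/tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND\n"
    "----------- SCAN SUMMARY -----------",
).replace("Scanned files: 1", "Scanned files: 2").replace(
    "Infected files: 1", "Infected files: 2"
)


@dataclass
class Triage:
    detections: List[Tuple[str, str]] = field(default_factory=list)
    limit_warnings: List[str] = field(default_factory=list)
    reported_infected: Optional[int] = None

    @property
    def flagged_files(self) -> int:
        """Distinct top-level paths that produced any FOUND line. clamscan
        counts an archive once however many members it reports, so this
        should equal the 'Infected files' figure in the summary."""
        return len({p for p, _ in self.detections} | set(self.limit_warnings))

    @property
    def should_fail(self) -> bool:
        return bool(self.detections)


def top_level_path(path: str) -> str:
    """Strip the '!(n)TYPE:member' suffix clamscan appends for archive members."""
    return path.split("!(", 1)[0]


def triage(output: str) -> Triage:
    result = Triage()
    for raw in output.splitlines():
        line = raw.strip()
        m = FOUND_RE.match(line)
        if m:
            path = top_level_path(m.group("path"))
            name = m.group("name")
            if name == LIMIT_ALERT:
                if path not in result.limit_warnings:
                    result.limit_warnings.append(path)
            else:
                result.detections.append((path, name))
            continue
        s = SUMMARY_RE.match(line)
        if s:
            result.reported_infected = int(s.group("n"))
    return result


def gate_exit_code(output: str) -> int:
    """CI gate: non-zero only for real detections; limit warnings are logged."""
    t = triage(output)
    for path in t.limit_warnings:
        print(f"warning: scan limits exceeded inside {path}; raise the relevant --max-* or extract and rescan")
    for path, name in t.detections:
        print(f"DETECTION: {path}: {name}")
    return 1 if t.should_fail else 0


if __name__ == "__main__":
    import sys
    sys.exit(gate_exit_code(sys.stdin.read()))
```

Usage: `clamscan ... | python3 triage.py`. Parsing the output matters because clamscan itself exits 1 for anything it prints as FOUND, the heuristic included, so a pipeline that keys on the exit status alone will block the build on a limit warning exactly as it would on a real hit.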