[clamav-users] Inquiry about ClamAV's clamdscan scan timeout

Micah Snyder (micasnyd) micasnyd at cisco.com
Fri Aug 26 20:31:30 UTC 2022


Hi Nozomi Tachibanaki,

You may add this option to your clamd.conf to enable alerts when the scan limits are exceeded: AlertExceedsMax yes

It should cause signature alerts like these when one of the limits causes the scan to end early:
    - Heuristics.Limits.Exceeded.MaxFileSize FOUND
    - Heuristics.Limits.Exceeded.MaxScanSize FOUND
    - Heuristics.Limits.Exceeded.MaxFiles FOUND
    - Heuristics.Limits.Exceeded.MaxRecursion FOUND
    - Heuristics.Limits.Exceeded.MaxScanTime FOUND

If you do enable this, just keep in mind that when these alerts happen, it does not mean there is anything wrong with the file, just that the scan was incomplete because it exceeded one of the scan limits.

These heuristic alerts should work most of the time, although I am actively working on improvements to error handling and alert reporting as I work on overhauling the allmatch-mode feature (for reporting more than one signature alert). I am hopeful that my current work will make these scan limit alerts even more reliable in the future.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

________________________________
From: clamav-users <clamav-users-bounces at lists.clamav.net> on behalf of Tachibanaki Nozomi (橘木 希美) <nozomi.tachibanaki at jp.ricoh.com>
Sent: Tuesday, August 23, 2022 10:23 PM
To: clamav-users at lists.clamav.net <clamav-users at lists.clamav.net>
Cc: Hino Shogo (日野 翔豪) <Shogo.Hino at jp.ricoh.com>; Sugawara Masatomo (菅原 正大) <masatomo.sugawara at jp.ricoh.com>
Subject: [clamav-users] Inquiry about ClamAV's clamdscan scan timeout


Dear Sir or Madam,



I am Tachibanaki from Ricoh IT Solutions Co., Ltd.

Thank you for your recent response to my inquiry.



The purpose of this email is to inquire about ClamAV's clamdscan scan timeout.



  1.  Is there any way to check when a scan timeout occurs? (e.g., display a message, etc.)
  2.  I scanned a ZIP file (1.7GB) containing a test virus file with clamdscan and it exited successfully without detecting any virus. Is this a specification?

The scan.conf settings are as follows:

・ReadTimeout 120
・MaxScanTime 120000
・MaxScanSize 2048M
・MaxFileSize 2048M
・MaxZipTypeRcg 2048M



I look forward to hearing from you soon.

Yours sincerely,





Nozomi Tachibanaki
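
Added example (not part of the original thread and not ClamAV project code): a post-processing sketch that separates the Heuristics.Limits.Exceeded.* alerts described in the reply from real signature matches, so an incomplete scan is not treated as either malware or a clean result. The sample output, paths and the function name classify are constructed for illustration; the line shapes assumed are "<path>: <signature> FOUND", "<path>: OK" and "<path>: <message> ERROR".

```python
import re

LIMIT_PREFIX = "Heuristics.Limits.Exceeded."  # alert family listed in the reply
FOUND_RE = re.compile(r"^(?P<path>.*): (?P<sig>\S+) FOUND$")
ERROR_RE = re.compile(r"^(?P<path>.*?): (?P<msg>.*) ERROR$")
OK_RE = re.compile(r"^(?P<path>.*): OK$")

# Constructed sample output: paths and detections are made up for this example.
SAMPLE = """\
/srv/upload/report.pdf: OK
/srv/upload/big-archive.zip: Heuristics.Limits.Exceeded.MaxScanTime FOUND
/srv/upload/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/srv/upload/mixed.zip: Heuristics.Limits.Exceeded.MaxFiles FOUND
/srv/upload/mixed.zip: Win.Test.EICAR_HDB-1 FOUND
/srv/upload/locked.bin: lstat() failed: Permission denied. ERROR
----------- SCAN SUMMARY -----------
Infected files: 4
"""

def classify(output):
    """Return {path: (verdict, details)} for each scanned path.

    'infected'   : at least one non-limit signature matched
    'incomplete' : only limit alerts; the scan ended early, verdict unknown
    'error'      : the scanner could not process the file
    'clean'      : scanned to completion with no alert
    """
    files = {}
    for line in output.splitlines():
        line = line.rstrip()
        if m := FOUND_RE.match(line):
            key = "limits" if m["sig"].startswith(LIMIT_PREFIX) else "sigs"
            value = m["sig"]
        elif m := ERROR_RE.match(line):
            key, value = "errors", m["msg"]
        elif m := OK_RE.match(line):
            key, value = None, None
        else:
            continue  # summary and blank lines
        entry = files.setdefault(m["path"], {"sigs": [], "limits": [], "errors": []})
        if key:
            entry[key].append(value)
    verdicts = {}
    for path, e in files.items():
        for verdict, key in (("infected", "sigs"), ("incomplete", "limits"), ("error", "errors")):
            if e[key]:
                verdicts[path] = (verdict, e[key])
                break
        else:
            verdicts[path] = ("clean", [])
    return verdicts
```

Files reported as 'incomplete' are candidates for a rescan with higher limits or for manual handling, since the scanner did not finish inspecting them.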





