[clamav-users] About scanning files larger than 2 GB in size

Tsutomu Oyamada oyamada at promark-inc.com
Sun Jan 29 14:02:12 UTC 2023 

Thank you for the information.
I understand that files larger than 2GB will be treated as clean files without the "AlertExceedsMax yes" setting.
I want to wait for the day when I can properly scan files larger than 2GB.

T.O

On Thu, 26 Jan 2023 22:27:12 +0000
"Micah Snyder \(micasnyd\) via clamav-users" <clamav-users at lists.clamav.net> wrote:

> > Tsutomu Oyamada asked what actually happens when a large file is
> > scanned, not why the limit is there.
> 
> The default behavior is to treat the file as clean if any of the scan limits are exceeded (scan time, scan size, file size, etc).
> 
> If you want an alert if the limits are exceeded, then you can use the following options:
> For ClamD, set "AlertExceedsMax yes" in the "clamd.conf" file.
> For ClamScan, use the "--alert-exceeds-max" option on the command line.
> 
> This will cause clamav to report one of the following signatures when the limits are exceeded:
>   - Heuristics.Limits.Exceeded.MaxFileSize
>   - Heuristics.Limits.Exceeded.MaxScanSize
>   - Heuristics.Limits.Exceeded.MaxFiles
>   - Heuristics.Limits.Exceeded.MaxRecursion
>   - Heuristics.Limits.Exceeded.MaxScanTime
>   - Heuristics.Limits.Exceeded.EmailLineFoldcnt
>   - Heuristics.Limits.Exceeded.EmailHeaderBytes
>   - Heuristics.Limits.Exceeded.EmailHeaders
>   - Heuristics.Limits.Exceeded.EmailMIMEPartsPerMessage
>   - Heuristics.Limits.Exceeded.EmailMIMEArguments
> and possibly more with the "Heuristics.Limits.Exceeded." prefix.
> 
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> 
> ________________________________
> From: Andrew C Aitchison <andrew at aitchison.me.uk>
> Sent: Wednesday, January 25, 2023 10:59 PM
> To: Micah Snyder (micasnyd) via clamav-users <clamav-users at lists.clamav.net>
> Cc: Micah Snyder (micasnyd) <micasnyd at cisco.com>
> Subject: Re: [clamav-users] About scanning files larger than 2 GB in size
> 
> On Thu, 26 Jan 2023, Micah Snyder (micasnyd) via clamav-users wrote:
> 
> > Paul is sort-of correct but the 2GB limit isn't artificial as he has implied.
> 
> Paul did not answer the original poster's question.
> Tsutomu Oyamada asked what actually happens when a large file is
> scanned, not why the limit is there.
> 
> > On Sun, 22 Jan 2023 05:40:18 +0900
> > Tsutomu Oyamada <oyamada at promark-inc.com> wrote:
> >
> >> How do I set up clamd?
> >> Setting MaxFileSize to "0" is unlimited, but internally files
> >> larger than 2GB in size cannot be scanned.  In this case, do you
> >> treat the file as clean without scanning it at all?
> 
> > ClamAV code contains a lot of signed and unsigned 32bit variables
> > that must be upgraded to 64bit variables to support larger files.
> > Before raising the limit, a tedious audit process must be completed
> > to ensure that all variables are upgraded in all modules.  We cannot
> > simply remove the limit and cross our fingers.
> 
> A static analyzer such as cppcheck, PVS-Studio or the ones built into
> gcc and clang may be useful tools in the tedious audit.
> 
> --
> Andrew C. Aitchison                      Kendal, UK
>                     andrew at aitchison.me.uk

More information about the clamav-users mailing list