[clamav-users] Question About MaxFileSize

Paul Kosinski clamav-users at iment.com
Fri Jun 9 21:40:52 UTC 2023


I must say I strongly disagree with the approach of feeding files contained in a big archive file one at a time to ClamAV. That's because an archive is *itself* a file.

I have on occasion heard of vulnerabilities in some archiving software, where the mere act of decompressing and extracting an archive can result in malicious code execution due to a bug in the archiving software. After all, such software can itself have the all too common lack of bounds checking (etc.) that could be exploited by a maliciously malformed archive.

It could also be that lower level archive-like files such as ISOs and disk images could, by means of malicious structuring, trigger a total system compromise, because it might well involve the kernel. The way an ISO or disk image is typically used (on Linux, at least) is to create a "loop" device from the file, and then *mount* it as a block device -- a clear kernel involvement.

Of course, scanning any file might conceivably trigger a ClamAV bug, and thus a compromise, but that is no reason to add another layer of vulnerability to things. (But it is a good reason not to run ClamAV as root.)

Paul Kosinski



On Thu, 8 Jun 2023 20:55:25 +0000
"Micah Snyder (micasnyd) via clamav-users" <clamav-users at lists.clamav.net> wrote:

> I agree with you.  I suspect the majority of cases today is when people have a large archive of files to scan.
> 
> I think best case scenario for people with a need to scan files larger than the present internal 2GB limit is that archives larger than 2GB are decompressed and then the files inside are scanned, but without actually scanning the very large outer archive.
> 
> The way to do this as things work today is to script something around clamscan or clamdscan that if the file is too large, handle some assorted file types:
> 
>   1.  if file is a tar.gz, un-tar.gz it and then scan the files within.
>   2.  if file is a zip, un-zip it and then scan the files within.
>   3.  etc.
> 
> I think everyone would like if clamav could do this automatically for select archive types. And I think the advantage would be that we would perhaps keep the extracted files in memory, or else at least delete the temp files as we go without extracting all of it to disk before starting to scan.
> 
> However, it would be far easier to make a shell script or a python script that wraps clamscan/clamdscan and uses native tools like "tar", "unzip", etc.
> 
> Regards,
> Micah
> 
> 
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
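The wrapper Micah sketches, written out as an added example (it is not code from this thread, from ClamAV, or from Cisco/Talos). It assumes a `clamscan` binary on PATH that follows clamscan's documented exit codes (0 clean, 1 infected, anything else an error); the 2 GB limit is the one the thread mentions, while the per-member size cap, the `clamwrap-` temp-dir prefix and the stub scanner used in `demo()` are constructed for the example. Members are extracted one at a time into a private temp directory and deleted after each scan, as Micah suggests. Because the unpacking code now sits in the trust boundary Paul describes, the wrapper refuses members with absolute or `..` paths, skips non-regular tar members, and caps member size; it should still be run as an unprivileged user.

```python
"""Wrap clamscan so that archives above ClamAV's size limit are unpacked and
their members scanned one at a time, each temp file removed as we go."""
import os
import shutil
import subprocess
import sys
import tarfile
import tempfile
import zipfile

LIMIT = 2 * 1024 ** 3          # ClamAV's internal 2 GB file limit, as stated in the thread
MEMBER_CAP = 512 * 1024 ** 2   # constructed per-member cap; guards disk use from inflated members


def clamscan_file(path):
    """Scan one file with clamscan (assumed on PATH); return 'OK', 'FOUND' or 'ERROR'."""
    rc = subprocess.run(["clamscan", "--no-summary", path],
                        stdout=subprocess.DEVNULL).returncode
    return {0: "OK", 1: "FOUND"}.get(rc, "ERROR")


def safe_member(name, size):
    """Reject members that could escape the temp dir or exceed the size cap."""
    if os.path.isabs(name) or ".." in name.replace("\\", "/").split("/"):
        return False
    return size <= MEMBER_CAP


def iter_members(path):
    """Yield (name, size, extract_fn) for regular files in a zip or tar archive.
    The archive stays open while the generator is being consumed."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                yield info.filename, info.file_size, (lambda d, i=info: zf.extract(i, d))
    elif tarfile.is_tarfile(path):
        with tarfile.open(path) as tf:
            for info in tf:
                if not info.isfile():      # skips directories, symlinks, devices
                    continue
                yield info.name, info.size, (lambda d, i=info: tf.extract(i, d, set_attrs=False))
    else:
        raise ValueError("%s: not a supported archive" % path)


def scan_archive(path, scan_file=clamscan_file):
    """Unpack members one by one into a private temp dir, scan each, delete it,
    and return {member_name: result}. Unsafe members are reported as SKIPPED."""
    results = {}
    tmp = tempfile.mkdtemp(prefix="clamwrap-")
    try:
        for name, size, extract in iter_members(path):
            if not safe_member(name, size):
                results[name] = "SKIPPED"
                continue
            extract(tmp)
            target = os.path.join(tmp, name)
            try:
                results[name] = scan_file(target)
            finally:
                os.remove(target)          # never leave extracted content behind
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
    return results


def scan_path(path, scan_file=clamscan_file, limit=LIMIT):
    """Scan the file directly if it fits within the limit; otherwise unpack it."""
    if os.path.getsize(path) <= limit:
        return {path: scan_file(path)}
    return scan_archive(path, scan_file)


def demo():
    """Constructed sample: a small zip scanned with a stub scanner, with limit=0
    so the archive path is exercised. The marker string is not real malware."""
    d = tempfile.mkdtemp(prefix="clamwrap-demo-")
    z = os.path.join(d, "sample.zip")
    with zipfile.ZipFile(z, "w") as zf:
        zf.writestr("docs/readme.txt", b"hello")
        zf.writestr("payload.bin", b"CONSTRUCTED-MARKER")
        zf.writestr("../escape.txt", b"would land outside the temp dir")

    def stub(p):
        with open(p, "rb") as f:
            return "FOUND" if b"CONSTRUCTED-MARKER" in f.read() else "OK"

    try:
        return scan_path(z, scan_file=stub, limit=0)
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for p in sys.argv[1:] or []:
        print(scan_path(p))
```

Usage: `python clamwrap.py /path/to/big.tar.gz` prints a per-member verdict; `demo()` runs the same logic offline against the constructed zip. Note that `zipfile` and `tarfile` here replace the native `tar`/`unzip` tools Micah mentions, so it is the Python parsers, not those tools, that handle the untrusted archive structure.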

