[clamav-users] Question About MaxFileSize
Kenneth Porter
shiva at sewingwitch.com
Sat Jun 10 01:15:39 UTC 2023
--On Friday, June 09, 2023 6:40 PM -0400 Paul Kosinski via clamav-users
<clamav-users at lists.clamav.net> wrote:
> I have on occasion heard of vulnerabilities in some archiving software,
> where the mere act of decompressing and extracting an archive can result
> in malicious code execution due to a bug in the archiving software. After
> all, such software can itself have the all too common lack of bounds
> checking (etc.) that could be exploited by a maliciously malformed
> archive.
>
> It could also be that lower level archive-like files such as ISOs and
> disk images could, by means of malicious structuring, trigger a total
> system compromise, because it might well involve the kernel. The way an
> ISO or disk image is typically used (on Linux, at least) is to create a
> "loop" device from the file, and then *mount* it as a block device -- a
> clear kernel involvement.
Filesystems are also files, interpreted by kernel-level filesystem drivers.
Some filesystems have a compression feature. Scanning ANY file exercises
such code.
> Of course, scanning any file might conceivably trigger a ClamAV bug, and
> thus a compromise, but that is no reason to add another layer of
> vulnerability to things. (But it is a good reason not to run ClamAV as
> root.)
This is also a good reason to run it as a service in a sandbox with minimal
capabilities. The client application (like a mail server) can feed the file
to scan through a socket and rely on the service's sandbox to protect the
client application.
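As an added illustration of the "feed the file through a socket" design described above (example code, not from the original post or from the ClamAV project): the client builds a clamd INSTREAM request, so only the sandboxed daemon ever parses the file. The socket path and the size limit are assumptions; the sample replies are constructed.

```python
import socket
import struct

# Constructed client-side cap; clamd enforces its own StreamMaxLength from
# clamd.conf, which this example does not read.
MAX_STREAM_BYTES = 25 * 1024 * 1024


def instream_frames(data, chunk_size=8192):
    """Build the wire bytes of one zINSTREAM request: the command, then
    chunks of 4-byte big-endian length + payload, ended by a zero length."""
    if len(data) > MAX_STREAM_BYTES:
        raise ValueError("file exceeds the configured stream size limit")
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack("!I", len(chunk)) + chunk
    out += struct.pack("!I", 0)  # terminating zero-length chunk
    return bytes(out)


def parse_reply(reply):
    """Turn a NUL-terminated clamd reply into (verdict, detail).
    verdict is "OK", "FOUND" (detail = signature name) or "ERROR"
    (detail = message). Anything unrecognised is reported as ERROR."""
    text = reply.rstrip(b"\0").decode("ascii", "replace")
    head, sep, rest = text.partition(": ")
    if not sep:  # e.g. "INSTREAM size limit exceeded. ERROR" has no prefix
        rest = head
    if rest == "OK":
        return "OK", None
    if rest.endswith(" FOUND"):
        return "FOUND", rest[: -len(" FOUND")]
    if rest.endswith(" ERROR"):
        return "ERROR", rest[: -len(" ERROR")]
    return "ERROR", rest


def scan_bytes(data, sock_path="/run/clamav/clamd.ctl"):
    """Send data to clamd over its Unix socket (path is an assumption)
    and return the parsed verdict; the client never parses the file."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)
```

A client that treats "ERROR" (including the size-limit reply) as "not scanned" rather than "clean" keeps the fail-closed behaviour the sandboxing is meant to provide.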