Nigel Horne wrote:
I've captured a copy of an email that looks like it's causing clamav to loop.

Thank you for the sample which I have looked at.

The email has several sizable zip files
attached, each of which contains a number of Word documents.
Since each of the files MUST be individually scanned (encoded,
unencoded, zipped and unzipped), ClamAV has a lot of work to do, and
you need to be more patient with Russian Doll stress tests such as this.

Whilst the email is only 5MB in size, the total amount of data
which needs to be scanned is 137.58 MB, of which 132MB needs to
be created by the various mechanisms mentioned above.

It seems to me that you may not have looked carefully at your
settings in clamd.conf, which could be leading you to a DoS attack.


Thanks for taking the time to look at it, Nigel, but I'm really unsure about what options in the clamd.conf file I could change.

As you said, the zip files themselves are quite small, so lowering ArchiveMaxFileSize isn't really an option. There is no recursion of zip files or directories going on, so those options don't help.

If you have any ideas about what I could look for, I'd appreciate the learning experience.
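
The expansion discussed in this thread (a 5MB message turning into 137.58 MB of scan work) can be measured for any message before adjusting limits in clamd.conf. The Python script below is an added example, not part of the thread and not ClamAV code; the function names and the constructed sample message are assumptions, and it counts each layer (raw message, decoded attachments, unzipped members) once.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage


def scan_workload(raw: bytes) -> dict:
    """Count the bytes a scanner must handle at each layer of one message."""
    totals = {"raw_message": len(raw), "decoded_parts": 0,
              "unzipped_members": 0, "member_count": 0}
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64/QP
        totals["decoded_parts"] += len(payload)
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                # Size declared in the zip directory; nothing is extracted.
                totals["unzipped_members"] += info.file_size
                totals["member_count"] += 1
    totals["total"] = (totals["raw_message"] + totals["decoded_parts"]
                       + totals["unzipped_members"])
    totals["amplification"] = round(totals["total"] / totals["raw_message"], 1)
    return totals


def build_sample(zips: int = 3, docs_per_zip: int = 4,
                 doc_size: int = 200_000) -> bytes:
    """Constructed sample: a mail with small zips holding compressible files."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    for z in range(zips):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for d in range(docs_per_zip):
                zf.writestr(f"doc{d}.doc", b"A" * doc_size)
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename=f"set{z}.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in scan_workload(build_sample()).items():
        print(f"{key:>18}: {value}")
```

Running `scan_workload` over a quarantined message shows which layer dominates, which helps decide whether a per-file size limit or a limit on the number of files is the relevant one.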


