Hi Gareth,

Sorry about the delay in response.
No, this is not expected behavior.  Inconsistencies in the actual max file size 
are a known issue, particularly on Windows and 32-bit systems.  The issues noted 
in this bug report in particular are probably the leading causes: 
https://bugzilla.clamav.net/show_bug.cgi?id=12251.

I suspect that 2GB may be the max file size that can be consistently scanned by 
ClamAV at this time. 

As this is a bug, there is no other mechanism to force an error message to 
occur when it fails to scan the entire file. I hope we'll be able to find time 
to resolve the large file issue soon, and I apologize for the inconvenience.

Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On 2/25/19, 9:36 AM, "clamav-users on behalf of Gareth Williams via 
clamav-users" <clamav-users-boun...@lists.clamav.net on behalf of 
clamav-users@lists.clamav.net> wrote:

    Hello,
    
    We have been using ClamAV for several months, and are noticing some strange 
behaviour when scanning files (and archives) above a certain size.
    
    The documentation states:
    --max-filesize=#n can be anything up to 4GB
    --max-scansize=#n can be anything up to 4GB
    
    We are however experiencing different behaviour:
    
    Scanning a file of ~3GB in size results in no scan taking place, but 
reporting the file is OK anyway.
    
    COMMAND:
    clamscan --max-scansize=4000M --max-filesize=4000M -rav --block-max=yes --max-recursion=5 --max-dir-recursion=4 Users.xml
    
    OUTPUT:
    Scanning Users.xml
    Users.xml: OK
    
    ----------- SCAN SUMMARY -----------
    Known viruses: 6813534
    Engine version: 0.101.1
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.00 MB <=================
    Data read: 2955.02 MB (ratio 0.00:1)
    Time: 12.935 sec (0 m 12 s)
    
    As this file is less than 4GB, we would have expected this to have been 
scanned properly.
    
    
    We have also noted erratic behaviour when scanning archive files. For 
example:
    
    COMMAND:
    clamscan --max-scansize=4000M --max-filesize=4000M -rav --block-max=yes --max-recursion=5 --max-dir-recursion=4 stackoverflow.com-Users.7z
    
    OUTPUT:
    Scanning stackoverflow.com-Users.7z
    Scanning stackoverflow.com-Users.7z!7Z:Users.xml
    stackoverflow.com-Users.7z: OK
    
    ----------- SCAN SUMMARY -----------
    Known viruses: 6813534
    Engine version: 0.101.1
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 413.86 MB
    Data read: 410.01 MB (ratio 1.01:1)
    Time: 28.029 sec (0 m 28 s)
    
    This archive contains the same file as in the first example, and it does
    not appear to extract the file from the archive. It simply scans the archive
    itself. We have observed other cases where archives are extracted and scanned
    fully by clamscan.
    
    
    Questions:
    - Is this expected behaviour for clamscan?
    
    - Is there another, lower, limit on file sizes which can actually be 
scanned in practice?
    
    - Is there a way to force clamscan to error if a file has not actually been 
scanned?
    
    
    Regards,
    
    Gareth
    
    
    
    _______________________________________________
    
    clamav-users mailing list
    clamav-users@lists.clamav.net
    https://lists.clamav.net/mailman/listinfo/clamav-users
    
    
    Help us build a comprehensive ClamAV guide:
    https://github.com/vrtadmin/clamav-faq
    
    http://www.clamav.net/contact.html#ml
    


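Since the reply above says clamscan has no built-in way to raise an error here, one workaround is to check the SCAN SUMMARY yourself before trusting an "OK" verdict. The following is an added example, not code from the thread or from the ClamAV project; the function names and the two checks are assumptions, the first sample is the summary quoted in the thread, and the second sample is constructed.

```python
import re

# Per the reply above, 2GB is the suspected ceiling for consistent scanning.
SUSPECTED_LIMIT_BYTES = 2 * 1024**3

_FIELD = re.compile(r"^[ \t]*(Data scanned|Data read|Scanned files):[ \t]*([\d.]+)", re.M)

# Summary from the first report in the thread (the ~3GB Users.xml scan).
LARGE_FILE_OUTPUT = """\
Users.xml: OK
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB <=================
Data read: 2955.02 MB (ratio 0.00:1)
"""
LARGE_FILE_SIZE = int(2955.02 * 1024**2)  # assumed on-disk size, from "Data read"

# Constructed sample of a small file that was actually scanned.
SMALL_FILE_OUTPUT = """\
notes.txt: OK
----------- SCAN SUMMARY -----------
Scanned files: 1
Data scanned: 1.50 MB
Data read: 1.20 MB (ratio 1.25:1)
"""

def parse_summary(output):
    """Return the numeric SCAN SUMMARY fields of a clamscan run as floats."""
    return {name: float(value) for name, value in _FIELD.findall(output)}

def coverage_problems(output, file_size_bytes):
    """List reasons an 'OK' verdict should not be trusted (hypothetical helper)."""
    summary = parse_summary(output)
    if "Data scanned" not in summary or "Data read" not in summary:
        return ["no SCAN SUMMARY found; treat the file as unscanned"]
    problems = []
    # The symptom from the thread: data was read, but nothing was scanned.
    if summary["Data read"] > 0 and summary["Data scanned"] == 0:
        problems.append("data was read but 0.00 MB was scanned")
    if file_size_bytes > SUSPECTED_LIMIT_BYTES:
        problems.append("file exceeds the suspected 2GB reliable-scan limit")
    return problems

if __name__ == "__main__":
    for reason in coverage_problems(LARGE_FILE_OUTPUT, LARGE_FILE_SIZE):
        print("UNTRUSTED OK:", reason)
```

These checks do not catch the archive case from the thread, where the 7z file itself is small and its summary looks normal; that would need the uncompressed size of each member.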