Citeren Paul Kosinski via clamav-users <clamav-users@lists.clamav.net>:
I am puzzled (and dismayed) by the following behavior of ClamAV. When I
scan some archive files, I often get "Heuristics.Limits.Exceeded FOUND".
This makes me wonder about ClamAV's utility in protecting our systems
against malware.
I'm not talking about archive files downloaded from questionable
sources, or incredibly large files (like DVD ISO files). I'm talking
about files like the latest 64-bit Linux Firefox ESR binary file (65
MB) downloaded from "http://ftp.mozilla.org/pub/firefox/releases/";.
Although this file passed its GPG signature verification, and its
SHA512 checksum test, I still like to use ClamAV for additional
checking (since even reputable distribution sites have been known to
have been compromised).
However, applying clamscan to this file (which was slightly renamed by
my download script to be more readable) results in the following output:
clamscan --alert-exceeds-max=yes --max-scantime=999
--max-scansize=4090M --max-filesize=4090M --max-files=30000
--max-recursion=30 --pcre-match-limit=999999999
--pcre-max-filesize=999999999 firefox-68.6.1-esr-64.tar.bz2
firefox-68.6.1-esr-64.tar.bz2: Heuristics.Limits.Exceeded FOUND
This is in spite of the extra options I added to relax the "Limits".
So I decided that since the Firefox tar.bz2 file passed its GPG and
SHA512 tests, I would expand the into a temp directory and clamscan
the result. (Which files are those used directly to run Firefox):
clamscan --alert-exceeds-max=yes --max-scantime=999
--max-scansize=4090M --max-filesize=4090M --max-files=30000
--max-recursion=30 --pcre-match-limit=999999999
--pcre-max-filesize=999999999 -r firefox | grep -v ' OK'
firefox/removed-files: Empty file
firefox/chrome.manifest: Empty file
firefox/browser/chrome.manifest: Empty file
firefox/browser/omni.ja: Heuristics.Limits.Exceeded FOUND
firefox/omni.ja: Heuristics.Limits.Exceeded FOUND
The 'empty' files are Mozilla's doing, but the fact that the ".ja"
files (which are "Mozilla archive" files -- basically jar/zip), were
flagged bothered me. A lot.
So what should I do to have confidence in ClamAV's utility in such
situations?
Before writing this whole rant, you have not considered checking which
of the options might have triggered this? You've reduced the
--max-scantime from the default 120 seconds to under 1 second and
still wonder why this breaks? Really?
The version of clamscan I am using is 0.102.1 (built from source), and
I only started using the "--alert-exceeds-max=yes" option recently.
Thanks,
Paul Kosinski
P.S. I hope everybody is staying healthy.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
