One issue ClamAV currently has with scanning Zip archives is that ClamAV's self-extracting zip detection logic has a flaw wherein it detects every file within a zip as a new self-extracting zip. As a result, I believe (and I could be wrong on this) that Clam ends up extracting and scanning every file in a zip *twice*. I'm still brainstorming the best way to fix this -- but I suspect this is a large part of why zip-based file formats take much longer than expected to scan.

-Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On 4/7/20, 1:38 PM, "clamav-users on behalf of Paul Kosinski via clamav-users" <clamav-users-boun...@lists.clamav.net on behalf of clamav-users@lists.clamav.net> wrote:

I didn't want to screw around with my clamdscan (clamd.conf) settings, so I ran my optioned-up clamscan command on a smaller and much less complicated file. It took less than 11 seconds total time. (My previous guess on clamscan's DB load time was apparently way off.)

This suggests that the ClamAV scanning process really does take a lot of CPU to deal with a big, complicated file like a Firefox package:

time clamscan --alert-exceeds-max=yes --max-scantime=999999 --max-scansize=4090M --max-filesize=4090M --max-files=30000 --max-recursion=30 --pcre-match-limit=999999999 --pcre-max-filesize=999999999 audiofile.wav

audiofile.wav: OK

----------- SCAN SUMMARY -----------
Known viruses: 6804144
Engine version: 0.102.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 1.74 MB
Data read: 1.73 MB (ratio 1.01:1)
Time: 10.836 sec (0 m 10 s)

real 0m10.851s
user 0m10.439s
sys 0m0.412s

P.S. This is an actual audio intermediate file, not just random bytes.

On Mon, 6 Apr 2020 21:50:15 -0700 Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:

> Much of that time is almost certainly being consumed by loading the
> signature database into RAM. How long does it take using clamdscan?
>
> Sent from my iPad
>
> -Al-
>
> On Apr 6, 2020, at 12:29, Paul Kosinski via clamav-users
> <clamav-users@lists.clamav.net> wrote:
> >
> > It *does* take more than 120 secs for the clamscan command to fully
> > scan the 62 MB Firefox installation file (.tar.bz2). Trying the scan
> > with the default clamscan limits results in 62 MB "Data read" but
> > *zero* "Data scanned"!

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml