When you have "AlertExceedsMax yes" in your config, then exceeding scan limits are treated as alerts / infected regardless of if it finds any signature matches.
Respectfully, Val Valerie Snyder (she/they) ClamAV Development Talos Cisco Systems, Inc. ________________________________ From: clamav-users <[email protected]> on behalf of Paul Kosinski via clamav-users <[email protected]> Sent: Saturday, March 28, 2026 10:43 AM To: Andrew C Aitchison <[email protected]> Cc: Paul Kosinski <[email protected]>; [email protected] <[email protected]> Subject: Re: [clamav-users] Why are recent Firefox (for Windows) downloads ALL being found to contain ransomware? On Fri, 27 Mar 2026 12:23:35 +0000 (GMT) Andrew Aitchison via clamav-users <[email protected]> wrote: > I note that the scan takes around two minutes > which may be enough for a timeout such as ReadTimeout to kick in. ------------------------------------ ------------------------------------ If I reduce the max scan time limit for clamd to 30 secs, I get the following: ==================== Firefox Setup 115.34.0esr.exe: Heuristics.Limits.Exceeded.MaxScanTime FOUND ----------- SCAN SUMMARY ----------- Infected files: 1 Time: 30.619 sec (0 m 30 s) Start Date: 2026:03:27 22:29:05 End Date: 2026:03:27 22:29:36 RC = 1 ==================== which is quite different from: ==================== Firefox Setup 115.34.0esr.exe: Win.Trojan.Spora-7724442-0 FOUND ----------- SCAN SUMMARY ----------- Infected files: 1 Time: 87.618 sec (1 m 27 s) Start Date: 2026:03:27 22:41:03 End Date: 2026:03:27 22:42:31 RC = 1 ==================== P.S. In both cases I have used the verbose reporting option. It's interesting that the first case also shows 1 infected file -- perhaps it found the Trojan before it timed out? _______________________________________________ Manage your clamav-users mailing list subscription / unsubscribe: https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/Cisco-Talos/clamav-documentation https://docs.clamav.net/#mailing-lists-and-chat
_______________________________________________ Manage your clamav-users mailing list subscription / unsubscribe: https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/Cisco-Talos/clamav-documentation https://docs.clamav.net/#mailing-lists-and-chat
