This one time, at band camp, Antonio Fiol said:
> I am using clamd in STREAM mode in every case.
> 
> I have found a way of fooling the scanner to give a false
> negative:
> 
> If the user sends a BIG file (bigger than the limit) with a virus near
> the end (outside the limit), it will get cut, and the virus will not be
> found.
> 
> IMO, the scanner should detect this as an exceptional situation, and
> react by saying:
> stream: ERROR:Size-limit-exceeded FOUND
> 
> Or any other informative string.

Upstream's response is that you should set your MTA limits for message
size to be the same as your settings for stream size, so that you can
just reject oversize messages outright.  Apparently that means they
don't want to accept your patch :(

The logic is that the Archive related options and ArchiveBlockMax are
to protect against archive bombs.  But it is trivially easy to control
the size of the data being fed to clamav, unlike knowing in advance the
content that will go through.

Take care,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
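
An added example, not part of the original message and not ClamAV or Debian code: a check that the MTA accepts nothing larger than what clamd reads from a stream, which is the alignment upstream recommends above. It assumes Postfix as the MTA (message_size_limit in main.cf) and StreamMaxLength in clamd.conf; the sample configs in the usage comment are constructed.

```python
import re

_UNITS = {"": 1, "K": 1024, "M": 1024 * 1024}


def parse_size(text):
    """Convert a clamd size value such as '10M', '512k' or '10240000' to bytes."""
    m = re.fullmatch(r"(\d+)([KkMm]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).upper()]


def clamd_stream_limit(conf_text):
    """StreamMaxLength in bytes from clamd.conf text, or None if not set.
    If the option is repeated, the last one seen is used (assumption of this sketch)."""
    limit = None
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments
        if len(parts) == 2 and parts[0] == "StreamMaxLength":
            limit = parse_size(parts[1])
    return limit


def postfix_message_limit(conf_text):
    """message_size_limit in bytes from Postfix main.cf text, or None if not set."""
    limit = None
    for line in conf_text.splitlines():
        m = re.match(r"message_size_limit\s*=\s*(\d+)\s*$", line)
        if m:
            limit = int(m.group(1))
    return limit


def check_limits(clamd_conf, main_cf):
    """Return (status, unscanned_bytes).
    GAP means the MTA accepts messages whose tail clamd would never read."""
    stream = clamd_stream_limit(clamd_conf)
    mta = postfix_message_limit(main_cf)
    if stream is None or mta is None:
        return ("UNKNOWN", None)  # set both explicitly rather than trusting defaults
    if mta > stream:
        return ("GAP", mta - stream)
    return ("OK", 0)

# Constructed sample: check_limits("StreamMaxLength 10M\n",
#                                  "message_size_limit = 20480000\n")
```

A GAP result is the situation described in the quoted report: the trailing bytes of an accepted message fall outside what the scanner sees.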
