This one time, at band camp, Michael Gilbert said:
> > Please run clamscan with --debug, as I asked earlier.  If you can't
> > interpret the results, send them on and I'll help.  To repeat, you are
> > tripping the _builtin_default_ for one of the many limits in libclamav.
> > They are there for a good reason, but they can all be overridden.  If you
> > send me the debug output, I can help you find settings that work for
> > your scenario.
>
> using '--debug', it looks like there is an all black image
> (uncompressed 768 kB, compressed 809 B, ratio 902) in the archive that
> is (validly) triggering the 'oversized.zip' flag (default ratio 250).
> i tried the scan again with '--max-ratio=0' to bypass the ratio
> detection routine, which did not detect anything wrong with the
> archive as i expect.
>
> i think that the '--max-ratio' and '--max-dir-recursion' checks should
> not be enabled by default.  they should be enabled with the
> '--block-max' flag as is the current case with the '--max-space',
> '--max-recursion', and '--max-files' options.  all of these options
> seem very related, and hence should function similarly (only checked
> when the user sets the '--block-max' flag).  let me know if this sounds
> reasonable.

It is currently set at clamscan/manager.c, starting around line 132.  Each
of these options has a built-in default.  Since the point of the clamav
suite is to scan unknown executable code from hostile parties, I think
these make sense.  If you are scanning relatively trusted files then you
can be a little more lenient, and arrange the limits as you feel you need
to for your environment.

It's easy enough to change the code in scanners.c to check for BLOCKMAX,
but I'm just not sure it's the right thing to do.  I will talk with
upstream and see if they think it should be governed by that argument as
well.  As I said, I'm not convinced that it's the right thing to do.

> this may be what you are trying to do in the code (i think --block-max
> option corresponds to the limits variable); however, the conditional
> statement on line 452 in libclamav/scanners.c seems to be executed
> whether or not --block-max is set on the command line.

--block-max sets BLOCKMAX for that bit of code.  You are correct, it is
not checked there.

> anyway, let me know if you need any more details.

Thanks, that's pretty much what I figured was going on.

-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
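The compression-ratio limit discussed in this thread, as an added example that is not part of the original message and is not libclamav's code: it builds a constructed archive containing a 768 kB all-zero member, flags members whose ratio exceeds the default of 250 quoted above, and treats a limit of 0 as "check disabled". The function names and the sample archive are assumptions made for illustration.

```python
import io
import zipfile

DEFAULT_MAX_RATIO = 250  # default ratio quoted in the thread


def build_sample_zip(payload_size=768 * 1024):
    """Constructed sample: one all-zero 'image' and one ordinary member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Stands in for the all-black image: trivially compressible data.
        zf.writestr("black.bmp", b"\x00" * payload_size)
        # 1 kB of repeating byte values: compresses, but only modestly.
        zf.writestr("readme.txt", bytes(range(256)) * 4)
    return buf.getvalue()


def oversized_members(zip_bytes, max_ratio=DEFAULT_MAX_RATIO):
    """Return [(name, ratio)] for members whose uncompressed/compressed
    ratio exceeds max_ratio. max_ratio=0 disables the check."""
    if max_ratio == 0:
        return []
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # These sizes are the values declared in the archive's central
            # directory; a scanner handling hostile input must also bound
            # the bytes actually produced while decompressing.
            if info.compress_size == 0:
                continue  # empty member, no ratio to compute
            ratio = info.file_size // info.compress_size
            if ratio > max_ratio:
                flagged.append((info.filename, ratio))
    return flagged


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, ratio in oversized_members(sample):
        print(f"{name}: ratio {ratio} exceeds {DEFAULT_MAX_RATIO}")
    print("with limit 0:", oversized_members(sample, max_ratio=0))
```

A benign but highly uniform file is indistinguishable from a decompression bomb by ratio alone, which is why the limit is a tunable rather than a verdict on the content.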

