Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Clamscan on Windows does not skip large files (>2 GB) and outputs error reports cl_scandesc_callback: Can't fstat descriptor 3 instead #1315

Open basimar opened 1 month ago

basimar commented 1 month ago

Describe the bug

When running clamscan.exe (ClamAV 1.3.1/27344/Mon Jul 22 10:26:31 2024) on Windows (Windows Server 2019 Standard) with a large file (exceeding 2 GB), the following error is displayed:

```
Scanning C:\Users\me\Documents\2500M.file
LibClamAV Error: cl_scandesc_callback: Can't fstat descriptor 3
C:\Users\me\Documents\2500M.file: Can't get file status ERROR

----------- SCAN SUMMARY -----------
Known viruses: 8696388
Engine version: 1.3.1
Scanned directories: 0
Scanned files: 0
Infected files: 0
Total errors: 1
Data scanned: 0.00 MB
Data read: 4192653.05 MB (ratio 0.00:1)
Time: 34.731 sec (0 m 34 s)
Start Date: 2024:07:23 11:43:11
End Date: 2024:07:23 11:43:45
```

I'm aware of the maxFilesize limit of 2 GB in ClamAV (see https://github.com/Cisco-Talos/clamav/issues/344), but according to the documentation I would expect that ClamAV either reports the file as uninfected or (if --alert-exceeds-max is set to true) reports a Heuristics.Limits.Exceeded.MaxFileSize FOUND error.

I tried different combinations of --max-filesize, --max-scansize and --alert-exceeds-max, but I'm always getting the same error when the file is larger than 2 GB.

When running the same commands on Linux, everything works correctly: ClamAV reports the file either as uninfected or with the heuristics error.

Is there any chance to get the same behavior in Windows? I'm fine with the 2 GB limit, but as I need to parse the output of ClamAV in our software, I would prefer getting the correct error message when trying to scan large files.

The same error was reported in https://github.com/Cisco-Talos/clamav/issues/479 (also on Windows)

How to reproduce the problem

The following commands all report the same error when running on a Windows system:

```
clamscan.exe -v -a --stdout --max-filesize=1000M --max-scansize=1000M --alert-exceeds-max=yes "C:\Users\me\Documents\2500M.file"

clamscan.exe -v -a --stdout --max-filesize=1000M --max-scansize=1000M --alert-exceeds-max=no "C:\Users\me\Documents\2500M.file"

clamscan.exe -v -a --stdout --max-filesize=0 --max-scansize=0 --alert-exceeds-max=yes "C:\Users\me\Documents\2500M.file"
```

micahsnyder commented 1 month ago

Thanks for the report @basimar

I was able to reproduce the issue:

```
❯ ~\clams\clamav-1.3.1.win.x64\clamscan.exe -v -a --stdout  --max-filesize=1000M --max-scansize=1000M --alert-exceeds-max=yes $HOME\Downloads\3gb-file
Loading:     0s, ETA:   0s [========================>]        1/1 sigs
Compiling:   0s, ETA:   0s [========================>]       10/10 tasks

Scanning C:\Users\micasnyd\Downloads\3gb-file
LibClamAV Error: cl_scandesc_callback: Can't fstat descriptor 3
C:\Users\micasnyd\Downloads\3gb-file: Can't get file status ERROR

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 1.3.1
Scanned directories: 0
Scanned files: 0
Infected files: 0
Total errors: 1
Data scanned: 0.00 MB
Data read: 4193280.00 MB (ratio 0.00:1)
Time: 0.013 sec (0 m 0 s)
Start Date: 2024:07:24 10:12:49
End Date:   2024:07:24 10:12:49
```

I'd really thought we'd ironed out all of the issues with the file size checks. 😞
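For software that parses clamscan output, as the reporter's does, the following added example (not part of the issue thread and not ClamAV code) classifies the per-file result lines so that an `ERROR` or a `Heuristics.Limits.Exceeded` hit is never read as a clean scan just because `Infected files` is 0. The function names and result categories are assumptions of this sketch, and the sample is constructed from the output quoted in the report.

```python
import re

# Per-file result line printed by clamscan: "<path>: [detail ]<STATUS>"
RESULT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<detail>.*) )?(?P<status>OK|FOUND|ERROR)$")
SUMMARY_RE = re.compile(r"^(Scanned files|Infected files|Total errors): (\d+)$")

def classify(status, detail):
    """Map one result line to what it means for the caller."""
    if status == "OK":
        return "clean"
    if status == "ERROR":
        return "not_scanned"        # e.g. "Can't get file status"
    if detail.startswith("Heuristics.Limits.Exceeded"):
        return "limit_exceeded"     # a scan limit was hit, not a malware match
    return "infected"

def parse_clamscan(output):
    """Return (per-file results, summary counters) from clamscan --stdout text."""
    results, summary = {}, {}
    for line in output.splitlines():
        line = line.strip()
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = RESULT_RE.match(line)
        if m:
            results[m.group("path")] = classify(m.group("status"), m.group("detail") or "")
    return results, summary

def overall(results, summary):
    """'Infected files: 0' alone is not a clean verdict; errors override it."""
    states = set(results.values())
    if "infected" in states:
        return "infected"
    if states & {"not_scanned", "limit_exceeded"} or summary.get("Total errors", 0):
        return "incomplete"
    return "clean" if results else "incomplete"

# Constructed sample: the Windows output from the report above, abbreviated.
WINDOWS_OUTPUT = r"""Scanning C:\Users\me\Documents\2500M.file
LibClamAV Error: cl_scandesc_callback: Can't fstat descriptor 3
C:\Users\me\Documents\2500M.file: Can't get file status ERROR
----------- SCAN SUMMARY -----------
Scanned files: 0
Infected files: 0
Total errors: 1
"""
print(overall(*parse_clamscan(WINDOWS_OUTPUT)))
```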