micahsnyder
commented
2 months ago Interesting! Thanks for the report. This should definitely cause an error. I think ideally we'd check it on startup rather than having every scan fail.
Open Xulunix opened 2 months ago
micahsnyder
commented
2 months ago Interesting! Thanks for the report. This should definitely cause an error. I think ideally we'd check it on startup rather than having every scan fail.
Xulunix
commented
2 months ago Thanks for the reply. Checking on startup and returning an error wouldn't hurt for sure. However a scan should still fail if creating temp files is not possible. for example due to no space left on the device.
micahsnyder
commented
2 months ago Agreed
Describe the bug
I'm using libclamav to integrate virus scanning into a custom application. During tests i noticed, that cl_scanfile_callback() returns clean if the scanner fails to create a temporary directory to scan an archive. This leads to files being marked as 'clean' if the configured tmpdir (CL_ENGINE_TMPDIR) becomes unavailable. I've tested the location becoming read-only and an invalid/non-existing path. Both resulted in 'CL_CLEAN'. Shouldn't be the default behavior be something other than clean in that case? From my point of view, silently skipping the scan and returning a clean result without scan seems dangerous to me.
The same behavior applies to clamscan, example below.
Is observing the log message callback the only/intended way to handle such errors during a scan?
How to reproduce the problem
Configure the temporary directory to an invalid or read-only path. Scan an archive Scan is skipped, clean-result returned.