Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

clamscan needs 5 minutes on an item with a long pathname #607

Open ggaussling opened 2 years ago

ggaussling commented 2 years ago

Hi,

I have noticed that clamscan needs a very long time and maybe slows down on long pathnames? Could this be the case?

It took, for example, 5 minutes on this folder and these three items:

C:\Windows\winsxs\wow64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_11.2.9600.19155_none_00128aa86b7d1181\mshtml.dll: OK
C:\Windows\winsxs\wow64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_11.2.9600.19155_none_00128aa86b7d1181\mshtml.tlb: OK
C:\Windows\winsxs\wow64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_11.2.9600.19155_none_00128aa86b7d1181\wow64_Microsoft-Windows-IE-HTMLRendering.ptxml: OK

Alternatively, it may have problems with .ptxml files?

CPU and RAM were available, though.

This Computer is old and uses a HDD.

Lenovo IdeaPad N581
Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz
Intel Ivy Bridge rev. 09
Intel HM76 rev. 04
4 GBytes DDR3 RAM 798.7 MHz (1:6)
HDD: ST500LM012 HN-M500MBB, 465.8GB, 5400RPM, SATA AHCI

C:\Windows\system32>clamconf -n
Checking configuration files in C:\Program Files\ClamAV

Config file: clamd.conf
-----------------------
LogFile = "C:\Programme\ClamAV\clamd.log"
PidFile = "C:\Programme\ClamAV\clamd.pid"
DatabaseDirectory = "C:\Programme\ClamAV\database"
TCPSocket = "3310"
TCPAddr = "localhost"

Config file: freshclam.conf
---------------------------
PidFile = "C:\Programme\ClamAV\freshclam.pid"
DatabaseDirectory = "C:\Programme\ClamAV\database"
UpdateLogFile = "C:\Programme\ClamAV\freshclam.log"
DatabaseMirror = "database.clamav.net"
NotifyClamd = "C:\Programme\ClamAV\clamd.conf"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.105.0
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 JSON RAR

Database information
--------------------
Database directory: C:\Programme\ClamAV\database
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 16:21:51 2021
daily.cvd: version 26557, sigs: 1985004, built on Mon May 30 10:05:44 2022
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
Total number of signatures: 8632523

Platform information
--------------------
uname: Microsoft Windows 6.1 SP1.0 Build 7601
OS: Windows, ARCH: AMD64, CPU: AMD64
zlib version: 1.2.12 (1.2.12), compile flags: 65
platform id: 0x10259696080000000000077c

Build information
-----------------
Microsoft Visual C++: (0.7.124)
sizeof(void*) = 8
Engine flevel: 150, dconf: 150

C:\Windows\system32>

micahsnyder commented 2 years ago

@ggaussling I doubt it's because of the long pathname, but you could always make a copy in a shorter directory with a different filename to test and be certain. clamscan itself takes quite a long time to start up these days because the database has been growing unchecked for a while (we're working on that).

DLL and TLB files are both PE files and these are known to take a longer time to scan if there are a lot of functions in them. I'm not familiar with any scan time issues with *.ptxml files though. But it could be that this specific file takes a very long time to scan for some reason.

I found these files on a Windows 7 x64 VM. I see that mshtml.dll is pretty big for a DLL, roughly 20MB:

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          8/3/2019   9:21 PM   20291584 mshtml.dll
-a---          8/3/2019   9:15 PM    2724864 mshtml.tlb
-a---         2/11/2018   6:05 PM       3228 wow64_Microsoft-Windows-IE-HTMLRendering.ptxml

I suspect the long scan time is from scanning mshtml.dll and is unrelated to the long pathname.
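Added example, not from the issue or from the ClamAV project: a PowerShell script that carries out the copy-to-a-short-path test suggested in the reply, timing each file in place and as a renamed copy, with an empty-file baseline to separate clamscan's database-load startup cost from actual scan time. It assumes clamscan.exe is on PATH and uses the folder from the report; $ShortDir is a constructed scratch location.

```powershell
# Added example (not from the issue or ClamAV): does scan time follow the
# file content or the pathname? Assumes clamscan.exe on PATH; $ShortDir is
# a constructed scratch directory, $LongDir is the folder from the report.
$ClamScan = "clamscan.exe"
$LongDir  = "C:\Windows\winsxs\wow64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_11.2.9600.19155_none_00128aa86b7d1181"
$ShortDir = "C:\t"

function Measure-ClamScan {
    param([string]$Path)
    # Wall-clock seconds for one clamscan run; --no-summary keeps output short.
    $t = Measure-Command { & $ClamScan --no-summary $Path | Out-Null }
    return [math]::Round($t.TotalSeconds, 1)
}

New-Item -ItemType Directory -Path $ShortDir -Force | Out-Null

# Baseline: clamscan loads the full signature database on every start, so
# scanning an empty file shows how much of each run is startup, not scanning.
$empty = Join-Path $ShortDir "empty.bin"
New-Item -ItemType File -Path $empty -Force | Out-Null
$startup = Measure-ClamScan $empty

$i = 0
$rows = foreach ($f in Get-ChildItem -Path $LongDir -File) {
    $i++
    # Same bytes under a short path and short name. If the copy is as slow
    # as the original, the content (e.g. a 20 MB PE) is the cause, not the path.
    $copy = Join-Path $ShortDir ("f$i" + $f.Extension)
    Copy-Item -Path $f.FullName -Destination $copy -Force
    [pscustomobject]@{
        Name         = $f.Name
        SizeMB       = [math]::Round($f.Length / 1MB, 1)
        StartupSec   = $startup
        LongPathSec  = Measure-ClamScan $f.FullName
        ShortPathSec = Measure-ClamScan $copy
    }
}
$rows | Format-Table -AutoSize
```

Subtract StartupSec from the two timing columns to see the real per-file scan cost; reading winsxs may require an elevated shell.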