Open hebelal opened 2 years ago
Thanks for the report @hebelal. I did some initial triage and confirmed that this is a bug. I haven't identified exactly where it's going wrong but I see that during the scan it is exceeding the max scan-size, and then skipping scans of subsequent files. It should have reported an alert that it exceeds the max but it does not.
Interestingly, it does alert when using the --gen-json option that we use for file analysis (not something you want to use all the time).
Anyways... I will create a jira task in our internal clam development backlog for this report so we can prioritize work on fixing this.
Hi, Could you provide an ETA on when we can expect a fix for this bug?
Hi,
Description: We're using the latest clamav docker image (0.105). Our clamd.conf only has default values except for: "AlertExceedsMax yes". We now want to scan a very highly compressed zip file with clamd. There are files up to 1GB in this zip file, however the zip itself is only a few kb small. On virustotal 4/47 scan engines even rate this file as a virus (but not clamav): https://www.virustotal.com/gui/file/8666412e0882da27cbc7b876f337dc6b004f876d7a1cad372a247fb868223450
So the expectation is that we receive a "Heuristics.Limits.Exceeded" as described here: https://github.com/Cisco-Talos/clamav/blob/4f3fd4e4173a45eed4ae9e628cc60fc22472227e/etc/clamd.conf.sample#L650-L654
However we do not get any heuristic message, but instead the same response as for every other file without a virus.
Reproduce:
Attachments: recursive_zip.zip
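Because the thread reports clamd returning a clean verdict instead of Heuristics.Limits.Exceeded for this kind of archive, a submitting service can check the declared expansion itself before trusting the result. The following is an added example, not code from this issue or from ClamAV; the names `exceeds_limit` and `build_sample`, the depth cap, and the byte limit passed in are assumptions to be aligned with your own clamd.conf.

```python
import io
import zipfile


def exceeds_limit(blob: bytes, limit: int, max_depth: int = 4) -> bool:
    """True if the uncompressed sizes declared in the ZIP central directory,
    including nested .zip members, add up to more than `limit` bytes.
    Declared sizes are attacker-controlled, so this is a coarse pre-filter."""
    budget = [limit]  # remaining bytes, shared across all nesting levels

    def walk(data: bytes, depth: int) -> bool:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                budget[0] -= info.file_size
                if budget[0] < 0:
                    return True
                if not info.filename.lower().endswith(".zip"):
                    continue
                if depth >= max_depth:
                    return True  # too deep to inspect: treat as exceeded
                # Bounded read: file_size was already charged to the budget.
                with zf.open(info) as member:
                    inner = member.read(info.file_size)
                try:
                    if walk(inner, depth + 1):
                        return True
                except zipfile.BadZipFile:
                    pass  # named .zip but not an archive; counted as a file
        return False

    return walk(blob, 0)


def build_sample(payload_size: int) -> bytes:
    """Constructed sample: a small outer zip holding an inner zip of zeros."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", bytes(payload_size))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample(4 * 1024 * 1024)
    # Assumed limit of 1 MiB for the demo; use your configured scan-size limit.
    print(len(sample), exceeds_limit(sample, 1024 * 1024))
```

A file flagged here can be quarantined or routed for manual review regardless of what clamd returns.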