Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

INSTREAM: Size limit reached error in every files #942

Closed lerminou closed 8 months ago

lerminou commented 1 year ago

Describe the bug

I use ClamAV in a Docker container in a Kubernetes cluster. When my Python application performs an INSTREAM analysis I always have the **INSTREAM: Size limit reached**, but my file is around 170Ko and I forced the limit to 500M.

We use the clamd Python library (v1.0.2): https://pypi.org/project/clamd/

How to reproduce the problem

Replace this text with specific steps needed to reproduce the issue.

clamconf -n Config

Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
LogTime = "yes"
PidFile = "/tmp/clamd.pid"
TemporaryDirectory = "/tmp"
LocalSocket = "/tmp/clamd.sock"
LocalSocketGroup = "2000"
TCPSocket = "3310"
StreamMaxLength = "524288000"
Foreground = "yes"
Debug = "yes"
DetectPUA = "yes"
ExcludePUA = "NetTool", "PWTool"
AlertBrokenExecutables = "yes"
MaxScanSize = "157286400"
MaxFileSize = "31457280"
MaxRecursion = "10"
MaxFiles = "15000"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxPartitions = "128"
MaxIconsPE = "200"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "10000"
DisableCertCheck = "yes"

Config file: freshclam.conf
---------------------------
LogTime = "yes"
PidFile = "/tmp/freshclam.pid"
DatabaseMirror = "clamav-updates.xxx"
PrivateMirror = "clamav-updates.xxx"

Config file: clamav-milter.conf
-------------------------------
LogFile = "/var/log/clamav/milter.log"
LogTime = "yes"
PidFile = "/tmp/clamav-milter.pid"
User = "clamav"
ClamdSocket = "unix:/tmp/clamd.sock", "unix:/tmp/clamd.sock", "unix:/tmp/clamd.sock", "unix:/tmp/clamd.sock", "unix:/tmp/clamd.sock"
MilterSocket = "inet:7357"

Software settings
-----------------
Version: 1.0.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR 

Database information
--------------------
Database directory: /var/lib/clamav
daily.cld: version 26929, sigs: 2036479, built on Mon Jun  5 07:34:01 2023
bytecode.cld: version 334, sigs: 91, built on Wed Feb 22 21:33:21 2023
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
Total number of signatures: 8683997

Platform information
--------------------
uname: Linux 4.18.0-372.19.1.el8_6.x86_64 #1 SMP Mon Jul 18 11:14:02 EDT 2022 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.13 (1.2.13), compile flags: a9
platform id: 0x0a21a1a108000000000c0201

Build information
-----------------
GNU C: 12.2.1 20220924 (12.2.1)
sizeof(void*) = 8
Engine flevel: 161, dconf: 161

Attachments


Mon Jun 5 13:11:53 2023 -> Received POLLIN|POLLHUP on fd 10
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Moved partial command: 4104
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> mode == MODE_STREAM
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Processed 20 bytes of chunkdata, pos 0
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Got chunksize: 1024
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Quota Remaining: 524242944
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Processed 1024 bytes of chunkdata, pos 24
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Got chunksize: 1024
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Quota Remaining: 524241920
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Processed 1024 bytes of chunkdata, pos 1052
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Got chunksize: 1024
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Quota Remaining: 524240896
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Processed 1024 bytes of chunkdata, pos 2080
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Got chunksize: 1024
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Quota Remaining: 524239872
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Processed 996 bytes of chunkdata, pos 3108
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> fds_poll_recv: timeout after 119 seconds
Mon, Jun 5 2023 3:11:53 pm | Mon Jun 5 13:11:53 2023 -> Received POLLIN|POLLHUP on fd 10
Mon, Jun 5 2023 3:11:53 pm | WARNING: Mon Jun 5 13:11:53 2023 -> INSTREAM: Size limit reached, (requested: 3345442920, max: 524237824)

micahsnyder commented 8 months ago

@lerminou sorry you did not receive a response.

Our team does not make the clamd python library or have experience using it to interact with clamd. It sounds like a bug in the way this library is performing scans with the INSTREAM command. You may need to contact the developers of this python module to seek help. I'm going to close this ticket since I do not believe it to be a bug in clamd itself.

Out of curiosity, did you ever resolve this issue?
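
An added example (not code from this issue, from the clamd Python library, or from ClamAV) that frames a payload for INSTREAM the way clamd documents it, a 4-byte big-endian length before each chunk and a zero-length chunk to end, and walks the frames against the `StreamMaxLength` quota. It goes beyond the thread by showing one way a multi-gigabyte `requested` value can arise for a small file: a length prefix that disagrees with the bytes actually sent, so payload bytes are read as the next length. Assumptions: `frame_instream`, `parse_instream`, `desynced` and `SAMPLE` are hypothetical names, the payload is constructed, the parser is a simplified model rather than clamd's implementation, and the thread does not establish that this is what happened to the reporter.

```python
import struct

STREAM_MAX_LENGTH = 524288000  # StreamMaxLength from the clamconf output in the issue
COMMAND = b"zINSTREAM\0"       # null-terminated form of the INSTREAM command


def frame_instream(data: bytes, chunk_size: int = 1024) -> bytes:
    """Command, then <4-byte big-endian length><chunk> frames, then a zero length."""
    frames = [COMMAND]
    for start in range(0, len(data), chunk_size):
        chunk = data[start:start + chunk_size]
        frames.append(struct.pack("!I", len(chunk)) + chunk)
    frames.append(struct.pack("!I", 0))
    return b"".join(frames)


def parse_instream(wire: bytes, limit: int = STREAM_MAX_LENGTH):
    """Simplified receiver model: returns (status, bytes_accepted, rejected_length)."""
    if not wire.startswith(COMMAND):
        return ("bad command", 0, None)
    pos, accepted = len(COMMAND), 0
    while True:
        if pos + 4 > len(wire):
            return ("truncated", accepted, None)
        (size,) = struct.unpack_from("!I", wire, pos)
        pos += 4
        if size == 0:
            return ("ok", accepted, None)
        if size > limit - accepted:  # compare against the remaining quota
            return ("size limit reached", accepted, size)
        if pos + size > len(wire):
            return ("truncated", accepted, None)
        pos += size
        accepted += size


# Constructed payload: 170 KiB of a repeating 4-byte pattern (not the reporter's file).
SAMPLE = b"\xc7ghh" * (170 * 1024 // 4)


def desynced(wire: bytes, declared: int) -> bytes:
    """Model a sender defect: the first length prefix no longer matches the bytes sent."""
    start = len(COMMAND)
    return wire[:start] + struct.pack("!I", declared) + wire[start + 4:]


if __name__ == "__main__":
    good = frame_instream(SAMPLE)
    print(parse_instream(good))                  # well-formed stream
    print(parse_instream(desynced(good, 1020)))  # payload bytes read as a length
```

The `requested: 3345442920` value in the warning above is `0xC7676868`, which is why the constructed payload repeats those four bytes.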