On 3/28/07, Trog <[EMAIL PROTECTED]> wrote:
> I suggest you do the following:
> o Scan the file manually with the --leave-temps
I have done this now. The 3,8 MB file unpacked into 78 directories (e.g.
clamav-ee4dca88cff9ffa2) and totalled over 500 files!
> o Have a look in your tmp dir and see what files clam actually pulled out of
> your powerpoint file. There may be something surprising in there (and there may
> not)
I can't see anything special there, just a lot of binary files. It
must be the unarchiving and scanning of all the expanded bits that
consumes all the resources. Quite a difference between a single 3,8 MB
file and 500+ files totalling 255 MB.
> PowerPoint is very bad for hiding extra files inside the ppt files.
Horrible. I looked at the document in PowerPoint and it was just an
ordinary presentation with less than 100 slides.
I tried to use "--max-space" and "--max-files" but found them not to
work - at least with OLE2. When I set --max-space=50000 for example it
still scanned 173 MB and took 7 minutes, I expected it to cut at 50
MB. The PPT unpacked in many small files so it shouldn't be a problem
to stop between files when the limit is reached but neither
--max-space nor --max-files worked as expected. Only when I tested with
--max-files=1 it scanned just 3,7 MB of data and finished in less than
3 seconds. Maybe --max-files=1 means it just scans the archive
itself..? Everything above 1 scanned the whole archive. Maybe those
options are just for zips, ..?
I see no alternative to using --no-ole2.
--
/peter