On 2009-07-27 21:19, Michael Rogers wrote:
> The clamd.conf manpage gives dire warnings about "severe damage to the
> system" if MaxScanSize and MaxFileSize are disabled or set too high.

Here are some scenarios:

The partition that has $TMPDIR might get filled if limits are disabled, preventing further files from being scanned, and preventing the operation of any program that needs space on $TMPDIR.

Scanning a file without limits is not guaranteed to finish in a reasonable amount of time, so you could exhaust the scanning threads one by one in clamd, until all further scans time out/refuse connection because all threads are busy scanning something that will never finish scanning, or will finish after a very long time.

Think of scanning a small file that unpacks to a thousand files, each being a few gigabytes, and each unpacking to even more files, otherwise known as a zip-bomb, rar-bomb, ... That sort of file can easily fill all the space on any disk. You are somewhat protected from this if you leave the MaxFiles setting unchanged, but not completely.

Clamd might exhaust physical memory, causing the kernel's OOM killer to trigger if you have overcommit enabled (default), which will kill clamd (or some other unrelated process) to free up memory.

If you have swap space configured, then due to the increased memory usage, the system might start swapping, and if your swap space is excessively large, it can slow everything down before memory is exhausted.

It's not different from allowing any other program unconstrained amount of resources. Try writing a program that does malloc in a loop, or opens a file and writes to it in an infinite loop.

To sum up, it is not recommended to turn off limits in a production environment.

> Could anyone please give me a bit more information about what kind of
> damage might be involved, and how to choose safe non-default values for
> these settings?

You should have enough space to scan MaxThreads * MaxFileSize * MaxRecursion files, and enough processing power to process MaxScanSize*MaxFiles bytes in a reasonable amount of time, in a worst case scenario.

Best regards,
--Edwin
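
The sizing rule from the reply above, worked through as an added example (not code from the original message or from the ClamAV project). The sample clamd.conf values are constructed, the function names are hypothetical, and it assumes sizes use the K/M suffixes and that a value of 0 means the limit is disabled:

```python
import math
import shutil

# Constructed sample values, not a recommended configuration.
SAMPLE_CONF = """\
# clamd.conf excerpt
MaxThreads 10
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
TemporaryDirectory /tmp
"""
SIZE_KEYS = {"MaxScanSize", "MaxFileSize"}
COUNT_KEYS = {"MaxThreads", "MaxRecursion", "MaxFiles"}

def parse_size(text):
    """Plain bytes, or a K/M suffix (1M = 1048576 bytes)."""
    mult = {"k": 1024, "m": 1024 ** 2}.get(text[-1].lower())
    return int(text[:-1]) * mult if mult else int(text)

def parse_limits(conf_text):
    limits = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments
        if len(parts) != 2:
            continue
        key, value = parts
        if key in SIZE_KEYS:
            limits[key] = parse_size(value)
        elif key in COUNT_KEYS:
            limits[key] = int(value)
    missing = (SIZE_KEYS | COUNT_KEYS) - limits.keys()
    if missing:  # no defaults assumed: they differ between releases
        raise ValueError("set explicitly: " + ", ".join(sorted(missing)))
    return limits

def worst_case(limits):
    """Return (temp_bytes, scan_bytes); a disabled limit (0) gives math.inf."""
    def product(*keys):
        if any(limits[k] == 0 for k in keys if k != "MaxThreads"):
            return math.inf
        return math.prod(limits[k] for k in keys)
    return (product("MaxThreads", "MaxFileSize", "MaxRecursion"),
            product("MaxScanSize", "MaxFiles"))

def fits_tmp(limits, free_bytes):
    """True if the worst-case temp usage fits in the given free space."""
    return worst_case(limits)[0] <= free_bytes

if __name__ == "__main__":
    lim = parse_limits(SAMPLE_CONF)
    print(worst_case(lim), fits_tmp(lim, shutil.disk_usage("/tmp").free))
```
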