A virtual machine. This made me look at the default allocated RAM, which was 512 bytes. Now increased to 2GB, it is working.
Thanks. Scott On Thu, Apr 11, 2013 at 12:35 PM, Shawn Webb <sw...@sourcefire.com> wrote: > What OS and what architecture are you running (32bit Linux, 64bit Linux, > etc.)? How much physical memory do you have installed? > > > On Thu, Apr 11, 2013 at 12:32 PM, Scott Ehrlich <sc...@ehrlichtronics.com > >wrote: > > > Set it to just above the size and got, via --debug: > > > > For the mbox file... > > > > libclamav Warning: fmap: map allocation failed > > libclamav Error: CRITICAL: fmap() failed > > /path/to/mbox-file: Cannot allocate memory ERROR > > > > The file is about 1.6 GB. > > > > Thanks. > > > > Scott > > > > On Thu, Apr 11, 2013 at 12:20 PM, Shawn Webb <sw...@sourcefire.com> > wrote: > > > > > Hey Scott, > > > > > > Can you try setting --max-filesize to a value larger than the size of > the > > > file you're trying to scan? > > > > > > Thanks, > > > > > > Shawn > > > > > > > > > On Thu, Apr 11, 2013 at 12:10 PM, Scott Ehrlich < > > sc...@ehrlichtronics.com > > > >wrote: > > > > > > > According to --debug, when it hit the mbox file, for clamscan, I got: > > > > > > > > libclamav: cli_updatelimits: filesize exceeded (allowed: abc, needed: > > > xyz) > > > > > > > > How to fix this? > > > > > > > > Thanks. > > > > > > > > Scott > > > > > > > > On Thu, Apr 11, 2013 at 9:59 AM, Shawn Webb <sw...@sourcefire.com> > > > wrote: > > > > > > > > > Interesting. Can you send me the log file from clamscan or clamd > > > > (whichever > > > > > you're using to scan the file)? I'll take a look at it ASAP. If you > > > > could, > > > > > please add --debug and --verbose to the scan. > > > > > > > > > > > > > > > On Thu, Apr 11, 2013 at 9:50 AM, Scott Ehrlich < > > > sc...@ehrlichtronics.com > > > > > >wrote: > > > > > > > > > > > I'm getting these results with a 1.5 GB file (thus, less than 2 > > GB). > > > > > > > > > > > > What is the best way to scan it? > > > > > > > > > > > > Thanks. > > > > > > > > > > > > Scott > > > > > > > > > > > > On Thu, Apr 11, 2013 at 9:42 AM, Shawn Webb < > sw...@sourcefire.com> > > > > > wrote: > > > > > > > > > > > > > Hey Scott, > > > > > > > > > > > > > > The bug is that ClamAV 0.97 doesn't support scanning large > files > > > > under > > > > > > > Linux. Files greater than 2GB in size need to be handled > > specially > > > > > under > > > > > > > Linux. We've added large file support to 0.98. You will need to > > > > upgrade > > > > > > to > > > > > > > 0.98. We don't have a firm release date for 0.98. > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > Shawn > > > > > > > > > > > > > > > > > > > > > On Thu, Apr 11, 2013 at 9:34 AM, Scott Ehrlich < > > > > > sc...@ehrlichtronics.com > > > > > > > >wrote: > > > > > > > > > > > > > > > What is the current status of large-size mbox file scanning, > > > then? > > > > > > Does > > > > > > > it > > > > > > > > work, or do I need to wait for 0.98 for successful scanning? > > > > > > > > > > > > > > > > If I need to wait, approximately when do you think? > > > > > > > > > > > > > > > > If it _does_ work now, what are the needed switches/options > to > > > make > > > > > it > > > > > > > > work? > > > > > > > > > > > > > > > > Thanks. > > > > > > > > > > > > > > > > Scott > > > > > > > > > > > > > > > > On Thu, Apr 11, 2013 at 9:32 AM, Shawn Webb < > > > sw...@sourcefire.com> > > > > > > > wrote: > > > > > > > > > > > > > > > > > Hey Scott, > > > > > > > > > > > > > > > > > > This is a known bug in ClamAV 0.97. We've addressed and > fixed > > > it > > > > in > > > > > > > 0.98. > > > > > > > > > Development is ongoing on 0.98 and there isn't a firm > release > > > > date, > > > > > > > yet. > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > > > > > Shawn > > > > > > > > > > > > > > > > > > > > > > > > > > > On Thu, Apr 11, 2013 at 9:13 AM, Scott Ehrlich < > > > > > > > sc...@ehrlichtronics.com > > > > > > > > > >wrote: > > > > > > > > > > > > > > > > > > > Making more progress - > > > > > > > > > > > > > > > > > > > > using --scan-mail=yes and --max-scansize=3000M the mbox > > file > > > is > > > > > > being > > > > > > > > > > "seen", but, as I discovered, and someone posted on a > page > > > > > > somewhere, > > > > > > > > > there > > > > > > > > > > is a discrepency between "Data scanned" and "Data read". > > > Data > > > > > > > Scanned > > > > > > > > > > shows about 0. Data Read shows a more appropriate large > > > value > > > > > > (multi > > > > > > > > > > megabyte). > > > > > > > > > > > > > > > > > > > > I then tried to play with --max-filesize= 0, or 1, or > > 3000M, > > > > and > > > > > > now > > > > > > > > get > > > > > > > > > > "fmap - map allocation failed" for the mbox file. > > > > > > > > > > > > > > > > > > > > Thus, it appears to "see" the mbox file, but, based on > the > > > Data > > > > > > > scanned > > > > > > > > > > field above, there is no strong evidence to claim it is > > being > > > > > > > properly > > > > > > > > > > scanned. > > > > > > > > > > > > > > > > > > > > I also tried --tempdir=/path/to/lot-of-space and that > > didn't > > > > seem > > > > > > to > > > > > > > do > > > > > > > > > any > > > > > > > > > > good. > > > > > > > > > > > > > > > > > > > > Again, clamscan 0.97.7. > > > > > > > > > > > > > > > > > > > > Ideas are welcome. Switches from successful test results > > > also > > > > > > > welcome. > > > > > > > > > > > > > > > > > > > > Thanks. > > > > > > > > > > > > > > > > > > > > Scott > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Wed, Apr 10, 2013 at 8:01 PM, A K Varnell < > > > > alvarn...@mac.com> > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Apr 10, 2013, at 4:59 PM, A K Varnell < > > > alvarn...@mac.com> > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > On Apr 10, 2013, at 4:41 PM, Scott Ehrlich < > > > > > > > > sc...@ehrlichtronics.com > > > > > > > > > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > >> You may be correct, though recalling my command-line > > > > > options, > > > > > > > > > > including > > > > > > > > > > > >> verbose mode, the mbox file is very large, yet the > > scan > > > > took > > > > > > > just > > > > > > > > a > > > > > > > > > > few > > > > > > > > > > > >> seconds. > > > > > > > > > > > > > > > > > > > > > > > > Then you'll need to change: > > > > > > > > > > > > > > > > > > > > > > > > --max-filesize=#n > > > > > > > > > > > > Extract and scan at most #n kilobytes > from > > > > each > > > > > > > > archive. > > > > > > > > > > > You may > > > > > > > > > > > > pass the value in megabytes in format xM > > or > > > > xm, > > > > > > > where > > > > > > > > > x > > > > > > > > > > > is a > > > > > > > > > > > > number. This option protects your > > system > > > > > > against > > > > > > > > DoS > > > > > > > > > > > attacks > > > > > > > > > > > > (default: 25 MB, max: <4 GB) > > > > > > > > > > > > > > > > > > > > > > Sorry, wrong reference: > > > > > > > > > > > > > > > > > > > > > > --max-scansize=#n > > > > > > > > > > > Extract and scan at most #n kilobytes > from > > > > each > > > > > > > > scanned > > > > > > > > > > > file. > > > > > > > > > > > You may pass the value in megabytes in > > > format > > > > xM > > > > > > or > > > > > > > > xm, > > > > > > > > > > > where x > > > > > > > > > > > is a number. This option protects > your > > > > > system > > > > > > > > > against > > > > > > > > > > > DoS > > > > > > > > > > > attacks (default: 100 MB, max: <4 GB) > > > > > > > > > > > > > > > > > > > > > > -Al- > > > > > > > > > > > > > > > > > > > > > > >> ... > > > > > > > > > > > >> Scott > > > > > > > > > > > >> > > > > > > > > > > > >> > > > > > > > > > > > >> On Wed, Apr 10, 2013 at 5:41 PM, Steven Morgan < > > > > > > > > > > smor...@sourcefire.com > > > > > > > > > > > >wrote: > > > > > > > > > > > >> > > > > > > > > > > > >>> Scott, > > > > > > > > > > > >>> > > > > > > > > > > > >>> Looking at the code, I think the option is > > 'scan-mail'. > > > > It > > > > > > > > defaults > > > > > > > > > > as > > > > > > > > > > > yes, > > > > > > > > > > > >>> so you shouldn't need to do anything special, just > > > > clamscan > > > > > > > > > > > /path/to/mbox/. > > > > > > > > > > > >>> > > > > > > > > > > > >>> Let us know if that is not working. > > > > > > > > > > > >>> > > > > > > > > > > > >>> Steve > > > > > > > > > > > >>> > > > > > > > > > > > >>> On Wed, Apr 10, 2013 at 4:46 PM, Scott Ehrlich < > > > > > > > > > > > sc...@ehrlichtronics.com > > > > > > > > > > > >>>> wrote: > > > > > > > > > > > >>> > > > > > > > > > > > >>>> I just compiled clamav 0.97.7 on SANS SIFT Linux. > > > > > > > > > > > >>>> > > > > > > > > > > > >>>> Reviewing the README file and google, it appears > > that > > > > > > clamscan > > > > > > > > > > should > > > > > > > > > > > be > > > > > > > > > > > >>>> able to review/scan mbox files, but any attempt at > > > using > > > > > > > --mbox, > > > > > > > > > > such > > > > > > > > > > > as > > > > > > > > > > > >>>> clamscan --mbox or clamscan -d /tmp/virdir --mbox > > > > > > > > > /path/to/mboxfile, > > > > > > > > > > > >>>> reports an error with the --mbox switch. > > > > > > > > > > > >>>> > > > > > > > > > > > >>>> I reviewed the configuration file, and there was > > > nothing > > > > > for > > > > > > > > mbox > > > > > > > > > > > >>> support. > > > > > > > > > > > >>>> > > > > > > > > > > > >>>> Am I missing something? > > > > > > > > > > > >>>> > > > > > > > > > > > >>>> Thanks. > > > > > > > > > > > >>>> > > > > > > > > > > > >>>> Scott > > > > > > > > > > > >>>> _______________________________________________ > > > > > > > > > > > >>>> Help us build a comprehensive ClamAV guide: visit > > > > > > > > > > > http://wiki.clamav.net > > > > > > > > > > > >>>> http://www.clamav.net/support/ml > > > > > > > > > > > >>>> > > > > > > > > > > > >>> _______________________________________________ > > > > > > > > > > > >>> Help us build a comprehensive ClamAV guide: visit > > > > > > > > > > > http://wiki.clamav.net > > > > > > > > > > > >>> http://www.clamav.net/support/ml > > > > > > > > > > > >>> > > > > > > > > > > > >> _______________________________________________ > > > > > > > > > > > >> Help us build a comprehensive ClamAV guide: visit > > > > > > > > > > > http://wiki.clamav.net > > > > > > > > > > > >> http://www.clamav.net/support/ml > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > > > > Help us build a comprehensive ClamAV guide: visit > > > > > > > > > > http://wiki.clamav.net > > > > > > > > > > > > http://www.clamav.net/support/ml > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > > > Help us build a comprehensive ClamAV guide: visit > > > > > > > > > http://wiki.clamav.net > > > > > > > > > > > http://www.clamav.net/support/ml > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > > Help us build a comprehensive ClamAV guide: visit > > > > > > > > http://wiki.clamav.net > > > > > > > > > > http://www.clamav.net/support/ml > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > Help us build a comprehensive ClamAV guide: visit > > > > > > > http://wiki.clamav.net > > > > > > > > > http://www.clamav.net/support/ml > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > Help us build a comprehensive ClamAV guide: visit > > > > > > http://wiki.clamav.net > > > > > > > > http://www.clamav.net/support/ml > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > Help us build a comprehensive ClamAV guide: visit > > > > > http://wiki.clamav.net > > > > > > > http://www.clamav.net/support/ml > > > > > > > > > > > > > _______________________________________________ > > > > > > Help us build a comprehensive ClamAV guide: visit > > > > http://wiki.clamav.net > > > > > > http://www.clamav.net/support/ml > > > > > > > > > > > _______________________________________________ > > > > > Help us build a comprehensive ClamAV guide: visit > > > http://wiki.clamav.net > > > > > http://www.clamav.net/support/ml > > > > > > > > > _______________________________________________ > > > > Help us build a comprehensive ClamAV guide: visit > > http://wiki.clamav.net > > > > http://www.clamav.net/support/ml > > > > > > > _______________________________________________ > > > Help us build a comprehensive ClamAV guide: visit > http://wiki.clamav.net > > > http://www.clamav.net/support/ml > > > > > _______________________________________________ > > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net > > http://www.clamav.net/support/ml > > > _______________________________________________ > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net > http://www.clamav.net/support/ml > _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
