On Thu, Apr 17, 2014 at 12:22 AM, Dennis Peterson <denni...@inetnw.com> wrote:

> On 4/15/14, 7:36 AM, Steven Morgan wrote:
>
>> Good news, it works. We are considering a --warn-on-limit-exceeded option
>> to cover messaging in these types of cases.
>>
>> Steve
>
> I've found an interesting inconsistency when scanning archives. I tested
> this on an xz compressed tar file (the ClamAV distro) and the library error
> handler informed me the file size was too large, it then scanned what it
> could, and failed to find the ClamAV test file. I then did the same thing
> on a gzip compressed tar file and it silently failed to find the test file.
> When I put in appropriate sizes for max filesize and max scansize the test
> file was found in the xz compressed file and the gzip file. I wonder why I
> was informed of the size problem with the xz tar file and not the gzip tar
> file? Perhaps xz is not included as a library feature and gzip is?
>
> dp
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml

Though inconsistent, it is less interesting than it may appear. The scanning
behavior is the same. Both return a clean disposition if limits are reached
and no signatures alert, including a message at debug level describing which
limit was exceeded. The only difference is that the xz scan (written more
recently) also logs a warning at the point when the limit is reached in the
middle of scanning the archive, and the gz scan (written less recently) does
not.

Dave R.

--
Dave Raynor
Vulnerability Research Team
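
Because both code paths return a clean disposition when a limit is reached, a wrapper can check an archive against the configured limits before trusting that verdict. The following is an added example, not code from this thread or from ClamAV: the function names are hypothetical, the limits are caller-supplied, and the size comparison is a simplified model rather than ClamAV's own limit accounting.

```python
import gzip
import io
import lzma
import tarfile

# Magic bytes -> stream opener for the two formats discussed in the thread.
OPENERS = {b"\x1f\x8b": gzip.open, b"\xfd7zXZ\x00": lzma.open}

def inflated_size(data: bytes, cap: int) -> int:
    """Decompressed size of data, read in chunks and abandoned once past cap."""
    for magic, opener in OPENERS.items():
        if data.startswith(magic):
            total = 0
            with opener(io.BytesIO(data)) as stream:
                # Bounded read: never inflate more than one chunk past the cap.
                while total <= cap and (chunk := stream.read(65536)):
                    total += len(chunk)
            return total
    return len(data)  # neither gzip nor xz: treat as stored data

def limit_reasons(data: bytes, max_filesize: int, max_scansize: int) -> list[str]:
    """Reasons a clean verdict on this archive may cover only part of it."""
    reasons = []
    if len(data) > max_filesize:
        reasons.append("compressed file exceeds max filesize")
    size = inflated_size(data, max(max_filesize, max_scansize))
    if size > max_filesize:
        reasons.append("decompressed stream exceeds max filesize")
    if size > max_scansize:
        reasons.append("decompressed stream exceeds max scansize")
    return reasons

def make_sample(mode: str, payload_len: int = 200_000) -> bytes:
    """Constructed sample: a tar with one zero-filled member, mode 'gz' or 'xz'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=f"w:{mode}") as tar:
        info = tarfile.TarInfo("sample.bin")
        info.size = payload_len
        tar.addfile(info, io.BytesIO(bytes(payload_len)))
    return buf.getvalue()

if __name__ == "__main__":
    # Same report for both formats, unlike the warning behavior described above.
    for mode in ("gz", "xz"):
        print(mode, limit_reasons(make_sample(mode), 100_000, 100_000))
```

A non-empty result means a clean disposition should be treated as "not fully scanned" and the file rescanned with larger limits or handled by policy.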