ClamAV is both an email/attachment scanner and a file system scanner. It is
pointless to set the email scanner to scan files larger than your MTA is
configured to accept. Secondarily, the interface between the MTA and ClamAV
frequently has a max filesize parameter, too. This is to prevent DOS'ing your
own system. This means only that the clamd.conf file used for file scanning is
possibly inappropriate for use as an email scanner. And there is absolutely no
reason people cannot run multiple instances of clamd on a system so long as each
has its own clamdxx.conf and port/socket/log settings.
dp
On 7/26/16 9:26 AM, Kevin Lin wrote:
The filesize limit can be dynamically set for clamscan with the
"--max-filesize=xxM" option. clamd.conf can be used to change the clamd
filesize limit with "MaxFileSize".
Excerpt from clamscan help:
----
--max-filesize=#n Files larger than this will be
skipped and assumed clean
--max-scansize=#n The maximum amount of data to scan
for each container file (**)
--max-files=#n The maximum number of files to
scan for each container file (**)
----
Excerpt from clamd.conf manpage:
----
MaxScanSize SIZE
Sets the maximum amount of data to be scanned for each input
file. Archives and other containers are recursively extracted and scanned
up to this value. The size of an archive plus the sum of the sizes of all
files within archive count toward the scan size. For example, a 1M
uncompressed archive containing a single 1M inner file counts as 2M toward
the max scan size. Warning: disabling this limit or setting it too
high may result
in severe damage to the system.
Default: 100M
MaxFileSize SIZE
Files larger than this limit won't be scanned. Affects the
input file itself as well as files contained inside it (when the input file
is an archive, a document or some other kind of container). Warning:
disabling this limit or setting it too high may result in severe damage to
the system.
Default: 25M
...
MaxFiles NUMBER
Number of files to be scanned within an archive, a document,
or any other kind of container. Warning: disabling this limit or setting it
too high may result in severe damage to the system.
Default: 10000
----
As said earlier, be careful with expanding the engine limits as scanning
oversized files can be dangerous.
-Kevin
On Tue, Jul 26, 2016 at 2:10 AM, Al Varnell <alvarn...@mac.com> wrote:
You might be able to re-compile the ClamAV source and configure it with
--maxfilesize=xxM, but the limit is there to prevent severe system damage
that can result from attempting to scan over-sized files. I know in the
case of OS X there is no known malware that exceed the established limits.
-Al-
Thanks for your questions and suggestions.
I had a look via the --debug method, and found the following in the
clamAV call:-
LibClamAV debug: cli_updatelimits: filesize exceeded (allowed: 26214400,
needed: 104096320)
<snip>
Is there somewhere in the clamAV config I can set the cli_updatelimits:
filesize to be larger?
In the install dir I only see clamd.conf and freshclam.conf:
TCPSocket 3310
MaxThreads 2
LogFile C:\working\clam_av_logs\clamd.txt
DatabaseDirectory C:\Program Files\clamav-amd64-0.99.2\db
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
