Having built ClamAV 0.102.1 a few days ago, I stumbled on the following unfortunate behavior (which is probably not related to 0.102.1), and have a suggestion to remedy it.
I recently did a backup from a Win 7 Pro machine to a directory on our CIFS server and decided to try running ClamAV on the large set of ZIP files which resulted, and I used clamdscan for efficiency. (All the ZIP files are within ClamAV's inherent 4 GB size limit.) I was shocked to find that 24 out of the 715 ZIP files were flagged as containing viruses, in spite of the fact that the Win 7 machine runs Microsoft Security Essentials and it never found any problems in the files which comprise the backup ZIPs. So I figured that ClamAV probably had a few virus patterns that MSE didn't have, or the two AV updates were out of sync. So I ran MSE explicitly on one of the files in question, and it still didn't find anything. OK, different virus DBs for MSE and ClamAV. Then I ran clamscan on that same file (#177). Now *it* didn't find the virus that the clamdscan had found. OK again, slightly different ClamAV DB since they were run on different days. Finally, I ran clamdscan again on that file (after stopping and restarting clamd to make sure it had the same DB as clamscan). This time, again, it found the same virus, whether or not I used the "--fdpass" option (just in case that made a difference). Why did this happen? It seems to be because clamscan does not respect the options in clamd.conf, in particular those relating to max file size and max scan size. The 4 console outputs below illustrate this. The first is a simple clamscan (which finds no virus), the next are 2 clamdscans (with and without "--fdpass") and the 4th is a clamscan with explicit max options (to correspond to the clamd maxes). Notice that this last clamscan now detects the virus that both clamds detected. Currently clamscan doesn't even give a warning (e.g., an error message) if it scans no data at all. Note how the 1st clamscan (with default maxes) reported "Backup files 177.zip: OK". It took me a while to see that it also said "Data scanned 0.00 MB", which makes the "OK" claim extremely questionable.
To mitigate this kind of misleading behavior, where clamscan apparently uses some built-in maxes, I would suggest that either clamscan should respect the relevant options in clamd.conf if they are made explicit, or, better yet, have its own clamscan.conf which allows overriding any built-in defaults. (A separate clamscan.conf file could then also make clear what the defaults are, and the extra time to process it would be trivial compared to the time spent loading the virus DBs.)

============================================
imes>/Backup8/IME8/Backup Set 2020-01-01 104148/Backup Files 2020-01-01 104148$ clamscan -v Backup\ files\ 177.zip
Scanning Backup files 177.zip
Backup files 177.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 6659621
Engine version: 0.102.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 199.59 MB (ratio 0.00:1)
Time: 8.917 sec (0 m 8 s)

============================================
imes>/Backup8/IME8/Backup Set 2020-01-01 104148/Backup Files 2020-01-01 104148$ /opt/clamav/bin/clamdscan -v --fdpass Backup\ files\ 177.zip
/Backup8/IME8/Backup Set 2020-01-01 104148/Backup Files 2020-01-01 104148/Backup files 177.zip: Win.Trojan.Agent-1367203 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 2.010 sec (0 m 2 s)

============================================
imes>/Backup8/IME8/Backup Set 2020-01-01 104148/Backup Files 2020-01-01 104148$ /opt/clamav/bin/clamdscan -v Backup\ files\ 177.zip
/Backup8/IME8/Backup Set 2020-01-01 104148/Backup Files 2020-01-01 104148/Backup files 177.zip: Win.Trojan.Agent-1367203 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 1.964 sec (0 m 1 s)

============================================
imes>/Backup8/IME8/Backup Set 2020-01-01 104148/Backup Files 2020-01-01 104148$ /opt/clamav/bin/clamscan --max-filesize=1000M --max-scansize=1000M -v Backup\ files\ 177.zip
Scanning Backup files 177.zip
Backup files 177.zip: Win.Trojan.Agent-1367203 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6659621
Engine version: 0.102.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 4.05 MB
Data read: 199.59 MB (ratio 0.02:1)
Time: 12.085 sec (0 m 12 s)
============================================

P.S. Why ClamAV finds viruses that MSE doesn't find is a separate question. Perhaps MSE has size limits that they don't even tell us about?

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
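As an added example (not part of the original post, and not ClamAV project code), here is a POSIX shell wrapper that addresses the two points the post makes: it always passes explicit --max-filesize/--max-scansize values to clamscan instead of relying on built-in defaults, and it refuses to treat "OK" as clean when the scan summary reports "Data scanned: 0.00 MB", reporting UNVERIFIED instead. The 1000M limits, the clamscan binary being on PATH, and the sample summaries (constructed to match the outputs quoted above) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: scan with explicit limits and
# distinguish "clean" from "nothing was actually scanned".

# clamscan does not read clamd.conf, so the limits are given explicitly here.
# 1000M mirrors the values used in the post; adjust to local policy (assumption).
CLAM_MAX_FILESIZE="${CLAM_MAX_FILESIZE:-1000M}"
CLAM_MAX_SCANSIZE="${CLAM_MAX_SCANSIZE:-1000M}"

# classify_scan_output: reads clamscan output on stdin and prints one of
#   INFECTED    a signature line ending in " FOUND" was present
#   UNVERIFIED  the file was reported OK but "Data scanned" was 0.00 MB,
#               i.e. a size limit prevented any content from being scanned
#   OK          reported clean and a non-zero amount of data was scanned
#   ERROR       no "Data scanned:" summary line was found at all
classify_scan_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q ' FOUND$'; then
        echo INFECTED
        return 0
    fi
    scanned=$(printf '%s\n' "$out" | sed -n 's/^Data scanned: \([0-9.]*\) MB.*/\1/p')
    if [ -z "$scanned" ]; then
        echo ERROR
        return 0
    fi
    if [ "$scanned" = "0.00" ]; then
        echo UNVERIFIED
        return 0
    fi
    echo OK
}

# scan_file: run clamscan with the explicit limits and classify the result.
# Assumes clamscan is on PATH; stderr is merged so error text is classified too.
scan_file() {
    clamscan --max-filesize="$CLAM_MAX_FILESIZE" \
             --max-scansize="$CLAM_MAX_SCANSIZE" -- "$1" 2>&1 \
        | classify_scan_output
}

# Constructed sample outputs modelled on the summaries quoted in the post.
SAMPLE_DEFAULT_LIMITS='Scanning Backup files 177.zip
Backup files 177.zip: OK
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 199.59 MB (ratio 0.00:1)'

SAMPLE_EXPLICIT_LIMITS='Scanning Backup files 177.zip
Backup files 177.zip: Win.Trojan.Agent-1367203 FOUND
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 1
Data scanned: 4.05 MB
Data read: 199.59 MB (ratio 0.02:1)'

SAMPLE_CLEAN='Scanning example.zip
example.zip: OK
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 0
Data scanned: 4.05 MB
Data read: 4.05 MB (ratio 1.00:1)'

# Usage: ./scanwrap.sh FILE... prints "<STATUS><TAB><file>" per argument.
# With no arguments, demonstrate the classifier on the constructed samples.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s\t%s\n' "$(scan_file "$f")" "$f"
    done
else
    printf 'default limits sample:  %s\n' "$(printf '%s\n' "$SAMPLE_DEFAULT_LIMITS" | classify_scan_output)"
    printf 'explicit limits sample: %s\n' "$(printf '%s\n' "$SAMPLE_EXPLICIT_LIMITS" | classify_scan_output)"
    printf 'clean sample:           %s\n' "$(printf '%s\n' "$SAMPLE_CLEAN" | classify_scan_output)"
fi
```

The classifier keys only on lines clamscan prints in the quoted runs ("... FOUND" and "Data scanned: N MB"), so it works on the verbose output shown in the post; a run that produces no summary at all is surfaced as ERROR rather than silently passing.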