Hi there,

On Mon, 4 Oct 2021, Max Allan via clamav-users wrote:

> ... if the AV scanner has stopped scanning before everything was
> scanned, it MAY be infected and I cannot allow the file in.

As a result of collecting statistics on mail servers for some years,
my estimate of the probability that ClamAV, out of the box, will detect
some random threat is on the order of a few percent.  Even if you used
all the available scanning products on the planet the probability will
not be much better than 80%.  See some of my other posts to this list
for tables of numbers.

More succinctly, if you rely just on scanning for protection, then by
about the fifth threat that you scan the game will probably be over.

So I hope you're not saying that a clean scan result will mean that
you allow the file in without further ado.

> So I ask again, why does it hit a limit when in a .zip file but not
> when the zip is expanded, when all the limits are clearly much higher
> than anything it will encounter?

I don't know, but I haven't carefully examined your command line - I
feel that it's insanely long, and quite possibly asking for trouble.
Have you read the warnings in the documentation about increased limits?

It isn't always obvious what ClamAV does under the hood when it scans
things like archives, but to help with any investigation you can for
example increase the debug log message verbosity and tell ClamAV to
keep any temporary files instead of deleting them after the scan.
Sometimes I've rebuilt ClamAV simply to add a debug message to find
out what's going on.  Having the source code helps a lot of course. :)

Obviously I haven't seen any of the files that you're scanning.  If
you can let me have one which you think will exhibit this behaviour
I'll be happy to give it a once-over when I get a minute.

--

73,
Ged.
