What are the compressed and uncompressed sizes of the problem file?

On Fri, 1 Oct 2021, Max Allan via clamav-users wrote:
Hi,

I have a requirement (from the business) to AV scan all docker containers we create. I started experimenting with tomcat:latest, which is handy because you can follow along at home easily!

Someone else has already recommended a scan command:

    clamscan <file> \
      --infected \
      --recursive=yes \
      --alert-exceeds-max=yes \
      --max-recursion=2000000 \
      --max-dir-recursion=2000000 \
      --max-files=2000000 \
      --max-filesize=2000M \
      --max-scansize=2000M \
      --max-embeddedpe=2000M \
      --max-htmlnormalize=2000M \
      --max-htmlnotags=2000M \
      --max-scriptnormalize=2000M \
      --max-ziptypercg=2000M \
      --max-partitions=2000000 \
      --max-iconspe=2000000 \
      --max-rechwp3=2000000 \
      --pcre-match-limit=2000000 \
      --pcre-recmatch-limit=2000000 \
      --pcre-max-filesize=2000M -a

So, if you run the tomcat:latest container, apt update, apt install clamav, freshclam and run that scan command against /usr/local/openjdk-11/lib/src.zip you will probably get a failure:

    /usr/local/openjdk-11/lib/src.zip: Heuristics.Limits.Exceeded FOUND
    /usr/local/openjdk-11/lib/src.zip!(0)ZIP:jdk.zipfs/jdk/nio/zipfs/ZipInfo.java: Heuristics.Limits.Exceeded FOUND

    ---------- SCAN SUMMARY -----------
    Known viruses: 8570214
    Engine version: 0.103.3
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 290.07 MB
    Data read: 55.52 MB (ratio 5.22:1)
    Time: 260.438 sec (4 m 20 s)
    Start Date: 2021:10:01 13:39:47
    End Date: 2021:10:01 13:44:07

However, if I extract that zip file to /src and then run clamscan on /src then it passes without a problem:

    ----------- SCAN SUMMARY -----------
    Known viruses: 8570214
    Engine version: 0.103.3
    Scanned directories: 2076
    Scanned files: 18415
    Infected files: 0
    Data scanned: 333.04 MB
    Data read: 170.92 MB (ratio 1.95:1)
    Time: 320.573 sec (5 m 20 s)
    Start Date: 2021:10:01 13:23:39
    End Date: 2021:10:01 13:29:00

(There are indeed 18415 files in that .zip according to unzip -l)

Or even scan the single file:

    clamscan ZipInfo.java --infected --recursive=yes --alert-exceeds-max=yes \
      --max-recursion=2000000 --max-dir-recursion=2000000 --max-files=2000000 \
      --max-filesize=2000M --max-scansize=2000M --max-embeddedpe=2000M \
      --max-htmlnormalize=2000M --max-htmlnotags=2000M --max-scriptnormalize=2000M \
      --max-ziptypercg=2000M --max-partitions=2000000 --max-iconspe=2000000 \
      --max-rechwp3=2000000 --pcre-match-limit=2000000 --pcre-recmatch-limit=2000000 \
      --pcre-max-filesize=2000M -a

    ----------- SCAN SUMMARY -----------
    Known viruses: 8570214
    Engine version: 0.103.3
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.01 MB
    Data read: 0.01 MB (ratio 1.50:1)
    Time: 68.326 sec (1 m 8 s)
    Start Date: 2021:10:01 16:03:14
    End Date: 2021:10:01 16:04:22

Clearly the content of src.zip (ZipInfo.java) IS scannable, when extracted, but for some reason not scannable when it is in a zip file...

Is this a bug? Or am I specifying some options that are causing it??

(clamscan -V
ClamAV 0.103.3/26309/Fri Oct 1 09:03:53 2021
)

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
-- 
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk