> Tsutomu Oyamada asked what actually happens when a large file is
> scanned, not why the limit is there.

The default behavior is to treat the file as clean if any of the scan limits
are exceeded (scan time, scan size, file size, etc.).

If you want an alert if the limits are exceeded, then you can use the following 
options:
For ClamD, set "AlertExceedsMax yes" in the "clamd.conf" file.
For ClamScan, use the "--alert-exceeds-max" option on the command line.

This will cause ClamAV to report one of the following signatures when the
limits are exceeded:
  - Heuristics.Limits.Exceeded.MaxFileSize
  - Heuristics.Limits.Exceeded.MaxScanSize
  - Heuristics.Limits.Exceeded.MaxFiles
  - Heuristics.Limits.Exceeded.MaxRecursion
  - Heuristics.Limits.Exceeded.MaxScanTime
  - Heuristics.Limits.Exceeded.EmailLineFoldcnt
  - Heuristics.Limits.Exceeded.EmailHeaderBytes
  - Heuristics.Limits.Exceeded.EmailHeaders
  - Heuristics.Limits.Exceeded.EmailMIMEPartsPerMessage
  - Heuristics.Limits.Exceeded.EmailMIMEArguments
and possibly more with the "Heuristics.Limits.Exceeded." prefix.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

________________________________
From: Andrew C Aitchison <and...@aitchison.me.uk>
Sent: Wednesday, January 25, 2023 10:59 PM
To: Micah Snyder (micasnyd) via clamav-users <clamav-users@lists.clamav.net>
Cc: Micah Snyder (micasnyd) <micas...@cisco.com>
Subject: Re: [clamav-users] About scanning files larger than 2 GB in size

On Thu, 26 Jan 2023, Micah Snyder (micasnyd) via clamav-users wrote:

> Paul is sort-of correct but the 2GB limit isn't artificial as he has implied.

Paul did not answer the original poster's question.
Tsutomu Oyamada asked what actually happens when a large file is
scanned, not why the limit is there.

> On Sun, 22 Jan 2023 05:40:18 +0900
> Tsutomu Oyamada <oyam...@promark-inc.com> wrote:
>
>> How do I set up clamd?
>> Setting MaxFileSize to "0" is unlimited, but internally files
>> larger than 2GB in size cannot be scanned.  In this case, do you
>> treat the file as clean without scanning it at all?

> ClamAV code contains a lot of signed and unsigned 32bit variables
> that must be upgraded to 64bit variables to support larger files.
> Before raising the limit, a tedious audit process must be completed
> to ensure that all variables are upgraded in all modules.  We cannot
> simply remove the limit and cross our fingers.

A static analyzer such as cppcheck, PVS-Studio or the ones built into
gcc and clang may be useful tools in the tedious audit.

--
Andrew C. Aitchison                      Kendal, UK
                    and...@aitchison.me.uk
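
Added example (not part of the original thread and not ClamAV project code): with --alert-exceeds-max enabled, a wrapper can separate the Heuristics.Limits.Exceeded.* results, which mean the file was not fully scanned, from genuine detections. The sample output, the paths and the Example.Malware.Constructed-1 signature name are constructed, and the parser assumes clamscan's "path: Signature FOUND" / "path: OK" result lines.

```python
import re

LIMIT_PREFIX = "Heuristics.Limits.Exceeded."

# Constructed sample of `clamscan --alert-exceeds-max` output. Paths and the
# Example.Malware.Constructed-1 signature name are made up for illustration.
SAMPLE_OUTPUT = """\
/srv/upload/report.pdf: OK
/srv/upload/backup.iso: Heuristics.Limits.Exceeded.MaxFileSize FOUND
/srv/upload/dropper.bin: Example.Malware.Constructed-1 FOUND
/srv/upload/nested: archive.zip: Heuristics.Limits.Exceeded.MaxRecursion FOUND

----------- SCAN SUMMARY -----------
Scanned files: 4
"""

# Greedy path match so a ": " inside a file name does not split the line early.
RESULT_RE = re.compile(r"^(?P<path>.+): (?:OK|(?P<sig>\S+) FOUND)$")


def triage(output):
    """Sort result lines into clean, malware and not-fully-scanned buckets."""
    result = {"clean": [], "malware": [], "unscanned": []}
    for line in output.splitlines():
        if line.startswith("-----------"):  # scan summary follows
            break
        m = RESULT_RE.match(line.rstrip())
        if m is None:
            continue  # blank lines, warnings, anything that is not a verdict
        path, sig = m.group("path"), m.group("sig")
        if sig is None:
            result["clean"].append(path)
        elif sig.startswith(LIMIT_PREFIX):
            # A limit was hit: record which one, and do not treat as scanned.
            result["unscanned"].append((path, sig[len(LIMIT_PREFIX):]))
        else:
            result["malware"].append((path, sig))
    return result


if __name__ == "__main__":
    verdicts = triage(SAMPLE_OUTPUT)
    for path, limit in verdicts["unscanned"]:
        print(f"NOT FULLY SCANNED ({limit}): {path}")
    for path, sig in verdicts["malware"]:
        print(f"MALWARE ({sig}): {path}")
```

Files in the "unscanned" bucket can then be held for review instead of being released as clean.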