I must say I strongly disagree with the approach of feeding files contained in a big archive file one at a time to ClamAV. That's because an archive is *itself* a file.

I have on occasion heard of vulnerabilities in some archiving software, where the mere act of decompressing and extracting an archive can result in malicious code execution due to a bug in the archiving software. After all, such software can itself have the all too common lack of bounds checking (etc.) that could be exploited by a maliciously malformed archive. It could also be that lower level archive-like files such as ISOs and disk images could, by means of malicious structuring, trigger a total system compromise, because it might well involve the kernel. The way an ISO or disk image is typically used (on Linux, at least) is to create a "loop" device from the file, and then *mount* it as a block device -- a clear kernel involvement.

Of course, scanning any file might conceivably trigger a ClamAV bug, and thus a compromise, but that is no reason to add another layer of vulnerability to things. (But it is a good reason not to run ClamAV as root.)

Paul Kosinski

On Thu, 8 Jun 2023 20:55:25 +0000 "Micah Snyder (micasnyd) via clamav-users" <clamav-users@lists.clamav.net> wrote:

> I agree with you. I suspect the majority of cases today is when people have
> a large archive of files to scan.
>
> I think best case scenario for people with a need to scan files larger than
> the present internal 2GB limit is that archives larger than 2GB are
> decompressed and then the files inside are scanned, but without actually
> scanning the very large outer archive.
>
> The way to do this as things work today is to script something around
> clamscan or clamdscan that if the file is too large, handle some assorted
> file types:
>
> 1. if file is a tar.gz, un-tar.gz it and then scan the files within.
> 2. if file is a zip, un-zip it and then scan the files within.
> 3. etc.
>
> I think everyone would like if clamav could do this automatically for select
> archive types. And I think the advantage would be that we would perhaps keep
> the extracted files in memory, or else at least delete the temp files as we
> go without extracting all of it to disk before starting to scan.
>
> However, it would be far easier to make a shell script or a python script
> that wraps clamscan/clamdscan and uses native tools like "tar", "unzip", etc.
>
> Regards,
> Micah
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.

_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide: https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
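The wrapper script Micah sketches above (extract an over-limit tar.gz or zip with native tools, then hand the members to clamscan/clamdscan), written out as an added example. This is not code from the thread or from the ClamAV project; the 2 GiB threshold mirrors the limit the thread mentions, the `SIZE_LIMIT`/`SCANNER` variable names and the refusal to run as root (Paul's point above) are the example's own choices, and it assumes `clamscan`, `tar` and `unzip` are on PATH. Files under the limit go straight to the scanner unchanged; only oversized archives are extracted, into a temporary directory that is removed again as soon as the scan of that archive finishes.

```shell
#!/bin/sh
# Added example, not part of the clamav-users thread or of ClamAV itself.
# Wraps clamscan/clamdscan: files within the size limit are scanned as-is;
# oversized tar/tar.gz/zip archives are extracted with native tools and the
# extracted members are scanned instead of the outer archive.

: "${SIZE_LIMIT:=2147483648}"   # 2 GiB, the internal limit named in the thread
: "${SCANNER:=clamscan}"        # e.g. SCANNER=clamdscan to use the daemon

# Portable byte count (avoids the GNU/BSD `stat` flag difference).
file_size() { wc -c < "$1" | tr -d ' '; }

# Returns one of: scan (hand to scanner directly), tar, targz, zip, skip.
classify() {
  f=$1
  if [ "$(file_size "$f")" -le "$SIZE_LIMIT" ]; then
    echo scan
    return 0
  fi
  case "$f" in
    *.tar.gz|*.tgz) echo targz ;;
    *.tar)          echo tar ;;
    *.zip)          echo zip ;;
    *)              echo skip ;;
  esac
}

# Extraction with the native tool for each kind, always into a fresh directory.
extract() {
  case "$1" in
    tar)   tar -xf "$2" -C "$3" ;;
    targz) tar -xzf "$2" -C "$3" ;;
    zip)   unzip -q "$2" -d "$3" ;;
  esac
}

# Recursive scan of a file or directory; the scanner handles nested archives
# that are within its own limits.
scan_path() { "$SCANNER" -r --infected "$1"; }

# Scan one path, extracting first when it is an over-limit archive.
# Exit status: the scanner's (0 clean, 1 infected), or 2 for unhandled input.
scan_file() {
  f=$1
  kind=$(classify "$f")
  case "$kind" in
    scan) scan_path "$f" ;;
    skip)
      echo "SKIP: $f exceeds $SIZE_LIMIT bytes and is not a handled archive type" >&2
      return 2 ;;
    *)
      tmp=$(mktemp -d)
      trap 'rm -rf "$tmp"' EXIT INT TERM   # no leftover extracted data on abort
      extract "$kind" "$f" "$tmp"
      if scan_path "$tmp"; then rc=0; else rc=$?; fi
      rm -rf "$tmp"                        # delete the temp files as we go
      trap - EXIT INT TERM
      return "$rc" ;;
  esac
}

main() {
  # The extraction tools and the scanner both parse attacker-controlled input;
  # run them as an unprivileged user, never as root.
  if [ "$(id -u)" -eq 0 ]; then
    echo "refusing to run as root" >&2
    exit 1
  fi
  worst=0
  for path in "$@"; do
    scan_file "$path" || worst=$?
  done
  exit "$worst"
}

if [ $# -gt 0 ]; then
  main "$@"
else
  echo "usage: $0 FILE..." >&2
fi
```

Usage: `SCANNER=clamdscan ./scanwrap.sh /srv/uploads/*.tar.gz` scans small files directly and extracts only the oversized archives. Note that the extraction step is exactly the extra attack surface Paul describes: `tar` and `unzip` are parsing untrusted input, so the script refuses to run as root and keeps extracted data in a throwaway directory that is cleaned up on exit or interruption.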