On Mon, 6 Jan 2025, Marijus Gudiskis via clamav-users wrote:
> I would like to know the reasoning behind these limits and why they are
> relatively conservative:
> * MaxFileSize 25M
> * MaxScanSize 100M
> Do you think this limit would still be safe?:
> * MaxFileSize 500M
> * MaxScanSize 2000M
> If I understand correctly the limits are to protect against zip bombs but if
> you have a zip bomb that is 20MB it can balloon to 2GB, so we should mainly
> care about MaxScanSize?

I think these limits are as much about performance.
IIUC very little malware (if any) is stored a long way into a file,
so increasing the limit is unlikely to find any more problems,
but will slow down scanning anything large.
Note: the above doesn't apply the same way in archives like .tar or .zip
files or disk images - .iso or UDF etc. These can have malware anywhere
inside, but they are scanned *recursively*, so the limit may only
apply to the inner file.
Also there is an absolute 31-bit (so 2GB, not 4GB) limit due to the
current implementation. However some work has been done to
exempt archives and disk images from this.
There are also time limits on scanning; you may need to change these too.

> Also, is ClamAV constant memory when it comes to scanning for viruses?

Sorry, I don't know.
--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk
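
The interaction between the two limits discussed in this thread, as an added example that is not part of the original messages and is not ClamAV's code. It is a simplified model of a per-member cap and a per-scan budget applied to a recursively unpacked archive; `budget_report`, `build_sample` and the scaled-down limit values are assumptions made for illustration.

```python
import io
import zipfile

MB = 1024 * 1024


def budget_report(zip_bytes, max_file_size, max_scan_size):
    """Simplified model (an assumption, not ClamAV's implementation):
    a member larger than max_file_size is skipped outright; the others are
    charged against max_scan_size until that budget is exhausted.
    Sizes are the ones declared in the archive's own headers, which the
    archive's creator controls, so treat the result as an estimate only."""
    report = {"compressed": len(zip_bytes), "declared": 0, "scanned": 0,
              "skipped_too_large": [], "skipped_over_budget": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            report["declared"] += info.file_size
            if info.file_size > max_file_size:
                report["skipped_too_large"].append(info.filename)
            elif report["scanned"] + info.file_size > max_scan_size:
                report["skipped_over_budget"].append(info.filename)
            else:
                report["scanned"] += info.file_size
    return report


def build_sample():
    """Constructed sample: four 4 MiB members and one 16 MiB member, all
    zeros, so a few tens of KiB on disk expand to 32 MiB."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(4):
            zf.writestr(f"small{i}.bin", bytes(4 * MB))
        zf.writestr("large.bin", bytes(16 * MB))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    # Limits scaled down from the thread's 25M/100M so the sample stays small.
    for mfs, mss in [(5 * MB, 10 * MB), (20 * MB, 10 * MB), (20 * MB, 40 * MB)]:
        r = budget_report(sample, mfs, mss)
        print(f"MaxFileSize={mfs // MB}M MaxScanSize={mss // MB}M "
              f"scanned={r['scanned'] // MB}M of {r['declared'] // MB}M "
              f"too_large={r['skipped_too_large']} "
              f"over_budget={r['skipped_over_budget']}")
```

In this model, raising only the per-file cap leaves the amount of data scanned unchanged, because the total budget is what stops the expansion.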