This one time, at band camp, Michael Gilbert said:
> > Found in man 5 clamd.conf:
> >
> >   ArchiveBlockMax
> >     Mark archives as viruses (e.g RAR.ExceededFileSize,
> >     Zip.ExceededFilesLimit) if ArchiveMaxFiles, ArchiveMaxFileSize,
> >     or ArchiveMaxRecursion limit is reached.
> >     Default: disabled
> >
> > It was enabled as the default in the Debian packages when the new
> > option was introduced (but only for upgrade from a version before it was
> > introduced), but removing or commenting the option should be respected
> > across upgrade. If it is not, please file a bug report about that.
>
> i think that the 'ArchiveBlockMax' default setting is not 'disabled'
> by default. the documentation may say that is so, but i think this is
> an incorrect statement.
>
> 'ArchiveBlockMax' is not set, nor specified in my
> /etc/clamav/clamd.conf, but when I do a clamscan, the code indicates
> that these doom 3 zip files are nevertheless 'oversize.zip' infected.

clamscan does not read clamd.conf. If you are getting Oversized.Zip
with clamscan, you'll need to use the appropriate switch to clamscan.
Run it once with --debug, and you'll see what the compression ratio, the
file size, etc. are. Adjust your command line arguments accordingly.

> Stephen, can you point out the archivebomb detection code (files and
> line numbers). I would like to look at it to see if there is a better
> way to accomplish the goal.

libclamav/scanners.c 219-250 & 445-492.

-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                       [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------