Thanks Laurent,

The results say: "Infected files: 1". Therefore our automated systems cannot differentiate between this file being infected and not. And if the AV scanner has stopped scanning before everything was scanned, it MAY be infected and I cannot allow the file in.

If it went above a limit, which limit do I need to increase to make it scan? There is only one extra level of zip nesting and none of the files are large. So I can presumably increase one of those limits by "1" to count for the extra level of nesting, perhaps. But I increased the limits related to recursion massively and it still fails. All of those limits are far, far bigger than the content (mostly 2GB and hundreds of thousands of files). And content that it CAN scan when extracted, so clearly there is nothing there that is beyond a limit. I do not want files beyond a limit to remain unscanned, I want them all to be scanned. And I can achieve that manually by extracting the .zip. But it fails to scan when the zip is still compressed. It is not feasible to have an automated AV system uncompress every zip file it finds outside of the scan solution and feed in all found zip files as exclusions from the scan.

So I ask again, why does it hit a limit when in a .zip file but not when the zip is expanded, when all the limits are clearly much higher than anything it will encounter?

Max

On Fri, 1 Oct 2021 at 18:06, Laurent S. via clamav-users <[email protected]> wrote:
>
> Dear Max Allan,
>
> Heuristics.Limits.Exceeded doesn't mean the file is infected, but it's
> only a warning telling you that something went above the limits you set.
> It gives the warning this way because of --alert-exceeds-max=yes
>
> ClamAV managed to go search into those files in each case as you can see
> from the scan summaries. It will count the zip as a single file.
>
> I would recommend against copy-pasting all those parameters without
> having given proper thought into what you are doing.
>
> Best regards,
> Laurent
>
> On 01.10.21 18:09, Max Allan via clamav-users wrote:
> > Hi,
> > I have a requirement (from the business) to AV scan all docker
> > containers we create.
> > I started experimenting with tomcat:latest, which is handy because you
> > can follow along at home easily!
> > Someone else has already recommended a scan command:
> >
> > clamscan <file> \
> >   --infected \
> >   --recursive=yes \
> >   --alert-exceeds-max=yes \
> >   --max-recursion=2000000 \
> >   --max-dir-recursion=2000000 \
> >   --max-files=2000000 \
> >   --max-filesize=2000M \
> >   --max-scansize=2000M \
> >   --max-embeddedpe=2000M \
> >   --max-htmlnormalize=2000M \
> >   --max-htmlnotags=2000M \
> >   --max-scriptnormalize=2000M \
> >   --max-ziptypercg=2000M \
> >   --max-partitions=2000000 \
> >   --max-iconspe=2000000 \
> >   --max-rechwp3=2000000 \
> >   --pcre-match-limit=2000000 \
> >   --pcre-recmatch-limit=2000000 \
> >   --pcre-max-filesize=2000M -a
> >
> > So, if you run the tomcat:latest container, apt update, apt install
> > clamav, freshclam and run that scan command against
> > /usr/local/openjdk-11/lib/src.zip you will probably get a failure:
> >
> > /usr/local/openjdk-11/lib/src.zip: Heuristics.Limits.Exceeded FOUND
> > /usr/local/openjdk-11/lib/src.zip!(0)ZIP:jdk.zipfs/jdk/nio/zipfs/ZipInfo.java: Heuristics.Limits.Exceeded FOUND
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 8570214
> > Engine version: 0.103.3
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 290.07 MB
> > Data read: 55.52 MB (ratio 5.22:1)
> > Time: 260.438 sec (4 m 20 s)
> > Start Date: 2021:10:01 13:39:47
> > End Date:   2021:10:01 13:44:07
> >
> > However, if I extract that zip file to /src and then run clamscan on
> > /src then it passes without a problem:
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 8570214
> > Engine version: 0.103.3
> > Scanned directories: 2076
> > Scanned files: 18415
> > Infected files: 0
> > Data scanned: 333.04 MB
> > Data read: 170.92 MB (ratio 1.95:1)
> > Time: 320.573 sec (5 m 20 s)
> > Start Date: 2021:10:01 13:23:39
> > End Date:   2021:10:01 13:29:00
> >
> > (There are indeed 18415 files in that .zip according to unzip -l)
> >
> > Or even scan the single file:
> >
> > clamscan ZipInfo.java --infected --recursive=yes
> >   --alert-exceeds-max=yes --max-recursion=2000000
> >   --max-dir-recursion=2000000 --max-files=2000000
> >   --max-filesize=2000M --max-scansize=2000M --max-embeddedpe=2000M
> >   --max-htmlnormalize=2000M --max-htmlnotags=2000M
> >   --max-scriptnormalize=2000M --max-ziptypercg=2000M
> >   --max-partitions=2000000 --max-iconspe=2000000
> >   --max-rechwp3=2000000 --pcre-match-limit=2000000
> >   --pcre-recmatch-limit=2000000 --pcre-max-filesize=2000M -a
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 8570214
> > Engine version: 0.103.3
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 0
> > Data scanned: 0.01 MB
> > Data read: 0.01 MB (ratio 1.50:1)
> > Time: 68.326 sec (1 m 8 s)
> > Start Date: 2021:10:01 16:03:14
> > End Date:   2021:10:01 16:04:22
> >
> > Clearly the content of src.zip (ZipInfo.java) IS scannable when
> > extracted, but for some reason not scannable when it is in a zip
> > file... Is this a bug? Or am I specifying some options that are
> > causing it??
> >
> > (clamscan -V
> > ClamAV 0.103.3/26309/Fri Oct  1 09:03:53 2021)
> >
> > _______________________________________________
> > clamav-users mailing list
> > [email protected]
> > https://lists.clamav.net/mailman/listinfo/clamav-users
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
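The disagreement in the thread comes down to one fact: with --alert-exceeds-max=yes, clamscan reports a limit overrun as a "Heuristics.Limits.Exceeded FOUND" line and counts it as an infected file, so the summary and the exit code (0 nothing found, 1 something FOUND, 2 error) look exactly like a signature hit. The POSIX shell script below is an added example, not code from this thread or from the ClamAV project. It parses a clamscan report and separates limit overruns from signature detections so an automated gate can treat "incomplete scan" differently from "malware found". The classify_clamscan_output and scan_path functions, and the three sample reports, are constructed for illustration; the first sample reproduces the src.zip result from the thread with its wrapped FOUND line restored to a single line, the other two (including the Eicar-Test-Signature hit) are made up for contrast.

```shell
#!/bin/sh
# Added example (not from the thread or from ClamAV): tell a ClamAV limit
# overrun apart from a real signature hit in an automated scan gate.
#
# clamscan prints one "<path>: <detection name> FOUND" line per hit and
# exits 0 (nothing found), 1 (something FOUND) or 2 (error). With
# --alert-exceeds-max=yes a limit overrun is reported as
# "Heuristics.Limits.Exceeded FOUND" and counted as an infected file, so
# neither the exit code nor "Infected files: N" can distinguish the two.

# Read a clamscan report on stdin and print one verdict:
#   clean        no FOUND lines at all
#   limits-only  every FOUND line is Heuristics.Limits.Exceeded
#   infected     at least one FOUND line names a real detection
classify_clamscan_output() {
    hits=$(grep ' FOUND$' || true)
    if [ -z "$hits" ]; then
        echo clean
        return 0
    fi
    real=$(printf '%s\n' "$hits" | grep -vF 'Heuristics.Limits.Exceeded FOUND' || true)
    if [ -n "$real" ]; then
        echo infected
    else
        echo limits-only
    fi
}

# Hypothetical wrapper for one path. It is defined but not called below, so
# the script runs without ClamAV installed. Only the options the thread
# relies on are passed; add the --max-* limits you have actually decided on.
scan_path() {
    out=$(clamscan --infected --recursive=yes --alert-exceeds-max=yes "$1" 2>/dev/null) && rc=0 || rc=$?
    case $rc in
        0) echo clean ;;
        1) printf '%s\n' "$out" | classify_clamscan_output ;;
        *) echo error ;;
    esac
}

# Constructed sample reports (summary lines shortened).
# The src.zip case from the thread: both FOUND lines are limit overruns.
SAMPLE_LIMITS_ONLY='/usr/local/openjdk-11/lib/src.zip: Heuristics.Limits.Exceeded FOUND
/usr/local/openjdk-11/lib/src.zip!(0)ZIP:jdk.zipfs/jdk/nio/zipfs/ZipInfo.java: Heuristics.Limits.Exceeded FOUND
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 1'

# Nothing found (the extracted /src case).
SAMPLE_CLEAN='----------- SCAN SUMMARY -----------
Scanned files: 18415
Infected files: 0'

# A limit overrun plus a genuine signature hit inside the same archive.
SAMPLE_INFECTED='/tmp/build/app.zip: Heuristics.Limits.Exceeded FOUND
/tmp/build/app.zip!(0)ZIP:lib/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 1'

for report in "$SAMPLE_LIMITS_ONLY" "$SAMPLE_CLEAN" "$SAMPLE_INFECTED"; do
    printf '%s\n' "$report" | classify_clamscan_output
done
```

A limits-only verdict still means ClamAV stopped short of scanning everything, so a strict gate should treat it as "incomplete", not "clean". The report does not say which --max-* option was hit, so the follow-up is to adjust the candidate limits one at a time and rescan rather than to raise all of them at once.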
