> Found in man 5 clamd.conf:
>
> ArchiveBlockMax
> Mark archives as viruses (e.g RAR.ExceededFileSize,
> Zip.ExceededFilesLimit) if ArchiveMaxFiles, ArchiveMaxFileSize,
> or ArchiveMaxRecursion limit is reached.
> Default: disabled
>
> It was enabled as the default in the Debian packages when the new
> option was introduced (but only for upgrade from a version before it was
> introduced), but removing or commenting the option should be respected
> across upgrade. If it is not, please file a bug report about that.
I think that the 'ArchiveBlockMax' default setting is not 'disabled' by default. The documentation may say that is so, but I think this is an incorrect statement. 'ArchiveBlockMax' is not set, nor specified in my /etc/clamav/clamd.conf, but when I do a clamscan, the code indicates that these Doom 3 zip files are nevertheless 'oversize.zip' infected. Even if I set 'ArchiveBlockMax 0' or 'ArchiveBlockMax disabled' in the conf file, clamscan still indicates the zip files are 'oversize.zip' infected.

Something else curious is that I scanned a 337MB 'oversize.zip' file, and when clamscan finished, it said that it scanned a total of 13.48MB. For the 398MB file, 16.27MB were scanned, and for the 277MB file, 13.67MB were scanned. Is there an overflow occurring on your file size integer? Or has clamav mistakenly detected an archive bomb by reading only part of the file?

Stephen, can you point out the archive bomb detection code (files and line numbers)? I would like to look at it to see if there is a better way to accomplish the goal.

Regards,
Mike Gilbert