[SOLVED] scanning larger files using "clamscan"

Rosika · 07-07-2017, 09:34 AM

Hi altogether,

I want to scan larger files with "clamscan". I don´t know how big a file can be in order to be scanned.
Anyway I´ve learned that I cannot scan let´s say a 60MB-file directly.

E.g.:

Code:

clamscan /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3

yields amongst other info:

Quote:

Data scanned: 0.00 MB

The man pages say:

Quote:

−−max−filesize=#n: Extract and scan at most #n bytes from each archive

.
So this probably means that I have to pack my .mp3-file into an archive before being able to scan it.
I tested that by packing three .mp3-files (radio plays) into an archive and then scanning it:

Code:

clamscan --max-filesize=300M --max-scansize=300M /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes.tar.bz2

And that really worked.
Info:

Quote:

Data scanned: 180.76 MB

.

Well, my question is: Do I always have to pack larger files before being able to scan them? Is there really no direct way of doing this?
And what´s the limit in MB?

Thanks a lot in advance.

Greetings.
Rosika

hydrurga · 07-07-2017, 10:15 AM

Despite the wording of the man entry regarding "archive", did you try the --max-filesize / --max-scansize options on the file itself without putting it into an archive?

Rosika · 07-07-2017, 10:25 AM

Hi hydrurga,

yes I did. Here´s the result:

Code:

----------- SCAN SUMMARY -----------
Known viruses: 6299803
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 61.81 MB (ratio 0.00:1)
Time: 23.704 sec (0 m 23 s)

So it didn´t scan the mp3-file directly. Such a shame.

scasey · 07-07-2017, 10:32 AM

Maximum file sizes for various types are set in /etc/clamd.conf Here are the defaults:

Code:

#MaxScanSize 150M
#MaxFileSize 30M
#MaxRecursion 10
#MaxFiles 15000
#MaxEmbeddedPE 10M
#MaxHTMLNormalize 10M
#MaxHTMLNoTags 2M
#MaxScriptNormalize 5M
#MaxZipTypeRcg 1M

They can be changed there. Pay close attention to the preceding comments about each of them.

Or they can be overridden at the command line, but I think the man page reference is a bit misleading, the comments in clamd.conf for MaxFileSize don't also imply the file has to be an archive:

Code:

# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.

So you should be able to use the command line override without first "packing" them...but maybe not

What values for the CLI overrides did you use when you followed hydrurga's suggestion? Please show us the command as executed as well as the result.

Edit: clamd.conf has no effect on clamscan. My Bad. man clamscan show the defaults and maximums for each option:

Code:

       --max-filesize=#n
              Extract and scan at most #n bytes from each archive. You may pass the value in kilobytes in format xK or xk, or megabytes in format xM or xm, where x is a number. This option protects your system
              against DoS attacks (default: 25 MB, max: <4 GB)

       --max-scansize=#n
              Extract  and scan at most #n bytes from each archive. The size the archive plus the sum of the sizes of all files within archive count toward the scan size. For example, a 1M uncompressed archive
              containing a single 1M inner file counts as 2M toward max-scansize. You may pass the value in kilobytes in format xK or xk, or megabytes in format xM or xm, where x is a number. This option  pro-
              tects your system against DoS attacks (default: 100 MB, max: <4 GB)

hydrurga · 07-07-2017, 10:37 AM

It looks as if clamscan is reading the mp3 fine, but has decided not to scan it, perhaps because it or mp3's in general are excluded or on a whitelist.

A quick web search provides a couple of hints that mp3s may not be scanned by clamscan, but I can't find anything conclusive yet.

hydrurga · 07-07-2017, 10:39 AM

Quote:

Originally Posted by scasey

Maximum file sizes for various types are set in /etc/clamd.conf

As far as I know, clamd.conf is only used as a configuration file for the clamd daemon, and doesn't affect clamscan.

Rosika · 07-07-2017, 10:46 AM

Hi altogether,

my original command was

Code:

clamscan --max-filesize=300M --max-scansize=300M wdr3hoerspiel_2016-12-21_sherlockholmesunddasgeheimnisdesweissenbandesteil1_wdr3.mp3

The filesize is 61,8 MB.

Well, it didn´t occur to me that the mp3-file might be excluded from scanning due to its very nature. That could be one clue.

scasey · 07-07-2017, 10:54 AM

Quote:

Originally Posted by hydrurga

It looks as if clamscan is reading the mp3 fine, but has decided not to scan it, perhaps because it or mp3's in general are excluded or on a whitelist.

A quick web search provides a couple of hints that mp3s may not be scanned by clamscan, but I can't find anything conclusive yet.

Me either, except for a couple of references that mp3 files are non-executable. I agree, not conclusive. File types can be excluded on the command line, but the OP isn't doing that.

scasey · 07-07-2017, 10:55 AM

Quote:

Originally Posted by hydrurga

As far as I know, clamd.conf is only used as a configuration file for the clamd daemon, and doesn't affect clamscan.

Yup. My Bad. My post edited.

Rosika · 07-07-2017, 11:10 AM

O.K., at least for now there seems nothing can be done to scan the respective file directly.
At first I thought that it was due to its larger size. But the mp3-nature could also be the reason. I have to admit I haven´t thought of that possibility.

Well at least the workaround of packing it first works.

By the way, a tar.bz2-file can be scanned and a zip-file as well.

Thanks a lot anyway.
Rosika

hydrurga · 07-07-2017, 11:22 AM

I'm not sure that the workaround does work, Rosika. The "scanning" in that case could refer to the unpacking of the archive.

To test the "clamscan doesn't scan mp3's" theory, why don't you try scanning a large executable or other file (of at least the size of the mp3)?

Rosika · 07-07-2017, 11:47 AM

Hi hydrurga,

o.k., new theory to be tested....

And there..... you´re right:
I tested a .flv-file (64 MB).
First:

Code:

clamscan BBC_Radio_4_Drama_James_Bond_Thunderball.flv 
BBC_Radio_4_Drama_James_Bond_Thunderball.flv: OK

----------- SCAN SUMMARY -----------
Known viruses: 6299803
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 64.04 MB (ratio 0.00:1)
Time: 9.804 sec (0 m 9 s)

Didn´t work.

Then:

Code:

clamscan --max-filesize=1000M --max-scansize=1000M BBC_Radio_4_Drama_James_Bond_Thunderball.flv 
BBC_Radio_4_Drama_James_Bond_Thunderball.flv: OK

----------- SCAN SUMMARY -----------
Known viruses: 6299803
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 129.27 MB
Data read: 64.04 MB (ratio 2.02:1)
Time: 17.926 sec (0 m 17 s)

This time it worked perfectly. (Though it´s a bit odd that more data is scanned than read).

So it seems to be a matter of mp.3.
Tnx.
Rosika

hydrurga · 07-07-2017, 01:24 PM

Thanks for testing that, Rosika.

So, it appears, in this case anyway, although it may well also be the general case, that clamscan doesn't check mp3's and that, although the man page refers to "archives", --max-filesize and/or --max-scansize don't apply only to archives.

FLV files contain compressed data - that's perhaps the reason that more data was scanned than was read, although I have no idea to be honest. It is interesting though.

AwesomeMachine · 07-07-2017, 05:57 PM

You can try:

Code:

$ dd if=./file | clamscan -

Rosika · 07-08-2017, 10:08 AM

@ hydrurga,

thanks for the additional info regarding FLV-files.

@ AwesomeMachine:

thanks for the tip.
Yet I don´t understand completely (as I´m a newbie to linux, more or less).

As far as I know dd is a command for bitwise copying.
if = input file.

But what about the dot in front of the slash?
And what about the hyphen after "clamscan"? What does that do?

I was tempted to type

Code:

dd if=/home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3 | clamscan -

but I´m not sure whether that´s correct.