LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 07-07-2017, 09:34 AM   #1
Rosika
Member
 
Registered: Apr 2017
Distribution: Lubuntu 64 bit
Posts: 278

Rep: Reputation: Disabled
scanning larger files using "clamscan"


Hi altogether,

I want to scan larger files with "clamscan". I don´t know how big a file can be in order to be scanned.
Anyway I´ve learned that I cannot scan let´s say a 60MB-file directly.

E.g.:
Code:
clamscan /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
yields amongst other info:
Quote:
Data scanned: 0.00 MB
The man pages say:
Quote:
−−max−filesize=#n: Extract and scan at most #n bytes from each archive
.
So this probably means that I have to pack my .mp3-file into an archive before being able to scan it.
I tested that by packing three .mp3-files (radio plays) into an archive and then scanning it:

Code:
clamscan --max-filesize=300M --max-scansize=300M /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes.tar.bz2
And that really worked.
Info:
Quote:
Data scanned: 180.76 MB
.

Well, my question is: Do I always have to pack larger files before being able to scan them? Is there really no direct way of doing this?
And what´s the limit in MB?

Thanks a lot in advance.

Greetings.
Rosika
 
Old 07-07-2017, 10:15 AM   #2
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 20 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917
Despite the wording of the man entry regarding "archive", did you try the --max-filesize / --max-scansize options on the file itself without putting it into an archive?
 
Old 07-07-2017, 10:25 AM   #3
Rosika
Member
 
Registered: Apr 2017
Distribution: Lubuntu 64 bit
Posts: 278

Original Poster
Rep: Reputation: Disabled
Hi hydrurga,

yes I did. Here´s the result:

Code:
----------- SCAN SUMMARY -----------
Known viruses: 6299803
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 61.81 MB (ratio 0.00:1)
Time: 23.704 sec (0 m 23 s)
So it didn´t scan the mp3-file directly. Such a shame.
 
Old 07-07-2017, 10:32 AM   #4
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.8.2003
Posts: 5,424

Rep: Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054
Maximum file sizes for various types are set in /etc/clamd.conf Here are the defaults:
Code:
#MaxScanSize 150M
#MaxFileSize 30M
#MaxRecursion 10
#MaxFiles 15000
#MaxEmbeddedPE 10M
#MaxHTMLNormalize 10M
#MaxHTMLNoTags 2M
#MaxScriptNormalize 5M
#MaxZipTypeRcg 1M
They can be changed there. Pay close attention to the preceding comments about each of them.

Or they can be overridden at the command line, but I think the man page reference is a bit misleading, the comments in clamd.conf for MaxFileSize don't also imply the file has to be an archive:
Code:
# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
So you should be able to use the command line override without first "packing" them...but maybe not
What values for the CLI overrides did you use when you followed hydrurga's suggestion? Please show us the command as executed as well as the result.

Edit: clamd.conf has no effect on clamscan. My Bad. man clamscan show the defaults and maximums for each option:
Code:
       --max-filesize=#n
              Extract and scan at most #n bytes from each archive. You may pass the value in kilobytes in format xK or xk, or megabytes in format xM or xm, where x is a number. This option protects your system
              against DoS attacks (default: 25 MB, max: <4 GB)

       --max-scansize=#n
              Extract  and scan at most #n bytes from each archive. The size the archive plus the sum of the sizes of all files within archive count toward the scan size. For example, a 1M uncompressed archive
              containing a single 1M inner file counts as 2M toward max-scansize. You may pass the value in kilobytes in format xK or xk, or megabytes in format xM or xm, where x is a number. This option  pro-
              tects your system against DoS attacks (default: 100 MB, max: <4 GB)

Last edited by scasey; 07-07-2017 at 10:52 AM.
 
Old 07-07-2017, 10:37 AM   #5
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 20 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917
It looks as if clamscan is reading the mp3 fine, but has decided not to scan it, perhaps because it or mp3's in general are excluded or on a whitelist.

A quick web search provides a couple of hints that mp3s may not be scanned by clamscan, but I can't find anything conclusive yet.
 
1 members found this post helpful.
Old 07-07-2017, 10:39 AM   #6
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 20 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917
Quote:
Originally Posted by scasey View Post
Maximum file sizes for various types are set in /etc/clamd.conf
As far as I know, clamd.conf is only used as a configuration file for the clamd daemon, and doesn't affect clamscan.
 
Old 07-07-2017, 10:46 AM   #7
Rosika
Member
 
Registered: Apr 2017
Distribution: Lubuntu 64 bit
Posts: 278

Original Poster
Rep: Reputation: Disabled
Hi altogether,

my original command was
Code:
clamscan --max-filesize=300M --max-scansize=300M wdr3hoerspiel_2016-12-21_sherlockholmesunddasgeheimnisdesweissenbandesteil1_wdr3.mp3
The filesize is 61,8 MB.

Well, it didn´t occur to me that the mp3-file might be excluded from scanning due to its very nature. That could be one clue.
 
Old 07-07-2017, 10:54 AM   #8
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.8.2003
Posts: 5,424

Rep: Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054
Quote:
Originally Posted by hydrurga View Post
It looks as if clamscan is reading the mp3 fine, but has decided not to scan it, perhaps because it or mp3's in general are excluded or on a whitelist.

A quick web search provides a couple of hints that mp3s may not be scanned by clamscan, but I can't find anything conclusive yet.
Me either, except for a couple of references that mp3 files are non-executable. I agree, not conclusive. File types can be excluded on the command line, but the OP isn't doing that.
 
Old 07-07-2017, 10:55 AM   #9
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.8.2003
Posts: 5,424

Rep: Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054Reputation: 2054
Quote:
Originally Posted by hydrurga View Post
As far as I know, clamd.conf is only used as a configuration file for the clamd daemon, and doesn't affect clamscan.
Yup. My Bad. My post edited.
 
Old 07-07-2017, 11:10 AM   #10
Rosika
Member
 
Registered: Apr 2017
Distribution: Lubuntu 64 bit
Posts: 278

Original Poster
Rep: Reputation: Disabled
O.K., at least for now there seems nothing can be done to scan the respective file directly.
At first I thought that it was due to its larger size. But the mp3-nature could also be the reason. I have to admit I haven´t thought of that possibility.

Well at least the workaround of packing it first works.

By the way, a tar.bz2-file can be scanned and a zip-file as well.

Thanks a lot anyway.
Rosika
 
Old 07-07-2017, 11:22 AM   #11
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 20 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917
I'm not sure that the workaround does work, Rosika. The "scanning" in that case could refer to the unpacking of the archive.

To test the "clamscan doesn't scan mp3's" theory, why don't you try scanning a large executable or other file (of at least the size of the mp3)?
 
Old 07-07-2017, 11:47 AM   #12
Rosika
Member
 
Registered: Apr 2017
Distribution: Lubuntu 64 bit
Posts: 278

Original Poster
Rep: Reputation: Disabled
Hi hydrurga,

o.k., new theory to be tested....

And there..... you´re right:
I tested a .flv-file (64 MB).
First:
Code:
clamscan BBC_Radio_4_Drama_James_Bond_Thunderball.flv 
BBC_Radio_4_Drama_James_Bond_Thunderball.flv: OK

----------- SCAN SUMMARY -----------
Known viruses: 6299803
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 64.04 MB (ratio 0.00:1)
Time: 9.804 sec (0 m 9 s)
Didn´t work.

Then:
Code:
clamscan --max-filesize=1000M --max-scansize=1000M BBC_Radio_4_Drama_James_Bond_Thunderball.flv 
BBC_Radio_4_Drama_James_Bond_Thunderball.flv: OK

----------- SCAN SUMMARY -----------
Known viruses: 6299803
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 129.27 MB
Data read: 64.04 MB (ratio 2.02:1)
Time: 17.926 sec (0 m 17 s)
This time it worked perfectly. (Though it´s a bit odd that more data is scanned than read).

So it seems to be a matter of mp.3.
Tnx.
Rosika
 
Old 07-07-2017, 01:24 PM   #13
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 20 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917
Thanks for testing that, Rosika.

So, it appears, in this case anyway, although it may well also be the general case, that clamscan doesn't check mp3's and that, although the man page refers to "archives", --max-filesize and/or --max-scansize don't apply only to archives.

FLV files contain compressed data - that's perhaps the reason that more data was scanned than was read, although I have no idea to be honest. It is interesting though.
 
Old 07-07-2017, 05:57 PM   #14
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,513

Rep: Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009
You can try:
Code:
$ dd if=./file | clamscan -
 
Old 07-08-2017, 10:08 AM   #15
Rosika
Member
 
Registered: Apr 2017
Distribution: Lubuntu 64 bit
Posts: 278

Original Poster
Rep: Reputation: Disabled
@ hydrurga,

thanks for the additional info regarding FLV-files.

@ AwesomeMachine:

thanks for the tip.
Yet I don´t understand completely (as I´m a newbie to linux, more or less).

As far as I know dd is a command for bitwise copying.
if = input file.

But what about the dot in front of the slash?
And what about the hyphen after "clamscan"? What does that do?

I was tempted to type
Code:
dd if=/home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3 | clamscan -
but I´m not sure whether that´s correct.
 
  


Reply

Tags
clamscan


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Question on "qscan" (used by "qpxtool" for scanning DVD/CD burn quality) haertig Linux - Software 1 02-10-2013 07:16 PM
ls files "larger than" a filename eulaersi Linux - General 4 11-06-2012 02:01 PM
PHP: Some problem with the exec to execute the "clamscan" jrhau520 Programming 5 06-01-2011 03:01 AM
How can I know which of my files is infected after scanning with clamscan? glore2002 Slackware 3 09-25-2008 11:03 AM
"X-MS" cant open because "x-Multimedia System" cant access files at "smb&qu ponchy5 Linux - Networking 0 03-29-2004 11:18 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 01:43 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration