
Mailing List Archive: ClamAV: users

Oversized zips with clamscan

 

 



dean.plant at roke

Aug 12, 2004, 7:58 AM

Post #1 of 8 (3747 views)
Permalink
Oversized zips with clamscan

I need to increase the ArchiveMaxCompressionRatio in clamscan as I have had
a few zips being incorrectly identified as oversized zips.

I first increased the ArchiveMaxCompressionRatio in clamav.conf but the zip
file was still incorrectly identified. From reading the changelog it looks
like the ArchiveMaxCompressionRatio in clamav.conf is only applicable
to clamd and not clamscan. Is this assumption correct? If this is correct,
how do I increase the ratio in clamscan?

Thanks

Dean Plant



--

Visit our website at www.roke.co.uk

Roke Manor Research Ltd, Roke Manor, Romsey, Hampshire SO51 0ZN, UK.

The information contained in this e-mail and any attachments is confidential to
Roke Manor Research Ltd and must not be passed to any third party without
permission. This communication is for information only and shall not create or
change any contractual relationship.



-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Clamav-users mailing list
Clamav-users [at] lists
https://lists.sourceforge.net/lists/listinfo/clamav-users


trog at uncon

Aug 12, 2004, 8:10 AM

Post #2 of 8 (3651 views)
Permalink
Re: Oversized zips with clamscan [In reply to]

On Thu, 2004-08-12 at 15:58, Plant, Dean wrote:
> I need to increase the ArchiveMaxCompressionRatio in clamscan as I have had
> a few zips being incorrectly identified as oversized zips.
>
> I first increased the ArchiveMaxCompressionRatio in clamav.conf but the zip
> file was still incorrectly identified. From reading the changelog it looks
> like that the ArchiveMaxCompressionRatio in clamav.conf is only applicable
> to clamd and not clamscan, is this assumption correct? If this is correct
> how do I increase the ratio in clamscan.

Reading the documentation would probably be a good way of finding out.
Don't you think? Do you?

--max-ratio=#n
Set maximum archive compression ratio limit. This option protects
your system against DoS attacks (default: 200).


-trog


tkojm at clamav

Aug 12, 2004, 8:16 AM

Post #3 of 8 (3620 views)
Permalink
Re: Oversized zips with clamscan [In reply to]

On Thu, 12 Aug 2004 15:58:30 +0100
"Plant, Dean" <dean.plant [at] roke> wrote:

> I need to increase the ArchiveMaxCompressionRatio in clamscan as I
> have had a few zips being incorrectly identified as oversized zips.
>
> I first increased the ArchiveMaxCompressionRatio in clamav.conf but
> the zip file was still incorrectly identified. From reading the
> changelog it looks like that the ArchiveMaxCompressionRatio in
> clamav.conf is only applicable to clamd and not clamscan, is this
> assumption correct? If this is correct how do I increase the ratio in
> clamscan.

Please use the --max-ratio option of clamscan (unfortunately it's not
listed in --help in stable versions).

--
oo ..... Tomasz Kojm <tkojm [at] clamav>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Thu Aug 12 17:15:50 CEST 2004


dean.plant at roke

Aug 12, 2004, 8:56 AM

Post #4 of 8 (3644 views)
Permalink
RE: Oversized zips with clamscan [In reply to]

Tomasz Kojm wrote:
> On Thu, 12 Aug 2004 15:58:30 +0100
> "Plant, Dean" <dean.plant [at] roke> wrote:
>
>> I need to increase the ArchiveMaxCompressionRatio in clamscan as I
>> have had a few zips being incorrectly identified as oversized zips.
>>
>> I first increased the ArchiveMaxCompressionRatio in clamav.conf but
>> the zip file was still incorrectly identified. From reading the
>> changelog it looks like that the ArchiveMaxCompressionRatio in
>> clamav.conf is only applicable to clamd and not clamscan, is this
>> assumption correct? If this is correct how do I increase the ratio in
>> clamscan.
>
> Please use the --max-ratio option of clamscan (unfortunately it's not
> listed in --help in stable versions).

Is there a variable to change the ratio at build time so I don't need to
pass the --max-ratio option?

Dean



cewatts at brainstorminternet

Aug 12, 2004, 9:06 AM

Post #5 of 8 (3678 views)
Permalink
Re: Oversized zips with clamscan [In reply to]

On Thu, 12 Aug 2004, Tomasz Kojm wrote:
> On Thu, 12 Aug 2004 <dean.plant [at] roke> wrote:
> > I need to increase the ArchiveMaxCompressionRatio in clamscan as I
> > have had a few zips being incorrectly identified as oversized zips.
> >
> > I first increased the ArchiveMaxCompressionRatio in clamav.conf but
> > the zip file was still incorrectly identified. From reading the
> > changelog it looks like that the ArchiveMaxCompressionRatio in
> > clamav.conf is only applicable to clamd and not clamscan, is this
> > assumption correct? If this is correct how do I increase the ratio in
> > clamscan.
>
> Please use the --max-ratio option of clamscan (unfortunately it's not
> listed in --help in stable versions).

I submitted a report yesterday about what looks like a bug in the
calculation of max-ratio. Doesn't seem to happen on all files, but I have
one that triggers it.

Info about my file:
blowfish# du -h 0704mm.zip unzipped/
152K 0704mm.zip
1.7M unzipped/

So a --max-ratio of 12 should be sufficient (right?), but isn't. Even a
--max-ratio of 93 isn't sufficient. The file isn't scanned correctly until
--max-ratio is 94 or above.

Testing with files I've *generated* that are compressible to certain
ratios, clam appears to Do The Right Thing. Perhaps my file, and Dean's
files, are broken in some interesting way?

#clamscan -V
clamscan / ClamAV version devel-20040811

blowfish# clamscan --max-ratio 12 0704mm.zip
0704mm.zip: Oversized.Zip FOUND

blowfish# clamscan --max-ratio 13 0704mm.zip
0704mm.zip: Oversized.Zip FOUND

blowfish# clamscan --max-ratio 93 0704mm.zip
0704mm.zip: Oversized.Zip FOUND

blowfish# clamscan --max-ratio 94 0704mm.zip
0704mm.zip: OK

I reported yesterday that this file was scanned correctly by 0.75.1, but I
think I was mistaken:

blowfish# clamscan -V
clamscan / ClamAV version 0.75.1

blowfish# clamscan --max-ratio 93 0704mm.zip
0704mm.zip: Oversized.Zip FOUND

blowfish# clamscan --max-ratio 94 0704mm.zip
0704mm.zip: OK

Perhaps I just misunderstand what argument --max-ratio expects?

--
Charlie Watts
Brainstorm Internet
970 247-1442 x113
cewatts [at] brainstorminternet
http://www.brainstorminternet.net/




cewatts at brainstorminternet

Aug 12, 2004, 9:11 AM

Post #6 of 8 (3913 views)
Permalink
Re: Oversized zips with clamscan [In reply to]

On Thu, 12 Aug 2004, Charlie Watts wrote:

> On Thu, 12 Aug 2004, Tomasz Kojm wrote:
> > On Thu, 12 Aug 2004 <dean.plant [at] roke> wrote:
> > > I need to increase the ArchiveMaxCompressionRatio in clamscan as I
> > > have had a few zips being incorrectly identified as oversized zips.
> > >
> > > I first increased the ArchiveMaxCompressionRatio in clamav.conf but
> > > the zip file was still incorrectly identified. From reading the
> > > changelog it looks like that the ArchiveMaxCompressionRatio in
> > > clamav.conf is only applicable to clamd and not clamscan, is this
> > > assumption correct? If this is correct how do I increase the ratio in
> > > clamscan.
> >
> > Please use the --max-ratio option of clamscan (unfortunately it's not
> > listed in --help in stable versions).
>
> I submitted a report yesterday about what looks like a bug in the
> calculation of max-ratio. Doesn't seem to happen on all files, but I have
> one that triggers it.

Tomasz just suggested I may have a problem in my setup. I'm going to
test more here first - disregard me for now.

--
Charlie Watts
Brainstorm Internet
970 247-1442 x113
cewatts [at] brainstorminternet
http://www.brainstorminternet.net/




tkojm at clamav

Aug 12, 2004, 9:27 AM

Post #7 of 8 (3710 views)
Permalink
Re: Oversized zips with clamscan [In reply to]

On Thu, 12 Aug 2004 10:06:40 -0600 (MDT)
Charlie Watts <cewatts [at] brainstorminternet> wrote:

> So a --max-ratio of 12 should be sufficient (right?), but isn't. Even
> a --max-ratio of 93 isn't sufficient. The file isn't scanned correctly
> until --max-ratio is 94 or above.

I see nothing strange in that, so what's the point ? The limit is
calculated on a per file basis and some files in the archive have big
compression ratios, e.g.

LibClamAV debug: Zip -> ACTINFO.MB, compressed: 44, normal: 4096, ratio: 91 (max: 200)

clamscan with its default max-ratio value of 200 doesn't mark it as
oversized archive.

--
oo ..... Tomasz Kojm <tkojm [at] clamav>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Thu Aug 12 18:20:19 CEST 2004
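
The per-file versus per-archive distinction explained in the reply above, as an added example that is not part of the original thread and is not ClamAV's code. It reads each member's sizes from a zip and compares the worst per-member ratio with the whole-archive figure that a du comparison gives. Assumptions: the ratio is integer division of uncompressed by compressed size, a member is flagged when its ratio reaches the limit, and the sample archive and its file names are constructed.

```python
import io
import random
import zipfile

def member_ratios(zip_bytes):
    """Per-member (name, compressed, uncompressed, ratio) from the central directory."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Assumed formula: integer division; empty members count as ratio 0.
            ratio = info.file_size // info.compress_size if info.compress_size else 0
            rows.append((info.filename, info.compress_size, info.file_size, ratio))
    return rows

def archive_ratio(zip_bytes):
    """Whole-archive ratio, the figure a du comparison of zip vs. unzipped tree gives."""
    rows = member_ratios(zip_bytes)
    compressed = sum(r[1] for r in rows)
    return sum(r[2] for r in rows) // compressed if compressed else 0

def flagged(zip_bytes, limit):
    """Members that would trip the limit (assumed rule: ratio >= limit)."""
    return [name for name, _, _, ratio in member_ratios(zip_bytes) if ratio >= limit]

def min_passing_limit(zip_bytes):
    """Smallest limit at which no member is flagged."""
    return max((r[3] for r in member_ratios(zip_bytes)), default=0) + 1

def build_sample():
    """Constructed archive: one incompressible member, one small zero-filled member."""
    rng = random.Random(0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photo.bin", bytes(rng.getrandbits(8) for _ in range(60000)))
        zf.writestr("padded.db", b"\0" * 4096)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample()
    for name, csize, usize, ratio in member_ratios(sample):
        print(f"{name}: compressed={csize} normal={usize} ratio={ratio}")
    print("whole-archive ratio:", archive_ratio(sample))
    print("smallest limit that passes:", min_passing_limit(sample))
```

Running member_ratios over a real archive before raising --max-ratio shows which member drives the limit, so the value can be set just above that member instead of far higher.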


cewatts at brainstorminternet

Aug 12, 2004, 9:51 AM

Post #8 of 8 (3684 views)
Permalink
Re: Oversized zips with clamscan [In reply to]

On Thu, 12 Aug 2004, Tomasz Kojm wrote:

> I see nothing strange in that, so what's the point ? The limit is
> calculated on a per file basis and some files in the archive have big
> compression ratios, e.g.

That explains everything - per-file, rather than per-archive. Thank you
muchly. I was assuming per-archive.

> LibClamAV debug: Zip -> ACTINFO.MB, compressed: 44, normal: 4096, ratio: 91 (max: 200)
>
> clamscan with its default max-ratio value of 200 doesn't mark it as
> oversized archive.

Awesome. Thank you.

--
Charlie Watts
Brainstorm Internet
970 247-1442 x113
cewatts [at] brainstorminternet
http://www.brainstorminternet.net/


