Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: ClamAV: users

MaxScanSize and MaxFileSize

  

 
ClamAV users RSS feed   Index | Next | Previous | View Threaded


mrogers at limewire

Jul 27, 2009, 11:19 AM

Post #1 of 4 (953 views)
Permalink
MaxScanSize and MaxFileSize
The clamd.conf manpage gives dire warnings about "severe damage to the
system" if MaxScanSize and MaxFileSize are disabled or set too high.
Could anyone please give me a bit more information about what kind of
damage might be involved, and how to choose safe non-default values for
these settings?

Thanks,
Michael
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


edwintorok at gmail

Jul 27, 2009, 12:01 PM

Post #2 of 4 (878 views)
Permalink
Re: MaxScanSize and MaxFileSize [In reply to]
On 2009-07-27 21:19, Michael Rogers wrote:
> The clamd.conf manpage gives dire warnings about "severe damage to the
> system" if MaxScanSize and MaxFileSize are disabled or set too high.
>

Here are some scenarios:

The partition that has $TMPDIR might get filled if limits are disabled,
preventing further files from being scanned,
and preventing the operation of any program that needs space on $TMPDIR.

Scanning a file without limits is not guaranteed to finish in a
reasonable amount of time, so you could exhaust the scanning threads one
by one
in clamd, until all further scans to timeout/refuse connection because
all threads are busy scanning something that will never finish scanning,
or will finish after a very long time. Think of scanning a small file
that unpacks to a thousand files, each being a few gigabytes, and each
unpacking
to even more files, otherwise known as a zip-bomb, rar-bomb, ... That
sort of file can easily fill all the space on any disk.
You are somewhat protected from this if you leave the MaxFiles setting
unchanged, but not completely.


Clamd might exhaust physical memory, causing the kernel's OOM killer to
trigger if you have overcommit enabled (default),
which will kill clamd (or some other unrelated process) to free up memory.

If you have swap space configured, then due to the increased memory
usage, the system might start swapping,
and if your swap space is excessively large, it can slow everything down
before memory is exhausted.


Its not different from allowing any other program unconstrained amount
of resources.
Try writing a program that does malloc in a loop, or opens a file and
writes to it in an infinite loop.

To sum up, it is not recommended to turn off limits in a production
environment.

> Could anyone please give me a bit more information about what kind of
> damage might be involved, and how to choose safe non-default values for
> these settings?
>

You should have enough space to scan MaxThreads * MaxFileSize *
MaxRecursion files, and enough processing power to process
MaxScanSize*MaxFiles bytes in a reasonable amount of time, in a worst
case scenario.

Best regards,
--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


mrogers at limewire

Jul 27, 2009, 1:00 PM

Post #3 of 4 (879 views)
Permalink
Re: MaxScanSize and MaxFileSize [In reply to]
Török Edwin wrote:
> Its not different from allowing any other program unconstrained amount
> of resources.
> Try writing a program that does malloc in a loop, or opens a file and
> writes to it in an infinite loop.
>
> To sum up, it is not recommended to turn off limits in a production
> environment.

Edwin,

Thanks for the explanation - I'll leave the settings at their defaults.
It would be nice to be able to warn the user when a file hasn't been
fully scanned, though - is there a way to distinguish between clean
files and files that weren't fully scanned?

Thanks,
Michael
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


edwintorok at gmail

Jul 27, 2009, 1:10 PM

Post #4 of 4 (889 views)
Permalink
Re: MaxScanSize and MaxFileSize [In reply to]
On 2009-07-27 23:00, Michael Rogers wrote:
> Török Edwin wrote:
>
>> Its not different from allowing any other program unconstrained amount
>> of resources.
>> Try writing a program that does malloc in a loop, or opens a file and
>> writes to it in an infinite loop.
>>
>> To sum up, it is not recommended to turn off limits in a production
>> environment.
>>
>
> Edwin,
>
> Thanks for the explanation - I'll leave the settings at their defaults.
> It would be nice to be able to warn the user when a file hasn't been
> fully scanned, though - is there a way to distinguish between clean
> files and files that weren't fully scanned?
>

No, that was the old Oversized.Zip, that is no longer supported. Nobody
objected to dropping that feature.

Best regards,
--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

ClamAV users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.