Clamd max file size Solaris 10

UNIX Solaris
1

Hi,

I've compiled a 64-bit version of ClamAV 0.98.7 on my Solaris 10 SPARC server. I have a selection of files all containing the eicar signature but clamd is only picking up the signature in the files <2GB.

I have the following set in clamd.conf, to remove file size checking:

MaxScanSize 0
MaxFileSize 0

I'm scanning a 2.2GB file (containing the eicar string) with the following command:

clamdscan --stream --verbose /var/crash/bigfile

this returns:

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 375.965 sec (6 m 15 s)

A 1.4GB file (containing the eicar string) returns:

/var/crash/mediumfile: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 274.180 sec (4 m 34 s)

Other info that may be relevant:
SunOS myhost 5.10 Generic_147440-09 sun4v sparc SUNW,SPARC-Enterprise-T5120

Any help/suggestions much appreciated :slight_smile:

2

I suggest that you try:

OnAccessMaxFileSize= "4294967295"

in the clamd.conf file.

14.6 Using ClamAV (Sun Java System Messaging Server 6.3 Administration Guide)

2 Likes
3

Thanks for the suggestion. Unfortunately it still fails to pick up the signature in the larger file.
I'd also tried setting this value to "0" (No limit) but the result was the same

4

Based on this post, I did some poking in the clamav source code.

I'm not impressed.

There are way too many instances of 64-to-32 bit truncations in the code - for example, read() is assumed to return int and not the correct ssize_t.

Running Solaris Studio 12.4 lint on just the C files in source tree's libclamav directory:

bash 4.1$ lint -errchk=%all -errhdr=%user -m64 -I.. -I../clamd -I../libclamav -I../win32 a*.c [c-z]*.c 2>&1 | grep "assignment of 64-bit integer" | wc -l
    398

The blob.c file causes lint to fail with an error, so I used a*.c [c-z]*.c to quickly exclude *.c files that start with b.

And there are 398 instances in just libclamav/*.c where a 64-bit value is truncated. There are also a lot of other problems, too.

It's no surprise at all that clamav has problems with files larger than 2 GB.

And that's just from using lint on the C files. I'd bet the results of compiling the C++ portions with Solaris Studio's C++ compiler and the "-m64 -xport64" command-line options are downright scary.

5

Thanks for the post. Fortunately, it transpires the files were only >2GB when they were uncompressed. We are now scanning the smaller compressed file with CSW's ClamAV package (32-bit) - this works fine.

It was fairly tricky to get this to compile as 64-bit in the first place so I'm not surprised there were issues with the source.

Thanks again for taking the time :b: