
I use ClamAV on Ubuntu 14.04, does it scan compressed files? I looked in its documentation but couldn't find anything. Also does it detect viruses that affect Microsoft Windows?

Braiam

2 Answers


1. Yes, it does, and by default as you can see from man clamscan, it is turned on (the * indicates the default option):

   --scan-archive[=yes(*)/no]
          Scan  archives  supported  by  libclamav.  If  you turn off this
          option, the original files will still be  scanned,  but  without
          unpacking and additional processing.

2. The more important question you should be asking is "Does ClamAV scan for viruses that affect Linux as well?", because the majority of viruses ClamAV detects are Windows viruses.


It does, but it has very conservative limits that in practice make it silently skip archive files.

See this thread: https://lists.clamav.net/pipermail/clamav-users/2021-December/012177.html

Below are some QUICK EXPERIMENTAL options that I hoped would give clamscan a more intuitive behavior in a single-user use case.

    clamscan \
      --archive-verbose \
      --alert-exceeds-max=yes \
      --alert-encrypted=yes \
      --max-filesize=4095M \
      --max-scansize=4095M \
      --max-files=$((1000*1000)) \
      --max-recursion=512 \
      --max-embeddedpe=256M \
      --max-htmlnormalize=256M \
      --max-htmlnotags=256M \
      --max-scriptnormalize=256M \
      --max-ziptypercg=16M \
      --pcre-max-filesize=4095M

However, I've found the behaviour to be spotty even then:

  • You can't set any limits to 4 GB or more
  • --archive-verbose doesn't actually print out archive members
  • scanning the same set of infected files as a
    • ... plain directory: a ~ dozen matches in various files are produced,
    • ... 946 MB .zip file: just one match in a single file inside the archive is reported, the rest are silently skipped
    • ... 2.1 GB .tar file: NO matches at all are produced, not even a "Heuristics.Limits.Exceeded" warning

Unfortunately I don't have time to debug this thoroughly ATM.

It seems like clamav's main focus on (mail) server scanning has led to some restrictive behavior & hardcoded limits that cannot even be overridden by runtime parameters.

ppar