[Pkg-clamav-devel] Bug#787249: Bug#787249: clamav-daemon: clamdscan scans less than clamscan; worsened in latest release
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Sat May 30 13:06:33 UTC 2015
Control: found -1 0.98.7+dfsg-1
Hi Marc,
On 30.05.2015 13:31, Marc SCHAEFER wrote:
> since the last clamav-daemon LTS update, clamdscan gets one test less than
> clamscan:
>
> despam at shakotay:~$ bin/test_clamdscan.sh
> 8c8
> < /usr/share/clamav-testfiles/clam_cache_emax.tgz: OK
> ---
>> /usr/share/clamav-testfiles/clam_cache_emax.tgz: ClamAV-Test-File FOUND
> 49c49
> < Infected files: 38
> ---
>> Infected files: 39
>
> despam at shakotay:~$ clamscan /usr/share/clamav-testfiles/clam_cache_emax.tgz
> /usr/share/clamav-testfiles/clam_cache_emax.tgz: ClamAV-Test-File FOUND
I can reproduce this with the version in stretch as well.
> However, the problem already existed in previous releases, because my
> test script contains a lot of OKs. It just got worse by one case.
However, I can't reproduce these other cases.
> Could this be due to some PATH issue in the daemon, not finding some
> archivers ?
Very unlikely, as libclamav doesn't open any archivers, it has them
built in.
> #! /bin/bash
>
> clamdscan /usr/share/clamav-testfiles/* \
> | egrep -v '^Time: ' \
> | diff - <(cat <<"EOF"
> /usr/share/clamav-testfiles/clam.7z: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.arj: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam-aspack.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.bin-be.cpio: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.bin-le.cpio: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.bz2.zip: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.cab: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam_cache_emax.tgz: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.chm: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.d64.zip: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.ea05.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.ea06.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.exe.binhex: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.exe.bz2: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.exe.html: OK
> /usr/share/clamav-testfiles/clam.exe.mbox.base64: OK
> /usr/share/clamav-testfiles/clam.exe.mbox.uu: OK
Both clamscan and clamdscan detect these for me:
/usr/share/clamav-testfiles/clam.exe.html: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.exe.mbox.base64: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.exe.mbox.uu: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.exe.rtf: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.exe.szdd: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam-fsg.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.impl.zip: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam_IScab_ext.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam_IScab_int.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam_ISmsi_ext.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam_ISmsi_int.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.mail: OK
This works here too:
/usr/share/clamav-testfiles/clam.mail: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam-mew.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.newc.cpio: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam-nsis.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.odc.cpio: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.ole.doc: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.pdf: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam-pespin.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam-petite.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.ppt: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.sis: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.tar.gz: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.tnef: OK
/usr/share/clamav-testfiles/clam.tnef: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam-upack.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam-upx.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam-v2.rar: OK
> /usr/share/clamav-testfiles/clam-v3.rar: OK
For these two to be detected, one has to install libclamunrar6 from non-free.
> /usr/share/clamav-testfiles/clam-wwpack.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam-yc.exe: ClamAV-Test-File FOUND
> /usr/share/clamav-testfiles/clam.zip: ClamAV-Test-File FOUND
>
> ----------- SCAN SUMMARY -----------
> Infected files: 39
> EOF
> )
I found the reason why clam_cache_emax.tgz is not detected by clamdscan:
It hits the MaxRecursion limit of 10, while it needs 17 recursions.
Thus I think we should probably increase the default recursion limit,
e.g. to 20.
>
> -- Package-specific info:
> --- configuration ---
> Checking configuration files in /etc/clamav
>
> Config file: clamd.conf
> -----------------------
> MaxRecursion = "10"
Set this to 20 and restart clamav-daemon. Then clam_cache_emax.tgz should
be detected.
Can you confirm this?
However, I don't know why it worked previously.
Best regards,
Andreas
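
The comparison discussed in this thread can also be made directly between saved clamscan and clamdscan output, so that only the detections the daemon missed are listed. This is an added example, not part of the original message or of the ClamAV packaging; the function names `verdict_gaps` and `demo` are hypothetical, and the sample lines are constructed in the output format quoted above.

```bash
#!/bin/bash
# Added example: list files that clamscan flags but clamdscan reports as OK.

# verdict_gaps CLAMSCAN_OUT CLAMDSCAN_OUT
# Prints "path<TAB>signature" for every file FOUND by clamscan but OK in clamdscan.
verdict_gaps() {
    awk '
        # Keep per-file result lines only; summary and timing lines are skipped.
        !/: OK$/ && !/ FOUND$/ { next }
        {
            # Split on the last ": " so a colon inside the path does not break parsing.
            match($0, /: [^:]+$/)
            path = substr($0, 1, RSTART - 1)
            verdict = substr($0, RSTART + 2)
        }
        # First file (clamscan): remember the signature of each detection.
        FNR == NR {
            if (verdict ~ / FOUND$/) {
                sub(/ FOUND$/, "", verdict)
                found[path] = verdict
            }
            next
        }
        # Second file (clamdscan): report paths it passed that clamscan flagged.
        verdict == "OK" && (path in found) { print path "\t" found[path] }
    ' "$1" "$2"
}

# demo: run verdict_gaps on constructed sample output (not real scan results).
demo() {
    local tmp
    tmp=$(mktemp -d)
    printf '%s\n' \
        '/usr/share/clamav-testfiles/clam.zip: ClamAV-Test-File FOUND' \
        '/usr/share/clamav-testfiles/clam_cache_emax.tgz: ClamAV-Test-File FOUND' \
        '/usr/share/clamav-testfiles/clam-v2.rar: OK' \
        '' '----------- SCAN SUMMARY -----------' 'Infected files: 2' \
        > "$tmp/clamscan.txt"
    printf '%s\n' \
        '/usr/share/clamav-testfiles/clam.zip: ClamAV-Test-File FOUND' \
        '/usr/share/clamav-testfiles/clam_cache_emax.tgz: OK' \
        '/usr/share/clamav-testfiles/clam-v2.rar: OK' \
        '' '----------- SCAN SUMMARY -----------' 'Infected files: 1' \
        > "$tmp/clamdscan.txt"
    verdict_gaps "$tmp/clamscan.txt" "$tmp/clamdscan.txt"
    rm -rf "$tmp"
}

demo
```

A file listed here is one the daemon passed with its own limits (such as MaxRecursion in clamd.conf) while the command-line scanner detected it.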