clamav-users June 2008 archive

Re: [Clamav-users] Virus Caught that is a false positive

From: Simon Hollingshead <simon.hollingshead_at_nospam>
Date: Sun Jun 22 2008 - 19:09:21 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>


As can be found at the FAQ [http://www.clamav.org/support/faq/] :

Whenever a file exceeds ArchiveMaxCompressionRatio (see clamd.conf man page), it's considered a logic bomb and marked as Oversized.zip. Try increasing your ArchiveMaxCompressionRatio setting.

~SimonH

On 22/Jun/2008, at 19:34, Philippe Faure wrote:

> Hello,
>
> Running
> clamscan -V
> ClamAV 0.92.1.
> freshclam -V
> ClamAV 0.92.1/7532/Sun Jun 22 09:52:49 2008
>
> I have run Norton Antivirus (corporate edition) and clamscan on the
> same compressed and un-compressed files.
>
> Norton does not find any virus within either compressed or
> un-compressed files.
>
> While clamscan reports the following:
>
> "camrela_backup/Movies_on_CD_DVD_40_e-version.zip: Oversized.Zip FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 324768
> Engine version: 0.92.1
> Scanned directories: 131
> Scanned files: 2328
> Infected files: 1
> Data scanned: 304.39 MB
> Time: 107.562 sec (1 m 47 s)
> "
>
> The command that I ran was: clamscan -ri carmela_backup
>
> To start off with, there is no Oversized.zip file in the zipped file?
> Is this a false positive, or does clamscan just not like the size of
> the compressed file? I have even larger compressed files which
> clamscan does not complain about.
>
> Here is the clamd config file:
>
> LocalSocket /var/run/clamav/clamd.ctl
> FixStaleSocket true
> User clamav
> AllowSupplementaryGroups true
> ScanMail true
> ScanArchive true
> ArchiveMaxRecursion 5
> ArchiveMaxFiles 1000
> ArchiveMaxFileSize 10M
> ArchiveMaxCompressionRatio 250
> ArchiveLimitMemoryUsage false
> ArchiveBlockEncrypted false
> MaxDirectoryRecursion 15
> FollowDirectorySymlinks false
> FollowFileSymlinks false
> ReadTimeout 180
> MaxThreads 12
> MaxConnectionQueueLength 15
> StreamMaxLength 10M
> LogSyslog false
> LogFacility LOG_LOCAL6
> LogClean false
> LogVerbose false
> PidFile /var/run/clamav/clamd.pid
> DatabaseDirectory /var/lib/clamav
> TemporaryDirectory /tmp
> SelfCheck 3600
> Foreground false
> Debug false
> ScanPE true
> ScanOLE2 true
> ScanHTML true
> DetectBrokenExecutables false
> MailFollowURLs false
> ArchiveBlockMax false
> ExitOnOOM false
> LeaveTemporaryFiles false
> AlgorithmicDetection true
> ScanELF true
> IdleTimeout 30
> MailMaxRecursion 64
> PhishingSignatures true
> PhishingScanURLs true
> PhishingRestrictedScan true
> PhishingAlwaysBlockSSLMismatch false
> PhishingAlwaysBlockCloak false
> DetectPUA false
> LogFile /var/log/clamav/clamav.log
> LogTime true
> LogFileUnlock false
> LogFileMaxSize 0
>
> Here is the freshclam config file:
> DatabaseOwner clamav
> UpdateLogFile /var/log/clamav/freshclam.log
> LogVerbose false
> LogSyslog false
> LogFacility LOG_LOCAL6
> LogFileMaxSize 0
> LogTime no
> Foreground false
> Debug false
> MaxAttempts 5
> DatabaseDirectory /var/lib/clamav/
> DNSDatabaseInfo current.cvd.clamav.net
> AllowSupplementaryGroups false
> PidFile /var/run/clamav/freshclam.pid
> ConnectTimeout 30
> ReceiveTimeout 30
> ScriptedUpdates yes
> # Check for new database 6 times a day
> Checks 6
> DatabaseMirror db.local.clamav.net
> DatabaseMirror database.clamav.net
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

Simon Hollingshead
simon.hollingshead@googlemail.com

Messages sent from this email are digitally signed by Thawte. Please do not be worried if you see an attachment named smime.p7s, this is the cryptographic signature.
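The FAQ rule Simon quotes is a per-member compression-ratio heuristic. The script below is an added example (not code from the thread, from the ClamAV FAQ, or from libclamav) that reproduces that rule outside ClamAV: it reads ArchiveMaxCompressionRatio from a constructed clamd.conf excerpt, builds a constructed zip with one incompressible member and one that DEFLATE shrinks by roughly a thousand to one, and reports which members exceed the limit. The function names and the 250 default are assumptions taken from the config posted above; the comparison is an approximation of the documented behaviour, not ClamAV's own code path.

```python
import io
import random
import zipfile

# Value from the clamd.conf posted in the thread; used here as the default
# when the option is absent from the supplied config text (assumption).
DEFAULT_MAX_RATIO = 250


def read_ratio_limit(conf_text, default=DEFAULT_MAX_RATIO):
    """Pull ArchiveMaxCompressionRatio out of clamd.conf text.

    Hypothetical minimal parser: first matching non-comment line wins.
    """
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "ArchiveMaxCompressionRatio" and len(parts) > 1:
            return int(parts[1])
    return default


def entry_ratios(zip_bytes):
    """Return (name, uncompressed, compressed, ratio) for each file member.

    Sizes come from the archive's own headers, which a hostile archive can
    misstate; a real scanner must also bound what it actually inflates.
    """
    out = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.compress_size == 0:
                ratio = float("inf") if info.file_size else 0.0
            else:
                ratio = info.file_size / info.compress_size
            out.append((info.filename, info.file_size, info.compress_size, ratio))
    return out


def oversized_members(zip_bytes, max_ratio):
    """Members whose ratio exceeds max_ratio: the ones the FAQ rule would
    report as Oversized.Zip (approximation of the documented behaviour)."""
    return [m for m in entry_ratios(zip_bytes) if m[3] > max_ratio]


def build_sample_zip():
    """Constructed test archive: 16 KiB of seeded pseudo-random bytes
    (incompressible) and 4 MiB of zeros (compresses ~1000:1)."""
    rng = random.Random(1)
    noise = bytes(rng.getrandbits(8) for _ in range(16 * 1024))
    zeros = b"\0" * (4 * 1024 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("random.bin", noise)
        zf.writestr("zeros.bin", zeros)
    return buf.getvalue()


# Constructed excerpt mirroring the relevant lines of the posted clamd.conf.
SAMPLE_CONF = """\
ScanArchive true
ArchiveMaxCompressionRatio 250
"""

if __name__ == "__main__":
    limit = read_ratio_limit(SAMPLE_CONF)
    data = build_sample_zip()
    for name, raw, packed, ratio in entry_ratios(data):
        flag = "OVERSIZED" if ratio > limit else "ok"
        print(f"{name:12s} {raw:>9d} -> {packed:>7d} bytes  ratio {ratio:8.1f}  {flag}")
```

Running it shows why a large but mostly-empty backup (a disk image, a database dump full of NULs, a sparse file) trips the 250:1 limit while larger archives of already-compressed media do not: the heuristic looks at the ratio per member, not at the archive's absolute size. Raising ArchiveMaxCompressionRatio makes such files scannable, at the cost of letting a deliberately crafted archive consume proportionally more memory and time per byte scanned.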
