Use ClamAV to scan large files

4

1

We have a Linux VM running Xubuntu with ClamAV installed.

We would like to scan files larger than 4Gigs, using the clamscan command preferably. I can use the --max-filesize=x and --max-scansize=x options perfectly. Looking on the clamscan man page, Clam only lets you set these parameters to less than 4Gig file sizes.

I can also set these to 'unlimited' by using 0, but if the file is larger than 4Gigs it will still have no data scanned.

Example:

----------- SCAN SUMMARY -----------
Known viruses: 4297615
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 58082.25 MB (ratio 0.00:1)
Time: 12.325 sec (0 m 12 s)

As you can see we are trying to scan some pretty large files ±75Gigs.

Is there a way to use clamscan to virus scan files larger than 4Gigs? Or is there another command line tool to achieve what I am after.

Huckleberry Finn

Posted 2016-03-21T16:21:40.870

Reputation: 171

Is your Xubunt a 64-bit version? If so, make sure your clamscan is also 64-bit with file $(which clamscan); if not, then I don't know of any way to open files over 4GB with 32-bit software. – AFH – 2016-03-21T16:44:48.127

Thanks for the reply. "/usr/bin/clamscan: ELF 64-bit LSB executable" It's all 64-bit unfortunately. Any other ideas? – Huckleberry Finn – 2016-03-21T17:51:43.333

1There is no way to scan arbitrarily large files, in clamav or in many other commercial AVes. There are technical difficulties (saturation of the filesystem on which /tmp resides or of virtual memory), and one very good basic reason: do you really believe that multi-GB-sized files are a good vehicle of infection? – MariusMatutiae – 2016-03-21T17:59:59.277

For what it's worth, I just scanned a 13GB VM disc on 64-bit Ubuntu 15.04 and I got similar results to you; however, if I used clamscan - <FilePath it took 90 times longer, with high resource use. In both cases it reported zero data scanned, but the first call said 13GB read, while the second said 144MB. I didn't set any parameters besides the file name or -. Make what you will of these results. – AFH – 2016-03-22T00:35:59.103

Marius - I agree large files are not good transport vehicle's, however we have a unique scenario where there's potential for it. Thank you for testing AFH. If there is no easy-ish way, then I may consider using another platform to handle the Virus-Scanning. Issue is that it's required by a client of ours, ugh! Thank you both for the replies! – Huckleberry Finn – 2016-03-22T10:14:22.967

1If anyone has more information regarding the specific problem with scanning large files I'd like to hear it. Simply saying large "files are clean" doesn't cut it. We need to know the precise technical limitations so we can know what defaults are safe to change and under which circumstances. – jorfus – 2016-12-02T19:57:01.067

Answers

2

I ended up using savscan by Sophos.

This command line tool was able to achieve what I was after, with no configuration needed and it's free!

Huckleberry Finn

Posted 2016-03-21T16:21:40.870

Reputation: 171

Vulgar language is not acceptable here so please mind what you write, you may want to read our guidelines. If you wish to mark your answer as accepted then there will be a tick mark on the left hand side of your answer, it may be a day or so before you can mark your own answers as correct.

– Mokubai – 2016-04-25T17:04:26.807

Vulgarity begins when imagination succumbs to the explicit. -- Doris Day – Huckleberry Finn – 2016-04-27T12:01:52.427

Asked: 2016-03-21T16:21:40.870

Viewed: 2 984 times

Active: 2017-08-01T03:01:59.383