7

We have a Linux VM running Xubuntu with ClamAV installed.

We would like to scan files larger than 4Gigs, using the clamscan command preferably. I can use the --max-filesize=x and --max-scansize=x options perfectly. Looking on the clamscan man page, Clam only lets you set these parameters to less than 4Gig file sizes.

I can also set these to 'unlimited' by using 0, but if the file is larger than 4Gigs it will still have no data scanned.

Example:

----------- SCAN SUMMARY -----------
Known viruses: 4297615
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 58082.25 MB (ratio 0.00:1)
Time: 12.325 sec (0 m 12 s)

As you can see we are trying to scan some pretty large files ±75Gigs.

Is there a way to use clamscan to virus scan files larger than 4Gigs? Or is there another command line tool to achieve what I am after.

slm
  • 9,959
  • 10
  • 49
  • 57
Huckleberry Finn
  • 201
  • 2
  • 6
  • Is your Xubunt a 64-bit version? If so, make sure your `clamscan` is also 64-bit with `file $(which clamscan)`; if not, then I don't know of any way to open files over 4GB with 32-bit software. – AFH Mar 21 '16 at 16:44
  • Thanks for the reply. **"/usr/bin/clamscan: ELF 64-bit LSB executable"** It's all 64-bit unfortunately. Any other ideas? – Huckleberry Finn Mar 21 '16 at 17:51
  • 1
    There is no way to scan arbitrarily large files, in clamav or in many other commercial AVes. There are technical difficulties (saturation of the filesystem on which `/tmp` resides or of virtual memory), and one very good basic reason: do you really believe that multi-GB-sized files are a good vehicle of infection? – MariusMatutiae Mar 21 '16 at 17:59
  • For what it's worth, I just scanned a 13GB VM disc on 64-bit Ubuntu 15.04 and I got similar results to you; however, if I used `clamscan - – AFH Mar 22 '16 at 00:35
  • Marius - I agree large files are not good transport vehicle's, however we have a unique scenario where there's potential for it. Thank you for testing AFH. If there is no easy-ish way, then I may consider using another platform to handle the Virus-Scanning. Issue is that it's required by a client of ours, ugh! Thank you both for the replies! – Huckleberry Finn Mar 22 '16 at 10:14
  • 4
    If anyone has more information regarding the specific problem with scanning large files I'd like to hear it. Simply saying large "files are clean" doesn't cut it. We need to know the precise technical limitations so we can know what defaults are safe to change and under which circumstances. – jorfus Dec 02 '16 at 19:57

2 Answers2

2

I ended up using savscan by Sophos.

This command line tool was able to achieve what I was after, with no configuration needed and it's free!

Mokubai
  • 89,133
  • 25
  • 207
  • 233
Huckleberry Finn
  • 201
  • 2
  • 6
  • From Sophos documentation... it does have a limit as well. Note: The threat detection engine only scans archived files that are up to 8GB (when decompressed). This is because it supports the POSIX ustar archive format, which does not accommodate larger files. – Arian Faurtosh Apr 02 '21 at 03:58
0

As other AVs have similar limitations, one not ideal solution is to copy 1GB chunks of files and scan each chunk. One could overlap chunks by a few MB but there is no solution for linking randomly all over the file. Maybe be a better than nothing solution though.

user1133275
  • 282
  • 2
  • 9