scripts: improve CLAMAV_MESSAGE_SIZE_LIMIT usage #3332
Conversation
The second part is of special importance! See <https://askubuntu.com/a/1448525>, which explains that the maximum scan size is important as well. We previously just set the maximum file size, which actually is pretty insecure, as we silently do not scan mail bigger than `MaxScanSize`. This is corrected now.
I added this to the Rspamd tracking project, but this is primarily about ClamAV.
"s/^MaxFileSize.*/MaxFileSize ${CLAMAV_MESSAGE_SIZE_LIMIT}/" \

# do a short sanity checks; ClamAV stops scanning at more that 4GB file size
if [[ $(numfmt --from=si "${CLAMAV_MESSAGE_SIZE_LIMIT}") -gt $(numfmt --from=si 4G) ]]
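Review bot: the sanity check on the `if [[ ... ]]` line compares the limit with `numfmt --from=si 4G` (4000000000 bytes) while the comment above it talks about a "4GB file size", so it is not stated which unit system ClamAV itself applies to the `M`/`G` suffixes; please document in the comment whether the ceiling is meant as 4000000000 or 4294967296 bytes, since `numfmt --from=si` and `numfmt --from=iec` give different verdicts for values between those two. Because the test is `-gt`, a `CLAMAV_MESSAGE_SIZE_LIMIT` of exactly `4G` is accepted, which is worth stating explicitly in the comment as well. Minor: the comment should read "do a short sanity check; ClamAV stops scanning at more than 4GB file size".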
Sorry for catching this now. I think ClamAV is not using the SI system for their limit variables.
I think the M / G in the ClamAV variables is actually MiB / GiB, so this check is not correct, as it checks for 4000000000 instead of 4294967296.
Could it be that the correct check would involve:
if [[ $(numfmt --from=iec "${CLAMAV_MESSAGE_SIZE_LIMIT}") -gt $(numfmt --from=iec 4G) ]]
Edit: but I could not find clear documentation for that, only https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html, where it states that the internal max file size was still 2 GiB for 0.103.5.
Edit: my initial assumption was wrong; 4000M seems to be 4G (SI) in ClamAV. However, when testing with clamscan, an actual 4G file does not get scanned:
docker run --rm mailserver/docker-mailserver:latest bash -c 'set -ex; dd if=/dev/zero bs=1000 count=$(numfmt --from=si 4M) of=zero.txt && du -hs zero.txt && clamscan --max-filesize=4000M --max-scansize=4000M --alert-exceeds-max zero.txt'
++ numfmt --from=si 4M
+ dd if=/dev/zero bs=1000 count=4000000 of=zero.txt
4000000+0 records in
4000000+0 records out
4000000000 bytes (4.0 GB, 3.7 GiB) copied, 3.90953 s, 1.0 GB/s
+ du -hs zero.txt
3.8G zero.txt
+ clamscan --max-filesize=4000M --max-scansize=4000M --alert-exceeds-max zero.txt
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/zero.txt: Heuristics.Limits.Exceeded.MaxFileSize FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8664779
Engine version: 0.103.8
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 3814.70 MB (ratio 0.00:1)
Time: 12.713 sec (0 m 12 s)
Start Date: 2023:05:15 08:07:48
End Date: 2023:05:15 08:08:01
where a 2G file does get scanned:
docker run --rm mailserver/docker-mailserver:latest bash -c 'set -ex; dd if=/dev/zero bs=1000 count=$(numfmt --from=si 2000K) of=zero.txt && du -hs zero.txt && clamscan --max-filesize=4000M --max-scansize=4000M --alert-exceeds-max zero.txt'
++ numfmt --from=si 2000K
+ dd if=/dev/zero bs=1000 count=2000000 of=zero.txt
2000000+0 records in
2000000+0 records out
2000000000 bytes (2.0 GB, 1.9 GiB) copied, 1.9642 s, 1.0 GB/s
+ du -hs zero.txt
1.9G zero.txt
+ clamscan --max-filesize=4000M --max-scansize=4000M --alert-exceeds-max zero.txt
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/zero.txt: OK
----------- SCAN SUMMARY -----------
Known viruses: 8664779
Engine version: 0.103.8
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 4062.65 MB
Data read: 1907.35 MB (ratio 2.13:1)
Time: 343.906 sec (5 m 43 s)
Start Date: 2023:05:15 08:09:26
End Date: 2023:05:15 08:15:10
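The following script is an added example and is not code from the docker-mailserver PR or from ClamAV. It reproduces the diff's sanity check in both unit systems the review discusses (1000-based as with `numfmt --from=si`, 1024-based as with `numfmt --from=iec`) so the disagreement right at the 4G ceiling is visible, and it applies the PR description's point, setting `MaxFileSize` and `MaxScanSize` together rather than `MaxFileSize` alone, to a constructed `clamd.conf` fragment. The function names (`to_bytes`, `check_limit`, `set_clamav_limits`, `limits_consistent`, `make_sample_conf`) and the sample config values are assumptions made for this example; the script does not claim which unit system ClamAV itself uses.

```shell
#!/usr/bin/env bash
# Added example, not part of the docker-mailserver PR: the diff's size sanity
# check parameterised by unit system, plus the "set both limits" rewrite.

# to_bytes SYSTEM VALUE: turn "4000M" or "4G" into a byte count.
# SYSTEM is "si" (1000-based, what `numfmt --from=si` does) or
# "iec" (1024-based, what `numfmt --from=iec` does). Pure shell arithmetic,
# so it runs even where coreutils numfmt is not installed.
to_bytes() {
  local system="$1" value="$2" base num suffix
  case "$system" in
    si)  base=1000 ;;
    iec) base=1024 ;;
    *)   echo "to_bytes: unknown unit system '$system'" >&2; return 2 ;;
  esac
  num="${value%%[!0-9]*}"          # leading digits
  suffix="${value#"$num"}"         # whatever follows them
  [ -n "$num" ] || { echo "to_bytes: no digits in '$value'" >&2; return 2; }
  case "$suffix" in
    "")  echo "$num" ;;
    K|k) echo $(( num * base )) ;;
    M|m) echo $(( num * base * base )) ;;
    G|g) echo $(( num * base * base * base )) ;;
    *)   echo "to_bytes: unsupported suffix '$suffix'" >&2; return 2 ;;
  esac
}

# check_limit SYSTEM LIMIT: the diff's sanity check. Returns 0 when LIMIT is
# at or under 4G in the chosen unit system, 1 when it is above it. The diff
# uses -gt, so a limit of exactly 4G is accepted here as well.
check_limit() {
  local system="$1" limit="$2" bytes cap
  bytes=$(to_bytes "$system" "$limit") || return 2
  cap=$(to_bytes "$system" 4G)
  [ "$bytes" -le "$cap" ]
}

# set_clamav_limits CONF LIMIT: rewrite MaxFileSize AND MaxScanSize in CONF,
# the same sed pattern as the diff, extended to the second key as the PR
# description requires (mail larger than MaxScanSize is otherwise not scanned).
set_clamav_limits() {
  local conf="$1" limit="$2"
  sed -i \
    -e "s/^MaxFileSize.*/MaxFileSize ${limit}/" \
    -e "s/^MaxScanSize.*/MaxScanSize ${limit}/" \
    "$conf"
}

# limits_consistent CONF: succeed only if both keys are present and equal.
limits_consistent() {
  local conf="$1" f s
  f=$(sed -n 's/^MaxFileSize[[:space:]]*//p' "$conf")
  s=$(sed -n 's/^MaxScanSize[[:space:]]*//p' "$conf")
  [ -n "$f" ] && [ "$f" = "$s" ]
}

# make_sample_conf: constructed clamd.conf fragment (values invented for the
# demonstration, not ClamAV's shipped defaults). Prints the temp file path.
make_sample_conf() {
  local conf
  conf=$(mktemp)
  printf '%s\n' 'MaxScanSize 100M' 'MaxFileSize 25M' \
    'LogFile /var/log/clamav/clamd.log' > "$conf"
  echo "$conf"
}

# Demonstration: the two unit systems disagree for limits between
# 4000000000 and 4294967296 bytes (e.g. 4095M), which is exactly the band
# the review comment is about.
for limit in 4000M 4G 4095M 4100M; do
  for system in si iec; do
    if check_limit "$system" "$limit"; then verdict=accepted; else verdict=rejected; fi
    printf '%-6s %-4s = %11s bytes -> %s\n' \
      "$limit" "$system" "$(to_bytes "$system" "$limit")" "$verdict"
  done
done

conf=$(make_sample_conf)
set_clamav_limits "$conf" 4000M
limits_consistent "$conf" && echo "MaxFileSize and MaxScanSize are now both 4000M"
rm -f "$conf"
```

Run it as-is to see the table; `4095M` is accepted under `iec` and rejected under `si`, which is why the check needs to state which interpretation it intends. `set_clamav_limits` deliberately rewrites the whole line for both keys, so a config that already carried a different `MaxScanSize` ends up consistent with `MaxFileSize`.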
Description
Added a sanity check for ClamAV size & adjusted MaxScanSize. The second part is of special importance! See https://askubuntu.com/a/1448525, which explains that the maximum scan size is important as well. We previously just set the maximum file size, which actually is pretty insecure, as we silently do not scan mail bigger than MaxScanSize. This is corrected now.