
Heuristics.Limits.Exceeded.MaxScanSize for file way smaller than MaxScanSize

Open michaelwittig opened this issue 1 year ago • 3 comments

Hi!

I recently received a Heuristics.Limits.Exceeded.MaxScanSize for a file that is much smaller than my MaxScanSize (4294967295) limit using clamd. The file is a 670 MB (more accurately 636631040 bytes) text file. The file has a .txt extension but actually contains a large bash script.

clamscan --debug (full output).

[...]
LibClamAV debug: cl_scandesc_callback: File too large (636631040 bytes), ignoring
[...]

I can scan files larger than 670 MB. Just this one file is special. I saw other issues where the file was matching against signatures but my case looks different (no matching at all).

Unfortunately, I can not share the file. Any ideas what could cause this?

clamconf output:

Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
AlertExceedsMax = "yes"
PreludeEnable disabled
PreludeAnalyzerName disabled
LogFile disabled
LogFileUnlock disabled
LogFileMaxSize = "1048576"
LogTime disabled
LogClean disabled
LogSyslog = "yes"
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate disabled
ExtendedDetectionInfo disabled
PidFile disabled
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/run/clamd.scan/clamd.sock"
LocalSocketGroup disabled
LocalSocketMode disabled
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "200"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "10"
ReadTimeout = "120"
CommandReadTimeout = "30"
SendBufTimeout = "500"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "600"
ConcurrentDatabaseReload disabled
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamscan"
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "10000"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
ScanPE = "yes"
ScanELF = "yes"
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
HeuristicAlerts = "yes"
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
AlertBrokenExecutables disabled
AlertBrokenMedia disabled
AlertEncrypted = "yes"
StructuredCCOnly disabled
AlertEncryptedArchive disabled
AlertEncryptedDoc disabled
AlertOLE2Macros disabled
AlertPhishingSSLMismatch disabled
AlertPhishingCloak disabled
AlertPartitionIntersection disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ForceToDisk disabled
MaxScanTime disabled
MaxScanSize = "4294967295"
MaxFileSize = "4294967295"
MaxRecursion = "160"
MaxFiles disabled
MaxEmbeddedPE = "104857600"
MaxHTMLNormalize = "104857600"
MaxHTMLNoTags = "20971520"
MaxScriptNormalize = "52428800"
MaxZipTypeRcg = "10485760"
MaxPartitions = "500"
MaxIconsPE = "1000"
MaxRecHWP3 = "160"
PCREMatchLimit = "1000000"
PCRERecMatchLimit = "20000"
PCREMaxFileSize = "262144000"
OnAccessMountPath disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeRootUID disabled
OnAccessExcludeUID disabled
OnAccessExcludeUname disabled
OnAccessMaxFileSize = "5242880"
OnAccessDisableDDD disabled
OnAccessPrevention disabled
OnAccessExtraScanning disabled
OnAccessCurlTimeout = "5000"
OnAccessMaxThreads = "5"
OnAccessRetryAttempts disabled
OnAccessDenyOnError disabled
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled
AlgorithmicDetection = "yes"
BlockMax disabled
PhishingAlwaysBlockSSLMismatch disabled
PhishingAlwaysBlockCloak disabled
PartitionIntersection disabled
OLE2BlockMacros disabled
ArchiveBlockEncrypted disabled

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "1048576"
LogTime disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate disabled
PidFile disabled
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
UpdateLogFile disabled
DatabaseOwner = "clamupdate"
Checks = "12"
DNSDatabaseInfo = "no"
DatabaseMirror = "https://bucketav-clamav-mirror-eu-west-2.s3.eu-west-2.amazonaws.com"
PrivateMirror disabled
MaxAttempts = "3"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
ExcludeDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamd.d/scan.conf"
OnUpdateExecute = "/bin/touch /tmp/freshclam.done"
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout disabled
Bytecode = "yes"

mail/clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.10
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
daily.cvd: version 27161, sigs: 2051323, built on Sun Jan 21 09:38:57 2024
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
bytecode.cvd: version 334, sigs: 91, built on Wed Feb 22 21:33:21 2023
Total number of signatures: 8698841

Platform information
--------------------
uname: Linux 4.14.326-245.539.amzn2.x86_64 #1 SMP Tue Sep 26 09:59:02 UTC 2023 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.7 (1.2.7), compile flags: a9
platform id: 0x0a2181810800000000040805

Build information
-----------------
GNU C: 4.8.5 20150623 (Red Hat 4.8.5-44) (4.8.5)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64 -mtune=generic -fno-strict-aliasing   -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64 -mtune=generic
LDFLAGS: -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed  -lprelude
Configure: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-milter' '--disable-clamav' '--disable-static' '--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' '--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' '--disable-silent-rules' '--enable-clamdtop' '--enable-prelude' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64 -mtune=generic' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 129, dconf: 129

michaelwittig, Jan 22 '24 19:01
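The clamconf dump above is worth cross-checking before assuming a bug, because the limits interact: MaxScanSize is a budget for all data the engine looks at for one top-level file (the raw bytes plus any normalized or extracted copies), MaxFileSize caps a single file or extracted child, and StreamMaxLength separately caps what clamd accepts over INSTREAM. The following is an added example, not code from this issue or from the ClamAV project: it parses the `Key = "value"` / `Key disabled` lines in the format clamconf prints (the excerpt is constructed from the values posted above), applies a few consistency rules of this example's own choosing, and sorts clamscan/clamd result lines into limit heuristics versus real detections so downstream tooling does not quarantine a file just because `Heuristics.Limits.Exceeded.*` was reported.

```python
"""Cross-check clamd limits from a clamconf dump and triage scan result lines.

Added example; the rule set below is this example's own, not ClamAV documentation.
"""
import re
from typing import Dict, List, Optional

# Constructed excerpt in clamconf's output format, values copied from the issue.
CLAMCONF_EXCERPT = """\
Config file: clamd.d/scan.conf
------------------------------
AlertExceedsMax = "yes"
StreamMaxLength = "26214400"
MaxScanTime disabled
MaxScanSize = "4294967295"
MaxFileSize = "4294967295"
MaxRecursion = "160"
MaxFiles disabled
PCREMaxFileSize = "262144000"
"""

_SET = re.compile(r'^(\w+) = "(.*)"$')
_OFF = re.compile(r'^(\w+) disabled$')


def parse_clamconf(text: str) -> Dict[str, Optional[str]]:
    """Map option name -> string value, or None where clamconf printed 'disabled'."""
    opts: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SET.match(line):
            opts[m.group(1)] = m.group(2)
        elif m := _OFF.match(line):
            opts[m.group(1)] = None
    return opts


def as_int(opts: Dict[str, Optional[str]], key: str) -> Optional[int]:
    """Integer value of a numeric option, or None if unset/disabled/non-numeric."""
    v = opts.get(key)
    return int(v) if v is not None and v.isdigit() else None


def check_limits(opts: Dict[str, Optional[str]]) -> List[str]:
    """Return human-readable findings; an empty list means the limits are coherent."""
    findings: List[str] = []
    scan = as_int(opts, "MaxScanSize")
    file_ = as_int(opts, "MaxFileSize")
    stream = as_int(opts, "StreamMaxLength")

    # MaxScanSize is charged for every byte examined for one input file
    # (raw data plus normalized/extracted copies), so it must not be below
    # MaxFileSize or a single large file can exhaust it on its own.
    if scan is not None and file_ is not None and scan < file_:
        findings.append(f"MaxScanSize ({scan}) is below MaxFileSize ({file_})")

    # Files delivered to clamd over INSTREAM are capped by StreamMaxLength,
    # so a MaxFileSize far above it is unreachable for stream-scanned files.
    if stream is not None and file_ is not None and stream < file_:
        findings.append(
            f"StreamMaxLength ({stream}) is below MaxFileSize ({file_}): files larger "
            "than StreamMaxLength cannot be scanned via INSTREAM, only by path"
        )

    if "MaxScanTime" in opts and opts["MaxScanTime"] is None:
        findings.append("MaxScanTime is disabled: a pathological file can hold a scanner thread indefinitely")

    if opts.get("AlertExceedsMax") == "yes":
        findings.append(
            "AlertExceedsMax=yes: exceeded limits surface as 'Heuristics.Limits.Exceeded.* FOUND', "
            "which must be handled as 'not fully scanned', not as malware"
        )
    return findings


_RESULT = re.compile(r"^(?P<path>.+?): (?P<name>\S+) FOUND$")
_OK = re.compile(r"^(?P<path>.+?): OK$")


def classify_result(line: str) -> str:
    """'limit' for a limits heuristic, 'detection' for any other FOUND, 'ok', or 'other'."""
    line = line.strip()
    if m := _RESULT.match(line):
        return "limit" if m.group("name").startswith("Heuristics.Limits.Exceeded.") else "detection"
    if _OK.match(line):
        return "ok"
    return "other"


if __name__ == "__main__":
    for finding in check_limits(parse_clamconf(CLAMCONF_EXCERPT)):
        print("-", finding)
    print(classify_result("/data/big.txt: Heuristics.Limits.Exceeded.MaxScanSize FOUND"))
```

Run against the posted configuration this flags the 25 MB StreamMaxLength sitting under a 4 GB MaxFileSize and the disabled MaxScanTime; it does not flag MaxScanSize, which equals MaxFileSize here. The `classify_result` split is the part to wire into whatever consumes clamd output: a `Heuristics.Limits.Exceeded.*` line means the file was only partially inspected, and whether that is treated as a block or a pass is a policy decision that should be explicit rather than an accident of the alert name.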

ClamAV normalizes text files and then scans both versions, so the total amount of data scanned may be significantly higher than the files being scanned. I wouldn't expect a 670 MB text file to end up scanning more than 4 GB. That does seem a little strange. Perhaps it is finding some attached content and extracting that and scanning that as well.

I'm not sure I would consider this to be a bug. But if you want to investigate more -- can you attach the output from running clamscan with these additional options: --debug --gen-json

micahsnyder, Jan 30 '24 15:01

I'm running into a similar issue trying to upgrade ClamAV from the 0.x LTS to 1.x. Note that ClamAV 1.0.5 reports this as MaxScanSize while ClamAV 1.3.1 flags this as MaxFileSize and no warning is emitted on 0.103.8.

The file I'm scanning is an arm64 binary of size 28 MB. Looking at the output of --debug --gen-json the following looks interesting (snippets, full debug output below):

$ clamscan -d db/daily.cvd --alert-exceeds-max=yes --max-filesize=2048M --max-scansize=0 --max-scantime=0 --max-recursion=40 arm64-binary --debug --gen-json
[...]
// Seems to correctly classify the file as "executable"
LibClamAV debug: ELF: File type: Executable
LibClamAV debug: ELF: Machine type: Unknown (0xb7)
[...]
// The overall file finishes without a finding
LibClamAV debug: Descriptor[3]: Continuing after file scan resulted with: No viruses detected
[...]
// Within the binary, ClamAV seems to detect a RAR-SFX signature?
LibClamAV debug: Matched signature for file type ZIP-SFX at 19076080
LibClamAV debug: Matched signature for file type RAR-SFX at 19076520
LibClamAV debug: Matched signature for file type RAR-SFX at 19076520
LibClamAV debug: Matched signature for file type HTML data at 20077476
LibClamAV debug: Matched signature for file type HTML data
LibClamAV debug: Matched signature for file type HTML data
[...]
unrar_open: Opened archive: /var/folders/ln/vqtgf6r50jj7llpd28yrv60d082fsw/T//20240730_210831-scantemp.fe25d32168/clamav-d4aed806711af70417a1e533c7ea5fc1.tmp
unrar_peek_file_header:   Name:
unrar_peek_file_header:   Directory?:    0
unrar_peek_file_header:   Target Dir:    0
unrar_peek_file_header:   RAR Version:   3
unrar_peek_file_header:   Packed Size:   8719941959316996884
unrar_peek_file_header:   Unpacked Size: 9080236526577124131
// Seems to detect a RAR entry of an insane size
LibClamAV debug: RAR: Next file is too large (9080236526577124131 bytes); it would exceed max scansize.  Skipping to next file.
[...]

/Volumes/git/sandbox/clamav-debug/arm64-binary: Heuristics.Limits.Exceeded.MaxFileSize FOUND
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 1
Data scanned: 29.86 MB
Data read: 28.04 MB (ratio 1.06:1)

My interpretation is that ClamAV wrongfully identifies the binary as a RAR archive and then reads inaccurate size metadata?

Full debug log

Using ClamAV 1.3.1

$ clamscan -d db/daily.cvd --alert-exceeds-max=yes --max-filesize=2048M --max-scansize=0 --max-scantime=0 --max-recursion=40 arm64-binary --debug --gen-json

LibClamAV debug: searching for unrar, user-searchpath: /opt/homebrew/Cellar/clamav/1.3.1/lib
LibClamAV debug: searching for unrar: /opt/homebrew/Cellar/clamav/1.3.1/lib/libclamunrar_iface.dylib.12.0.2 not found
LibClamAV debug: searching for unrar: /opt/homebrew/Cellar/clamav/1.3.1/lib/libclamunrar_iface.dylib.12 not found
LibClamAV debug: unrar support loaded from /opt/homebrew/Cellar/clamav/1.3.1/lib/libclamunrar_iface.dylib
LibClamAV debug: Initialized 1.3.1 engine
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Bytecode initialized in interpreter mode
LibClamAV debug: clean_cache_init: Requested cache size: 65536. Actual cache size: 65536. Trees: 256. Nodes per tree: 256.
LibClamAV debug: in cli_cvdload()
LibClamAV debug: cli_versig: Digital signature is correct.
LibClamAV debug: in cli_tgzload()
LibClamAV debug: daily.info loaded
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: in cli_tgzload()
LibClamAV debug: daily.cfg loaded
LibClamAV debug: daily.ign loaded
LibClamAV debug: daily.ign2 loaded
LibClamAV debug: Initializing engine matching structures
LibClamAV debug: Loaded 158 filetype definitions
LibClamAV debug: daily.ftm loaded
LibClamAV debug: daily.hdb loaded
LibClamAV debug: daily.hdu skipped
LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 64
LibClamAV debug: hashtab.c: new capacity: 128
LibClamAV debug: Table 0x102c4eae8 size after grow: 128
LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 128
LibClamAV debug: hashtab.c: new capacity: 256
LibClamAV debug: Table 0x102c4eae8 size after grow: 256
LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 256
LibClamAV debug: hashtab.c: new capacity: 512
LibClamAV debug: Table 0x102c4eae8 size after grow: 512
LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 512
LibClamAV debug: hashtab.c: new capacity: 1024
LibClamAV debug: Table 0x102c4eae8 size after grow: 1024
LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 1024
LibClamAV debug: hashtab.c: new capacity: 2048
LibClamAV debug: Table 0x102c4eae8 size after grow: 2048
LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 2048
LibClamAV debug: hashtab.c: new capacity: 4096
LibClamAV debug: Table 0x102c4eae8 size after grow: 4096
LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 4096
LibClamAV debug: hashtab.c: new capacity: 8192
LibClamAV debug: Table 0x102c4eae8 size after grow: 8192
LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 8192
LibClamAV debug: hashtab.c: new capacity: 16384
LibClamAV debug: Table 0x102c4eae8 size after grow: 16384
LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 16384
LibClamAV debug: hashtab.c: new capacity: 32768
LibClamAV debug: Table 0x102c4eae8 size after grow: 32768
LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 32768
LibClamAV debug: hashtab.c: new capacity: 65536
LibClamAV debug: Table 0x102c4eae8 size after grow: 65536
LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 65536
LibClamAV debug: hashtab.c: new capacity: 131072
LibClamAV debug: Table 0x102c4eae8 size after grow: 131072
LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 131072
LibClamAV debug: hashtab.c: new capacity: 262144
LibClamAV debug: Table 0x102c4eae8 size after grow: 262144
LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eb28, because it has exceeded maxfill, old size: 64
LibClamAV debug: hashtab.c: new capacity: 128
LibClamAV debug: Table 0x102c4eb28 size after grow: 128
LibClamAV debug: daily.hsb loaded
LibClamAV debug: daily.hsu skipped
LibClamAV debug: hashtab.c:Growing hashtable 0x10827bc00, because it has exceeded maxfill, old size: 64
LibClamAV debug: hashtab.c: new capacity: 128
LibClamAV debug: Table 0x10827bc00 size after grow: 128
LibClamAV debug: hashtab.c:Growing hashtable 0x10827bc00, because it has exceeded maxfill, old size: 128
LibClamAV debug: hashtab.c: new capacity: 256
LibClamAV debug: Table 0x10827bc00 size after grow: 256
LibClamAV debug: hashtab.c:Growing hashtable 0x10827bc00, because it has exceeded maxfill, old size: 256
LibClamAV debug: hashtab.c: new capacity: 512
LibClamAV debug: Table 0x10827bc00 size after grow: 512
LibClamAV debug: hashtab.c:Growing hashtable 0x10827bc00, because it has exceeded maxfill, old size: 512
LibClamAV debug: hashtab.c: new capacity: 1024
LibClamAV debug: Table 0x10827bc00 size after grow: 1024
LibClamAV debug: hashtab.c:Growing hashtable 0x10827bc00, because it has exceeded maxfill, old size: 1024
LibClamAV debug: hashtab.c: new capacity: 2048
LibClamAV debug: Table 0x10827bc00 size after grow: 2048
LibClamAV debug: hashtab.c:Growing hashtable 0x10827bc00, because it has exceeded maxfill, old size: 2048
LibClamAV debug: hashtab.c: new capacity: 4096
LibClamAV debug: Table 0x10827bc00 size after grow: 4096
LibClamAV debug: hashtab.c:Growing hashtable 0x10827bc00, because it has exceeded maxfill, old size: 4096
LibClamAV debug: hashtab.c: new capacity: 8192
LibClamAV debug: Table 0x10827bc00 size after grow: 8192
LibClamAV debug: daily.mdb loaded
LibClamAV debug: daily.mdu skipped
LibClamAV debug: daily.msb loaded
LibClamAV debug: daily.msu skipped
LibClamAV debug: Initializing engine matching structures
LibClamAV debug: daily.ndb loaded
LibClamAV debug: daily.ndu skipped
LibClamAV debug: Initializing engine matching structures
LibClamAV debug: daily.ldb loaded
LibClamAV debug: daily.ldu skipped
LibClamAV debug: daily.idb loaded
LibClamAV debug: hashtab.c:Growing hashtable 0x13a3529e8, because it has exceeded maxfill, old size: 64
LibClamAV debug: hashtab.c: new capacity: 128
LibClamAV debug: Table 0x13a3529e8 size after grow: 128
LibClamAV debug: hashtab.c:Growing hashtable 0x13a3529e8, because it has exceeded maxfill, old size: 128
LibClamAV debug: hashtab.c: new capacity: 256
LibClamAV debug: Table 0x13a3529e8 size after grow: 256
LibClamAV debug: hashtab.c:Growing hashtable 0x13a3529e8, because it has exceeded maxfill, old size: 256
LibClamAV debug: hashtab.c: new capacity: 512
LibClamAV debug: Table 0x13a3529e8 size after grow: 512
LibClamAV debug: hashtab.c:Growing hashtable 0x13a3529e8, because it has exceeded maxfill, old size: 512
LibClamAV debug: hashtab.c: new capacity: 1024
LibClamAV debug: Table 0x13a3529e8 size after grow: 1024
LibClamAV debug: daily.fp loaded
LibClamAV debug: daily.sfp loaded
LibClamAV debug: Loading regex_list
LibClamAV debug: daily.pdb loaded
LibClamAV debug: Loading regex_list
LibClamAV debug: daily.wdb loaded
LibClamAV debug: Number of certs: 29
LibClamAV debug: daily.crb loaded
LibClamAV debug: daily.cdb loaded
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: db-2-98/daily.cvd loaded
LibClamAV debug: Using filter for trie 0
LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 3704 (reloff: 8, absoff: 0) BM sigs: 4 (reloff: 0, absoff: 1) PCREs: 17 (reloff: 0, absoff: 0) maxpatlen 8000
LibClamAV debug: Using filter for trie 1
LibClamAV debug: Matcher[1]: PE: AC sigs: 1172099 (reloff: 19, absoff: 0) BM sigs: 2 (reloff: 2, absoff: 0) PCREs: 17 (reloff: 0, absoff: 0) maxpatlen 3501
LibClamAV debug: Matcher[2]: OLE2: AC sigs: 15821 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 11 (reloff: 0, absoff: 0) maxpatlen 3548 (ac_only mode)
LibClamAV debug: Matcher[3]: HTML: AC sigs: 428 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 4 (reloff: 0, absoff: 0) maxpatlen 244 (ac_only mode)
LibClamAV debug: Using filter for trie 4
LibClamAV debug: Matcher[4]: MAIL: AC sigs: 171 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 169 (reloff: 0, absoff: 0) maxpatlen 23 (ac_only mode)
LibClamAV debug: Matcher[5]: GRAPHICS: AC sigs: 14 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 1 (reloff: 0, absoff: 0) maxpatlen 32 (ac_only mode)
LibClamAV debug: Matcher[6]: ELF: AC sigs: 17798 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 320 (ac_only mode)
LibClamAV debug: Using filter for trie 7
LibClamAV debug: Matcher[7]: ASCII: AC sigs: 1902 (reloff: 17, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 28 (reloff: 0, absoff: 0) maxpatlen 256 (ac_only mode)
LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[9]: MACH-O: AC sigs: 3048 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 273 (ac_only mode)
LibClamAV debug: Matcher[10]: PDF: AC sigs: 163 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 6 (reloff: 0, absoff: 0) maxpatlen 388 (ac_only mode)
LibClamAV debug: Matcher[11]: FLASH: AC sigs: 20 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 34 (ac_only mode)
LibClamAV debug: Matcher[12]: JAVA: AC sigs: 146 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 7 (reloff: 0, absoff: 0) maxpatlen 95 (ac_only mode)
LibClamAV debug: Matcher[13]: INTERNAL: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[14]: OTHER: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Building regex list
LibClamAV debug: Using filter for trie 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Building regex list
LibClamAV debug: Using filter for trie 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Dynamic engine configuration settings:
LibClamAV debug: --------------------------------------
LibClamAV debug: Module PE: On
LibClamAV debug:    * Submodule     PARITE:     On
LibClamAV debug:    * Submodule       KRIZ:     On
LibClamAV debug:    * Submodule    MAGISTR:     On
LibClamAV debug:    * Submodule    POLIPOS:     On
LibClamAV debug:    * Submodule    MD5SECT:     On
LibClamAV debug:    * Submodule        UPX:     On
LibClamAV debug:    * Submodule        FSG:     On
LibClamAV debug:    * Submodule    SWIZZOR:     ** Off **
LibClamAV debug:    * Submodule     PETITE:     On
LibClamAV debug:    * Submodule     PESPIN:     On
LibClamAV debug:    * Submodule         YC:     On
LibClamAV debug:    * Submodule     WWPACK:     On
LibClamAV debug:    * Submodule     NSPACK:     On
LibClamAV debug:    * Submodule        MEW:     On
LibClamAV debug:    * Submodule      UPACK:     On
LibClamAV debug:    * Submodule     ASPACK:     On
LibClamAV debug:    * Submodule    CATALOG:     On
LibClamAV debug:    * Submodule      CERTS:     On
LibClamAV debug:    * Submodule  MATCHICON:     On
LibClamAV debug:    * Submodule     IMPTBL:     On
LibClamAV debug: Module ELF: On
LibClamAV debug: Module MACHO: On
LibClamAV debug: Module ARCHIVE: On
LibClamAV debug:    * Submodule        RAR:     On
LibClamAV debug:    * Submodule        ZIP:     On
LibClamAV debug:    * Submodule       GZIP:     On
LibClamAV debug:    * Submodule       BZIP:     On
LibClamAV debug:    * Submodule        ARJ:     On
LibClamAV debug:    * Submodule       SZDD:     On
LibClamAV debug:    * Submodule        CAB:     On
LibClamAV debug:    * Submodule        CHM:     On
LibClamAV debug:    * Submodule       OLE2:     On
LibClamAV debug:    * Submodule        TAR:     On
LibClamAV debug:    * Submodule       CPIO:     On
LibClamAV debug:    * Submodule     BINHEX:     On
LibClamAV debug:    * Submodule        SIS:     On
LibClamAV debug:    * Submodule       NSIS:     On
LibClamAV debug:    * Submodule     AUTOIT:     On
LibClamAV debug:    * Submodule    ISHIELD:     On
LibClamAV debug:    * Submodule       7zip:     On
LibClamAV debug:    * Submodule    ISO9660:     On
LibClamAV debug:    * Submodule        DMG:     On
LibClamAV debug:    * Submodule        XAR:     On
LibClamAV debug:    * Submodule    HFSPLUS:     On
LibClamAV debug:    * Submodule         XZ:     On
LibClamAV debug:    * Submodule     PASSWD:     On
LibClamAV debug:    * Submodule        MBR:     On
LibClamAV debug:    * Submodule        GPT:     On
LibClamAV debug:    * Submodule        APM:     On
LibClamAV debug:    * Submodule        EGG:     On
LibClamAV debug:    * Submodule        UDF:     On
LibClamAV debug: Module DOCUMENT: On
LibClamAV debug:    * Submodule       HTML:     On
LibClamAV debug:    * Submodule        RTF:     On
LibClamAV debug:    * Submodule        PDF:     On
LibClamAV debug:    * Submodule     SCRIPT:     On
LibClamAV debug:    * Submodule HTMLSKIPRAW:    On
LibClamAV debug:    * Submodule     JSNORM:     On
LibClamAV debug:    * Submodule        SWF:     On
LibClamAV debug:    * Submodule      OOXML:     On
LibClamAV debug:    * Submodule      MSPML:     On
LibClamAV debug:    * Submodule        HWP:     On
LibClamAV debug:    * Submodule    ONENOTE:     On
LibClamAV debug: Module MAIL: On
LibClamAV debug:    * Submodule       MBOX:     On
LibClamAV debug:    * Submodule       TNEF:     On
LibClamAV debug: Module OTHER: On
LibClamAV debug:    * Submodule  UUENCODED:     On
LibClamAV debug:    * Submodule     SCRENC:     On
LibClamAV debug:    * Submodule       RIFF:     On
LibClamAV debug:    * Submodule       JPEG:     On
LibClamAV debug:    * Submodule    CRYPTFF:     On
LibClamAV debug:    * Submodule        DLP:     On
LibClamAV debug:    * Submodule  MYDOOMLOG:     On
LibClamAV debug:    * Submodule PREFILTERING:   On
LibClamAV debug:    * Submodule PDFNAMEOBJ:     On
LibClamAV debug:    * Submodule  PRTNINTXN:     On
LibClamAV debug:    * Submodule        LZW:     On
LibClamAV debug:    * Submodule        GIF:     On
LibClamAV debug:    * Submodule        PNG:     On
LibClamAV debug:    * Submodule       TIFF:     On
LibClamAV debug: Module PHISHING On
LibClamAV debug:    * Submodule     ENGINE:     On
LibClamAV debug:    * Submodule    ENTCONV:     On
LibClamAV debug: Module BYTECODE On
LibClamAV debug:    * Submodule INTERPRETER:    On
LibClamAV debug:    * Submodule    JIT X86:     On
LibClamAV debug:    * Submodule    JIT PPC:     On
LibClamAV debug:    * Submodule    JIT ARM:     ** Off **
LibClamAV debug: Module STATS Off
LibClamAV debug: Module PCRE On
LibClamAV debug:    * Submodule    SUPPORT:     On
LibClamAV debug:    * Submodule    OPTIONS:     On
LibClamAV debug:    * Submodule     GLOBAL:     On
LibClamAV debug: pool memory used: 734.312 MB
LibClamAV debug: No bytecodes loaded, not running builtin test
LibClamAV debug: Checking realpath of arm64-binary
LibClamAV debug: cli_get_filepath_from_filedesc: File path for fd [3] is: /Volumes/git/sandbox/clamav-debug/arm64-binary
LibClamAV debug: Recognized ELF file
LibClamAV debug: clean_cache_check: collect metadata feature enabled, skipping cache
LibClamAV debug: in cli_scanelf
LibClamAV debug: ELF: ELF class 2 (64-bit)
LibClamAV debug: ELF: File is little-endian - conversion not required
LibClamAV debug: ELF: File type: Executable
LibClamAV debug: ELF: Machine type: Unknown (0xb7)
LibClamAV debug: ELF: Number of program headers: 6
LibClamAV debug: ELF: Program header table offset: 64
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Segment #0
LibClamAV debug: ELF: Segment type: 0x6
LibClamAV debug: ELF: Segment offset: 0x40
LibClamAV debug: ELF: Segment virtual address: 0x10040
LibClamAV debug: ELF: Segment real size: 0x150
LibClamAV debug: ELF: Segment virtual size: 0x150
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Segment #1
LibClamAV debug: ELF: Segment type: 0x4
LibClamAV debug: ELF: Segment offset: 0xf9c
LibClamAV debug: ELF: Segment virtual address: 0x10f9c
LibClamAV debug: ELF: Segment real size: 0x64
LibClamAV debug: ELF: Segment virtual size: 0x64
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Segment #2
LibClamAV debug: ELF: Segment type: 0x1
LibClamAV debug: ELF: Segment offset: 0x0
LibClamAV debug: ELF: Segment virtual address: 0x10000
LibClamAV debug: ELF: Segment real size: 0x89deb4
LibClamAV debug: ELF: Segment virtual size: 0x89deb4
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Segment #3
LibClamAV debug: ELF: Segment type: 0x1
LibClamAV debug: ELF: Segment offset: 0x8a0000
LibClamAV debug: ELF: Segment virtual address: 0x8b0000
LibClamAV debug: ELF: Segment real size: 0x980630
LibClamAV debug: ELF: Segment virtual size: 0x980630
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Segment #4
LibClamAV debug: ELF: Segment type: 0x1
LibClamAV debug: ELF: Segment offset: 0x1230000
LibClamAV debug: ELF: Segment virtual address: 0x1240000
LibClamAV debug: ELF: Segment real size: 0x15b820
LibClamAV debug: ELF: Segment virtual size: 0x1a4778
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Segment #5
LibClamAV debug: ELF: Segment type: 0x6474e551
LibClamAV debug: ELF: Segment offset: 0x0
LibClamAV debug: ELF: Segment virtual address: 0x0
LibClamAV debug: ELF: Segment real size: 0x0
LibClamAV debug: ELF: Segment virtual size: 0x0
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Entry point address: 0x000000000007ded0
LibClamAV debug: ELF: Entry point offset: 0x000000000006ded0 (450256)
LibClamAV debug: ELF: Number of sections: 23
LibClamAV debug: ELF: Section header table offset: 400
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 0
LibClamAV debug: ELF: Section offset: 0
LibClamAV debug: ELF: Section size: 0
LibClamAV debug: ELF: Section type: Null (no associated section)
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 1
LibClamAV debug: ELF: Section offset: 4096
LibClamAV debug: ELF: Section size: 9031348
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ELF: Section contains executable code
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 2
LibClamAV debug: ELF: Section offset: 9043968
LibClamAV debug: ELF: Section size: 3610275
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 3
LibClamAV debug: ELF: Section offset: 12654272
LibClamAV debug: ELF: Section size: 263
LibClamAV debug: ELF: Section type: String table
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 4
LibClamAV debug: ELF: Section offset: 12654560
LibClamAV debug: ELF: Section size: 25392
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 5
LibClamAV debug: ELF: Section offset: 12679968
LibClamAV debug: ELF: Section size: 10984
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 6
LibClamAV debug: ELF: Section offset: 12690952
LibClamAV debug: ELF: Section size: 0
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 7
LibClamAV debug: ELF: Section offset: 12690976
LibClamAV debug: ELF: Section size: 6316048
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 8
LibClamAV debug: ELF: Section offset: 19070976
LibClamAV debug: ELF: Section size: 4912
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section contains writable data
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 9
LibClamAV debug: ELF: Section offset: 19075904
LibClamAV debug: ELF: Section size: 1243460
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section contains writable data
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 10
LibClamAV debug: ELF: Section offset: 20319392
LibClamAV debug: ELF: Section size: 174960
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section contains writable data
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 11
LibClamAV debug: ELF: Section offset: 20494368
LibClamAV debug: ELF: Section size: 250776
LibClamAV debug: ELF: Section type: Empty section (NOBITS)
LibClamAV debug: ELF: Section contains writable data
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 12
LibClamAV debug: ELF: Section offset: 20745152
LibClamAV debug: ELF: Section size: 48056
LibClamAV debug: ELF: Section type: Empty section (NOBITS)
LibClamAV debug: ELF: Section contains writable data
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 13
LibClamAV debug: ELF: Section offset: 20512768
LibClamAV debug: ELF: Section size: 309
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 14
LibClamAV debug: ELF: Section offset: 20513077
LibClamAV debug: ELF: Section size: 1182422
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 15
LibClamAV debug: ELF: Section offset: 21695499
LibClamAV debug: ELF: Section size: 340918
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 16
LibClamAV debug: ELF: Section offset: 22036417
LibClamAV debug: ELF: Section size: 51
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 17
LibClamAV debug: ELF: Section offset: 22036468
LibClamAV debug: ELF: Section size: 2483808
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 18
LibClamAV debug: ELF: Section offset: 24520276
LibClamAV debug: ELF: Section size: 1981186
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 19
LibClamAV debug: ELF: Section offset: 26501462
LibClamAV debug: ELF: Section size: 553207
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 20
LibClamAV debug: ELF: Section offset: 3996
LibClamAV debug: ELF: Section size: 100
LibClamAV debug: ELF: Section type: Note section
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 21
LibClamAV debug: ELF: Section offset: 27054672
LibClamAV debug: ELF: Section size: 757704
LibClamAV debug: ELF: Section type: Symbol table
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 22
LibClamAV debug: ELF: Section offset: 27812376
LibClamAV debug: ELF: Section size: 1592073
LibClamAV debug: ELF: Section type: String table
LibClamAV debug: ------------------------------------
LibClamAV debug: Descriptor[3]: Continuing after file scan resulted with: No viruses detected
LibClamAV debug: in cli_elfheader
LibClamAV debug: ELF: ELF class 2 (64-bit)
LibClamAV debug: ELF: Number of program headers: 6
LibClamAV debug: ELF: Number of sections: 23
LibClamAV debug: Matched signature for file type ZIP-SFX at 19076080
LibClamAV debug: Matched signature for file type RAR-SFX at 19076520
LibClamAV debug: Matched signature for file type RAR-SFX at 19076520
LibClamAV debug: Matched signature for file type HTML data at 20077476
LibClamAV debug: Matched signature for file type HTML data
LibClamAV debug: Matched signature for file type HTML data
LibClamAV debug: matcher_run: performing regex matching on full map: 29291136+113313(29404449) >= 29404449
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: CL_TYPE_ZIPSFX signature found at 19076080
LibClamAV debug: in cli_unzip_single
LibClamAV debug: cli_unzip: local header - ZMDNAME:1:���:4294967295:4294927982:692d6c6c:46376:0:1
LibClamAV debug: CDBNAME:CL_TYPE_ZIP:4294927982:���:4294927982:4294967295:1:0:1764584556:0x0
LibClamAV debug: cli_unzip: local header - has data desc
LibClamAV debug: CL_TYPE_RARSFX signature found at 19076520
LibClamAV debug: fmap_dump_to_file: dumping fmap not backed by file...
LibClamAV debug: in scanrar()
unrar_open: Comments are not present in this archive.
unrar_open: Volume attribute (archive volume):              no
unrar_open: Archive comment present:                        no
unrar_open: Archive lock attribute:                         no
unrar_open: Solid attribute (solid archive):                no
unrar_open: New volume naming scheme ('volname.partN.rar'): no
unrar_open: Authenticity information present (obsolete):    no
unrar_open: Recovery record present:                        no
unrar_open: Block headers are encrypted:                    no
unrar_open: First volume (set only by RAR 3.0 and later):   no
unrar_open: Opened archive: /var/folders/ln/vqtgf6r50jj7llpd28yrv60d082fsw/T//20240730_210831-scantemp.fe25d32168/clamav-d4aed806711af70417a1e533c7ea5fc1.tmp
unrar_peek_file_header:   Name:
unrar_peek_file_header:   Directory?:    0
unrar_peek_file_header:   Target Dir:    0
unrar_peek_file_header:   RAR Version:   3
unrar_peek_file_header:   Packed Size:   8719941959316996884
unrar_peek_file_header:   Unpacked Size: 9080236526577124131
LibClamAV debug: RAR: , crc32: 0x35033103, encrypted: 0, compressed: 52232980, normal: 52953891, method: 97, ratio: 1
LibClamAV debug: CDBNAME:CL_TYPE_RAR:8719941959316996884::8719941959316996884:9080236526577124131:0:1:889401603:0x0
LibClamAV debug: RAR: filesize exceeded (allowed: 2147483645, needed: 9080236526577124131)
LibClamAV debug: FP SIGNATURE: 312cc9<redacted>:10327929:Heuristics.Limits.Exceeded.MaxFileSize  # Name: n/a, Type: CL_TYPE_RAR
LibClamAV debug: FP SIGNATURE: 5e5e9c<redacted>:29404449:Heuristics.Limits.Exceeded.MaxFileSize  # Name: arm64-binary, Type: CL_TYPE_ELF
LibClamAV debug: Heuristics.Limits.Exceeded.MaxFileSize: scanning may be incomplete and additional analysis needed for this file.
LibClamAV debug: RAR: Next file is too large (9080236526577124131 bytes); it would exceed max scansize.  Skipping to next file.
unrar_skip_file: File skipped.
unrar_retcode: Bad data / File CRC error.
LibClamAV debug: RAR: Error (4) reading file header!
LibClamAV debug: RAR: Exit code: 0
LibClamAV debug: CL_TYPE_RARSFX signature found at 19076520
LibClamAV debug: fmap_dump_to_file: dumping fmap not backed by file...
LibClamAV debug: in scanrar()
unrar_open: Comments are not present in this archive.
unrar_open: Volume attribute (archive volume):              no
unrar_open: Archive comment present:                        no
unrar_open: Archive lock attribute:                         no
unrar_open: Solid attribute (solid archive):                no
unrar_open: New volume naming scheme ('volname.partN.rar'): no
unrar_open: Authenticity information present (obsolete):    no
unrar_open: Recovery record present:                        no
unrar_open: Block headers are encrypted:                    no
unrar_open: First volume (set only by RAR 3.0 and later):   no
unrar_open: Opened archive: /var/folders/ln/vqtgf6r50jj7llpd28yrv60d082fsw/T//20240730_210831-scantemp.fe25d32168/clamav-3d5e7e2157c138de5bd860f56bc2ce0d.tmp
unrar_peek_file_header:   Name:
unrar_peek_file_header:   Directory?:    0
unrar_peek_file_header:   Target Dir:    0
unrar_peek_file_header:   RAR Version:   3
unrar_peek_file_header:   Packed Size:   8719941959316996884
unrar_peek_file_header:   Unpacked Size: 9080236526577124131
LibClamAV debug: RAR: , crc32: 0x35033103, encrypted: 0, compressed: 52232980, normal: 52953891, method: 97, ratio: 1
LibClamAV debug: CDBNAME:CL_TYPE_RAR:8719941959316996884::8719941959316996884:9080236526577124131:0:1:889401603:0x0
LibClamAV debug: RAR: filesize exceeded (allowed: 2147483645, needed: 9080236526577124131)
LibClamAV debug: RAR: Next file is too large (9080236526577124131 bytes); it would exceed max scansize.  Skipping to next file.
unrar_skip_file: File skipped.
unrar_retcode: Bad data / File CRC error.
LibClamAV debug: RAR: Error (4) reading file header!
LibClamAV debug: RAR: Exit code: 0
LibClamAV debug: Descriptor[3]: Continuing after file scan resulted with: No viruses detected
LibClamAV debug: Running bytecode hook
LibClamAV debug: Bytecode executing hook id 261 (0 hooks)
LibClamAV debug: Bytecode: no logical signature matched, no bytecode executed
LibClamAV debug: Finished running bytecode hook
LibClamAV debug: Descriptor[3]: Continuing after file scan resulted with: No viruses detected
LibClamAV debug: cli_magic_scan: returning 0  at line 5037
LibClamAV debug: {
  "Magic":"CLAMJSONv0",
  "RootFileType":"CL_TYPE_ELF",
  "FileName":"arm64-binary",
  "FileType":"CL_TYPE_ELF",
  "FileSize":29404449,
  "FileMD5":"5e5e9c<redacted>",
  "EmbeddedObjects":[
    {
      "FileType":"CL_TYPE_ZIPSFX",
      "Offset":19076080
    },
    {
      "FileType":"CL_TYPE_RARSFX",
      "Offset":19076520,
      "Viruses":[
        "Heuristics.Limits.Exceeded.MaxFileSize"
      ],
      "ParseErrors":[
        "Heuristics.Limits.Exceeded.MaxFileSize"
      ]
    },
    {
      "FileType":"CL_TYPE_RARSFX",
      "Offset":19076520
    }
  ]
}
LibClamAV debug: Bytecode executing hook id 260 (0 hooks)
LibClamAV debug: Bytecode: no logical signature matched, no bytecode executed

/Volumes/git/sandbox/clamav-debug/arm64-binary: Heuristics.Limits.Exceeded.MaxFileSize FOUND

LibClamAV debug: Descriptor[3]: halting after file scan because: Virus(es) detected
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

----------- SCAN SUMMARY -----------
Known viruses: 2038591
Engine version: 1.3.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 29.86 MB
Data read: 28.04 MB (ratio 1.06:1)
Time: 6.226 sec (0 m 6 s)
Start Date: 2024:07:30 21:08:26
End Date:   2024:07:30 21:08:32

Unfortunately, I can't share the concrete binary. But happy to dig up more debug information if helpful!

fawind avatar Jul 30 '24 20:07 fawind

Did some more digging and think this has the same cause as https://github.com/Cisco-Talos/clamav/issues/1143#issuecomment-1894595948.

This is also a compiled golang binary which contains the rar header bytes because go stdlib defines this as a string here: https://github.com/golang/go/blob/b44f6378233ada888f0dc79e0ac56def4673d9ed/src/net/http/sniff.go#L183-L190

Hex of the scanned file at the referenced offset:

[Screenshot 2024-08-01 at 11:14:57: hex dump at the referenced offset, not reproduced]

ClamAV then assumes that this is the beginning of a RAR archive and tries to read the PACK_SIZE and UNP_SIZE RAR headers to get the archive size. However, given this is not actually a RAR archive, the location contains effectively random bytes, which results in ClamAV assuming it's a 9 PB archive.

unrar_peek_file_header:   Name:
unrar_peek_file_header:   Directory?:    0
unrar_peek_file_header:   Target Dir:    0
unrar_peek_file_header:   RAR Version:   3
unrar_peek_file_header:   Packed Size:   8719941959316996884
unrar_peek_file_header:   Unpacked Size: 9080236526577124131

Can we improve the RAR archive detection here? Not sure in what ways we already do this, but maybe we can check for the presence of the HEAD_TYPE bytes or even check if the HEAD_CRC is present?

Currently, any golang binary containing net/http/sniff (or other static references to the rar header) will likely run into an FP here.

fawind avatar Aug 01 '24 10:08 fawind
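As an added example (not ClamAV's or libclamunrar's code), a Python sketch of the structural check proposed in the comment above: after the 7-byte marker, the archive header and the first file header must carry the expected HEAD_TYPE and a HEAD_CRC that matches the block before PACK_SIZE/UNP_SIZE are trusted, so a bare marker string sitting in a Go binary's rodata is rejected instead of yielding a multi-petabyte size. The field layout and CRC rule are the standard RAR 3.x ones; the two sample buffers (`GOOD`, `FAKE`) are constructed here.

```python
import struct
import zlib
RAR3_MARKER = b"Rar!\x1a\x07\x00"   # 7-byte marker block (HEAD_TYPE 0x72)
MAIN_HEAD, FILE_HEAD = 0x73, 0x74
LHD_LARGE = 0x0100                   # file-header flag: 64-bit sizes present

def _block(buf, off, want_type, min_size=7):
    """Parse one block header at off: ((size, flags), None) or (None, reason)."""
    if len(buf) < off + 7:
        return None, "truncated block header"
    head_crc, head_type, flags, size = struct.unpack_from("<HBHH", buf, off)
    if head_type != want_type:
        return None, "HEAD_TYPE 0x%02x != 0x%02x" % (head_type, want_type)
    if size < min_size or len(buf) < off + size:
        return None, "HEAD_SIZE %d out of range" % size
    # RAR 3.x: HEAD_CRC is the low 16 bits of CRC32 over HEAD_TYPE..end of block
    if zlib.crc32(buf[off + 2:off + size]) & 0xFFFF != head_crc:
        return None, "HEAD_CRC mismatch"
    return (size, flags), None

def rar3_first_file_sizes(buf, off=0):
    """((packed, unpacked), None) for a structurally valid RAR 3.x stream at
    off, or (None, reason) when the bytes merely start with the marker."""
    if buf[off:off + 7] != RAR3_MARKER:
        return None, "no RAR3 marker"
    pos = off + 7
    main, err = _block(buf, pos, MAIN_HEAD, 13)     # MAIN_HEAD is 13 bytes
    if err:
        return None, "MAIN_HEAD: " + err
    pos += main[0]
    fh, err = _block(buf, pos, FILE_HEAD, 32)       # fixed part of FILE_HEAD
    if err:
        return None, "FILE_HEAD: " + err
    packed, unpacked = struct.unpack_from("<II", buf, pos + 7)
    if fh[1] & LHD_LARGE:            # 64-bit sizes: HIGH_* fields follow ATTR
        if fh[0] < 40:
            return None, "FILE_HEAD: LHD_LARGE set but header too short"
        hi_p, hi_u = struct.unpack_from("<II", buf, pos + 32)
        packed, unpacked = packed | hi_p << 32, unpacked | hi_u << 32
    return (packed, unpacked), None

def _mk_block(head_type, flags, body):
    """Build a block with a correct HEAD_CRC (only for the constructed sample)."""
    rest = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest

# Constructed sample: minimal valid RAR 3.x prefix, one file "a", 10 packed / 20 unpacked bytes.
GOOD = (RAR3_MARKER + _mk_block(MAIN_HEAD, 0, b"\x00" * 6)
        + _mk_block(FILE_HEAD, 0x8000,
                    struct.pack("<IIBIIBBHI", 10, 20, 0, 0, 0, 29, 0x30, 1, 0) + b"a"))
# Constructed sample: the marker followed by unrelated string data, as in a Go binary's net/http sniff table.
FAKE = RAR3_MARKER + b"Rar!\x1a\x07\x01\x00application/x-rar-compressed"
```

On `FAKE` the check stops at the archive header (the byte after the marker is another 'r', not HEAD_TYPE 0x73), so no size is ever read from the surrounding string data.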