
clamdscan incorrectly indicating MaxFiles exceeded

Open stheine opened this issue 3 years ago • 1 comments

Describe the bug

Scanning a large file (zip) with many small files inside, the MaxFiles might get exceeded, resulting in the virus scanner skipping this file.

In clamd.conf, I have configured AlertExceedsMax yes, and this results in a bad error message:

$ clamdscan manySmallFiles.zip
/path/to/manySmallFiles.zip: Heuristics.Limits.Exceeded.MaxFiles FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 26.653 sec (0 m 26 s)
Start Date: 2022:08:05 13:13:37
End Date:   2022:08:05 13:14:04

That reporting is incorrect. In fact, there are no Infected files, where the scanner is reporting 1. Also, the line at the top might be understood to mean that a virus was found with the name Heuristics.Limits.Exceeded.MaxFiles.

How to reproduce the problem

Create a zip file that contains more files inside than configured in the clamd.conf MaxFiles. Send this file via clamdscan.

stheine avatar Aug 05 '22 13:08 stheine

Hi,

Thank you for the report.

That alert can be enabled/disabled with the "HeuristicAlerts" option in your clamd.conf file. The reason a user might want to see those messages is because of the possibility that a malware author intentionally created a zip file with a lot of tiny files in it to prevent clam from scanning a malicious file.

Thanks, Andy

ragusaa avatar Aug 18 '22 21:08 ragusaa
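
Added example, not part of the original thread and not ClamAV project code: a small triage step for clamdscan output that separates `Heuristics.Limits.Exceeded.*` results (file not fully scanned) from signature matches, so a pipeline neither treats them as malware nor as clean. The function names, the verdict labels, and the sample lines other than the one from the report are assumptions made for illustration.

```python
import re

# Name prefix seen in the report above: a scan limit was hit, no signature matched.
LIMIT_PREFIX = "Heuristics.Limits.Exceeded"

# clamdscan result lines look like "<path>: <name> FOUND" or "<path>: OK".
RESULT_RE = re.compile(r"^(?P<path>.+): (?:(?P<sig>\S+) FOUND|(?P<ok>OK))$")

# Constructed sample: first line is from the report, the rest are made up.
SAMPLE = """\
/path/to/manySmallFiles.zip: Heuristics.Limits.Exceeded.MaxFiles FOUND
/path/to/other.bin: Example.Placeholder.Signature FOUND
/path/to/readme.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 2
"""


def triage(output):
    """Split result lines into signature hits, limit hits and clean files."""
    result = {"malware": [], "limit_exceeded": [], "clean": []}
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue  # summary block and blank lines are ignored
        path, sig = m.group("path"), m.group("sig")
        if m.group("ok"):
            result["clean"].append(path)
        elif sig == LIMIT_PREFIX or sig.startswith(LIMIT_PREFIX + "."):
            result["limit_exceeded"].append((path, sig))
        else:
            result["malware"].append((path, sig))
    return result


def verdict(result):
    """Hypothetical policy: limit hits mean 'not fully scanned', never 'clean'."""
    if result["malware"]:
        return "infected"
    if result["limit_exceeded"]:
        return "not-fully-scanned"
    return "clean"


if __name__ == "__main__":
    r = triage(SAMPLE)
    print(verdict(r), r)
```

A file that lands in `limit_exceeded` is a candidate for quarantine or a rescan with higher limits rather than delivery, which matches the reason given in the reply for keeping the alert visible.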