What does this ClamAV message mean?
I am running a ClamAV scan on a Linux box, using this command:
$ sudo clamscan -r -l ClamScanLog -i /
[sudo] password for e:
msxml.xml:14: parser error : Extra content at the end of the document
^
LibClamAV Warning: check_state[msxml]: CL_EPARSE @ ln304
LibClamAV Warning: cli_msxml_parse_document: encountered issue in parsing xml document
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes
....
What do these warnings mean, and should I be concerned? The CPU fan is revving way up periodically; whatever is happening seems CPU intensive.
The parser error is not technically a ClamAV error but an XML error, typically a formatting issue. Using Stack Overflow might help.
But the real issue, I believe, is the file size you are trying to scan. Take a look at the ClamAV man page. You'll see that there is a --max-filesize flag. There is a default of 25MB (to prevent DoS attacks).
If I put a guess on this, your XML file is larger than 25MB (approx. 27MB), and when you attempt to read it, it cannot get all the way through and cuts off important information; thus you have a ClamAV warning that it hit its limit and an XML warning that the format is not correct.
Try:
sudo clamscan --max-filesize=30M -r -l ClamScanLog -i /
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes
ClamAV, like all other antivirus software, cannot scan a file that exceeds a certain volume. The message above just warns you that ClamAV has encountered a huge file and it cannot scan it. If you are curious, check the documentation for the default value of the size of the files that ClamAV can handle properly.
LibClamAV Warning: cli_msxml_parse_document: encountered issue in parsing xml document
If you check this source code file of ClamAV, you will find on line 484:
    else if (ret == CL_VIRUS || ret == CL_ETIMEOUT || ret == CL_BREAK) {
        cli_dbgmsg("cli_msxml_parse_document: encountered halt event in parsing xml document\n");
        break;
    } else {
        cli_warnmsg("cli_msxml_parse_document: encountered issue in parsing xml document\n");
        break;
    }
You can notice (after checking the meaning of the flags CL_VIRUS, CL_ETIMEOUT, and CL_BREAK used as a return value) that this may be caused either by the scan process over a given file taking a long time or stopping for some reason, or it is unlikely to be a virus file (I said unlikely regarding line 481 of the same file). This warning message could also be triggered for an unexpected reason that ClamAV does not know (line 488). Keep in mind that all these warnings are related to parsing XML documents.
LibClamAV Warning: check_state[msxml]: CL_EPARSE @ ln304
In the libclamav/msxml_parser.c file, you can see that this warning is raised when ClamAV encounters a problem around one XML file content node (state = xmlTextReaderNext(reader);).
The default maximum file size is 25M; it is set in:
/etc/clamav/clamd.conf
MaxFileSize 25M
It can also be provided to clamscan as a command line argument like so:
--max-filesize 100M
There's a warning in the man file about not disabling it or setting it too high.
Warning: disabling this limit or setting it too high may result in severe damage to the system.
I'm not really sure what they mean by that. The only reasons I have found to not set that too high are that you don't want to DoS your own system or fill up your filesystem by having clamscan generate a bunch of temp files. That's pretty strong language though, so I'm going to increase gradually and test as I go. If you're using ClamAV as an email scanner you don't need to scan files larger than your mail server accepts, but if you're using it to scan your filesystem you might want to bump it up.
There's also a setting for the maximum scan size. (This applies to compressed files with large files inside; ClamAV needs to open the file, then open and scan each subfile.) scansize sets the max limit for a file plus all its contents. You set that with:
--max-scansize=250M
or in the config file listed above
MaxScanSize 250M
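
An added example (not from any of the answers above, and not ClamAV project code): a shell function that triages the LibClamAV warnings discussed on this page, separating those where a size limit cut a scan short (a coverage gap) from XML parser warnings. The function names and the sample input are constructed for illustration; real input is assumed to be clamscan's stderr saved to a file, e.g. with `2>warnings.txt`.

```shell
#!/bin/sh
# Constructed sample input, modelled on the warnings quoted in the question.
sample_warnings() {
cat <<'EOF'
LibClamAV Warning: check_state[msxml]: CL_EPARSE @ ln304
LibClamAV Warning: cli_msxml_parse_document: encountered issue in parsing xml document
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes
EOF
}

# Reads clamscan stderr on stdin and prints one line per warning source:
#   <count> <class> <source> [<largest "only scanning" byte count>]
# class: "limit" = scan truncated by a size limit, "parse" = XML parser
# problem, "other" = anything else.
triage_clam_warnings() {
  awk '
    /^LibClamAV Warning: / {
      line = $0
      sub(/^LibClamAV Warning: /, "", line)
      src = line
      sub(/:.*/, "", src)            # text before the first colon = reporting function
      class = "other"
      if (line ~ /exceeds limits/) class = "limit"
      else if (line ~ /CL_EPARSE|parsing xml/) class = "parse"
      count[src]++
      cls[src] = class
      # "only scanning " is 14 characters, " bytes" is 6
      if (class == "limit" && match(line, /only scanning [0-9]+ bytes/)) {
        n = substr(line, RSTART + 14, RLENGTH - 20) + 0
        if (n > maxb[src]) maxb[src] = n
      }
    }
    END {
      for (s in count) {
        if (cls[s] == "limit")
          printf "%d %s %s %d\n", count[s], cls[s], s, maxb[s]
        else
          printf "%d %s %s\n", count[s], cls[s], s
      }
    }' | LC_ALL=C sort -k3
}

# Demo run on the constructed sample.
sample_warnings | triage_clam_warnings
```

Lines classed as "limit" are the ones that the --max-filesize and --max-scansize settings affect; "parse" lines are not changed by raising those limits unless the parse failure was itself caused by truncation.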