ClamAV Antivirus by default setting wont search files larger than 25mb.
ClamAV warns "increasing this limit or setting too high may result in severe damage to the system." And someone else said "you don't want to DOS your own system or fill up your filesystem by having clamscan generate a bunch of temp files."
But this is all actually weird & bizarre, in my entire life, never have i come across a supposed antivirus software, & I've used countless types, that can harm you if they are configured to search all your PC's large files. Why can these mainstream antivirus programs do this without problem, but ClamAV cant figure out how to do it?
Lastly I want to point out that Linus Tech Tips was recently hacked by a virus that was disguised inside a 800mb pdf file, the hackers knew antiviruses in general ignore/skip over large files & dont scan them.
The largest max file size that I have seen so far in my life is 128mb
And... this topic can get a bit misleading if you look around the web. Some places will state that if you do not configure a max file size, then there is no limit. This is not an accurate way of wording it.
If scanning a Large File, the scanner will scan the individual files contained within that large file.
For example, let's say you download a .deb package and you wish to scan it. The .deb package is composed of smaller files. So even if that package has a total size of 48mbs, the files within it are significantly smaller, usually in the kilobyte range. The individual files are scanned, not the total package size.
So the scanner can scan an 800gigabyte package "file" by scanning the component files that are smaller than the max limit. See? Problem solved, right? And if the scanner encounters one single file too large - it just skips that file and does not tell you so. It is programmed to "assume it safe."
The difference between ClamAV and others is that ClamAV openly admits this to you.
@Aravisian , Thanks for the comment.
1.) Your first example, Google, is not actually an installable program.
I was referring to installable antivirus programs. Which i have never had an issue scanning large files with.
2.) Virustotal is not an installable antivirus either. Also many people warn that Virustotal is not an actual "antivirus", its missing features that make an antivirus tool good & complete. I cant remember what they are though.
3.) "it just skips that file and does not tell you so. It is programmed to "assume it safe. The difference between ClamAV and others is that ClamAV openly admits this to you."
That maybe true, but all antiviruses I've ever used never told me they skipped large files. Always seemed to me they scanned literally everything, as long as i told them to do a thorough deep scan. Hmm...
The main problem is speed... smaller files being scanned keep the system responsive, whereas a huge file being scanned on a system that isn't set up to handle it may make it seem to freeze for awhile, it may crash due to memory exhaustion, etc., etc. ClamAV attempts to scan in-memory, so huge files will exhaust memory.
When I was on Windows, I had my A/V (AVG antivirus) set to scan files up to 4 GB in size (the interface wouldn't let me choose a higher number than that)... no problems whatsoever.
Sophos savscan handles files up to 8 GB.
Clamscan tops out at 4 GB (but it'll struggle above 2 GB), but you can use split to chunk a large file, then feed the pieces to the scanner... but that comes with problems of its own stripe... if the file is virus-infected, and the file is split such that the virus code is split, it might not be detected. Scanning multiple times with different chunk sizes (333 MB, 500 MB, 1.2 GB) so the splits change with each scan would be one solution, but that drastically increases scan time.
There is another way... use INSTREAM to successively scan chunks of large files. That's essentially the same as using split, but more elegant. Same drawbacks, though.
I've been using the ClamAV CLI for all sorts of files without issues. For example I'm able to run it against the ZorinOS 16.2 Pro iso (5.5GB) without any issues.
I'm wondering now if that is because of how this file type actually may be actually structured, into smaller chunks as Aravisian pointed out. However, I run it on every file I download regardless of the type or size, and it always seems to do it's job fine.
It may also be different when running it as a one-time scan, as opposed to having it run in the backround.
default the max size is 20Mb . Use --max-scansize . ClamAV is mainly oriented at mail servers and scanning attachments. It has a max filesize limit in order to prevent an attacker sending a ton of big attachments and grind the mail server to a halt as clamav slowly scans the files in resident memory. Do note the max size is 4gb, and clamav will try to load any file up to 4gb into ram, so if you don't have 4gb free the system will become annoyingly unresponsive
You may see people on various forums suggest max-filesize, Don't use max-filesize without understanding what it does :
--max-filesize=#n - files larger than this will be skipped and assumed clean.
If you want to scan your Linux files for linux malware ClamAV uses mainly Windows rules to find Windows viruses (again originally designed for mail and attachments). If you need to scan a Linux OS for malware you need to also use tools like rkhunter or chkrootkit.
Seems you're trying to use ClamAV to what it's not designed for. ClamAV is a mail/attachment scanner scanning mainly for Windows OS nasties. Follow @seanhinkley advise instead.
