-
Notifications
You must be signed in to change notification settings - Fork 712
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Failure scanning large image #889
Comments
@sammarshallou I am unable to reproduce any failure scanning the attached image with I tried this first:
Then when that worked, I tried starting
And once started, I ran this:
Seems to be working okay to me. Please share any output you have that shows an error. |
Never mind, just found 877 |
Most of that In any case, you described an error in your initial post. Where is this error? |
@micahsnyder I've got no error message so this may not be reproducible, maybe you need to close this, apologies. To give a bit more detail, we are running a docker image inside Amazon ECS, and sending it the file data via a socket connection from a PHP application running separately. After the data is sent (fwrite of 'nINSTREAM\n', followed by the byte size and the actual data, followed by a zero), the PHP code reads one line from the socket using this command:
For a working file, the value of $output which I'm logging is 'stream: OK\n'. For a non-working file, this function returns FALSE, which generally means the connection was closed. There is a health check on connecting to the clamd port, which then fails, and ECS kills the task and starts a new one. So it looks like it crashed. There is nothing in the clamd log except the stuff that gets logged when the new instance starts up. |
@sammarshallou That's strange! Clamd does have have read timeout where it will close the connection after a configurable time limit, using |
@micahsnyder I had logging from the PHP application of the time when the write of the file data finished, and the time when the response read finished (or failed in the case of this large image). While it's much longer than the tiny working image I was comparing against, It's still only 3 seconds so I don't think there can be a timeout: [2023-04-17 14:44:37.387127 GMT] [php:notice] [pid 144:tid [client 10.52.1.104:39134] ClamAV done write... I checked in clamd.conf and our ReadTimeout is set to 600, CommandReadTimeout left at default 30. While looking in the file I did notice there are verbose and debug logging options, so I figured out how to rebuild our container, turned both those on and repeated the test. It's a bit hard to tell what happens because the same log includes multiple containers, but I think when it's failing, the log ends like this: | Tue Apr 18 09:06:38 2023 -> Got chunksize: 0 | I.e. after that line there is no more about the jpg, it stops there. This compares to a successful (small) jpg scan which continued after that line: | Tue Apr 18 09:06:28 2023 -> Got chunksize: 0 | So it does appear like whatever is failing on our setup might be something that happens while computing the hash. |
Following further investigation it looks like this happens for us when the machine runs out of memory, so it's not really a bug (although it might be nice if there was an 'out of memory' error message in the log). We've increased the memory capacity of the ClamAV container, and the problem is now resolved for us, so I'll close this issue, apologies. |
@sammarshallou Glad to hear you figured out it was a memory issue. Sorry it was so frustrating to solve. It certainly would be nice if clamd could detect it was about to exceed system memory and warn before the OS kills it. |
Describe the bug
When using a very large image (attached), 11840x7500, 9MB JPEG:
We get an error scanning. This is using the clamav/clamav:latest from https://hub.docker.com/layers/clamav/clamav/latest/images/sha256-eb1057073c6178d3e7f3e6e1edb43feec84db6809f12fbf900d9f7056380793a?context=explore as of yesterday.
The error happens with multiple images of this size (originally we had a user report, this test image is one I made).
It does not happen with normal-sized images, nor with other files that aren't images, even if they are larger (eg 13MB .dll file).
We are using a Moodle installation to do this and it fails across multiple different instances (test, live, etc). I tried downloading the latest 'portable win64' ClamAV standalone installation, but it is able to successfully scan this file.
How to reproduce the problem
On our Moodle system connected to a ClamAV container (version as above), upload the attached file; it fails with the 'error scanning file' popup message. (This is different from the 'your file has a virus' popup message, but that's the only information I have.)
Attachments
The text was updated successfully, but these errors were encountered: