[clamav-users] ClamWin finds malware, ClamAV doesn't.
Jay Gattuso
2016-07-20 19:03:40 UTC
I’m trying to get clamd running as a service so I can fire files/streams at it via pyclam.

I’m working on win7.

I have a test file that shows a Win.Trojan.URLspoof-2 warning.

ClamWin:

----------- SCAN SUMMARY -----------
Known viruses: 4660817
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 1
Infected files: 1

Data scanned: 85.88 MB
Data read: 99.27 MB (ratio 0.87:1)
Time: 10.720 sec (0 m 10 s)

--------------------------------------
Completed
--------------------------------------

ClamAV:

C:\Program Files\clamav-amd64-0.99.2>freshclam
ClamAV update process started at Thu Jul 21 06:51:27 2016
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 21938, sigs: 447370, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)

C:\Program Files\clamav-amd64-0.99.2>clamscan C:\Users\_____\Desktop\NLNZ-TI95846839-20160630231930-00008-kaiwae-z4.warc

----------- SCAN SUMMARY -----------
Known viruses: 4660817
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 99.27 MB (ratio 0.00:1)
Time: 7.847 sec (0 m 7 s)

clamscan wouldn’t work until I fired freshclam.
Clamd.conf points towards the clamwin db files.
The pyclam endgame also doesn’t find anything. I assume it's working from the clamav clamd service.


What am I missing? / What else do you need to know to help me troubleshoot?


Jay Gattuso | Digital Preservation Analyst | Preservation, Research and Consultancy
National Library of New Zealand | Te Puna Mātauranga o Aotearoa
PO Box 1467 Wellington 6140 New Zealand | +64 (0)4 474 3064
***@dia.govt.nz

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
G.W. Haywood
2016-07-21 16:19:22 UTC
Hi there,
Post by Jay Gattuso
What am I missing? / What else do you need to know to help me trouble shoot?
You are probably using different configuration files for the two scans.

Find them and you might have your answer. If not, post them here.
--
73,
Ged.
Kevin Lin
2016-07-21 18:21:08 UTC
clamd.conf does not affect the behavior of clamscan, which is why you needed
to run freshclam first to pull the database to the default database location.
Thus, there is a possibility that the databases may be mismatched, though
it's unlikely as the signature is still part of the current set. In order
to change the clamscan directory from the default, you need to use the '-d'
option.

clamscan -d [database directory] [sample]

Secondly, the versions of ClamAV differ between the two test cases (ClamWin
uses 0.99.1 and clamscan uses 0.99.2). However, there doesn't seem to be
any engine changes that would affect the signature in question.

Thirdly, it appears that ClamWin reports that it scans 85.88 MB while
clamscan reports it scans 0 MB (both read 99.27 MB). It is possible that
the engine is not scanning the file though the reason is uncertain. The
reason could be deduced from comparing the debug logs. It might also be
worth it to provide the logs here as well. Unfortunately, I'm not familiar with
generating debug logs with ClamWin. clamscan will generate the debug log if
you specify "--debug" to it on the command line.

clamscan --debug [sample]

For additional information on clamscan options, refer to the clamscan
manpage or use the "--help" option.

clamscan --help

Finally, if you suspect that this may be a bug, please report the issue to
https://bugzilla.clamav.net and supply the appropriate samples.

-Kevin
Jay Gattuso
2016-07-25 19:29:53 UTC
Thanks for your questions and suggestions.

I had a look via the --debug method, and found the following in the clamAV call:-

LibClamAV debug: cli_updatelimits: filesize exceeded (allowed: 26214400, needed: 104096320)

To check this, I ran clamAV with an eicar string test and got the expected hit:

D:\clamav_testing\EICAR_string.py: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4667494
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 7.622 sec (0 m 7 s)

Is there somewhere in the clamAV config I can set the cli_updatelimits: filesize to be larger?

In the install dir I only see clamd.conf and freshclam.conf:

clamd.conf:
TCPSocket 3310
MaxThreads 2
LogFile C:\working\clam_av_logs\clamd.txt
DatabaseDirectory C:\Program Files\clamav-amd64-0.99.2\db

freshclam.conf:
DatabaseMirror database.clamav.net
DNSDatabaseInfo current.cvd.clamav.net



Thanks,

J


Jay Gattuso
Al Varnell
2016-07-26 06:10:38 UTC
You might be able to re-compile the ClamAV source and configure it with --maxfilesize=xxM, but the limit is there to prevent severe system damage that can result from attempting to scan over-sized files. I know in the case of OS X there is no known malware that exceeds the established limits.

-Al-
Kevin Lin
2016-07-26 16:26:24 UTC
The filesize limit can be dynamically set for clamscan with the
"--max-filesize=xxM" option. clamd.conf can be used to change the clamd
filesize limit with "MaxFileSize".

Excerpt from clamscan help:
----
--max-filesize=#n        Files larger than this will be
                         skipped and assumed clean
--max-scansize=#n        The maximum amount of data to scan
                         for each container file (**)
--max-files=#n           The maximum number of files to
                         scan for each container file (**)
----

Excerpt from clamd.conf manpage:
----
MaxScanSize SIZE
    Sets the maximum amount of data to be scanned for each input
    file. Archives and other containers are recursively extracted and scanned
    up to this value. The size of an archive plus the sum of the sizes of all
    files within archive count toward the scan size. For example, a 1M
    uncompressed archive containing a single 1M inner file counts as 2M toward
    the max scan size. Warning: disabling this limit or setting it too
    high may result in severe damage to the system.
    Default: 100M

MaxFileSize SIZE
    Files larger than this limit won't be scanned. Affects the
    input file itself as well as files contained inside it (when the input file
    is an archive, a document or some other kind of container). Warning:
    disabling this limit or setting it too high may result in severe damage to
    the system.
    Default: 25M

...

MaxFiles NUMBER
    Number of files to be scanned within an archive, a document,
    or any other kind of container. Warning: disabling this limit or setting it
    too high may result in severe damage to the system.
    Default: 10000
----

As said earlier, be careful with expanding the engine limits as scanning
oversized files can be dangerous.

-Kevin
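The failure mode Kevin describes above is easy to miss: a file over MaxFileSize is skipped and "assumed clean", yet clamscan still prints "Infected files: 0". As an added example (not code from this thread or from ClamAV), this Python parses clamscan --debug output, refuses to treat such a run as a clean verdict, and turns the "needed" byte count from the cli_updatelimits line into the matching --max-filesize flag and clamd.conf MaxFileSize directive. The sample output is constructed from the numbers Jay posted.

```python
import math
import re

# Constructed sample: the --debug line Jay found followed by the summary
# clamscan printed for the same (skipped) file, numbers as posted.
SKIPPED_OUTPUT = """\
LibClamAV debug: cli_updatelimits: filesize exceeded (allowed: 26214400, needed: 104096320)
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 99.27 MB (ratio 0.00:1)
"""

LIMIT_RE = re.compile(r"cli_updatelimits: (\w+) exceeded \(allowed: (\d+), needed: (\d+)\)")
FIELD_RE = re.compile(r"^(Infected files|Data scanned|Data read): ([\d.]+)", re.M)
MIB = 1024 * 1024

def parse_scan(output):
    """Classify clamscan output as 'infected', 'clean' or 'not_scanned'.

    'Infected files: 0' is only trusted as clean when no engine limit was
    hit and some of the data read was actually scanned; otherwise the file
    was skipped and merely assumed clean, which is not a verdict.
    """
    fields = {k: float(v) for k, v in FIELD_RE.findall(output)}
    limits = [(n, int(a), int(b)) for n, a, b in LIMIT_RE.findall(output)]
    if fields.get("Infected files", 0) > 0:
        return "infected", limits
    skipped = fields.get("Data read", 0) > 0 and fields.get("Data scanned", 0) == 0
    if limits or skipped:
        return "not_scanned", limits
    return "clean", limits

def suggest_settings(limits, max_scansize=100 * MIB):
    """Map the 'needed' byte count to the clamscan flag and clamd.conf
    directive, rounded up to whole MiB (ClamAV's 'M' suffix). raise_scansize
    flags when the file alone already exceeds MaxScanSize (default 100M);
    a container's own size plus its contents count toward that limit."""
    out = {}
    for name, _allowed, needed in limits:
        if name != "filesize":  # only the filesize limit maps to MaxFileSize
            continue
        mib = math.ceil(needed / MIB)
        out["clamscan"] = f"--max-filesize={mib}M"
        out["clamd.conf"] = f"MaxFileSize {mib}M"
        out["raise_scansize"] = needed > max_scansize
    return out
```

For Jay's 99.27 MB WARC this yields --max-filesize=100M for clamscan and MaxFileSize 100M for clamd; the same logic applies to output captured from clamd via pyclamd when clamd.conf carries Debug.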
Dennis Peterson
2016-07-26 17:06:03 UTC
ClamAV is both an email/attachment scanner and a file system scanner. It is
pointless to set the email scanner to scan files larger than your MTA is
configured to accept. Secondarily, the interface between the MTA and ClamAV
frequently has a max filesize parameter, too. This is to prevent DOS'ing your
own system. This means only that the clamd.conf file used for file scanning is
possibly inappropriate for use as an email scanner. And there is absolutely no
reason people cannot run multiple instances of clamd on a system so long as each
has its own clamdxx.conf and port/socket/log settings.

dp