9

I am running a ClamAV scan on a Linux box, using this command:

$ sudo clamscan -r -l ClamScanLog -i /
[sudo] password for e: 
msxml.xml:14: parser error : Extra content at the end of the document

^
LibClamAV Warning: check_state[msxml]: CL_EPARSE @ ln304
LibClamAV Warning: cli_msxml_parse_document: encountered issue in parsing xml document
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes

....

What do these warnings mean, and should I be concerned? The CPU fan is revving way up periodically; whatever is happening seems CPU intensive.

j0h
  • 1,460

3 Answers

9

The parser error is not technically a ClamAV error but an XML error, typically a formatting issue. Using Stack Overflow might help.

But the real issue, I believe, is the file size you are trying to scan. Take a look at the ClamAV man page. You'll see that there is a --max-filesize flag. There is a default of 25MB (to prevent DoS attacks).

If I put a guess on this, your XML file is larger than 25MB (approx. 27MB) and when you attempt to read it, it cannot get all the way through and cuts off important information; thus you have a ClamAV warning that it hit its limit and an XML warning that the format is not correct.

Try:

sudo clamscan --max-filesize=30M -r -l ClamScanLog -i /

5

LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes

ClamAV, like all other antivirus software, can not scan a file that exceeds a certain volume. The message above just warns you that ClamAV has encountered a huge file and it can not scan it. If you are curious, check in the documentation the default value of the size of the files that ClamAV could handle properly.

LibClamAV Warning: cli_msxml_parse_document: encountered issue in parsing xml document

If you check this source code file of ClamAV, you will find on line 484:

else if (ret == CL_VIRUS || ret == CL_ETIMEOUT || ret == CL_BREAK) {
    cli_dbgmsg("cli_msxml_parse_document: encountered halt event in parsing xml document\n");
    break;
} else {
    cli_warnmsg("cli_msxml_parse_document: encountered issue in parsing xml document\n");
    break;
}

You will notice (after checking the meaning of the flags CL_VIRUS, CL_ETIMEOUT, and CL_BREAK used as return values) that this may be caused either because the scan process over a given file took a long time or stopped for some reason, or it is unlikely to be a virus file (I said unlikely regarding line 481 of the same file). This warning message could also be triggered for an unexpected reason that ClamAV does not know (line 488). Keep in mind that all these warnings are related to parsing XML documents.

LibClamAV Warning: check_state[msxml]: CL_EPARSE @ ln304

In the libclamav/msxml_parser.c file, you can see that this warning is raised when ClamAV encounters a problem around one XML file content node (state = xmlTextReaderNext(reader);)

kafir
  • 224
  • Give me a chance! This is actually incorrect. ClamAV can scan bigger files. It is just configured not to do so in order to prevent DoS attacks. The XML parse message is a separate issue. – Tilman Schmidt Aug 12 '15 at 15:47
  • @TilmanSchmidt Thank you for the comment. You said it is set to scan bigger files: you use the term bigger in comparison to a value I must have mentioned, which I did not do (even though I read the value to which it is set by default, I did not mention it because I never mention things I did not read from official sources). So what is the reason for bigger? You may ask for clarification before downvoting; you forgot the efforts I made to dive into the source code, especially as the other answer focused on the size and said the same thing, unless you have something personal with me. Regards –  Aug 12 '15 at 15:51
  • Downvoting is not a personal thing and you should not make it so. Your answer states that ClamAV can not scan a file that exceeds a certain volume which is incorrect. The other answer correctly states that it is a configurable limit whose only purpose is to limit resource consumption. You also misread my comment. I did not say it is set to scan bigger files, but the opposite: it is set not to scan bigger files. – Tilman Schmidt Aug 12 '15 at 15:56
  • @TilmanSchmidt That is more of a philosophical intervention on your part: if something is set to a limit, can this something overcome its limit without breaking the settings? I mentioned the setting problem but I did not want to talk about its reason. Mentioning the limit is enough to explain the warning, while adding the reason is just further information. Have a nice evening/day –  Aug 12 '15 at 16:01
  • Not at all. There's a big difference between what a program can do and what a program can be configured not to do even though it would be capable of doing it. Stating that ClamAV cannot deal properly with a file that big implies that the limitation is caused by some deficiency of ClamAV, which is incorrect. The limitation was requested by the user (perhaps unwittingly) via a configuration setting, and honoring it is dealing properly with the file. This is not philosophical. It has practical consequences for how to deal with that message. – Tilman Schmidt Aug 12 '15 at 16:16
  • This answer should be modified to reflect that this is a configurable option. As written, the answer implies that there is some technical limitation in clamav which makes it unable to scan large files. In reality it is undesirable to scan large files and thus a reasonable default has been set. – jorfus Nov 22 '16 at 01:03
4

The default maximum file size is 25M; it is set in:

/etc/clamav/clamd.conf
MaxFileSize 25M

It can also be provided to clamscan as a command line argument like so:

--max-filesize 100M

There's a warning in the man file about not disabling it or setting it too high.

Warning: disabling this limit or setting it too high may result in severe damage to the system.

I'm not really sure what they mean by that. The only reasons I have found to not set that too high are that you don't want to DoS your own system or fill up your filesystem by having clamscan generate a bunch of temp files. That's pretty strong language though, so I'm going to increase gradually and test as I go. If you're using clamav as an email scanner you don't need to scan files larger than your mail server accepts, but if you're using it to scan your filesystem you might want to bump it up.

There's also a setting for the maximum scan size. (This applies to compressed files with large files inside: clamav needs to open the file, then open and scan each subfile.) scansize sets the max limit for a file plus all its contents. You set that with:

--max-scansize=250M

or in the config file listed above:

MaxScanSize 250M
jorfus
  • 140
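
An added example, not part of any of the answers above and not ClamAV code: before raising the limits, it helps to know which files a scan with the current MaxFileSize would not fully cover. The sketch below reads MaxFileSize / MaxScanSize from clamd.conf-style text and lists regular files under a directory that exceed a given limit. The config text, file names and the `demo` helper are constructed for illustration; the K and M suffixes are taken as 1024 and 1048576 bytes.

```python
import os
import re
import stat
import tempfile

# Size suffixes: K/k = 1024 bytes, M/m = 1048576 bytes, none = bytes.
UNITS = {"": 1, "K": 1024, "M": 1024 * 1024}

# Constructed sample config using the values quoted in the answer above.
SAMPLE_CONF = """\
# constructed example, not a real clamd.conf
MaxFileSize 25M
MaxScanSize 250M
"""

def parse_size(text):
    """Convert a size such as '25M', '512k' or '1000' to bytes."""
    m = re.fullmatch(r"(\d+)([KkMm]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).upper()]

def read_limits(conf_text):
    """Return {'MaxFileSize': bytes, 'MaxScanSize': bytes} for keys present."""
    limits = {}
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("MaxFileSize", "MaxScanSize"):
            limits[parts[0]] = parse_size(parts[1])
    return limits

def oversized_files(root, limit):
    """Yield (path, size) for regular files under root larger than limit bytes."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if stat.S_ISREG(st.st_mode) and st.st_size > limit:
                yield path, st.st_size

def demo():
    """Build a throwaway tree and report which files exceed a 2K limit."""
    with tempfile.TemporaryDirectory() as root:
        for name, size in (("small.xml", 100), ("big.xz", 3000)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"\0" * size)
        hits = oversized_files(root, parse_size("2K"))
        return [(os.path.basename(p), s) for p, s in hits]

if __name__ == "__main__":
    print(read_limits(SAMPLE_CONF))
    print(demo())
```

Running `oversized_files` over the paths you actually scan, with the limit from your own configuration, gives the list of files to review or scan separately with a higher limit.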