Scanfile in Savdid

Hi Marius Flage

Are you using SAVDI? Could you please check this article and set scanning options. 

But what scanning options should I set so that large files are scanned? I attempted to set "savigrp: GrpSuper 1", but still the scanning of the large 2 GB file took less than one second.

Hello Marius Flage,

the scanning of the large 2 GB file took less than one second
first of all, size doesn't matter (as long as we're not talking about scanning inside archives and containers). It's not necessary to read all of a file to assess wheter it's clean or not.
Is your test file indeed a very large TIFF? If so, please see the CleanTiff option.

Christian

QC said:

first of all, size doesn't matter (as long as we're not talking about scanning inside archives and containers). It's not necessary to read all of a file to assess wheter it's clean or not.

What do you mean it's not necessary to read all of a file to assess weather it's clean or not? Malware can hide all over the place, no?

It also states that: "Certain file formats (e.g. .bmp bitmap files) cannot contain viruses. These options enable files of the corresponding types to be positively identified and scanning of them to be stopped. This results in more efficient scanning of these file types." . Is this true? Can't tiff images contain malware that can cause an underlying library to crash and then potentially run some malware?

Hello Marius Flage,

no. It depends on the nature of the file where it can hide. Please note we're not talking about malicious code that hides in a place from where it has to be read by some other malicious code before it can execute.

Christian

Hm, ok. But our customer requires us to actually scan a tiff file for viruses. How do I set the cleantiff option to 0? It looks like it has to be set to 0 to deactivate the assumption that all tiff files are clean, right?

I tried setting the following inside the scanner {} block:

scanner {

# type and inprocess can only be SAVI and YES for now

type: SAVI

inprocess: YES

# Max time to be allowed for scanning a single file

maxscantime: -1

maxrequesttime: -1

savigrp: GrpSuper 1

savigrp: GrpClean 0

savists: CleanTiff 0

}

But it still takes suspiciously little time to scan it.

Hello Marius Flage,

you are probably using the correct setting (I never worked with SAVDI). But even with CleanTiff disabled the scanner won't scan all of the file. Files are scanned for structural integrity, anomalies and telltale signs in specific places. Depending on what is found (or not found) the scan goes deeper or ends.

Christian

But the file is 2GB. The feedback is more or less instantaneous, so I can't believe that it has actually done anything to scan it. If we run 'savscan -f' from the command line, then this takes 12 seconds to complete. 

Hello Marius Flage,

(sorry for the delay).
ah, I see . The difference is that SAVDI instructs a fully operational scanner thread to scan the file whereas savscan has to load and initialize the virus data for the scanning engine, this accounts for the extra time. You can easily verify this by savscanning some tiny file.

Christian

Yes, I have already attempted that comparison. The loading and initialization of the virus data accounts for roughly 4 seconds (I ran against a tiny file). So 'savscan' is actually doing something for the remaining 8.

Hello Marius Flage,

you're right. savscan -f requests a full sweep and this takes significantly longer (although I don't have a 2GB TIFF). Coincidentally there's a FullSweep option (that doesn't belong to any group) as well as an ExtensiveScan (AFAIK savscan doesn't offer the latter).

Christian 
.

Ah! Perfect. Now I can at least say that the whole file has been analyzed and this will make our customer happy  

Ah! Perfect. Now I can at least say that the whole file has been analyzed and this will make our customer happy