
I have to run clamav on large files. I was wondering which command was the fastest between clamscan and clamdscan.
But it seems that clamdscan is not working properly: it scans files larger than 1 GB.

Could you guys help me find why the heck clamdscan isn't working? Between clamscan and clamdscan, which one is less resource consuming?

I run ClamAV 0.97.8/18037 on Ubuntu 12.04.3 LTS.

Please find below the execution result of both commands:

clamscan myfile.zip

----------- SCAN SUMMARY ----------- 
Known viruses: 2864504 
Engine version: 0.97.8 
Scanned directories: 0 
Scanned files: 1 
Infected files: 0 
Data scanned: 0.00 MB 
Data read: 1024.16 MB (ratio 0.00:1) 
Time: 9.145 sec (0 m 9 s)


clamdscan myfile.zip
/home/ubuntu/workspace/benchmark/myfile.zip: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.000 sec (0 m 0 s)

And here is the clamav log file:

Wed Oct 30 10:26:32 2013 -> Received POLLIN|POLLHUP on fd 4
Wed Oct 30 10:26:32 2013 -> Got new connection, FD 9
Wed Oct 30 10:26:32 2013 -> Received POLLIN|POLLHUP on fd 5
Wed Oct 30 10:26:32 2013 -> fds_poll_recv: timeout after 5 seconds
Wed Oct 30 10:26:32 2013 -> Received POLLIN|POLLHUP on fd 9
Wed Oct 30 10:26:32 2013 -> got command CONTSCAN /home/ubuntu/workspace/benchmark/myfile.zip (51, 7), argument: /home/ubuntu/workspace/benchmark/myfile.zip
Wed Oct 30 10:26:32 2013 -> mode -> MODE_WAITREPLY
Wed Oct 30 10:26:32 2013 -> Breaking command loop, mode is no longer MODE_COMMAND
Wed Oct 30 10:26:32 2013 -> Consumed entire command
Wed Oct 30 10:26:32 2013 -> Number of file descriptors polled: 1 fds
Wed Oct 30 10:26:32 2013 -> fds_poll_recv: timeout after 3600 seconds
Wed Oct 30 10:26:32 2013 -> THRMGR: queue (single) crossed low threshold -> signaling
Wed Oct 30 10:26:32 2013 -> THRMGR: queue (bulk) crossed low threshold -> signaling
Wed Oct 30 10:26:32 2013 -> /home/ubuntu/workspace/benchmark/myfile.zip: OK
Wed Oct 30 10:26:32 2013 -> Finished scanthread
Wed Oct 30 10:26:32 2013 -> Scanthread: connection shut down (FD 9)
Wed Oct 30 10:26:32 2013 -> THRMGR: queue (single) crossed low threshold -> signaling
Wed Oct 30 10:26:32 2013 -> THRMGR: queue (bulk) crossed low threshold -> signaling
SupaCoco
  • Are you sure it's not just seeing the size is larger than the default maximum scannable size and skipping? I believe the default is 100MB, and probably significantly less for a zip. – NickW Oct 30 '13 at 14:23

1 Answer

clamd will only scan files up to a maximum size. Run clamconf | grep MaxFileSize to get the exact size in your configuration. The default is 25MB on my system.

Also, you're running an outdated version of Clam that will not detect the latest viruses. You should update to 0.98+ immediately.

You should update your freshclam.conf file with an OnOutdatedExecute command that notifies you when you need to upgrade. I use the following:

OnOutdatedExecute "printf 'Subject: ClamAV Outdated\n\nYour ClamAV is outdated, please update to %v' | sendmail me@example.com"

Edit:
Many Linux distros edit the default configuration files of packages in some braindead effort to make the configuration files easier to understand. In your case they probably removed some or all of the configuration items that are normally completely commented out (the directive being commented out simply invokes the default value, so removing it altogether has the same effect on operation, without all the "extra" documentation). In short, your configuration file should have the following:

# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M

From there it's pretty easy to uncomment that last line, and specify whatever size you need.

Chris S
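
Added example (not part of the original question or answer): a pre-scan check that flags files larger than the effective MaxFileSize, since the clamdscan output in the question shows such a file reported as OK after 0.000 seconds. The function names are hypothetical, the config path is passed by the caller, and the 25M fallback is an assumption taken from the "Default: 25M" comment quoted above (confirm it with clamconf on your system).

```shell
#!/bin/sh
# Usage: sh check_maxfilesize.sh /path/to/clamd.conf file [file ...]
# Fallback when MaxFileSize is absent or commented out (assumed from the
# "# Default: 25M" comment quoted in the answer; confirm with clamconf).
DEFAULT_MAX_FILE_SIZE="25M"

# Convert a ClamAV size value (N, NK/Nk, NM/Nm) to bytes.
size_to_bytes() {
    case "$1" in
        *[Mm]) echo $(( ${1%[Mm]} * 1024 * 1024 )) ;;
        *[Kk]) echo $(( ${1%[Kk]} * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# Print the effective MaxFileSize in bytes for the given clamd.conf.
# Lines such as "#MaxFileSize 30M" are comments and do not match.
max_file_size_bytes() {
    value=$(awk '$1 == "MaxFileSize" { print $2; exit }' "$1")
    size_to_bytes "${value:-$DEFAULT_MAX_FILE_SIZE}"
}

# Exit status 0 if FILE ($1) is larger than the limit in CONF ($2).
# A limit of 0 disables the check, as the config comment states.
exceeds_limit() {
    limit=$(max_file_size_bytes "$2")
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$limit" -ne 0 ] && [ "$size" -gt "$limit" ]
}

# Report every file that is over the limit.
if [ "$#" -ge 2 ]; then
    conf=$1
    shift
    for f in "$@"; do
        if exceeds_limit "$f" "$conf"; then
            echo "$f: larger than MaxFileSize, an OK result does not mean it was scanned"
        fi
    done
fi
```
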