Does anybody have any evidence of malware that exceeds 4GB? Although I can certainly see the utility of the proposed capability as a hedge for the future, it would seem to be a waste of time and compute power to scan such large files today.

With the ever increasing malware issues we face today, it’s important to consider this:

Risk = threat x vulnerability x consequence

<http://fortune.com/2016/05/14/cybersecurity-risk-calculation/>

We all need to focus on fixing the high risk items first.

Sent from Janet's iPad

-Al-

Hi there,
Perhaps you can elucidate the consequences. If the consequence factor
is as you say very large, then you have a problem to solve.
This will not solve the problem. It can never and will never solve it.
You need to find another way of going about things.
Then you have to fix the system so that it wouldn't be easy.
Stop worrying about it, it's a waste of time and effort. The probability
that you will actually find what you're looking for is very small.
Yes. Because of what I wrote above. Forget prepended bytes and fancy
ways of doing things that won't solve the problem. Look at the problem
in a different way. I'm sure this isn't what you want to hear, but it's
the way things are.

I don't worry about viruses. The reason for that is that I don't use
Windows boxes. The main reason I use ClamAV is to stop spam and similar
junk which third-party databases do pretty well. Scanning for viruses
and similar is just a bonus as far as I'm concerned, it means that if
something is found then we might be able to alert somebody to a problem
that they might have, or we might be able to avoid passing something
on from one correspondent to another through our mail.

But of course we might not find it.

Like all virus scanners, ClamAV performance is not 100% and it never
will be. I suspect it's nearer 30% of the viruses that my servers
see, but that's just my personal experience in what are probably very
atypical systems -- for a start, 25% of the internet address space is
firewalled and if a packet gets past the firewalls it gets harder from
there; spammers and purveyors of malware get firewalled for a single
offence, permanently, and their entire network gets firewalled, not
just the one IP that tried it on. Very atypical. But the point is
that I still see *new* threats which will not usually be found by any
scanner and if the system is vulnerable it will succumb.

If you want to test ClamAV performance, set up a mail server and grab
all the ***@p it sees for a few months. Run all that past a couple of
dozen virus scanners such as you can find on jotti.org and then come
back and tell us what you've found.

Hello again,
...
I didn't say anything about comparisons. You asked for feedback, I
gave you some, and I said you wouldn't like it. You're not going to
like it any better if you modify the question, because my feedback is
going to be the same. I've been using ClamAV for more than a decade
so I have a reasonable idea what it can achieve and what it can't.
You aren't making any sense. As I explained in the parts of my post
which you have conveniently snipped, no scanner can do what you want,
not least because there are such things as zero-day vulnerabilities.

Hello once again,
There's a possibility of failing to find it in the second scenario.
It's anybody's guess what the probability will be; my guess would be
that the probability of that failure would be small compared with the
relatively large probability of not finding it at all in both cases.
I don't think so. Just think about it a bit:

Much of ClamAV's operation is looking for pattern matches.
Suppose you scan a 4.5GB file in two chunks.
Suppose half this mysterious 'huge file virus' is in the first chunk.
Presumably the other half is in the second chunk.
What happens if the pattern is designed to match the entire virus?
No. You're a user, the developers' list is for working on ClamAV.