Messages quarantined for (ClamAV) "Heuristics.Limits.Exceeded.MaxFileSize" and "Heuristics.Limits.Exceeded.MaxRecursion"
-
Hi, guys!
I found a lot of messages (part of them local to local) in a customer's MDaemon, blocked with subject reasons:
(ClamAV) winmail.dat could not be scanned - Heuristics.Limits.Exceeded.MaxRecursion
(ClamAV) archive.7z could not be scanned - Heuristics.Limits.Exceeded.MaxFileSize
Any solution for these ones?
Messages are genuine, some of them are big messages / have big attachments.
Thank you!
PS: forgot to leave sys details:
MDaemon Server (64-bit)
SMTP/POP/IMAP server: v24.0.1
Webmail HTTP server: v24.0.1
Webmail DLL: v24.0.1
MDaemon Instant Messenger client: v22.0.1
Content filter server: v24.0.1
Content filter DLL: v24.0.1
Content filter GUI: v24.0.1
MDaemon AntiVirus:
AV overall system: v24.0.1
AV engine source: MDaemon Technologies, Ltd
AV last virus update: 2024-07-15 07:48:18
Outbreak Protection (MDOP.dll): v1.3.8
[ClamAV]
Version=ClamAV 1.0.6
SignatureDate=Sun Oct 13 11:30:02 2024
SignatureVersion=27426
[Updater]
LastUpdateRun=Mon 2024-10-14 08:00:26
LastUpdateResult=Success
-
Arron Staff
ClamAV allows you to control these limits by editing the clamd.conf file in the MDaemon\SecurityPlus\ClamAVPlugin\conf\ directory using a tool such as Notepad++.
MaxScanSize 100M
MaxScanTime 120000
MaxFileSize 25M
MaxRecursion 10
MaxFiles 15000
If there is a "#" at the beginning of the setting, it is commented out and using the default value. If you want to customize the value, remove the # and adjust the number to your desired value. Save the file and then restart MDaemon. If you set the values too high, it could cause ClamAV to use all the resources on the machine and slow down mail processing.
There is also an "AlertExceedsMax yes" setting that you can change to No. This will cause ClamAV to report files that exceed the limits as OK. This could allow malicious files to pass through the system.
-
Ok, Arron, thanks for your input.
It is strange that I don't have ANY quarantined files on a few other servers running ClamAV (while they are on an older version, like 23.x), although I did not play at all with ClamAV conf until now on any of them.
I will take a look at the conf file, change a few things, and see how it goes.
Do I need to restart MDaemon for the changes to be applied?
Thank you!
T.
-
Arron Staff
Yes, it is best to restart MDaemon after making the changes.
-
Dear Arron, good afternoon!
I have to revert on this.
Although I did the above changes, and restarted MDaemon, I still found several messages (about 40-50 / day, for a pool of about 60 active users) with below (or similar):
Tue 2024-10-22 09:05:37.724: * (ClamAV) winmail.dat could not be scanned - Heuristics.Limits.Exceeded.MaxRecursion
Mostly all of them are messages under 1 MByte, but all of them (at least from a quick view) have a problem with decoding winmail.dat (Yes, I know what that Outlook proprietary TNEF is, but I cannot force users, at least not the outside ones, not to use it).
I also had seen before starting the thread and changing ClamAV conf the below:
Wed 2024-10-09 08:18:52.735: * (ClamAV) attachment.xlsx could not be scanned - Heuristics.Limits.Exceeded.MaxScanSize
(changed file name) - that was for a total size of 12.1 MBytes (although the default is 25 MBytes, as per clamav.conf file), I will monitor this for bigger files (now I've set it to 150 MBytes).
But, for now, I need some idea regarding the winmail.dat triggering Heuristics.Limits.Exceeded.MaxRecursion - it was 16, now it is 100, will monitor that and revert.
Thank you for your support!
T
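
One way to line up the quarantine reasons in the AntiVirus log with the values actually active in clamd.conf, added here as an example; it is not part of any post in this thread and not MDaemon's or ClamAV's own tooling. The config and log text are constructed samples in the formats quoted above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample clamd.conf; MaxScanTime is left commented out.
SAMPLE_CONF = """\
MaxScanSize 150M
#MaxScanTime 120000
MaxFileSize 25M
MaxRecursion 100
MaxFiles 15000
AlertExceedsMax yes
"""

# Constructed log lines in the format quoted in the thread.
SAMPLE_LOG = """\
Tue 2024-10-22 09:05:37.724: * (ClamAV) winmail.dat could not be scanned - Heuristics.Limits.Exceeded.MaxRecursion
Tue 2024-10-22 09:12:01.100: * (ClamAV) winmail.dat could not be scanned - Heuristics.Limits.Exceeded.MaxRecursion
Tue 2024-10-22 10:40:13.002: * (ClamAV) archive.7z could not be scanned - Heuristics.Limits.Exceeded.MaxFileSize
"""

HIT = re.compile(
    r"\(ClamAV\) (.+?) could not be scanned - Heuristics\.Limits\.Exceeded\.(\w+)")

def active_settings(conf_text):
    """Return {directive: value}, skipping blank and '#'-commented lines."""
    settings = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            settings[parts[0]] = parts[1].strip()
    return settings

def limit_hits(log_text):
    """Count quarantine reasons per (limit name, attachment name)."""
    return Counter((limit, name.lower()) for name, limit in HIT.findall(log_text))

def report(conf_text, log_text):
    """Pair every limit seen in the log with the value set in the config."""
    conf = active_settings(conf_text)
    return [(limit, name, count, conf.get(limit, "commented out"))
            for (limit, name), count in sorted(limit_hits(log_text).items())]

def alerts_on_exceeded(conf_text):
    """True only when AlertExceedsMax is explicitly enabled in the file."""
    return active_settings(conf_text).get("AlertExceedsMax", "").lower() == "yes"

if __name__ == "__main__":
    for limit, name, count, value in report(SAMPLE_CONF, SAMPLE_LOG):
        print(f"{limit:<13} {name:<12} hits={count:<3} configured={value}")
    print("AlertExceedsMax enabled:", alerts_on_exceeded(SAMPLE_CONF))
```

A limit that shows "commented out" in the report is one the file does not set, so raising a different directive will not change the hits logged against it.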
-
Arron Staff
What do you have MaxRecursion set to in the clamd.conf file?
What does the Clamd.log file show is happening?
Can you upload a sample MSG file to us so that we can use it to reproduce the issue? https://mdaemon.sharefile.com/r-rc3922c1eed334d4dbf5e34f0bd04ccd6
If you are able to upload a file please let us know the name of the file you uploaded.
-
Arron, thanks!
Attached a zip file with a message, today's Antivirus log file and clamav.conf (zipped due to size of log file).
I didn't have ClamAV log enabled, just did it, will revert with info if anything during next period.
MaxRecursion was set to 10, now to 100.
Filename: eprm-clamav-2024-10-22.zip
Thank you!
-
Arron Staff
I'm not able to reproduce the issue using the files provided.
The next time it happens, please upload a copy of the message along with the clamd log file.
-
Ok, noted, waiting to happen (now, with ClamAV.log active, and MaxRecursion set to 100).
Will revert.
Thanks Arron!