ClamWin Free Antivirus
Support and Discussion Forums
LibClamAV Error: not scanned, untested big block please repo
GlitchFreak


Joined: 09 Jun 2006
Posts: 0
Hey everyone

Firstly, thanks for a great AV! Used it many times and never experienced major probs...

I got the above error... LibClamAV Error: WARNING: not scanned; untested big block - please report

many times while scanning a pc.

It has RAID 1 (mirror) enabled on the HDD's.

Any ideas?

Thanks!

GF
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
can you put the file where it happens on ftp/http and give us a link?
GlitchFreak


Joined: 09 Jun 2006
Posts: 0
It doesn't specify the file it's trying to scan. I think it's happening on many files because there are many entries in the log I get mailed.
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
the error comes from libclamav ole_extract, I would check if this happens only in my win32 port or it affects also unix clamav version
also for me this error happens - ClamWin Version: 0.90.2
Erkan_Yilmaz


Joined: 16 May 2007
Posts: 0
Location: Germany
ClamWin Version: 0.90.2

Summary: during scan of my drive C, I get: "Error: WARNING: not scanned; untested big block size - please report"
(since the scanner is telling me to "please report" - I do this now).


Description:
1. When I was scanning my drive C, I got following error:



https://www.skilledtests.com/diverse/clamwin/untested_big_block_size/01_untested_big_block_size_please_report.jpg
LibClamAV Warning: Unknown subsystem in PE header (0x10)
LibClamAV Error: WARNING: not scanned; untested big block size - please report
LibClamAV Error: cab_read_block: Can't read block header


Steps I used to reproduce the issue:
2. When I scan again drive C:\ (with debug output), this time the error "untested big block size" appeared on other places
- involved with wpl files

3. case 1 (https://www.skilledtests.com/diverse/clamwin/untested_big_block_size/01_original_error_case1_excerpt.txt): during scanning of the file "10_All_Music.wpl" (see for the file + debug outputs here: https://www.skilledtests.com/diverse/clamwin/untested_big_block_size/case1.zip)
case 2 (https://www.skilledtests.com/diverse/clamwin/untested_big_block_size/01_original_error_case2_excerpt.txt): during scanning of the file "lastplayed.wpl" (see for the file + debug outputs here: https://www.skilledtests.com/diverse/clamwin/untested_big_block_size/case2.zip)

4. when I only scan each of the two files alone, I do NOT get such an error: "untested big block size"
see case1 (https://www.skilledtests.com/diverse/clamwin/untested_big_block_size/02_case1_scanning_1_file_only.txt), case2 (https://www.skilledtests.com/diverse/clamwin/untested_big_block_size/02_case2_scanning_1_file.txt)

5. also no such error, when scanning the directories recursively in which the files are in
see case1 (https://www.skilledtests.com/diverse/clamwin/untested_big_block_size/03_case1_scanning_complete_dir.txt), case2 (https://www.skilledtests.com/diverse/clamwin/untested_big_block_size/03_case2_scanning_complete_dir.txt)


I have looked in the debug output and I see
- 2 occasions of the error: "Unknown subsystem in PE header"
- 211 occasions of the error: "Can't read block header" (I think this is because of the scanned files are damaged ?)
but since it is not saying "please report" in these errors, I will not go into detail here
(also, I did not do a complete scan of drive C yet)


What would I like to know?
Please excuse me, if I might not know yet ClamAV in detail (perhaps the error: "untested big block size" is because of other conditions I am yet not able to see as layman of ClamWin).

I like the idea of ClamWin - how can I be of help (for more assistance to help you identify the problem) ?


My Basic System Information:

OS Name
Microsoft® Windows® Server Code Name "Longhorn" Datacenter
6.0.6001 Service Pack 1, v.126 Build 6001
AMD Athlon Xp 1800+, 1,25 GB RAM
(more info available on request by a msinfo32 file)

Erkan YILMAZ
blog: https://iaskquestions.com I ask questions
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
"Can't read block header" is harmless,
the problem on the pe header too, but it would be interesting to have the exact file, it may be inside the cab so please try to scan the cab
"Unknown subsystem in PE header"
Erkan_Yilmaz


Joined: 16 May 2007
Posts: 0
Location: Germany
Hello Sherpya,

thank you for your fast reply.

about "Unknown subsystem in PE header"
this happens with memtest.exe (version 6.0.6001.16510 which is delivered by Microsoft in Windows Longhorn Server beta 3)
you can find the file here: https://www.skilledtests.com/diverse/clamwin/Unknown_subsystem_in_PE_header/Unknown_subsystem_in_PE_header_memtest_exe.zip and debug output here: https://www.skilledtests.com/diverse/clamwin/Unknown_subsystem_in_PE_header/Unknown_subsystem_in_PE_header_memtest_exe_debug.zip


Erkan YILMAZ
blog: https://iaskquestions.com I ask questions
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
16 is not in vs2005 headers need to check vdk or psdk

I'll report it to clamav developers

found it
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
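Where the 0x10 in the warning comes from, as an added example (not part of the original posts and not ClamAV code): the Subsystem field sits at offset 68 of the PE optional header, and a name table that includes value 16 resolves it. The function names and the constructed sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian readers; callers bounds-check first. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns the optional header's Subsystem field, or -1 if buf is not a PE header. */
int pe_subsystem(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(buf + 0x3c);          /* offset of "PE\0\0" */
    /* need signature (4) + file header (20) + optional header through Subsystem (70) */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 70) return -1;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    if (rd16(nt + 20) < 70) return -1;             /* SizeOfOptionalHeader too small */
    uint16_t magic = rd16(nt + 24);                /* 0x10b = PE32, 0x20b = PE32+ */
    if (magic != 0x10b && magic != 0x20b) return -1;
    return rd16(nt + 24 + 68);                     /* same offset in both formats */
}

/* IMAGE_SUBSYSTEM_* names from winnt.h, indexed by value; gaps stay NULL. */
static const char *const SUBSYS[17] = {
    [0] = "UNKNOWN", [1] = "NATIVE", [2] = "WINDOWS_GUI", [3] = "WINDOWS_CUI",
    [5] = "OS2_CUI", [7] = "POSIX_CUI", [8] = "NATIVE_WINDOWS", [9] = "WINDOWS_CE_GUI",
    [10] = "EFI_APPLICATION", [11] = "EFI_BOOT_SERVICE_DRIVER",
    [12] = "EFI_RUNTIME_DRIVER", [13] = "EFI_ROM", [14] = "XBOX",
    [16] = "WINDOWS_BOOT_APPLICATION",             /* the value found in this thread */
};

/* NULL means this table has no name for the value; the caller decides how to log it. */
const char *pe_subsystem_name(int s) { return (s >= 0 && s <= 16) ? SUBSYS[s] : NULL; }

/* Constructed sample: a zeroed 256-byte buffer with only the fields read above set. */
int sample_subsystem(uint16_t subsystem)
{
    uint8_t b[256] = {0};
    b[0] = 'M'; b[1] = 'Z'; b[0x3c] = 0x80;        /* e_lfanew = 0x80 */
    memcpy(b + 0x80, "PE\0\0", 4);
    b[0x80 + 20] = 0xe0;                           /* SizeOfOptionalHeader = 224 */
    b[0x80 + 24] = 0x0b; b[0x80 + 25] = 0x01;      /* magic 0x10b (PE32) */
    b[0x80 + 92] = (uint8_t)subsystem;
    b[0x80 + 93] = (uint8_t)(subsystem >> 8);
    return pe_subsystem(b, sizeof b);
}
```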
status about "untested big block size - please report
Erkan_Yilmaz


Joined: 16 May 2007
Posts: 0
Location: Germany
Hello Sherpya,

ok,
one more thing from my side:
I am not sure now about the original reason I reported: "untested big block size - please report"

should I do more investigation in that area?
because I have two new occasions where this happened
case3: debug output: https://www.skilledtests.com/diverse/clamwin/untested_big_block_size/case3.zip (unfortunately I recycled my recycle bin already :( )
case4: again a wpl file (debug output here: https://www.skilledtests.com/diverse/clamwin/untested_big_block_size/case4.zip, file is here: https://www.skilledtests.com/diverse/clamwin/untested_big_block_size/case4_03_Music_rated_at_4_or_5_stars.zip)


Erkan YILMAZ
blog: https://iaskquestions.com I ask questions
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
libclamav tries to unpack msi installations using ole2 extractor that obviously is not working, this cannot be easily resolved since msi files look like an ole container,
I filter out *.msi and *.cab in my clamwin configuration
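A header check for the situation described above, as an added example (not part of the original posts and not libclamav code): it reads the big block size from an OLE2 container header, so candidate files can be identified even when the scan log does not name them. It assumes the warning corresponds to a big block size other than 512 bytes; the function names and the constructed sample headers are for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum ole2_class { NOT_OLE2, OLE2_BAD_HEADER, OLE2_BLOCK_512, OLE2_BLOCK_OTHER };

/* Signature at offset 0 of every OLE2 compound file (MSI, legacy Office, ...). */
static const uint8_t OLE2_MAGIC[8] = {0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Classify a file by its first bytes; *block_size receives the big block
 * (sector) size in bytes when the header parses, otherwise 0. */
enum ole2_class ole2_classify(const uint8_t *buf, size_t len, uint32_t *block_size)
{
    *block_size = 0;
    if (len < sizeof OLE2_MAGIC || memcmp(buf, OLE2_MAGIC, sizeof OLE2_MAGIC) != 0)
        return NOT_OLE2;
    if (len < 512)                                  /* the header itself is 512 bytes */
        return OLE2_BAD_HEADER;
    if (rd16(buf + 0x1c) != 0xfffe)                 /* byte-order mark */
        return OLE2_BAD_HEADER;
    uint16_t shift = rd16(buf + 0x1e);              /* log2 of the big block size */
    if (shift < 7 || shift > 16)                    /* reject absurd values before shifting */
        return OLE2_BAD_HEADER;
    *block_size = (uint32_t)1 << shift;
    /* Assumption: 512 bytes (shift 9) is the size the extractor treats as tested. */
    return shift == 9 ? OLE2_BLOCK_512 : OLE2_BLOCK_OTHER;
}

/* Constructed sample header: only the fields read above are filled in. */
enum ole2_class sample_ole2(uint16_t shift, uint32_t *block_size)
{
    uint8_t h[512] = {0};
    memcpy(h, OLE2_MAGIC, sizeof OLE2_MAGIC);
    h[0x1c] = 0xfe; h[0x1d] = 0xff;                 /* little-endian 0xfffe */
    h[0x1e] = (uint8_t)shift;
    h[0x1f] = (uint8_t)(shift >> 8);
    return ole2_classify(h, sizeof h, block_size);
}
```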
Erkan_Yilmaz


Joined: 16 May 2007
Posts: 0
Location: Germany
Hello Sherpya,

thank you, will do the same then (though then a possible virus might not be found :( )
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
I don't think someone puts a virus into a msi installer, at least if you download them from official sites of the software you are going to install
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The filter doesn't work on an individual file, so you will still be able to right click on a single file from the Windows Explorer context menu and scan it.

Regards,
Erkan_Yilmaz


Joined: 16 May 2007
Posts: 0
Location: Germany
Hello friends,

thank you for your inputs

(my 2 cents - Murphy's Law (https://en.wikipedia.org/wiki/Murphys_law) can prove us at anytime wrong. My view as tester.)