[clamav-users] on-access scan

Z F mail4me9999 at yahoo.com
Thu Aug 18 10:16:04 EDT 2016


 I was wondering if anyone could comment on the situation that the on-access scanning does not seem to work properly
thank you very much for your help
ZF

    On Wednesday, August 10, 2016 7:17 PM, Z F <mail4me9999 at yahoo.com> wrote:
 
 

 Dear Mickey
I apologize for a delay
ps aux|grep clam
clamav    1895  0.0  0.0 132388 12084 ?        Ss   14:58   0:00 /usr/bin/freshclam -d --foreground=true
root      1939  0.0  1.2 614312 409072 ?       Ssl  14:58   0:11 /usr/sbin/clamd --foreground=true
So I think clamd is running as root
I have setup an LXD container and would like clamav to monitor the home directory of that container. This is because the home directory of the container is exported via samba to windows users. So the directory which is monitored is /var/lib/lxd/containers/myportal. clamav is running on the host (not inside LXD).
ls  -ld /var/lib/lxd/containers/myportal
drwxr-xr-x 4 165536 165536 /var/lib/lxd/containers/myportal

section of the clamav log /var/log/clamav/clamav.log

Wed Aug 10 14:58:28 2016 -> +++ Started at Wed Aug 10 14:58:28 2016
Wed Aug 10 14:58:28 2016 -> Received 1 file descriptor(s) from systemd.
Wed Aug 10 14:58:28 2016 -> clamd daemon 0.99 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Wed Aug 10 14:58:28 2016 -> Running as user root (UID 0, GID 0)
Wed Aug 10 14:58:28 2016 -> Log file size limited to 4294967295 bytes.
Wed Aug 10 14:58:28 2016 -> Reading databases from /var/lib/clamav
Wed Aug 10 14:58:28 2016 -> Not loading PUA signatures.
Wed Aug 10 14:58:28 2016 -> Bytecode: Security mode set to "TrustSigned".
Wed Aug 10 14:58:39 2016 -> Loaded 4713019 signatures.
Wed Aug 10 14:58:41 2016 -> TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd.
Wed Aug 10 14:58:41 2016 -> LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd.
Wed Aug 10 14:58:41 2016 -> Limits: Global size limit set to 104857600 bytes.
Wed Aug 10 14:58:41 2016 -> Limits: File size limit set to 26214400 bytes.
Wed Aug 10 14:58:41 2016 -> Limits: Recursion level limit set to 16.
Wed Aug 10 14:58:41 2016 -> Limits: Files limit set to 10000.
Wed Aug 10 14:58:41 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Wed Aug 10 14:58:41 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Wed Aug 10 14:58:41 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Wed Aug 10 14:58:41 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Wed Aug 10 14:58:41 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Wed Aug 10 14:58:41 2016 -> Limits: MaxPartitions limit set to 50.
Wed Aug 10 14:58:41 2016 -> Limits: MaxIconsPE limit set to 100.
Wed Aug 10 14:58:41 2016 -> Limits: PCREMatchLimit limit set to 10000.
Wed Aug 10 14:58:41 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
Wed Aug 10 14:58:41 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
Wed Aug 10 14:58:41 2016 -> Archive support enabled.
Wed Aug 10 14:58:41 2016 -> Algorithmic detection enabled.
Wed Aug 10 14:58:41 2016 -> Portable Executable support enabled.
Wed Aug 10 14:58:41 2016 -> ELF support enabled.
Wed Aug 10 14:58:41 2016 -> Mail files support enabled.
Wed Aug 10 14:58:41 2016 -> OLE2 support enabled.
Wed Aug 10 14:58:41 2016 -> PDF support enabled.
Wed Aug 10 14:58:41 2016 -> SWF support enabled.
Wed Aug 10 14:58:41 2016 -> HTML support enabled.
Wed Aug 10 14:58:41 2016 -> Self checking every 3600 seconds.
Wed Aug 10 14:58:41 2016 -> ERROR: ScanOnAccess: fanotify_init failed: Operation not permitted
Wed Aug 10 14:58:41 2016 -> ScanOnAccess: clamd must be started by root
Wed Aug 10 15:58:41 2016 -> SelfCheck: Database status OK.
Wed Aug 10 16:58:41 2016 -> SelfCheck: Database status OK.
Wed Aug 10 17:58:41 2016 -> SelfCheck: Database status OK.
cat /boot/config-4.4.0-34-generic|grep -i fanotify
CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
auditd is not installed. selinux is not installed either.
dpkg -l|grep selinux
ii  libselinux1:amd64                  2.4-3build2                     amd64        SELinux runtime shared libraries
dpkg -l|grep audit
ii  libaudit-common                    1:2.4.5-1ubuntu2                all          Dynamic library for security auditing - common files
ii  libaudit1:amd64                    1:2.4.5-1ubuntu2                amd64        Dynamic library for security auditing
The configuration: I took the default configuration from ubuntu 16.04 and inserted this section

#ScanOnAccess false
ScanOnAccess true
OnAccessIncludePath /var/lib/lxd/containers/myportal/home
OnAccessPrevention true
OnAccessExtraScanning true

Can you see from this what the problem is?
 thank you very much for your help
ZF


 On Monday, August 8, 2016 12:15 PM, Mickey Sola <msola at sourcefire.com> wrote:
 
 

 So, to be clear. Setting "User" to "root" in clamd.conf does not begin the clamd instance with elevated permissions. You actually need to run clamd as the root user for that option to work at all.

Assuming you've run clamd as root, I'd be interested to know the group/owner and other attributes of /home/user/Downloads as well as any accompanying selinux diagnostics in audit.log (or avc.log if you aren't running auditd).

Cheers,
Mickey
On Mon, Aug 8, 2016 at 11:28 AM, Z F <mail4me9999 at yahoo.com> wrote:



Have you tried running clamd itself with root permissions?

e.g. $sudo clamd [options]

Yes I did, same result.... I did not use any options...

-Mickey

On Sun, Aug 7, 2016 at 1:18 AM, Z F <mail4me9999 at yahoo.com> wrote:

> I have noticed in  /var/log/clamav/clamav.log
>
> Sun Aug  7 01:14:28 2016 -> ERROR: ScanOnAccess: fanotify_init failed: Operation not permitted
> Sun Aug  7 01:14:28 2016 -> ScanOnAccess: clamd must be started by root
>
> in /etc/clamav/clamd.conf
> I had User clamav
> then I changed to User root and rebooted but this did not help. Not sure if
> even User should be set to root. I thought clamav is better choice
> thank you very much for your help
> ZF
>
>
>    On Sunday, August 7, 2016 1:06 AM, Z F <mail4me9999 at yahoo.com> wrote:
>
>
>
>  Dear clamav
> I have used these instructions to setup on-access scan
> ClamAV® blog: Configuring On-Access Scanning in ClamAV
>
>
> ScanOnAccess true
> OnAccessIncludePath /home/user/Downloads
> OnAccessPrevention true
> OnAccessExtraScanning true
> the installed version is
> 0.99+dfsg-1ubuntu1.1
>
> on ubuntu 16.04
> grep FANOTIFY /boot/config-4.4.0-31-generic
> CONFIG_FANOTIFY=y
> CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
> I have made a test virus file
> http://www.eicar.org/86-0-Intended-use.html
> but the test file can be still accessed.
> could someone suggest what I did wrong? thank you
> ZF
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
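Editor's note, not part of the thread: the error ZF keeps hitting comes from the fanotify_init(2) call that clamd's ScanOnAccess makes at startup. On the 4.x kernels of the period that call requires CAP_SYS_ADMIN, so it fails with EPERM whenever the calling process lacks that capability, and a process can run as UID 0 and still lack it if its capability bounding set was restricted before clamd started. The probe below was written for this page and is not ClamAV code; it repeats clamd's two startup steps (fanotify_init with FAN_CLASS_CONTENT, then fanotify_mark with FAN_OPEN_PERM on a directory) and prints the effective CAP_SYS_ADMIN bit from /proc/self/status next to the errno, which separates "not root" from "root without the capability" from "kernel built without permission events". The default path /tmp, the bit number 21 for CAP_SYS_ADMIN (its value in linux/capability.h) and the errno explanations, which follow the fanotify_init(2) and fanotify_mark(2) man pages, are the example's own assumptions.

```c
/* fanotify_probe.c: editor-added example, not code from the thread or from ClamAV.
 * Reproduces what clamd does when ScanOnAccess is enabled and reports why it fails. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

#define CAP_SYS_ADMIN_BIT 21   /* assumption: CAP_SYS_ADMIN == 21 per linux/capability.h */

/* Return 1 if capability `cap` is set in a hex mask as printed on the CapEff line
 * of /proc/<pid>/status, 0 otherwise. Pure function so it can be checked offline. */
int cap_mask_has(const char *hexmask, int cap) {
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Read CapEff for the running process. 1 = CAP_SYS_ADMIN effective, 0 = not,
 * -1 = /proc not readable (e.g. inside some sandboxes). */
int have_cap_sys_admin(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            char *p = line + 7;
            while (*p == ' ' || *p == '\t') p++;
            result = cap_mask_has(p, CAP_SYS_ADMIN_BIT);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Map the errno from fanotify_init/fanotify_mark to the kernel-side cause. */
const char *explain_fanotify_errno(int err) {
    switch (err) {
    case EPERM:  return "caller lacks CAP_SYS_ADMIN (uid 0 alone is not enough if the bounding set dropped it)";
    case ENOSYS: return "kernel built without CONFIG_FANOTIFY";
    case EINVAL: return "flag rejected: permission events need CONFIG_FANOTIFY_ACCESS_PERMISSIONS";
    case ENOENT: return "path does not exist";
    default:     return strerror(err);
    }
}

/* Same two steps clamd's on-access thread takes: open a content-class fanotify group,
 * then request FAN_OPEN_PERM (blocking open events) on `path` and its direct children.
 * Returns 0 on success or the errno of the step that failed. */
int probe_fanotify(const char *path) {
    int fd = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC | FAN_NONBLOCK, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return errno;           /* EPERM here: no CAP_SYS_ADMIN, regardless of uid */
    int rc = fanotify_mark(fd, FAN_MARK_ADD, FAN_OPEN_PERM | FAN_EVENT_ON_CHILD, AT_FDCWD, path);
    int err = rc < 0 ? errno : 0;       /* EINVAL here: permission events not compiled in */
    close(fd);
    return err;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/tmp";   /* assumption: /tmp as a default target */
    int cap = have_cap_sys_admin();
    printf("uid=%d euid=%d CAP_SYS_ADMIN effective: %s\n", (int)getuid(), (int)geteuid(),
           cap < 0 ? "unknown" : cap ? "yes" : "no");
    int err = probe_fanotify(path);
    if (err == 0)
        printf("fanotify permission mark on %s: OK\n", path);
    else
        printf("fanotify on %s failed: %s (%s)\n", path, strerror(err), explain_fanotify_errno(err));
    return err ? 1 : 0;
}
```

Build with `gcc -Wall fanotify_probe.c -o fanotify_probe` and run it against the directory named in OnAccessIncludePath, once as the clamav user and once the way clamd is really launched (via the service manager, or with sudo from a shell). A `uid=0` line paired with `CAP_SYS_ADMIN effective: no` and EPERM points at the capability set of the launching environment rather than at the User line in clamd.conf; EINVAL on the mark step points at the kernel build. This is general guidance for reading the error, not a diagnosis of the poster's host.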
More information about the clamav-users mailing list