[clamav-users] can't demonstrate that On-Access scanning is working (fedora 24)

Mickey Sola msola at sourcefire.com
Tue Aug 30 16:02:13 EDT 2016


Hmmmm, when running clamd manually could you also try enabling debug and
opening an eicar sample file in addition to the other tests you've been
running?

-Mickey

On Tue, Aug 30, 2016 at 10:25 AM, Hugo Bernier <hbernier at gmail.com> wrote:

> Hi Mickey,
>
> I've set OnAccessMaxFileSize 1000M.
>
> Instead of "Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Max file size limited to -1 bytes"
> I get: "Tue Aug 30 12:44:08 2016 -> ScanOnAccess: Max file size limited to 1048576000 bytes"
>
> I still don't see any entries when I open up files.
>
> I should note that I also set this selinux boolean a couple of reboots ago.
> antivirus_can_scan_system --> on
> in selinux as well.
>
> I also tried simplifying the configuration to this, and running clamd
> manually.
>
> """
> LogClean yes
> LogSyslog yes
> LogVerbose yes
> LocalSocket /var/run/clamd.sock
> Foreground yes
>
> ScanOnAccess yes
> OnAccessMountPath /
> OnAccessExcludeUID 0
> """
>
> When I execute the following command:
> clamdscan minuscule.pdf
>
> In the logs I see
> Aug 30 13:20:17 localhost.localdomain clamd[13472]:
> /home/<snip>/Documents/minuscule.pdf: OK
>
> When I open the same file with evince, I get nothing from clamd. Note that
> I've been sticking to small files to avoid hitting the default file max
> (5m).
>
> Best,
> Hugo
>
> On Tue, 30 Aug 2016 at 11:54 Mickey Sola <msola at sourcefire.com> wrote:
>
> > Hi Hugo,
> >
> > Could you try setting the max filesize option to a non-zero value and let
> > me know if that changes anything?
> >
> > -Mickey
> >
> > On Aug 30, 2016 7:51 AM, "Hugo Bernier" <hbernier at gmail.com> wrote:
> >
> > > We have a new requirement at work that we have virus scanners installed on
> > > our workstations.
> > >
> > > What I'm trying to do is demonstrate that onAccess scanning works. What I'm
> > > expecting, which could be wrong, is that there would be output either in
> > > the logs or clamdtop when a file is opened or otherwise manipulated when
> > > verbose logging and "LogClean" is enabled. My assumption is that my setup
> > > is wrong. I've used
> > > http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html as
> > > a base for the settings described below.
> > >
> > > I'm using clamav 0.99.2 from fedora 24 and the up to date stock fedora 24
> > > kernel. CONFIG_FANOTIFY=y and CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y are
> > > present in /boot/config-4.6.7-300.fc24.x86_64.
> > >
> > > Here's my configuration in /etc/clam.d/scan.conf:
> > >
> > > LogFile /var/log/clamd.scan
> > > LogFileUnlock yes
> > > LogFileMaxSize 2M
> > > LogTime yes
> > > LogClean yes
> > > LogVerbose yes
> > > LogRotate yes
> > > ExtendedDetectionInfo yes
> > > PidFile /var/run/clamd.scan/clamd.pid
> > > LocalSocket /var/run/clamd.scan/clamd.sock
> > >
> > > ScanOnAccess yes
> > > OnAccessMountPath /
> > > OnAccessMaxFileSize 0
> > > OnAccessExcludeUID 0
> > >
> > > When clamav starts, the logs show the following:
> > >
> > > Tue Aug 30 10:38:53 2016 -> +++ Started at Tue Aug 30 10:38:53 2016
> > > Tue Aug 30 10:38:53 2016 -> Received 0 file descriptor(s) from systemd.
> > > Tue Aug 30 10:38:53 2016 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
> > > Tue Aug 30 10:38:53 2016 -> Log file size limited to 2097152 bytes.
> > > Tue Aug 30 10:38:53 2016 -> Reading databases from /var/lib/clamav
> > > Tue Aug 30 10:38:53 2016 -> Not loading PUA signatures.
> > > Tue Aug 30 10:38:53 2016 -> Bytecode: Security mode set to "TrustSigned".
> > > Tue Aug 30 10:38:58 2016 -> Loaded 4772631 signatures.
> > > Tue Aug 30 10:38:59 2016 -> LOCAL: Unix socket file /var/run/clamd.scan/clamd.sock
> > > Tue Aug 30 10:38:59 2016 -> LOCAL: Setting connection queue length to 200
> > > Tue Aug 30 10:38:59 2016 -> Limits: Global size limit set to 104857600 bytes.
> > > Tue Aug 30 10:38:59 2016 -> Limits: File size limit set to 26214400 bytes.
> > > Tue Aug 30 10:38:59 2016 -> Limits: Recursion level limit set to 16.
> > > Tue Aug 30 10:38:59 2016 -> Limits: Files limit set to 10000.
> > > Tue Aug 30 10:38:59 2016 -> Limits: Core-dump limit is 0.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxPartitions limit set to 50.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxIconsPE limit set to 100.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxRecHWP3 limit set to 16.
> > > Tue Aug 30 10:38:59 2016 -> Limits: PCREMatchLimit limit set to 10000.
> > > Tue Aug 30 10:38:59 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
> > > Tue Aug 30 10:38:59 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
> > > Tue Aug 30 10:38:59 2016 -> Archive support enabled.
> > > Tue Aug 30 10:38:59 2016 -> Algorithmic detection enabled.
> > > Tue Aug 30 10:38:59 2016 -> Portable Executable support enabled.
> > > Tue Aug 30 10:38:59 2016 -> ELF support enabled.
> > > Tue Aug 30 10:38:59 2016 -> Mail files support enabled.
> > > Tue Aug 30 10:38:59 2016 -> OLE2 support enabled.
> > > Tue Aug 30 10:38:59 2016 -> PDF support enabled.
> > > Tue Aug 30 10:38:59 2016 -> SWF support enabled.
> > > Tue Aug 30 10:38:59 2016 -> HTML support enabled.
> > > Tue Aug 30 10:38:59 2016 -> XMLDOCS support enabled.
> > > Tue Aug 30 10:38:59 2016 -> HWP3 support enabled.
> > > Tue Aug 30 10:38:59 2016 -> Self checking every 600 seconds.
> > > Tue Aug 30 10:38:59 2016 -> Listening daemon: PID: 3818
> > > Tue Aug 30 10:38:59 2016 -> MaxQueue set to: 100
> > > Tue Aug 30 10:38:59 2016 -> ScanOnAccess: notifying only for access attempts.
> > > Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Protecting '/' and rest of mount.
> > > Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Max file size limited to -1 bytes
> > >
> > > And then nothing. No matter what programs I start, files I open, I simply
> > > don't get output in the logs or clamdtop related to onAccess scanning.
> > >
> > > What am I doing wrong?
> > >
> > > Best,
> > > Hugo
> > > _______________________________________________
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/vrtadmin/clamav-faq
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
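The check Mickey suggests, written out as an added example (editor's code, not from the thread or from the ClamAV project): a POSIX shell script that writes the standard EICAR test file, opens it so that clamd's fanotify watch sees an access, and then looks in the clamd log for the verdict line. Two details from the thread matter for running it. With "OnAccessExcludeUID 0" in scan.conf, accesses made by root are ignored, so the test file must be written and opened as an unprivileged user, while clamd itself has to run as root because fanotify_init() requires CAP_SYS_ADMIN. And the startup line "ScanOnAccess: notifying only for access attempts" means OnAccessPrevention is off, so the open is never blocked, only reported afterwards. The log path /var/log/clamd.scan is taken from Hugo's first configuration; the settle delay, the temporary directory, and the sample log lines in the comments are assumptions, not output from his system.

```shell
#!/bin/sh
# Added example, not from the thread or the ClamAV project: exercise clamd
# on-access scanning with the EICAR test file and check the clamd log.
#
# Assumptions (hypothetical, adjust for your system):
#   LOG    - the clamd log file; /var/log/clamd.scan is from Hugo's first config
#   SETTLE - seconds to wait for clamd to scan the file and write the log line
# Run this as an unprivileged user: OnAccessExcludeUID 0 drops root's accesses.

LOG="${LOG:-/var/log/clamd.scan}"
SETTLE="${SETTLE:-2}"

# The 68-byte EICAR test string, assembled from two halves so that this
# script itself does not carry the full signature and get flagged.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS' '-TEST-FILE!$H+H*'
}

# Write the test file (no trailing newline, so it stays exactly 68 bytes).
write_eicar() {
    eicar_string > "$1"
}

# Open and read the file; both the open and the read are events a fanotify
# watch on the mount can report to clamd.
open_file() {
    cat -- "$1" > /dev/null
}

# Return 0 if the log carries a FOUND verdict for the given path. This matches
# both the LogFile form  "<ts> -> /path: Eicar-Test-Signature FOUND"  and the
# syslog form  "clamd[pid]: /path: Eicar-Test-Signature FOUND"  (constructed
# examples), since both contain "<path>: ".
log_shows_detection() {
    grep -F -- "$2: " "$1" | grep -q ' FOUND'
}

# Return 0 if the log carries a clean verdict ("<path>: OK") for the path.
log_shows_clean() {
    grep -q -F -- "$2: OK" "$1"
}

# End-to-end check against a live clamd. Exit status: 0 detected, 1 scanned
# but reported clean, 2 no on-access log line for the file at all (the
# symptom in the thread).
live_check() {
    dir=$(mktemp -d)
    f="$dir/eicar.com"
    write_eicar "$f"
    open_file "$f"
    sleep "$SETTLE"
    if log_shows_detection "$LOG" "$f"; then
        echo "on-access scan detected $f"; rc=0
    elif log_shows_clean "$LOG" "$f"; then
        echo "on-access scan saw $f but reported it clean"; rc=1
    else
        echo "no on-access log line for $f in $LOG"; rc=2
    fi
    rm -rf "$dir"
    return "$rc"
}

# The live check only runs when explicitly requested, so the helper functions
# can be sourced and tested without a running clamd.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    live_check
fi
```

Run it as RUN_LIVE=1 sh onaccess-check.sh from a non-root shell while clamd is running with ScanOnAccess enabled. A status of 2 reproduces Hugo's symptom (no on-access line at all), which separates "clamd never received the fanotify event" from "clamd scanned the file but the signatures did not match", two failures that look identical if you only watch clamdtop.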