[clamav-users] can't demonstrate that On-Access scanning is working (fedora 24)

Hugo Bernier hbernier at gmail.com
Wed Aug 31 11:08:33 EDT 2016


Hi Mickey,

I turned on debug.

Given:
ScanOnAccess yes
OnAccessMountPath /
CrossFilesystems yes

In my /home directory, which is on a different file system, if I open up
the eicar test file or any file in the test directory of the source
distribution I get 17 megs of logs. The on access scanner is clearly doing
something. It does not however report that it found a virus.

If I move the eicar test file to / it does print out that it found the
virus. If I include /home as a separate entry on OnAccessMountPath it also
detects the virus.

The issue seems to be 'CrossFilesystems yes'.

If you or anyone would like the 17 megs of logs I gathered please let me
know I'll send it to you directly.

That covers detection, which is a good start. Now I'd like to
get OnAccessPrevention working simultaneously. When I try
combining OnAccessMountPath (which doesn't do prevention)
and OnAccessIncludePath which does, the latter doesn't work. Is there any
way to make it work? If OnAccessIncludePath is the only thing in the config
it does prevent access to the file. OnAccessIncludePath seems pretty picky:
I couldn't actually use the config file's example of /home - it refused to
start. I was able to specify my download directory though.

Best Regards,
Hugo

On Tue, 30 Aug 2016 at 16:02 Mickey Sola <msola at sourcefire.com> wrote:

> Hmmmm, when running clamd manually could you also try enabling debug and
> opening an eicar sample file in addition to the other tests you've been
> running?
>
> -Mickey
>
> On Tue, Aug 30, 2016 at 10:25 AM, Hugo Bernier <hbernier at gmail.com> wrote:
>
> > Hi Mickey,
> >
> > I've set OnAccessMaxFileSize 1000M.
> >
> > Instead of "Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Max file size limited to -1 bytes"
> > I get: "Tue Aug 30 12:44:08 2016 -> ScanOnAccess: Max file size limited to 1048576000 bytes"
> >
> > I still don't see any entries when I open up files.
> >
> > I should note that I also set this selinux boolean a couple of reboots ago.
> > antivirus_can_scan_system --> on
> > in selinux as well.
> >
> > I also tried simplifying the configuration to this, and running clamd
> > manually.
> >
> > """
> > LogClean yes
> > LogSyslog yes
> > LogVerbose yes
> > LocalSocket /var/run/clamd.sock
> > Foreground yes
> >
> > ScanOnAccess yes
> > OnAccessMountPath /
> > OnAccessExcludeUID 0
> > """
> >
> > When I execute the following command:
> > clamdscan minuscule.pdf
> >
> > In the logs I see
> > Aug 30 13:20:17 localhost.localdomain clamd[13472]:
> > /home/<snip>/Documents/minuscule.pdf: OK
> >
> > When I open the same file with evince, I get nothing from clamd. Note that
> > I've been sticking to small files to avoid hitting the default file max (5m).
> >
> > Best,
> > Hugo
> >
> > On Tue, 30 Aug 2016 at 11:54 Mickey Sola <msola at sourcefire.com> wrote:
> >
> > > Hi Hugo,
> > >
> > > Could you try setting the max filesize option to a non-zero value and let
> > > me know if that changes anything?
> > >
> > > -Mickey
> > >
> > > On Aug 30, 2016 7:51 AM, "Hugo Bernier" <hbernier at gmail.com> wrote:
> > >
> > > > We have a new requirement at work that we have virus scanners installed on
> > > > our workstations.
> > > >
> > > > What I'm trying to do is demonstrate that onAccess scanning works. What I'm
> > > > expecting, which could be wrong, is that there would be output either in
> > > > the logs or clamdtop when a file is opened or otherwise manipulated when
> > > > verbose logging and "LogClean" is enabled. My assumption is that my setup
> > > > is wrong. I've used
> > > > http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html
> > > > as a base for the settings described below.
> > > >
> > > > I'm using clamav 0.99.2 from fedora 24 and the up to date stock fedora 24
> > > > kernel. CONFIG_FANOTIFY=y and CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y are
> > > > present in /boot/config-4.6.7-300.fc24.x86_64.
> > > >
> > > > Here's my configuration in /etc/clam.d/scan.conf:
> > > >
> > > > LogFile /var/log/clamd.scan
> > > > LogFileUnlock yes
> > > > LogFileMaxSize 2M
> > > > LogTime yes
> > > > LogClean yes
> > > > LogVerbose yes
> > > > LogRotate yes
> > > > ExtendedDetectionInfo yes
> > > > PidFile /var/run/clamd.scan/clamd.pid
> > > > LocalSocket /var/run/clamd.scan/clamd.sock
> > > >
> > > > ScanOnAccess yes
> > > > OnAccessMountPath /
> > > > OnAccessMaxFileSize 0
> > > > OnAccessExcludeUID 0
> > > >
> > > > When clamav starts, the logs show the following:
> > > >
> > > > Tue Aug 30 10:38:53 2016 -> +++ Started at Tue Aug 30 10:38:53 2016
> > > > Tue Aug 30 10:38:53 2016 -> Received 0 file descriptor(s) from systemd.
> > > > Tue Aug 30 10:38:53 2016 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
> > > > Tue Aug 30 10:38:53 2016 -> Log file size limited to 2097152 bytes.
> > > > Tue Aug 30 10:38:53 2016 -> Reading databases from /var/lib/clamav
> > > > Tue Aug 30 10:38:53 2016 -> Not loading PUA signatures.
> > > > Tue Aug 30 10:38:53 2016 -> Bytecode: Security mode set to "TrustSigned".
> > > > Tue Aug 30 10:38:58 2016 -> Loaded 4772631 signatures.
> > > > Tue Aug 30 10:38:59 2016 -> LOCAL: Unix socket file /var/run/clamd.scan/clamd.sock
> > > > Tue Aug 30 10:38:59 2016 -> LOCAL: Setting connection queue length to 200
> > > > Tue Aug 30 10:38:59 2016 -> Limits: Global size limit set to 104857600 bytes.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: File size limit set to 26214400 bytes.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: Recursion level limit set to 16.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: Files limit set to 10000.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: Core-dump limit is 0.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxPartitions limit set to 50.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxIconsPE limit set to 100.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxRecHWP3 limit set to 16.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: PCREMatchLimit limit set to 10000.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
> > > > Tue Aug 30 10:38:59 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
> > > > Tue Aug 30 10:38:59 2016 -> Archive support enabled.
> > > > Tue Aug 30 10:38:59 2016 -> Algorithmic detection enabled.
> > > > Tue Aug 30 10:38:59 2016 -> Portable Executable support enabled.
> > > > Tue Aug 30 10:38:59 2016 -> ELF support enabled.
> > > > Tue Aug 30 10:38:59 2016 -> Mail files support enabled.
> > > > Tue Aug 30 10:38:59 2016 -> OLE2 support enabled.
> > > > Tue Aug 30 10:38:59 2016 -> PDF support enabled.
> > > > Tue Aug 30 10:38:59 2016 -> SWF support enabled.
> > > > Tue Aug 30 10:38:59 2016 -> HTML support enabled.
> > > > Tue Aug 30 10:38:59 2016 -> XMLDOCS support enabled.
> > > > Tue Aug 30 10:38:59 2016 -> HWP3 support enabled.
> > > > Tue Aug 30 10:38:59 2016 -> Self checking every 600 seconds.
> > > > Tue Aug 30 10:38:59 2016 -> Listening daemon: PID: 3818
> > > > Tue Aug 30 10:38:59 2016 -> MaxQueue set to: 100
> > > > Tue Aug 30 10:38:59 2016 -> ScanOnAccess: notifying only for access attempts.
> > > > Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Protecting '/' and rest of mount.
> > > > Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Max file size limited to -1 bytes
> > > >
> > > > And then nothing. No matter what programs I start, files I open, I simply
> > > > don't get output in the logs or clamdtop related to onAccess scanning.
> > > >
> > > > What am I doing wrong?
> > > >
> > > > Best,
> > > > Hugo
> > > > _______________________________________________
> > > > Help us build a comprehensive ClamAV guide:
> > > > https://github.com/vrtadmin/clamav-faq
> > > >
> > > > http://www.clamav.net/contact.html#ml
> > > >
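A scan.conf sanity check for the pitfalls this thread works through (OnAccessMaxFileSize left at 0, OnAccessMountPath / relying on CrossFilesystems to reach /home, and OnAccessPrevention without OnAccessIncludePath), added here as an example and not code from the thread or from ClamAV. It assumes a POSIX sh with awk and grep, and runs against a constructed sample config rather than a live clamd.

```shell
# Added example: flag the on-access configuration pitfalls discussed in the
# thread. Not ClamAV code; assumes POSIX sh with awk and grep. All option
# names below are the clamd.conf keys quoted in the thread.

# Print the value of KEY in FILE (last occurrence wins, '#' comments skipped).
conf_get() {  # usage: conf_get FILE KEY
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Print one line per pitfall found; prints nothing when the config looks sane.
check_onaccess_conf() {  # usage: check_onaccess_conf FILE
    f="$1"
    [ "$(conf_get "$f" ScanOnAccess)" = "yes" ] || echo "ScanOnAccess is not enabled"
    # clamd 0.99.2 logged OnAccessMaxFileSize 0 as "-1 bytes"; the thread's
    # first suggested fix was an explicit non-zero size.
    case "$(conf_get "$f" OnAccessMaxFileSize)" in
        ""|0) echo "OnAccessMaxFileSize unset or 0: set an explicit size" ;;
    esac
    # In the thread, OnAccessMountPath / plus CrossFilesystems yes reported no
    # detections on /home (a separate filesystem); adding /home as its own
    # OnAccessMountPath entry did.
    if [ "$(conf_get "$f" OnAccessMountPath)" = "/" ] \
        && [ "$(conf_get "$f" CrossFilesystems)" = "yes" ] \
        && [ "$(grep -c '^OnAccessMountPath' "$f")" -eq 1 ]; then
        echo "OnAccessMountPath / alone did not cover other filesystems: list each mount explicitly"
    fi
    # OnAccessMountPath is notify-only; prevention needs OnAccessIncludePath, and
    # in the thread combining the two kept the include path from preventing.
    if [ "$(conf_get "$f" OnAccessPrevention)" = "yes" ]; then
        [ -n "$(conf_get "$f" OnAccessIncludePath)" ] \
            || echo "OnAccessPrevention needs OnAccessIncludePath (OnAccessMountPath only notifies)"
        [ -z "$(conf_get "$f" OnAccessMountPath)" ] \
            || echo "OnAccessMountPath alongside OnAccessIncludePath blocked prevention in the thread"
    fi
}

# Constructed sample: the on-access lines quoted at the top of the thread.
write_sample_conf() {  # usage: write_sample_conf FILE
    cat > "$1" <<'EOF'
ScanOnAccess yes
OnAccessMountPath /
CrossFilesystems yes
OnAccessExcludeUID 0
EOF
}

# Stand-alone run: write the sample, print its findings, clean up.
tmp=$(mktemp); write_sample_conf "$tmp"
check_onaccess_conf "$tmp"; rm -f "$tmp"
```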
