[clamav-users] can't demonstrate that On-Access scanning is working (fedora 24)

Mickey Sola msola at sourcefire.com
Wed Aug 31 13:34:57 EDT 2016


Hugo,

If you could send me the logs it would definitely help me figure out fixes
for some of the quirks you're seeing.

As for combining OnAccessIncludePath and OnAccessMountPath, you would
currently need to run two instances of clamd as the MountPath option
currently supersedes IncludePath when both are specified. I'll look into
the possibility of allowing both to run simultaneously as I can definitely
see the benefit there, but no promises.

OnAccessIncludePath does need to enumerate over all directories within and
build out its internal representation of the specified path, so initial
startup can take a while for larger hierarchies, which is something to keep
in mind. That said, there might be something else at play here if things
don't start up in a minute or two. You'll definitely want to verify you
have enough inotify watchpoints (although clamd *should* error out with a
message explaining this if that's the case).

Let me know if you have any other questions or need clarifications on
anything.

- Mickey

On Wed, Aug 31, 2016 at 8:08 AM, Hugo Bernier <hbernier at gmail.com> wrote:

> Hi Mickey,
>
> I turned on debug.
>
> Given:
> ScanOnAccess yes
> OnAccessMountPath /
> CrossFilesystems yes
>
> In my /home directory, which is on a different file system, if I open up
> the eicar test file or any file in the test directory of the source
> distribution I get 17 megs of logs. The on access scanner is clearly doing
> something. It does not however report that it found a virus.
>
> If I move the eicar test file to / it does print out that it found the
> virus. If I include /home as a separate entry on OnAccessMountPath it also
> detects the virus.
>
> The issue seems to be 'CrossFilesystems yes'.
>
> If you or anyone would like the 17 megs of logs I gathered please let me
> know I'll send it to you directly.
>
> That covers detection, which is a good start. Now I'd like to
> get OnAccessPrevention working simultaneously. When I try
> combining OnAccessMountPath (which doesn't do prevention)
> and OnAccessIncludePath, which does, the latter doesn't work. Is there any
> way to make it work? If OnAccessIncludePath is the only thing in the config
> it does prevent access to the file. OnAccessIncludePath seems pretty picky:
> I couldn't actually use the config file's example of /home - it refused to
> start. I was able to specify my download directory though.
>
> Best Regards,
> Hugo
>
> On Tue, 30 Aug 2016 at 16:02 Mickey Sola <msola at sourcefire.com> wrote:
>
> > Hmmmm, when running clamd manually could you also try enabling debug and
> > opening an eicar sample file in addition to the other tests you've been
> > running?
> >
> > -Mickey
> >
> > On Tue, Aug 30, 2016 at 10:25 AM, Hugo Bernier <hbernier at gmail.com> wrote:
> >
> > > Hi Mickey,
> > >
> > > I've set OnAccessMaxFileSize 1000M.
> > >
> > > Instead of "Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Max file size limited to -1 bytes"
> > > I get: "Tue Aug 30 12:44:08 2016 -> ScanOnAccess: Max file size limited to 1048576000 bytes"
> > >
> > > I still don't see any entries when I open up files.
> > >
> > > I should note that I also set this selinux boolean a couple of reboots ago:
> > > antivirus_can_scan_system --> on
> > > in selinux as well.
> > >
> > > I also tried simplifying the configuration to this, and running clamd
> > > manually.
> > >
> > > """
> > > LogClean yes
> > > LogSyslog yes
> > > LogVerbose yes
> > > LocalSocket /var/run/clamd.sock
> > > Foreground yes
> > >
> > > ScanOnAccess yes
> > > OnAccessMountPath /
> > > OnAccessExcludeUID 0
> > > """
> > >
> > > When I execute the following command:
> > > clamdscan minuscule.pdf
> > >
> > > In the logs I see
> > > Aug 30 13:20:17 localhost.localdomain clamd[13472]:
> > > /home/<snip>/Documents/minuscule.pdf: OK
> > >
> > > When I open the same file with evince, I get nothing from clamd. Note that
> > > I've been sticking to small files to avoid hitting the default file max (5m).
> > >
> > > Best,
> > > Hugo
> > >
> > > On Tue, 30 Aug 2016 at 11:54 Mickey Sola <msola at sourcefire.com> wrote:
> > >
> > > > Hi Hugo,
> > > >
> > > > Could you try setting the max filesize option to a non-zero value and
> > > > let me know if that changes anything?
> > > >
> > > > -Mickey
> > > >
> > > > On Aug 30, 2016 7:51 AM, "Hugo Bernier" <hbernier at gmail.com> wrote:
> > > >
> > > > > We have a new requirement at work that we have virus scanners installed on
> > > > > our workstations.
> > > > >
> > > > > What I'm trying to do is demonstrate that onAccess scanning works. What I'm
> > > > > expecting, which could be wrong, is that there would be output either in
> > > > > the logs or clamdtop when a file is opened or otherwise manipulated when
> > > > > verbose logging and "LogClean" is enabled. My assumption is that my setup
> > > > > is wrong. I've used
> > > > > http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html
> > > > > as a base for the settings described below.
> > > > >
> > > > > I'm using clamav 0.99.2 from fedora 24 and the up to date stock fedora 24
> > > > > kernel. CONFIG_FANOTIFY=y and CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y are
> > > > > present in /boot/config-4.6.7-300.fc24.x86_64.
> > > > >
> > > > > Here's my configuration in /etc/clam.d/scan.conf:
> > > > >
> > > > > LogFile /var/log/clamd.scan
> > > > > LogFileUnlock yes
> > > > > LogFileMaxSize 2M
> > > > > LogTime yes
> > > > > LogClean yes
> > > > > LogVerbose yes
> > > > > LogRotate yes
> > > > > ExtendedDetectionInfo yes
> > > > > PidFile /var/run/clamd.scan/clamd.pid
> > > > > LocalSocket /var/run/clamd.scan/clamd.sock
> > > > >
> > > > > ScanOnAccess yes
> > > > > OnAccessMountPath /
> > > > > OnAccessMaxFileSize 0
> > > > > OnAccessExcludeUID 0
> > > > >
> > > > > When clamav starts, the logs show the following:
> > > > >
> > > > > Tue Aug 30 10:38:53 2016 -> +++ Started at Tue Aug 30 10:38:53 2016
> > > > > Tue Aug 30 10:38:53 2016 -> Received 0 file descriptor(s) from systemd.
> > > > > Tue Aug 30 10:38:53 2016 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
> > > > > Tue Aug 30 10:38:53 2016 -> Log file size limited to 2097152 bytes.
> > > > > Tue Aug 30 10:38:53 2016 -> Reading databases from /var/lib/clamav
> > > > > Tue Aug 30 10:38:53 2016 -> Not loading PUA signatures.
> > > > > Tue Aug 30 10:38:53 2016 -> Bytecode: Security mode set to "TrustSigned".
> > > > > Tue Aug 30 10:38:58 2016 -> Loaded 4772631 signatures.
> > > > > Tue Aug 30 10:38:59 2016 -> LOCAL: Unix socket file /var/run/clamd.scan/clamd.sock
> > > > > Tue Aug 30 10:38:59 2016 -> LOCAL: Setting connection queue length to 200
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: Global size limit set to 104857600 bytes.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: File size limit set to 26214400 bytes.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: Recursion level limit set to 16.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: Files limit set to 10000.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: Core-dump limit is 0.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxPartitions limit set to 50.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxIconsPE limit set to 100.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: MaxRecHWP3 limit set to 16.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: PCREMatchLimit limit set to 10000.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
> > > > > Tue Aug 30 10:38:59 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
> > > > > Tue Aug 30 10:38:59 2016 -> Archive support enabled.
> > > > > Tue Aug 30 10:38:59 2016 -> Algorithmic detection enabled.
> > > > > Tue Aug 30 10:38:59 2016 -> Portable Executable support enabled.
> > > > > Tue Aug 30 10:38:59 2016 -> ELF support enabled.
> > > > > Tue Aug 30 10:38:59 2016 -> Mail files support enabled.
> > > > > Tue Aug 30 10:38:59 2016 -> OLE2 support enabled.
> > > > > Tue Aug 30 10:38:59 2016 -> PDF support enabled.
> > > > > Tue Aug 30 10:38:59 2016 -> SWF support enabled.
> > > > > Tue Aug 30 10:38:59 2016 -> HTML support enabled.
> > > > > Tue Aug 30 10:38:59 2016 -> XMLDOCS support enabled.
> > > > > Tue Aug 30 10:38:59 2016 -> HWP3 support enabled.
> > > > > Tue Aug 30 10:38:59 2016 -> Self checking every 600 seconds.
> > > > > Tue Aug 30 10:38:59 2016 -> Listening daemon: PID: 3818
> > > > > Tue Aug 30 10:38:59 2016 -> MaxQueue set to: 100
> > > > > Tue Aug 30 10:38:59 2016 -> ScanOnAccess: notifying only for access attempts.
> > > > > Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Protecting '/' and rest of mount.
> > > > > Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Max file size limited to -1 bytes
> > > > >
> > > > > And then nothing. No matter what programs I start, files I open, I simply
> > > > > don't get output in the logs or clamdtop related to onAccess scanning.
> > > > >
> > > > > What am I doing wrong?
> > > > >
> > > > > Best,
> > > > > Hugo
> > > > > _______________________________________________
> > > > > Help us build a comprehensive ClamAV guide:
> > > > > https://github.com/vrtadmin/clamav-faq
> > > > >
> > > > > http://www.clamav.net/contact.html#ml
> > > > >
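The thread turns on a handful of clamd.conf interactions that are easy to get wrong when you are trying to prove on-access scanning works: OnAccessMountPath overriding OnAccessIncludePath (so prevention silently never engages), OnAccessMaxFileSize 0 showing up as "-1 bytes" in the startup log, and OnAccessIncludePath needing one inotify watch per directory it enumerates. The script below is an added example, not ClamAV project code or anything either poster ran. It lints a clamd.conf for exactly those conditions as described in this thread for 0.99.2, compares an IncludePath tree's directory count against the kernel's max_user_watches, and pulls the ScanOnAccess facts out of clamd's startup lines. The sample config, the /home/example/Downloads path and the sample log lines are constructed for the demo; the kernel sysctl path and the log line formats are real.

```python
"""Lint a clamd.conf for the on-access pitfalls raised in this thread and
summarise clamd's ScanOnAccess startup lines.  Added example: the sample
config and log below are constructed, not taken from a real host."""
import os
import re
from typing import Callable, Dict, List, Optional

# Constructed config: Hugo's MountPath setup plus the IncludePath/Prevention
# combination he tried to add on top of it.  The Downloads path is hypothetical.
SAMPLE_CONF = """\
LogClean yes
LogVerbose yes
ScanOnAccess yes
OnAccessMountPath /
OnAccessIncludePath /home/example/Downloads   # hypothetical path
OnAccessPrevention yes
OnAccessMaxFileSize 0
OnAccessExcludeUID 0
"""

# Constructed from the startup lines quoted in the thread.
SAMPLE_LOG = [
    "Tue Aug 30 10:38:59 2016 -> ScanOnAccess: notifying only for access attempts.",
    "Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Protecting '/' and rest of mount.",
    "Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Max file size limited to -1 bytes",
]


def parse_clamd_conf(text: str) -> Dict[str, List[str]]:
    """clamd.conf is one 'Option value' per line; '#' starts a comment.
    Repeatable options (OnAccessIncludePath, OnAccessMountPath) keep every
    occurrence in order; for single-valued options the last one wins."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def _enabled(conf: Dict[str, List[str]], key: str) -> bool:
    return conf.get(key, ["no"])[-1].lower() in ("yes", "true", "1")


def lint_onaccess(conf: Dict[str, List[str]]) -> List[str]:
    """Return findings for the 0.99.2 behaviours described in the thread."""
    findings: List[str] = []
    if not _enabled(conf, "ScanOnAccess"):
        return ["ScanOnAccess is off: clamd registers no on-access watches at all"]
    mount = conf.get("OnAccessMountPath", [])
    include = conf.get("OnAccessIncludePath", [])
    if not mount and not include:
        findings.append("ScanOnAccess yes but no OnAccessMountPath or OnAccessIncludePath")
    if mount and include:
        findings.append("OnAccessMountPath supersedes OnAccessIncludePath when both are set; "
                        "the IncludePath entries are ignored (use a second clamd instance)")
    if _enabled(conf, "OnAccessPrevention") and not include:
        findings.append("OnAccessPrevention needs OnAccessIncludePath; MountPath only notifies")
    if conf.get("OnAccessMaxFileSize", ["0"])[-1] in ("", "0"):
        findings.append("OnAccessMaxFileSize is 0 (logged as 'limited to -1 bytes'); "
                        "set an explicit value such as 1000M")
    return findings


def inotify_watch_budget(include_paths: List[str], max_watches: Optional[int] = None,
                         walker: Callable = os.walk) -> Optional[Dict[str, object]]:
    """OnAccessIncludePath enumerates every directory below each path and needs
    an inotify watch for each one.  Compare that count with the kernel limit.
    `walker` is injectable so the check can run against a constructed tree."""
    if max_watches is None:
        try:
            with open("/proc/sys/fs/inotify/max_user_watches") as fh:
                max_watches = int(fh.read().strip())
        except OSError:
            return None  # not Linux, or sysctl not readable
    needed = sum(1 for path in include_paths for _ in walker(path))
    return {"needed": needed, "limit": max_watches, "ok": needed <= max_watches}


_ONACCESS = re.compile(r"ScanOnAccess: (?P<msg>.*)$")
_PROTECT = re.compile(r"Protecting '(?P<path>[^']+)'")
_MAXSIZE = re.compile(r"Max file size limited to (?P<n>-?\d+) bytes")


def summarize_onaccess_log(lines: List[str]) -> Dict[str, object]:
    """Pull the on-access facts out of clamd's startup log: protected paths,
    whether it is notify-only, and the effective max file size (-1 is what
    0.99.2 prints for OnAccessMaxFileSize 0)."""
    out: Dict[str, object] = {"protecting": [], "notify_only": False, "max_file_size": None}
    for line in lines:
        m = _ONACCESS.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "notifying only" in msg:
            out["notify_only"] = True
        if p := _PROTECT.search(msg):
            out["protecting"].append(p.group("path"))
        if s := _MAXSIZE.search(msg):
            out["max_file_size"] = int(s.group("n"))
    return out


if __name__ == "__main__":
    for finding in lint_onaccess(parse_clamd_conf(SAMPLE_CONF)):
        print("config:", finding)
    print("log:", summarize_onaccess_log(SAMPLE_LOG))
    print("inotify:", inotify_watch_budget(["/etc"]))
```

Run it against the real /etc/clamd.d/scan.conf and the clamd log before opening a test file: if the lint reports the MountPath/IncludePath clash or the log summary shows `notify_only` with `max_file_size` of -1, there is no point testing prevention yet. The inotify check is the defender's version of Mickey's advice on watch points; when `ok` is false, raise fs.inotify.max_user_watches before blaming clamd for a slow or failed startup.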