[clamav-users] ScanOnAccess issue when clamd launched from systemd

Mikko Caldara Mikko.Caldara at fca.org.uk
Thu May 5 05:50:03 EDT 2016


Not sure if it's related, but when I launch clamd *without* systemd and then try to access an "infected" file, 2 problems occur:

- clamd does not prevent access, despite having the option enabled
- clamd goes into an infinite loop and hogs the CPU:

Logs:

Thu May  5 09:42:20 2016 -> ScanOnAccess: /etc/suricata/rules/emerging-activex.rules: Win.Trojan.cve_2011_2657-1(30e2f8e333f1624bb5ab66bed16eb110:274398) FOUND
Thu May  5 09:42:20 2016 -> ScanOnAccess: /tmp/clamav-326fdcae0616839f918d7b703a8e513b.tmp/nocomment.html (deleted): Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
Thu May  5 09:42:21 2016 -> ScanOnAccess: /tmp/clamav-29d22f0e38aa614b58575e4dee9d27ad.tmp/nocomment.html (deleted): Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
Thu May  5 09:42:21 2016 -> ScanOnAccess: /tmp/clamav-df9d8818c62cd2824baa139b7de03183.tmp/nocomment.html (deleted): Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
Thu May  5 09:42:21 2016 -> ScanOnAccess: /tmp/clamav-ff68924711538f56f6281f0d6847928d.tmp/nocomment.html (deleted): Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
Thu May  5 09:42:21 2016 -> ScanOnAccess: /tmp/clamav-eae1c4e9bc4ecf83322449216feb4f42.tmp/nocomment.html (deleted): Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
Thu May  5 09:42:21 2016 -> ScanOnAccess: /tmp/clamav-086da1b9d6df8989cb621925b13c7055.tmp/nocomment.html (deleted): Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
[...]
And it goes on forever... Need to kill it.
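One way to catch the rescan loop shown above from the log rather than from CPU load, as an added example that is not ClamAV's own code: it parses the ScanOnAccess FOUND lines in the format quoted in this thread and flags a signature that keeps firing on clamd's own deleted temp files within a few seconds. The threshold, the window and the sample log are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout of clamd's on-access detection lines, taken from the log excerpts in this thread.
FOUND_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) -> ScanOnAccess: "
    r"(?P<path>.+?)(?P<deleted> \(deleted\))?: "
    r"(?P<sig>[^(\s]+)\((?P<md5>[0-9a-f]{32}):(?P<size>\d+)\) FOUND$"
)
# clamd's own temporary extraction directory, as it appears in the thread's log.
TMP_RE = re.compile(r"^/tmp/clamav-[0-9a-f]{32}\.tmp/")

def parse_found(line):
    """Return a dict for a ScanOnAccess 'FOUND' line, or None for any other line."""
    m = FOUND_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
    ev["deleted"] = ev["deleted"] is not None
    ev["size"] = int(ev["size"])
    ev["in_scanner_tmp"] = bool(TMP_RE.match(ev["path"]))
    return ev

def find_rescan_storms(lines, min_hits=3, window_seconds=5):
    """A storm is one (signature, md5) pair hit min_hits or more times on clamd's own
    deleted temp files within window_seconds: the scanner is re-triggering on files it
    created itself, which is the loop the thread describes. Threshold and window are
    assumptions chosen for this example, not clamd settings."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_found(line)
        if ev and ev["deleted"] and ev["in_scanner_tmp"]:
            hits[(ev["sig"], ev["md5"])].append(ev["ts"])
    storms = []
    for (sig, md5), stamps in sorted(hits.items()):
        stamps.sort()
        if len(stamps) >= min_hits and (stamps[-1] - stamps[0]).total_seconds() <= window_seconds:
            storms.append((sig, md5, len(stamps)))
    return storms

# Constructed sample, modelled on the lines quoted above (same paths and signatures).
SAMPLE_LOG = """\
Thu May  5 09:42:20 2016 -> ScanOnAccess: Protecting '/' and rest of mount.
Thu May  5 09:42:20 2016 -> ScanOnAccess: /etc/suricata/rules/emerging-activex.rules: Win.Trojan.cve_2011_2657-1(30e2f8e333f1624bb5ab66bed16eb110:274398) FOUND
Thu May  5 09:42:20 2016 -> ScanOnAccess: /tmp/clamav-326fdcae0616839f918d7b703a8e513b.tmp/nocomment.html (deleted): Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
Thu May  5 09:42:21 2016 -> ScanOnAccess: /tmp/clamav-29d22f0e38aa614b58575e4dee9d27ad.tmp/nocomment.html (deleted): Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
Thu May  5 09:42:21 2016 -> ScanOnAccess: /tmp/clamav-df9d8818c62cd2824baa139b7de03183.tmp/nocomment.html (deleted): Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
Thu May  5 09:42:21 2016 -> ScanOnAccess: /tmp/clamav-ff68924711538f56f6281f0d6847928d.tmp/nocomment.html (deleted): Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
"""
```

Run `find_rescan_storms(SAMPLE_LOG.splitlines())` on the sample to get the single repeating signature with its hit count; feeding it the live clamd log (tail -F) gives an early signal before the CPU is pegged.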



________________________________________
From: clamav-users [clamav-users-bounces at lists.clamav.net] on behalf of Mikko Caldara [Mikko.Caldara at fca.org.uk]
Sent: 05 May 2016 09:34
To: ClamAV users ML
Subject: Re: [clamav-users] ScanOnAccess issue when clamd launched from systemd

SELinux is indeed enabled, but there's no blocking message in audit.log when the error occurs.

After further retries, it seems the error sometimes occurs a while after clamd has started, even 2 minutes:

Thu May  5 08:25:38 2016 -> ScanOnAccess: notifying only for access attempts.
Thu May  5 08:25:38 2016 -> ScanOnAccess: Protecting '/' and rest of mount.
Thu May  5 08:25:38 2016 -> ScanOnAccess: Max file size limited to 5242880 bytes
Thu May  5 08:27:29 2016 -> ERROR: ScanOnAccess: Internal error (failed to read data) ... Permission denied

I tried passing the --debug flag to the command, but it does not seem to provide any more info.

The OS is RHEL 7.2 running on Amazon EC2, kernel: 3.10.0-327.10.1.el7.x86_64

Thanks

________________________________________
From: clamav-users [clamav-users-bounces at lists.clamav.net] on behalf of Bond Masuda [bond.masuda at hexadiam.com]
Sent: 04 May 2016 19:11
To: ClamAV users ML
Subject: Re: [clamav-users] ScanOnAccess issue when clamd launched from systemd

Is SELinux enabled on that system? If so, I would look to see if SELinux
is blocking.


On 05/04/2016 09:29 AM, Mikko Caldara wrote:
> Hello,
> I'm trying to configure OnAccess scanning on the whole drive, as read in this blog post:
> http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html (first example)
> It works fine if I launch clamd manually, with: /usr/sbin/clamd -c /etc/clamd.conf &
>
> If I use systemd to launch the clamd service, the ScanOnAccess functionality is broken (Permission denied).
>
> Here's the systemd file:
>
> [Unit]
> Description=ClamAV Daemon
>
> [Service]
> ExecStartPre=/usr/bin/mkdir -p /var/run/clamav
> Type=forking
> PIDFile=/var/run/clamav/clamd.pid
> User=root
> ExecStart=/usr/sbin/clamd -c /etc/clamd.conf
>
> [Install]
> WantedBy=multi-user.target
>
> And here is the partial log, with the error:
>
> Wed May  4 15:45:29 2016 -> +++ Started at Wed May  4 15:45:29 2016
> Wed May  4 15:45:29 2016 -> clamd daemon 0.99.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
> Wed May  4 15:45:29 2016 -> Running as user root (UID 0, GID 0)
> [...]
> Wed May  4 15:45:30 2016 -> ScanOnAccess: notifying only for access attempts.
> Wed May  4 15:45:30 2016 -> ScanOnAccess: Protecting '/' and rest of mount.
> Wed May  4 15:45:30 2016 -> ScanOnAccess: Max file size limited to 5242880 bytes
> Wed May  4 15:45:31 2016 -> ERROR: ScanOnAccess: Internal error (failed to read data) ... Permission denied
>
> Any ideas as to why this is happening?
>
> Thanks
>
> /MC
>
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
