[clamav-users] ScanOnAccess issue when clamd launched from systemd

Mickey Sola msola at sourcefire.com
Thu May 5 11:27:43 EDT 2016


Mikko,

I know you didn't find anything in audit.log, but is your primary issue
resolved when you set SELinux to Permissive? Looking at the code, and the
debug output, so far everything points to this being an issue with
permissions.

Regarding your secondary problems:

As documented, OnAccess scanning will not prevent access or write attempts
if OnAccessMountPath is enabled. This is to prevent users from accidentally
locking up their systems via a fanotify-induced deadlock.

The CPU resource utilization when watching the entire filesystem is
expected, due to the constant system-wide access events which must be
queued and processed individually. Unfortunately, delaying or throttling
event handling in this case would quickly overflow the fanotify event
queue. You might consider being more selective with your watchpoints to
reduce unwanted noise and free up CPU cycles.

- Mickey

On Thu, May 5, 2016 at 6:12 AM, Mikko Caldara <Mikko.Caldara at fca.org.uk>
wrote:

> I currently have these options enabled:
>
> ScanOnAccess yes
> OnAccessMountPath /
> OnAccessExcludeUID 0
> OnAccessPrevention yes
>
> the user is root.
> I guess there's a bug then?
>
> ________________________________________
> From: clamav-users [clamav-users-bounces at lists.clamav.net] on behalf of
> Virgo Pärna [virgo.parna at mail.ee]
> Sent: 05 May 2016 11:07
> To: clamav-users at lists.clamav.net
> Subject: Re: [clamav-users] ScanOnAccess issue when clamd launched from
> systemd
>
> On Thu, 5 May 2016 09:50:03 +0000, Mikko Caldara <Mikko.Caldara at fca.org.uk>
> wrote:
> > Not sure if it's related, but when I launch clamd *without* systemd and
> then try to access an "infected" file, 2 problems occur:
> >
> > - clamd does not prevent access, despite having the option enabled
> > - clamd goes into an infinite loop and hogs the CPU:
> >
> > Thu May  5 09:42:20 2016 -> ScanOnAccess:
> /etc/suricata/rules/emerging-activex.rules:
> Win.Trojan.cve_2011_2657-1(30e2f8e333f1624bb5ab66bed16eb110:274398) FOUND
> > Thu May  5 09:42:20 2016 -> ScanOnAccess:
> /tmp/clamav-326fdcae0616839f918d7b703a8e513b.tmp/nocomment.html (deleted):
> Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
>
>
>         Looks like it is also scanning temporary files created during
> the scanning. Could you set OnAccessExcludeUID to clamd user id?
>
> --
> Virgo Pärna
> virgo.parna at mail.ee
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

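The configuration combinations discussed in this thread (OnAccessMountPath
together with OnAccessPrevention, a mount path of /, and the choice of
OnAccessExcludeUID) are easy to get wrong in a way that silently leaves no
access blocking in place. Below is an added example of a small clamd.conf
lint script; it is not ClamAV project code and was not posted by anyone in
the thread. It relies on the two facts stated above (prevention is not
enforced while OnAccessMountPath is set; watching / queues every access
event on the host) and assumes the OnAccessIncludePath and User directive
names from the clamd.conf.sample of that era. Both sample config files, the
paths in them and the uid 993 are constructed for the example.

```shell
#!/bin/sh
# Added example, not ClamAV project code: lint a clamd.conf for the
# OnAccess pitfalls raised in the clamav-users thread.
# Thread facts used: OnAccessPrevention is not enforced while
# OnAccessMountPath is set; watching "/" queues every access event.
# Assumption: OnAccessIncludePath and User are the directives for
# narrowing watchpoints and for the daemon's service account.

# Strip comments and blank lines, leaving "Directive value" lines.
conf_directives() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Value of the first occurrence of a directive, empty if absent.
conf_get() {
    conf_directives "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# Print one finding per line ("TAG: explanation"); return 1 if any found.
check_onaccess_conf() {
    _conf="$1"
    _n=0
    [ "$(conf_get "$_conf" ScanOnAccess)" = "yes" ] || return 0
    _mount="$(conf_get "$_conf" OnAccessMountPath)"
    _prev="$(conf_get "$_conf" OnAccessPrevention)"
    _uid="$(conf_get "$_conf" OnAccessExcludeUID)"
    _user="$(conf_get "$_conf" User)"
    if [ -n "$_mount" ] && [ "$_prev" = "yes" ]; then
        echo "PREVENTION_IGNORED: OnAccessPrevention is not enforced while OnAccessMountPath is set; use OnAccessIncludePath for paths that must be blocked"
        _n=$((_n + 1))
    fi
    if [ "$_mount" = "/" ]; then
        echo "WHOLE_FS_WATCH: OnAccessMountPath / queues every access event on the host; narrow the watchpoints"
        _n=$((_n + 1))
    fi
    if [ -z "$_uid" ]; then
        echo "NO_SELF_EXCLUDE: OnAccessExcludeUID unset; clamd's own reads (including its /tmp/clamav-* temp files) generate events"
        _n=$((_n + 1))
    elif [ "$_uid" = "0" ] && [ -z "$_user" ]; then
        echo "EXCLUDES_ALL_ROOT: daemon runs as root and UID 0 is excluded, so every root process is exempt from scanning, not just clamd"
        _n=$((_n + 1))
    fi
    [ "$_n" -eq 0 ]
}

# Number of findings for a config file.
count_findings() {
    check_onaccess_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample configs (not taken from any real machine).
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
# The combination posted in the thread
ScanOnAccess yes
OnAccessMountPath /
OnAccessExcludeUID 0
OnAccessPrevention yes
EOF
cat > "$SAMPLE_DIR/narrow.conf" <<'EOF'
# Narrowed: prevention on a few directories, clamd's own uid excluded
User clamav
ScanOnAccess yes
OnAccessIncludePath /home
OnAccessIncludePath /srv/upload
# assumption: 993 is the uid of the clamav service account
OnAccessExcludeUID 993
OnAccessPrevention yes
EOF

# Usage: report both sample files without aborting on findings.
for f in weak narrow; do
    echo "== $f.conf"
    check_onaccess_conf "$SAMPLE_DIR/$f.conf" || true
done
```

Run it against a real /etc/clamd.conf (or clamd.d/scan.conf) instead of
the sample files: a PREVENTION_IGNORED line means the "blocking" you think
you have is not being enforced, and EXCLUDES_ALL_ROOT means the exclusion
meant for clamd also exempts every other root process on the box.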