[clamav-users] Encrypted Word doc/phishing attack

Reindl Harald h.reindl at thelounge.net
Wed Oct 5 14:46:05 EDT 2016



On 05.10.2016 at 20:37, Alex wrote:
>>>> [root at mail-gw:/etc/clamd.d]$ cat scan.conf | grep OLE2BlockMacros
>>>> OLE2BlockMacros no
>>>>
>>>> [root at mail-gw:/etc/clamd.d]$ cat scan-sa.conf | grep OLE2BlockMacros
>>>> OLE2BlockMacros yes
>>>
>>>
>>> Reindl, I appreciate your input, but I can't just outright reject docs
>>> with macros. We're also talking about password-protected Word
>>> documents here, not macro documents
>>
>> guess why I fixed the clamav-plugin for spamassassin and there are *two*
>> instances like you can see above...
>>
>> reject is above 8.0 and the rest is done by bayes to avoid FP and other
>> rules to make sure it's crap
>
> Can you explain how you configured systemd to start two instances of
> the same clamd binary using different config files?

by just using two different ExecStart= calls in the unit files

nothing easier than starting a dozen identical binaries with different 
configurations, be it clamd, spamd, mysqld, httpd.... with systemd

[root at mail-gw:~]$ ps aux | grep clamd
clamscan  1140  0.3 12.3 895344 498072 ?       SNsl Okt03  10:39 /usr/sbin/clamd -c /etc/clamd.d/scan-sa.conf
clamscan  1160  0.3 10.7 858048 435668 ?       SNsl Okt03  10:47 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

[root at mail-gw:/etc/systemd/system]$ cat clamd.service
[Unit]
Description=ClamAV Scanner Daemon

[Service]
Type=forking
Environment="TMPDIR=/tmp"
Environment="LANG=en_GB.UTF-8"
ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
ExecReload=/usr/bin/kill -SIGUSR2 $MAINPID
Restart=always
RestartSec=1
Nice=5

User=clamscan
Group=clamilt

PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=no
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=x86-64
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime \
  delete_module fanotify_init finit_module get_mempolicy init_module \
  io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp \
  kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages \
  open_by_handle_at perf_event_open pivot_root process_vm_readv \
  process_vm_writev ptrace remap_file_pages request_key set_mempolicy \
  swapoff swapon umount2 uselib vmsplice

ReadOnlyDirectories=/
ReadWriteDirectories=/run/clamd.scan
ReadWriteDirectories=/run/clamd
ReadWriteDirectories=/var/log
ReadWriteDirectories=/tmp
___________________________________________________________

[root at mail-gw:/etc/systemd/system]$ cat clamd-sa.service
[Unit]
Description=ClamAV Scanner Daemon for SpamAssassin
Before=spamassassin.service

[Service]
Type=forking
Environment="TMPDIR=/tmp"
Environment="LANG=en_GB.UTF-8"
ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan-sa.conf
ExecReload=/usr/bin/kill -SIGUSR2 $MAINPID
Restart=always
RestartSec=1
Nice=5

User=clamscan
Group=clamilt

PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=no
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=x86-64
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime \
  delete_module fanotify_init finit_module get_mempolicy init_module \
  io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp \
  kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages \
  open_by_handle_at perf_event_open pivot_root process_vm_readv \
  process_vm_writev ptrace remap_file_pages request_key set_mempolicy \
  swapoff swapon umount2 uselib vmsplice

ReadOnlyDirectories=/
ReadWriteDirectories=/run/clamd.scan
ReadWriteDirectories=/run/clamd
ReadWriteDirectories=/var/log
ReadWriteDirectories=/tmp
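The two unit files above declare a fairly tight sandbox (NoNewPrivileges, a bounding set of only CAP_KILL, a seccomp syscall filter). A practitioner running two clamd instances this way will want to confirm that each PID from the ps output is actually confined as declared, rather than trusting the unit file. The script below is an added example, not code from the mailing-list post or from the ClamAV project: it reads /proc/<pid>/status and checks the kernel-reported NoNewPrivs flag, Seccomp mode (2 = filter mode, which SystemCallFilter= produces) and the CapBnd mask, which it decodes from hex into capability numbers (CAP_KILL is capability 5, so a bounding set of exactly CAP_KILL is CapBnd: 0000000000000020). The two status records embedded in the script are constructed samples for running it offline; pass real PIDs as arguments on the mail gateway itself.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): verify that a running clamd
# is confined the way the systemd unit above declares, using /proc/<pid>/status.
# Usage: sh audit_clamd.sh 1140 1160     (no arguments: audit the constructed samples)

# Map one hex digit to its decimal value (pure POSIX sh, no external tools).
hexval() {
    case $1 in
        [0-9]) echo "$1" ;;
        a|A) echo 10 ;; b|B) echo 11 ;; c|C) echo 12 ;;
        d|D) echo 13 ;; e|E) echo 14 ;; f|F) echo 15 ;;
        *) return 1 ;;
    esac
}

# Decode a CapBnd/CapEff hex mask into the space-separated list of set
# capability numbers, lowest first.  0000000000000020 -> "5" (CAP_KILL).
cap_numbers_from_mask() {
    hex=$1
    out=""
    bit=0
    i=${#hex}
    # walk the string from the least significant (rightmost) hex digit
    while [ "$i" -gt 0 ]; do
        nibble=$(printf '%s' "$hex" | cut -c "$i")
        val=$(hexval "$nibble") || return 1
        j=0
        while [ "$j" -lt 4 ]; do
            if [ $(( (val >> j) & 1 )) -eq 1 ]; then
                out="$out $((bit + j))"
            fi
            j=$((j + 1))
        done
        bit=$((bit + 4))
        i=$((i - 1))
    done
    printf '%s\n' "${out# }"
}

# Read a /proc/<pid>/status document on stdin and check the three sandbox
# properties the unit file promises.  Returns 0 only if all three hold.
audit_status_text() {
    status=$(cat)
    nnp=$(printf '%s\n' "$status"     | awk '$1=="NoNewPrivs:"{print $2}')
    seccomp=$(printf '%s\n' "$status" | awk '$1=="Seccomp:"{print $2}')
    capbnd=$(printf '%s\n' "$status"  | awk '$1=="CapBnd:"{print $2}')
    caps=$(cap_numbers_from_mask "$capbnd")
    rc=0
    [ "$nnp" = "1" ]     || { echo "FAIL: NoNewPrivs=$nnp (expected 1, NoNewPrivileges=yes)"; rc=1; }
    [ "$seccomp" = "2" ] || { echo "FAIL: Seccomp=$seccomp (expected 2 = filter mode, SystemCallFilter=)"; rc=1; }
    [ "$caps" = "5" ]    || { echo "FAIL: CapBnd=$capbnd -> caps [$caps] (expected only 5 = CAP_KILL)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: NoNewPrivs=1 Seccomp=2 CapBnd=CAP_KILL only"
    return "$rc"
}

# Constructed sample: what a clamd started by the unit above should look like.
SAMPLE_STATUS_OK='Name:   clamd
State:  S (sleeping)
Pid:    1140
CapBnd: 0000000000000020
NoNewPrivs:     1
Seccomp:        2'

# Constructed sample: a clamd started by hand as root, no sandbox at all.
SAMPLE_STATUS_UNCONFINED='Name:   clamd
State:  S (sleeping)
Pid:    4242
CapBnd: 0000003fffffffff
NoNewPrivs:     0
Seccomp:        0'

if [ $# -gt 0 ]; then
    for pid in "$@"; do
        echo "== pid $pid =="
        audit_status_text < "/proc/$pid/status"
    done
else
    echo "(no pid given; auditing the constructed sample records)"
    printf '%s\n' "$SAMPLE_STATUS_OK" | audit_status_text
    printf '%s\n' "$SAMPLE_STATUS_UNCONFINED" | audit_status_text || true
fi
```

On the gateway, `sh audit_clamd.sh $(pidof clamd)` checks both instances in one go. Note that CapBnd only bounds what the process can ever regain; since clamd runs as the unprivileged clamscan user, CapEff is normally all zeros anyway, so the bounding-set check is about making sure a compromised clamd cannot escalate through a setuid helper, which NoNewPrivs=1 additionally rules out.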



More information about the clamav-users mailing list