[clamav-users] ScanOnAccess, OnAccessPrevention and move to quarantine

Juan Asensio Sánchez okelet at gmail.com
Wed Dec 13 07:37:45 UTC 2017


Hi, I am trying to configure clamd (running as user root) with ScanOnAccess
enabled and "OnAccessExcludeUID 0". Basically, our web app allows the user
to upload files using a WS (the web server runs as user xxxx, not root),
and then a batch job processes the file. I have also enabled
OnAccessPrevention, so in case of an upload with an infected file, the
batch job can't access it (but the root user could, as per
OnAccessExcludeUID). I have also created a script configured in VirusEvent
so we are alerted when a virus is detected. The problem is that, as the
file remains, the batch job is always trying to process the file, throwing
errors. I have tried to move the file to a quarantine folder using the
VirusEvent script, but the server completely freezes; after the tests, I
have read on some websites that we shouldn't move or delete the infected file
inside that script.

So, what could be a solution? How can I move the file to a quarantine
folder using this configuration? Is there a better/alternative solution?

# uname -a
Linux xxxxxxx 3.10.0-693.11.1.el7.x86_64 #1 SMP Fri Oct 27 05:39:05 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)

# rpm -qa | grep clam
clamav-filesystem-0.99.2-8.el7.noarch
clamav-server-systemd-0.99.2-8.el7.noarch
clamav-update-0.99.2-8.el7.x86_64
clamav-data-0.99.2-8.el7.noarch
clamav-server-0.99.2-8.el7.x86_64
clamav-scanner-0.99.2-8.el7.noarch
clamav-0.99.2-8.el7.x86_64
clamav-lib-0.99.2-8.el7.x86_64
clamav-scanner-systemd-0.99.2-8.el7.noarch

Thanks.
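
One way to keep the file move out of the VirusEvent script, which the post says is the advice it found: the handler only writes a spool record, and a separate root job performs the quarantine later. This is an added example, not part of the original post and not ClamAV project code; the three directories, the script path and the cron/timer scheduling are assumptions, and it is not tested against the freeze described above.

```bash
#!/bin/bash
# Added example, not from the original post. All three paths are assumed placeholders.
SPOOL_DIR="${SPOOL_DIR:-/var/spool/clam-events}"
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/quarantine}"
UPLOAD_DIR="${UPLOAD_DIR:-/srv/uploads}"

# clamd.conf: VirusEvent /usr/local/sbin/clam-quarantine.sh record   (script path assumed)
# Writes one spool record per detection and never touches the infected file.
record_event() {
    [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ] || return 1
    local rec
    rec=$(mktemp "$SPOOL_DIR/event.XXXXXX") || return 1
    # Line 1: signature name; remainder: path as reported by clamd.
    printf '%s\n%s' "${CLAM_VIRUSEVENT_VIRUSNAME:-unknown}" "$CLAM_VIRUSEVENT_FILENAME" > "$rec"
}

# Run separately from clamd (cron or a systemd timer) as root, the UID the post
# excludes with OnAccessExcludeUID 0. Prints the number of files moved.
drain_queue() {
    local rec virus path real root qdir dest moved=0
    root=$(realpath -e -- "$UPLOAD_DIR") || return 1
    for rec in "$SPOOL_DIR"/event.*; do
        [ -f "$rec" ] || continue
        virus=$(head -n 1 "$rec")
        path=$(tail -n +2 "$rec")
        rm -f -- "$rec"                                # each record is handled once
        [ -L "$path" ] && continue                     # never follow an uploaded symlink
        real=$(realpath -e -- "$path" 2>/dev/null) || continue   # file already gone
        case "$real" in
            "$root"/*) [ -f "$real" ] || continue ;;   # regular file inside the upload tree
            *) continue ;;                             # refuse paths outside it
        esac
        qdir=$(mktemp -d "$QUARANTINE_DIR/q.XXXXXX") || continue  # unique dir, no name clashes
        dest="$qdir/$(basename -- "$real")"
        if mv -- "$real" "$dest"; then
            chmod 000 "$dest"
            printf '%s\t%s\t%s\n' "$virus" "$real" "$dest" >> "$QUARANTINE_DIR/index.tsv"
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

case "${1:-}" in
    record) record_event ;;
    drain)  drain_queue ;;
esac
```

The spool directory must be writable by the user clamd runs as, and the quarantine directory should sit outside any path the batch job reads.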
