[clamav-users] ScanOnAccess, OnAccessPrevention and move to quarantine
Mickey Sola
msola at sourcefire.com
Wed Dec 13 20:04:05 UTC 2017
Unfortunately, the ExcludeUID option in 0.99.2 is broken due to an
oversight in how clam's optparser handles numbered lists which include 0.
You can follow along with the resolution of that issue here:
https://bugzilla.clamav.net/show_bug.cgi?id=11978
An important takeaway for you in that thread, as a RHEL 7 user, is that
your SELinux targeted policy will prevent clamd from stating /proc/PID
entirely--breaking the ExcludeUID functionality even further. A second
takeaway might be the patches you can apply to rebuild clam locally with
the new fixes, which might help solve the issue you're seeing.
Hope this helps you a bit. Sorry things weren't quite right the first go
round--that's my bad.
- Mickey
On Wed, Dec 13, 2017 at 2:37 AM, Juan Asensio Sánchez <okelet at gmail.com>
wrote:
> Hi, I am trying to configure clamd (running as user root) with ScanOnAccess
> enabled and "OnAccessExcludeUID 0". Basically, our web app allows the user
> to upload files using a WS (the web server runs as user xxxx, not root),
> and then a batch job processes the file. I have also enabled
> OnAccessPrevention, so in case of an upload with an infected file, the
> batch job can't access it (but the root user could, as per
> OnAccessExcludeUID). I have also created a script configured in VirusEvent
> so we are alerted when a virus is detected. The problem is that, as the
> file remains, the batch job is always trying to process the file, throwing
> errors. I have tried to move the file to a quarantine folder using the
> VirusEvent script, but the server completely freezes; after the tests, I
> have read on some websites that we shouldn't move or delete the infected file
> inside that script.
>
> So, what could be a solution? How can I move the file to a quarantine
> folder using this configuration? Is there a better/alternative solution?
>
> # uname -a
> Linux xxxxxxx 3.10.0-693.11.1.el7.x86_64 #1 SMP Fri Oct 27 05:39:05 EDT
> 2017 x86_64 x86_64 x86_64 GNU/Linux
>
> # cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 7.4 (Maipo)
>
> # rpm -qa | grep clam
> clamav-filesystem-0.99.2-8.el7.noarch
> clamav-server-systemd-0.99.2-8.el7.noarch
> clamav-update-0.99.2-8.el7.x86_64
> clamav-data-0.99.2-8.el7.noarch
> clamav-server-0.99.2-8.el7.x86_64
> clamav-scanner-0.99.2-8.el7.noarch
> clamav-0.99.2-8.el7.x86_64
> clamav-lib-0.99.2-8.el7.x86_64
> clamav-scanner-systemd-0.99.2-8.el7.noarch
>
> Thanks.
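As an added example (not code from either message), one way to get infected uploads out of the batch job's path without doing the move inside the VirusEvent hook, which is what froze the server above: the hook only appends a record to a queue, and a separate worker process, run from cron or a systemd timer, performs the move. It assumes clamd's documented CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME environment variables; the spool and quarantine paths are hypothetical.

```shell
#!/bin/sh
# Two-stage quarantine for clamd OnAccess + VirusEvent (added example).
# Assumes clamd sets CLAM_VIRUSEVENT_FILENAME / CLAM_VIRUSEVENT_VIRUSNAME
# for the VirusEvent command; SPOOL and QUARANTINE paths are hypothetical.
SPOOL="${SPOOL:-/var/spool/clamav-quarantine.queue}"
QUARANTINE="${QUARANTINE:-/var/lib/clamav/quarantine}"

# Stage 1: the VirusEvent hook. It records the detection and returns at
# once; it never touches the flagged file, so clamd is not blocked on a
# filesystem operation inside the tree it is itself watching.
virus_event_handler() {
    file="${CLAM_VIRUSEVENT_FILENAME:-}"
    name="${CLAM_VIRUSEVENT_VIRUSNAME:-unknown}"
    [ -n "$file" ] || return 1
    # Tab-separated record: epoch, virus name, path (paths must not contain tabs).
    printf '%s\t%s\t%s\n' "$(date +%s)" "$name" "$file" >> "$SPOOL"
}

# Stage 2: the quarantine worker, run as a separate process (cron/systemd
# timer) by a UID that OnAccessPrevention lets through. Moves each queued
# file into QUARANTINE, logs the move, and prints how many files it moved.
quarantine_worker() {
    [ -s "$SPOOL" ] || { echo 0; return 0; }
    mkdir -p "$QUARANTINE"
    work="$SPOOL.$$"
    mv "$SPOOL" "$work"              # take the queue; new events start a fresh file
    moved=0
    while IFS="$(printf '\t')" read -r ts name path; do
        [ -f "$path" ] || continue   # already gone: nothing to quarantine
        dest="$QUARANTINE/$ts-$(basename -- "$path").$$"
        if mv -- "$path" "$dest"; then
            printf '%s\t%s\t%s\t%s\n' "$ts" "$name" "$path" "$dest" \
                >> "$QUARANTINE/quarantine.log"
            moved=$((moved + 1))
        fi
    done < "$work"
    rm -f -- "$work"
    echo "$moved"
}
```

Because the batch job keeps retrying until the move happens, the worker's timer interval bounds how long the errors persist; a file can also change between detection and the move, so the worker logs the queued name rather than assuming the quarantined content is unchanged.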