[clamav-users] ClamAV ScanOnAccess not scanning RHEL7
Bond Masuda
bond.masuda at hexadiam.com
Fri Mar 31 18:37:50 UTC 2017
Remi,
This is just a guess in the dark, but I've often encountered issues like
that (service doesn't work started from systemd, yet works started from
commandline) as a result of some SELinux AVC. Do you have SELinux
enabled? And if so, does your test yield the desired result if you
disable/make permissive SELinux? Or look through the audit logs for AVC.
On 03/31/2017 12:26 AM, Remi Bruggeman wrote:
> Hey Micky
>
> Thank you so much for your clear reply. However, I do feel you have missed the mark.
> I have configured ClamAV to execute a script upon virus detection with the VirusEvent parameter in the config file.
> This script will move the suspected virus into quarantine, chmod it to 400 and create a ticket in our ticketing system.
>
> The problem I'm facing is that when clamd is running as a (root) service (its 'normal' state) it does not seem to be using the on access scan, as I can freely manipulate the eicar test file without detection.
> However, when I execute clamd as root it does detect eicar, issue a virusevent and execute my script.
>
> In my original mail you'll notice I added 2 logtrails.
> The first one is when Clamd is running as a service. Imagine while this log was generated, I was creating a lot of eicar files and moving them to various places on the system. Sadly, there's no output of this since Clamd did not detect these actions.
>
> The second one is when clamd has been executed as a root command, exactly the same command that's invoked by the service, which also runs as root: "/usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes". But here there's a significant difference. The moment I cat, copy or perform any other action on an eicar test file, it's found and handled:
>> Thu Mar 30 10:25:49 2017 -> ScanOnAccess: /root/test: Eicar-Test-Signature(1fa550df41e046eb56eae11d31259de9:73) FOUND
>> Thu Mar 30 10:35:31 2017 -> ScanOnAccess: /root/cfdf52: Eicar-Test-Signature(1fa550df41e046eb56eae11d31259de9:73) FOUND
> This behavior is the expected result of clamd as a service.
> The behavior is not consistent between the 2 modes of execution, while I think it should be.
>
> Notably, when I remove the OnAccessMountPath parameter from the config file, enable DDD and set the OnAccessIncludePath to /root, the clamd service _does_ work as expected and the on-access system _does_ notice when I'm playing with eicar. However, according to policy, we are required to scan the complete filesystem.
>
>
> Best Regards,
>
> Remi
>
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf Of Mickey Sola
> Sent: Thursday, March 30, 2017 6:52 PM
> To: ClamAV users ML
> Subject: Re: [clamav-users] ClamAV ScanOnAccess not scanning RHEL7
>
> Hi Remi,
>
> Your configuration looks fine, and it seems like you're getting expected
> behavior given what the log shows.
>
> I'll explain a bit more what's happening, and why you can freely move
> around the eicar testfile.
>
> The important line is here:
> Thu Mar 30 09:58:54 2017 -> ScanOnAccess: notifying only for access
> attempts.
>
> As you know, using OnAccessMountPath disables DDD. It also puts the
> OnAccess scanner into what's best described as "notify-only mode".
>
> Under the DDD system, with "protection mode" enabled, the OnAccess thread
> will essentially place a lock on any file under its hierarchy if that file
> is accessed in any way. With the lock in place, the file will be scanned
> for malicious content to determine whether the access attempt should be
> allowed.
>
> As you can imagine, inadvertently locking important system files (which
> would happen if you were watching the entire filesystem in protection mode)
> oftentimes leads to entire system freezes. These freezes are why DDD
> prevents users from watching / .
>
> And while OnAccessMountPath does allow you to watch the entirety of / this
> comes with the tradeoff of being in notify-only mode (which scans, but does
> not lock files or block access attempts) in order to prevent users from
> freezing up their system.
>
> The hope with this design was to guide users away from shooting themselves
> in the foot with these tools, while still giving them the flexibility to
> meet their use case (or still shoot themselves in the foot, if that was the
> goal all along).
>
> Longwinded explanation aside, to fix your problem, not knowing your exact
> use case, I would suggest pointing DDD towards the parts of the system you
> most expect could be an initial attack surface for malware.
>
> Alternatively, you could continue scanning the entire system in notify-only
> mode and write an external handler which deals with any threats discovered
> and logged by clamd in whatever way best meets your needs.
>
> I hope that helped clarify things a bit. Let me know if you have any
> further questions or if you think I've missed the mark in some way.
>
> Cheers,
> Mickey
>
> On Thu, Mar 30, 2017 at 5:40 AM, Remi Bruggeman <remi.bruggeman.ext at bayer.com> wrote:
>
>> Hello,
>>
>> I'm trying to configure the ClamAV OnAccessScan, but I'm running into some
>> trouble. I'm hoping anybody here has run into the same trouble and knows a
>> solution. As I have read the configuration options on the ClamAV Blog page,
>> I assume my configuration is correct, but I could of course have overlooked
>> something. http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html
>> Should I have forgotten any information required to understand what's
>> going wrong, feel free to ask for it.
>>
>> System: RHEL7 3.10.0-514.6.1.el7.x86_64. (Red Hat)
>> Filesystem: ext4
>>
>> yum info clamav
>> Installed Packages
>> Name : clamav
>> Arch : x86_64
>> Version : 0.99.2
>> Release : 1.el7
>> Size : 2.4 M
>>
>> Goal: ClamAV's OnAccessScan should recursively scan / and issue a
>> VirusEvent upon virus detection.
>> Configuration:
>> ScanOnAccess true
>> OnAccessMaxFileSize 5M
>> OnAccessMountPath /
>> I realize this disables DDD. However, using DDD it's impossible to scan
>> the root dir.
>>
>> Problem: When the clamd service is running the onaccess scan seems to be
>> doing nothing. I can freely move the eicar test file around, open it and
>> cat it. No intervention whatsoever.
>> Workaround: When I run the command that is executed by the service as
>> root: "/usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes" the
>> eicar test virus is detected and the VirusEvent is executed.
>> ScanOnAccess: /root/cfdf52: Eicar-Test-Signature(1fa550df41e046eb56eae11d31259de9:73) FOUND
>> Expected result: The onaccess should work when the clamd service is
>> running and detect malicious code on access.
>>
>>
>> Additional info:
>> Clamd.log when the service starts:
>> Thu Mar 30 09:58:43 2017 -> +++ Started at Thu Mar 30 09:58:43 2017
>> Thu Mar 30 09:58:43 2017 -> Received 0 file descriptor(s) from systemd.
>> Thu Mar 30 09:58:43 2017 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
>> Thu Mar 30 09:58:43 2017 -> Running as user root (UID 0, GID 0)
>> Thu Mar 30 09:58:43 2017 -> Log file size limited to 1048576 bytes.
>> Thu Mar 30 09:58:43 2017 -> Reading databases from /var/lib/clamav
>> Thu Mar 30 09:58:43 2017 -> Not loading PUA signatures.
>> Thu Mar 30 09:58:43 2017 -> Not loading phishing signatures.
>> Thu Mar 30 09:58:43 2017 -> Bytecode: Security mode set to "TrustSigned".
>> Thu Mar 30 09:58:43 2017 -> Disabling URL based phishing detection.
>> Thu Mar 30 09:58:53 2017 -> Loaded 6125132 signatures.
>> Thu Mar 30 09:58:54 2017 -> LOCAL: Unix socket file /var/run/clamd.scan/clamd.sock
>> Thu Mar 30 09:58:54 2017 -> LOCAL: Setting connection queue length to 1
>> Thu Mar 30 09:58:54 2017 -> Limits: Global size limit set to 104857600 bytes.
>> Thu Mar 30 09:58:54 2017 -> Limits: File size limit set to 26214400 bytes.
>> Thu Mar 30 09:58:54 2017 -> Limits: Recursion level limit set to 16.
>> Thu Mar 30 09:58:54 2017 -> Limits: Files limit set to 10000.
>> Thu Mar 30 09:58:54 2017 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
>> Thu Mar 30 09:58:54 2017 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
>> Thu Mar 30 09:58:54 2017 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
>> Thu Mar 30 09:58:54 2017 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
>> Thu Mar 30 09:58:54 2017 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
>> Thu Mar 30 09:58:54 2017 -> Limits: MaxPartitions limit set to 50.
>> Thu Mar 30 09:58:54 2017 -> Limits: MaxIconsPE limit set to 100.
>> Thu Mar 30 09:58:54 2017 -> Limits: MaxRecHWP3 limit set to 16.
>> Thu Mar 30 09:58:54 2017 -> Limits: PCREMatchLimit limit set to 10000.
>> Thu Mar 30 09:58:54 2017 -> Limits: PCRERecMatchLimit limit set to 5000.
>> Thu Mar 30 09:58:54 2017 -> Limits: PCREMaxFileSize limit set to 26214400.
>> Thu Mar 30 09:58:54 2017 -> Archive support enabled.
>> Thu Mar 30 09:58:54 2017 -> Algorithmic detection enabled.
>> Thu Mar 30 09:58:54 2017 -> Portable Executable support enabled.
>> Thu Mar 30 09:58:54 2017 -> ELF support enabled.
>> Thu Mar 30 09:58:54 2017 -> Mail files support disabled.
>> Thu Mar 30 09:58:54 2017 -> OLE2 support enabled.
>> Thu Mar 30 09:58:54 2017 -> PDF support enabled.
>> Thu Mar 30 09:58:54 2017 -> SWF support enabled.
>> Thu Mar 30 09:58:54 2017 -> HTML support enabled.
>> Thu Mar 30 09:58:54 2017 -> XMLDOCS support enabled.
>> Thu Mar 30 09:58:54 2017 -> HWP3 support enabled.
>> Thu Mar 30 09:58:54 2017 -> Heuristic: precedence enabled
>> Thu Mar 30 09:58:54 2017 -> Self checking every 43200 seconds.
>> Thu Mar 30 09:58:54 2017 -> ScanOnAccess: notifying only for access attempts.
>> Thu Mar 30 09:58:54 2017 -> ScanOnAccess: Protecting '/' and rest of mount.
>> Thu Mar 30 09:58:54 2017 -> ScanOnAccess: Max file size limited to 5242880 bytes
>>
>> Clamd.log when the command is executed:
>> Thu Mar 30 10:25:28 2017 -> +++ Started at Thu Mar 30 10:25:28 2017
>> Thu Mar 30 10:25:28 2017 -> Received 0 file descriptor(s) from systemd.
>> Thu Mar 30 10:25:28 2017 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
>> Thu Mar 30 10:25:28 2017 -> Running as user root (UID 0, GID 0)
>> Thu Mar 30 10:25:28 2017 -> Log file size limited to 1048576 bytes.
>> Thu Mar 30 10:25:28 2017 -> Reading databases from /var/lib/clamav
>> Thu Mar 30 10:25:28 2017 -> Not loading PUA signatures.
>> Thu Mar 30 10:25:28 2017 -> Not loading phishing signatures.
>> Thu Mar 30 10:25:28 2017 -> Bytecode: Security mode set to "TrustSigned".
>> Thu Mar 30 10:25:28 2017 -> Disabling URL based phishing detection.
>> Thu Mar 30 10:25:38 2017 -> Loaded 6125132 signatures.
>> Thu Mar 30 10:25:39 2017 -> LOCAL: Unix socket file /var/run/clamd.scan/clamd.sock
>> Thu Mar 30 10:25:39 2017 -> LOCAL: Setting connection queue length to 1
>> Thu Mar 30 10:25:39 2017 -> Limits: Global size limit set to 104857600 bytes.
>> Thu Mar 30 10:25:39 2017 -> Limits: File size limit set to 26214400 bytes.
>> Thu Mar 30 10:25:39 2017 -> Limits: Recursion level limit set to 16.
>> Thu Mar 30 10:25:39 2017 -> Limits: Files limit set to 10000.
>> Thu Mar 30 10:25:39 2017 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
>> Thu Mar 30 10:25:39 2017 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
>> Thu Mar 30 10:25:39 2017 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
>> Thu Mar 30 10:25:39 2017 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
>> Thu Mar 30 10:25:39 2017 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
>> Thu Mar 30 10:25:39 2017 -> Limits: MaxPartitions limit set to 50.
>> Thu Mar 30 10:25:39 2017 -> Limits: MaxIconsPE limit set to 100.
>> Thu Mar 30 10:25:39 2017 -> Limits: MaxRecHWP3 limit set to 16.
>> Thu Mar 30 10:25:39 2017 -> Limits: PCREMatchLimit limit set to 10000.
>> Thu Mar 30 10:25:39 2017 -> Limits: PCRERecMatchLimit limit set to 5000.
>> Thu Mar 30 10:25:39 2017 -> Limits: PCREMaxFileSize limit set to 26214400.
>> Thu Mar 30 10:25:39 2017 -> Archive support enabled.
>> Thu Mar 30 10:25:39 2017 -> Algorithmic detection enabled.
>> Thu Mar 30 10:25:39 2017 -> Portable Executable support enabled.
>> Thu Mar 30 10:25:39 2017 -> ELF support enabled.
>> Thu Mar 30 10:25:39 2017 -> Mail files support disabled.
>> Thu Mar 30 10:25:39 2017 -> OLE2 support enabled.
>> Thu Mar 30 10:25:39 2017 -> PDF support enabled.
>> Thu Mar 30 10:25:39 2017 -> SWF support enabled.
>> Thu Mar 30 10:25:39 2017 -> HTML support enabled.
>> Thu Mar 30 10:25:39 2017 -> XMLDOCS support enabled.
>> Thu Mar 30 10:25:39 2017 -> HWP3 support enabled.
>> Thu Mar 30 10:25:39 2017 -> Heuristic: precedence enabled
>> Thu Mar 30 10:25:39 2017 -> Self checking every 43200 seconds.
>> Thu Mar 30 10:25:39 2017 -> ScanOnAccess: notifying only for access attempts.
>> Thu Mar 30 10:25:39 2017 -> ScanOnAccess: Protecting '/' and rest of mount.
>> Thu Mar 30 10:25:39 2017 -> ScanOnAccess: Max file size limited to 5242880 bytes
>> Thu Mar 30 10:25:49 2017 -> ScanOnAccess: /root/test: Eicar-Test-Signature(1fa550df41e046eb56eae11d31259de9:73) FOUND
>> Thu Mar 30 10:35:31 2017 -> ScanOnAccess: /root/cfdf52: Eicar-Test-Signature(1fa550df41e046eb56eae11d31259de9:73) FOUND
>>
>> Packages:
>>> yum info clam*
>> Installed Packages
>> Name : clamav
>> Arch : x86_64
>> Version : 0.99.2
>> Release : 1.el7
>> Size : 2.4 M
>> Repo : installed
>> From repo : clamav_x86_64
>> Summary : End-user tools for the Clam Antivirus scanner
>> URL : http://www.clamav.net
>> License : GPLv2
>> Description : Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this
>> : software is the integration with mail servers (attachment scanning). The
>> : package provides a flexible and scalable multi-threaded daemon, a command
>> : line scanner, and a tool for automatic updating via Internet. The programs
>> : are based on a shared library distributed with the Clam AntiVirus package,
>> : which you can use with your own software. The virus database is based on
>> : the virus database from OpenAntiVirus, but contains additional signatures
>> : (including signatures for popular polymorphic viruses, too) and is KEPT UP
>> : TO DATE.
>>
>> Name : clamav-data
>> Arch : noarch
>> Version : 0.99.2
>> Release : 1.el7
>> Size : 110 M
>> Repo : installed
>> From repo : clamav_noarch
>> Summary : Virus signature data for the Clam Antivirus scanner
>> URL : http://www.clamav.net
>> License : GPLv2
>> Description : This package contains the virus-database needed by clamav. This
>> : database should be updated regularly; the 'clamav-update' package
>> : ships a corresponding cron-job. This package and the
>> : 'clamav-data-empty' package are mutually exclusive.
>> :
>> : Use -data when you want a working (but perhaps outdated) virus scanner
>> : immediately after package installation.
>> :
>> : Use -data-empty when you are updating the virus database regulary and
>> : do not want to download a >5MB sized rpm-package with outdated virus
>> : definitions.
>>
>> Name : clamav-filesystem
>> Arch : noarch
>> Version : 0.99.2
>> Release : 1.el7
>> Size : 0.0
>> Repo : installed
>> From repo : clamav_noarch
>> Summary : Filesystem structure for clamav
>> URL : http://www.clamav.net
>> License : GPLv2
>> Description : This package provides the filesystem structure and contains the
>> : user-creation scripts required by clamav.
>>
>> Name : clamav-lib
>> Arch : x86_64
>> Version : 0.99.2
>> Release : 1.el7
>> Size : 11 M
>> Repo : installed
>> From repo : clamav_x86_64
>> Summary : Dynamic libraries for the Clam Antivirus scanner
>> URL : http://www.clamav.net
>> License : GPLv2
>> Description : This package contains dynamic libraries shared between applications
>> : using the Clam Antivirus scanner.
>>
>> Name : clamav-scanner
>> Arch : noarch
>> Version : 0.99.2
>> Release : 1.el7
>> Size : 22 k
>> Repo : installed
>> From repo : clamav_noarch
>> Summary : Clamav scanner daemon
>> URL : http://www.clamav.net
>> License : GPLv2
>> Description : This package contains a generic system wide clamd service which is
>> : e.g. used by the clamav-milter package.
>>
>> Name : clamav-scanner-systemd
>> Arch : noarch
>> Version : 0.99.2
>> Release : 1.el7
>> Size : 136
>> Repo : installed
>> From repo : clamav_noarch
>> Summary : Systemd initscripts for clamav scanner daemon
>> URL : http://www.clamav.net
>> License : GPLv2
>> Description : The systemd initscripts for clamav-scanner.
>>
>> Name : clamav-server
>> Arch : x86_64
>> Version : 0.99.2
>> Release : 1.el7
>> Size : 244 k
>> Repo : installed
>> From repo : clamav_x86_64
>> Summary : Clam Antivirus scanner server
>> URL : http://www.clamav.net
>> License : GPLv2
>> Description : ATTENTION: most users do not need this package; the main package has
>> : everything (or depends on it) which is needed to scan for virii on
>> : workstations.
>> :
>> : This package contains files which are needed to execute the clamd-daemon.
>> : This daemon does not provide a system-wide service. Instead of, an instance
>> : of this daemon should be started for each service requiring it.
>> :
>> : See the README file how this can be done with a minimum of effort.
>>
>> Name : clamav-server-systemd
>> Arch : noarch
>> Version : 0.99.2
>> Release : 1.el7
>> Size : 235
>> Repo : installed
>> From repo : clamav_noarch
>> Summary : Systemd initscripts for clamav server
>> URL : http://www.clamav.net
>> License : GPLv2
>> Description : Systemd template for the clamav server
>>
>> Name : clamav-update
>> Arch : x86_64
>> Version : 0.99.2
>> Release : 1.el7
>> Size : 213 k
>> Repo : installed
>> From repo : clamav_x86_64
>> Summary : Auto-updater for the Clam Antivirus scanner data-files
>> URL : http://www.clamav.net
>> License : GPLv2
>> Description : This package contains programs which can be used to update the clamav
>> : anti-virus database automatically. It uses the freshclam(1) utility for
>> : this task. To activate it, uncomment the entry in /etc/cron.d/clamav-update.
>>
>> Available Packages
>> Name : clamav-devel
>> Arch : x86_64
>> Version : 0.99.2
>> Release : 1.el7
>> Size : 39 k
>> Repo : clamav_x86_64
>> Summary : Header files and libraries for the Clam Antivirus scanner
>> URL : http://www.clamav.net
>> License : GPLv2
>> Description : This package contains headerfiles and libraries which are needed to
>> : build applications using clamav.
>>
>> Name : clamav-scanner-sysvinit
>> Arch : noarch
>> Version : 0.99.2
>> Release : 1.el7
>> Size : 20 k
>> Repo : clamav_noarch
>> Summary : SysV initscripts for clamav scanner daemon
>> URL : http://www.clamav.net
>> License : GPLv2
>> Description : The SysV initscripts for clamav-scanner.
>>
>> Name : clamav-server-sysvinit
>> Arch : noarch
>> Version : 0.99.2
>> Release : 1.el7
>> Size : 21 k
>> Repo : clamav_noarch
>> Summary : SysV initscripts for clamav server
>> URL : http://www.clamav.net
>> License : GPLv2
>> Description : SysV initscripts template for the clamav server
>>
>> Name : clamav-unofficial-sigs
>> Arch : noarch
>> Version : 3.7.2
>> Release : 1.el7
>> Size : 41 k
>> Repo : clamav_noarch
>> Summary : Scripts to download unoffical clamav signatures
>> URL : http://sourceforge.net/projects/unofficial-sigs/
>> License : BSD
>> Description : This package contains scripts and configuration files
>> : that provide the capability to download, test, and
>> : update the 3rd-party signature databases provide by
>> : Sanesecurity, SecuriteInfo, MalwarePatrol, OITC,
>> : INetMsg and ScamNailer.
>>
>>
>> Best regards,
>>
>> Remi
>>
>>
>> ________________________________________________________________________
>> The information contained in this e-mail is for the exclusive use of the
>> intended recipient(s) and may be confidential, proprietary, and/or
>> legally privileged. Inadvertent disclosure of this message does not
>> constitute a waiver of any privilege. If you receive this message in
>> error, please do not directly or indirectly use, print, copy, forward,
>> or disclose any part of this message. Please also delete this e-mail
>> and all copies and notify the sender. Thank you.
>> ________________________________________________________________________
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
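Bond's suggestion at the top of the thread, to look through the audit logs for SELinux AVC records, as an added example that is not part of the thread: a small Python triage script that parses AVC records in the form ausearch prints them (or as they appear in /var/log/audit/audit.log), keeps only those for the clamd process, and summarises which confined domain was denied which permission on which file label. The audit lines embedded in it are constructed, and the domain name antivirus_t is an assumption about the RHEL 7 targeted policy; ps -eZ on the host shows the real one.

```python
"""Offline triage of SELinux AVC records for clamd.

Added example, not part of the thread. Commands to collect the data on the
RHEL 7 host (as root), whose output the functions below parse:
    getenforce                               # Enforcing, Permissive or Disabled
    ps -eZ | grep clamd                      # SELinux domain of the running daemon
    ausearch -m AVC -c clamd --start recent  # AVC records for processes named clamd
"""
import re
from collections import Counter

# One AVC record as ausearch or /var/log/audit/audit.log prints it.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value fields after "for"; values are either "quoted" or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed records (not from the thread): a daemon started by systemd runs in a
# confined domain (antivirus_t is assumed for the RHEL 7 targeted policy) and is
# denied read/open on files labelled admin_home_t under /root; one unrelated sshd
# denial; one non-AVC record that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1490898043.101:2001): avc:  denied  { read } for  pid=4242 comm="clamd" path="/root/test" dev="dm-0" ino=131 scontext=system_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1490898043.101:2001): arch=c000003e syscall=2 success=no exit=-13 comm="clamd" exe="/usr/sbin/clamd"
type=AVC msg=audit(1490898043.102:2002): avc:  denied  { read } for  pid=4242 comm="clamd" path="/root/test" dev="dm-0" ino=131 scontext=system_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1490898050.500:2003): avc:  denied  { open } for  pid=4242 comm="clamd" path="/root/cfdf52" dev="dm-0" ino=140 scontext=system_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1490898060.000:2004): avc:  denied  { write } for  pid=1000 comm="sshd" path="/var/log/secure" dev="dm-0" ino=9 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    for key, quoted, bare in FIELD_RE.findall(m["fields"]):
        rec[key] = quoted if quoted else bare
    rec["permissive"] = rec.get("permissive") == "1"
    return rec

def domain(context):
    """The type field of a context: system_u:system_r:antivirus_t:s0 -> antivirus_t."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def triage(lines, comm="clamd"):
    """Count denials for one process name, keyed by
    (source domain, target type, object class, permissions, permissive flag)."""
    summary = Counter()
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied" or rec.get("comm") != comm:
            continue
        key = (domain(rec["scontext"]), domain(rec["tcontext"]), rec["tclass"],
               " ".join(rec["perms"]), rec["permissive"])
        summary[key] += 1
    return summary

def verdict(summary):
    """Read the summary against the symptom: works from a root shell, not from systemd."""
    if not summary:
        return "no AVC denials for this command; SELinux is probably not the cause"
    if all(permissive for (_, _, _, _, permissive) in summary):
        return "denials are all permissive-mode records: logged, not enforced"
    domains = sorted({src for (src, _, _, _, permissive) in summary if not permissive})
    return ("enforced denials from confined domain(s) " + ", ".join(domains)
            + "; a daemon started by systemd runs confined, one started from a root "
              "shell typically runs unconfined, which matches the difference in behaviour")

if __name__ == "__main__":
    summary = triage(SAMPLE_AUDIT.splitlines())
    for (src, tgt, cls, perms, permissive), n in summary.most_common():
        print(f"{n:3d}  {src} -> {tgt} {cls} {{ {perms} }} permissive={int(permissive)}")
    print(verdict(summary))
```

Pipe real data in with `ausearch -m AVC -c clamd --start recent | python3 avc_triage.py` after replacing SAMPLE_AUDIT with sys.stdin. An enforced denial from the daemon's domain on the files being tested is the SELinux signature of exactly the symptom in this thread; before writing a custom policy with audit2allow, check whether the distribution policy already provides a boolean for the case (on RHEL 7, `getsebool -a | grep antivirus` lists them, including antivirus_can_scan_system, which is the one a whole-filesystem scanner needs).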
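Mickey's alternative, keeping OnAccessMountPath / in notify-only mode and letting an external handler act on what clamd logs, as an added example that is not from the thread or from the ClamAV project: a Python handler that parses the "ScanOnAccess: ... FOUND" lines shown in Remi's log, moves each detected file into a quarantine directory with mode 0400 (the steps Remi's VirusEvent script performs) and appends one JSON record per event for the ticketing step. The log lines and the sample file in demo() are constructed. It also covers two failure modes that notify-only mode produces: the file has already been moved or deleted by the time the handler runs, and the move into quarantine is itself an access, so clamd reports the quarantined copy as FOUND a second time.

```python
"""External handler for clamd OnAccess detections in notify-only mode.

Added example, not part of the thread or of ClamAV. Reads clamd log lines,
quarantines each file reported as FOUND and appends a JSON record per event.
"""
import json
import os
import re
import shutil
import stat
import sys
import tempfile
import time
from pathlib import Path

# Detection lines as clamd writes them (format taken from the thread's log):
#   Thu Mar 30 10:25:49 2017 -> ScanOnAccess: /root/test: Eicar-Test-Signature(1fa550df41e046eb56eae11d31259de9:73) FOUND
FOUND_RE = re.compile(
    r"^(?P<ts>.+?) -> ScanOnAccess: (?P<path>.+?): "
    r"(?P<sig>[^(\s]+)\((?P<md5>[0-9a-f]{32}):(?P<size>\d+)\) FOUND$"
)

def parse_found_line(line):
    """Return the event fields for a FOUND line, or None for any other log line."""
    m = FOUND_RE.match(line.rstrip("\n"))
    if not m:
        return None
    event = m.groupdict()
    event["size"] = int(event["size"])
    return event

def _inside(path, directory):
    """True if path is the directory itself or lies below it (no symlink resolution)."""
    p, d = Path(path).absolute(), Path(directory).absolute()
    return p == d or d in p.parents

def quarantine(path, quarantine_dir):
    """Move the file into quarantine and make it read-only for root (mode 0400)."""
    src, qdir = Path(path), Path(quarantine_dir)
    qdir.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.lstat(src)                               # FileNotFoundError if already gone
    base = qdir / f"{src.name}.{int(time.time())}"
    dest, n = base, 0
    while dest.exists() or dest.is_symlink():   # never overwrite an earlier capture
        n += 1
        dest = base.with_name(f"{base.name}.{n}")
    shutil.move(str(src), str(dest))            # rename on the same filesystem, else copy+unlink
    dest.chmod(stat.S_IRUSR)
    return dest

def handle_log_lines(lines, quarantine_dir, manifest_path):
    """Process an iterable of clamd log lines; returns the list of action records."""
    actions = []
    Path(manifest_path).parent.mkdir(parents=True, exist_ok=True)
    with open(manifest_path, "a") as manifest:
        for line in lines:
            event = parse_found_line(line)
            if event is None:
                continue
            if _inside(event["path"], quarantine_dir):
                # The move into quarantine is itself an access: clamd reports the
                # quarantined copy as FOUND again. Do not move it a second time.
                event["action"] = "skipped-already-quarantined"
            else:
                try:
                    event["dest"] = str(quarantine(event["path"], quarantine_dir))
                    event["action"] = "quarantined"
                except FileNotFoundError:
                    # Notify-only mode does not block access, so the file may have
                    # been moved or deleted before this handler got to it.
                    event["action"] = "missing"
            manifest.write(json.dumps(event) + "\n")   # one record per event, for the ticket
            actions.append(event)
    return actions

def demo():
    """Run the handler on a constructed sample file and constructed log lines."""
    work = Path(tempfile.mkdtemp(prefix="clamd-handler-demo-"))
    sample = work / "sample.txt"
    sample.write_text("constructed harmless sample standing in for a detected file\n")
    qdir, manifest = work / "quarantine", work / "manifest.jsonl"
    sig = "Eicar-Test-Signature(1fa550df41e046eb56eae11d31259de9:73) FOUND"
    first = handle_log_lines([
        f"Thu Mar 30 10:25:49 2017 -> ScanOnAccess: {sample}: {sig}",
        f"Thu Mar 30 10:25:50 2017 -> ScanOnAccess: {work / 'vanished'}: {sig}",
        "Thu Mar 30 10:25:51 2017 -> ScanOnAccess: notifying only for access attempts.",
    ], qdir, manifest)
    # clamd now reports the quarantined copy itself; it must not be moved again.
    second = handle_log_lines(
        [f"Thu Mar 30 10:25:52 2017 -> ScanOnAccess: {first[0]['dest']}: {sig}"], qdir, manifest)
    dest = Path(first[0]["dest"])
    return {
        "actions": [a["action"] for a in first + second],
        "sample_removed": not sample.exists(),
        "dest_mode": stat.S_IMODE(dest.stat().st_mode),
        "manifest_records": len(manifest.read_text().splitlines()),
    }

if __name__ == "__main__":
    if sys.stdin.isatty():
        print(demo())                           # no piped log: show the constructed run
    else:                                       # tail -F <clamd LogFile> | python3 handler.py
        for line in sys.stdin:
            for a in handle_log_lines([line], "/var/quarantine", "/var/quarantine.jsonl"):
                print(a["action"], a["path"])
```

Feed it the log configured by clamd's LogFile option (for example with tail -F, as in the __main__ branch), run it as root so it can move files under /root, and exclude the quarantine directory from on-access scanning with OnAccessExcludePath so clamd stops rescanning what has already been captured. The hard limit of this design is the one Mickey states: the file is quarantined after the access has already succeeded, not before, so the manifest record is the evidence for the ticket, not a guarantee that nothing read the file.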