[clamav-users] OnAccessScan doesn't prevent Access

vamp898 vamp898 at ignaz.org
Thu Nov 8 11:08:52 UTC 2018


On 2018-11-08 11:54, vamp898 wrote:
> On 2018-11-08 11:37, vamp898 wrote:
>> On 2018-11-08 10:39, Andreas Schulze wrote:
>>> On 08.11.18 at 10:25, vamp898 wrote:
>>>> This is what the logs look like when I do this
>>>> 
>>>> Thu Nov  8 10:13:51 2018 -> ScanOnAccess: notifying only for access 
>>>> attempts.
>>>> Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Protecting 
>>>> '/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
>>>> Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 
>>>> 52428800 bytes
>>>> Thu Nov  8 10:15:09 2018 -> ScanOnAccess: 
>>>> /var/www/localhost/htdocs/nextcloud-14.0.3/data/administrator/files/eicar.com: 
>>>> Eicar-Test-Signature FOUND
>>>> 
>>>> Any help highly appreciated =)
>>> 
>>> looks like a bug:
>>> https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155
>>> 
>>> the second condition should not be negated, in my opinion.
>> Dear Mr. Schulze,
>> 
>> thank you for your email.
>> 
>> Eeeyup, looks like a bug to me too. Maybe someone had one too many
>> beers writing that part of the code :P
>> 
>> Am I supposed to open the bug report or would/could you do that? (I
>> don't have an account or something).
>> 
>> If not, please feel free to tell me and I will register myself there.
>> 
>> 
>> 
>> Best Regards
>> 
>> Former Avira Employee who exclusively supported DATEV back then when
>> they had Webgate :P
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>> 
>> 
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> 
>> http://www.clamav.net/contact.html#ml
> For reference, I also tested the following
> 
> OnAccessMaxFileSize 50M
> OnAccessIncludePath /var/www/localhost/htdocs/nextcloud/data
> OnAccessDisableDDD yes
> OnAccessPrevention yes
> 
> And the log looks different
> 
> Thu Nov  8 11:52:27 2018 -> ScanOnAccess: preventing access attempts
> on malicious files.
> Thu Nov  8 11:52:27 2018 -> ScanOnAccess: Protecting directory
> '/var/www/localhost/htdocs/nextcloud/data'
> Thu Nov  8 11:52:27 2018 -> ScanOnAccess: Max file size limited to
> 52428800 bytes
> 
> but there is still full access to this file, it no longer gets detected 
> at all.
Of course, because

> OnAccessDisableDDD yes

has to be no.

So that if looks intentional, it looks like it really is supposed to 
deactivate the blocking if OnAccessMountPath is used (it also says so in 
the comment of the config file).

At least I now managed to get this far

Thu Nov  8 11:55:53 2018 -> ScanOnAccess: preventing access attempts on 
malicious files.
Thu Nov  8 11:55:53 2018 -> ScanOnAccess: Max file size limited to 
52428800 bytes
Thu Nov  8 11:55:53 2018 -> ScanOnAccess: Protecting directory 
'/var/www/localhost/htdocs/nextcloud/data' (and all sub-directories)
Thu Nov  8 11:55:53 2018 -> ERROR: ScanOnAccess: Could not watch path 
'/var/www/localhost/htdocs/nextcloud/data', No space left on device

After adjusting the current limits of inotify
fs.inotify.max_queued_events
fs.inotify.max_user_instances
fs.inotify.max_user_watches
user.max_inotify_instances
user.max_inotify_watches

This also was solved. So OnAccessScan WORKSFORME now =)
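
The three failure modes seen in this thread, as a config check (an added example, not part of the original post and not ClamAV project code). The function names are hypothetical, the first sample config is an assumption reconstructed from the "and rest of mount" log line, and the directory count and watch limits are constructed values.

```python
# Added example: flags clamd.conf on-access settings that leave prevention inactive.

def parse_clamd_conf(text):
    """Return {option: [values]} from clamd.conf text, skipping comments and blanks."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def is_yes(opts, key):
    """Treat yes/true/1 as enabled; a missing option counts as 'no'."""
    return opts.get(key, ["no"])[-1].lower() in ("yes", "true", "1")

def audit_onaccess(conf_text, dir_count=None, max_user_watches=None):
    """Return findings explaining why malicious files would still be accessible."""
    opts = parse_clamd_conf(conf_text)
    findings = []
    if not is_yes(opts, "OnAccessPrevention"):
        findings.append("notify-only: OnAccessPrevention is not enabled")
    if "OnAccessMountPath" in opts:
        # Matches the first log in the thread: "notifying only for access attempts".
        findings.append("notify-only: OnAccessMountPath disables prevention")
    elif "OnAccessIncludePath" in opts:
        if is_yes(opts, "OnAccessDisableDDD"):
            # Matches the second test: nothing detected, nothing blocked.
            findings.append("unwatched: OnAccessDisableDDD must be 'no' for include paths")
        elif dir_count is not None and max_user_watches is not None \
                and dir_count > max_user_watches:
            # One inotify watch per directory; exceeding the limit yields
            # "Could not watch path ..., No space left on device".
            findings.append("watch-limit: %d directories > fs.inotify.max_user_watches=%d"
                            % (dir_count, max_user_watches))
    else:
        findings.append("no-path: no on-access path is configured")
    return findings

# Constructed sample configs based on the settings discussed in the thread.
MOUNT_CONF = "OnAccessMountPath /var/www/localhost/htdocs/nextcloud/data\nOnAccessPrevention yes\n"
DDD_OFF_CONF = ("OnAccessIncludePath /var/www/localhost/htdocs/nextcloud/data\n"
                "OnAccessDisableDDD yes\nOnAccessPrevention yes\n")
FIXED_CONF = DDD_OFF_CONF.replace("OnAccessDisableDDD yes", "OnAccessDisableDDD no")

if __name__ == "__main__":
    for name, conf in (("mount", MOUNT_CONF), ("ddd-off", DDD_OFF_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_onaccess(conf, dir_count=20000, max_user_watches=8192))
```

For a real tree, the directory count can be taken from `find <path> -type d | wc -l` and the limit from `sysctl fs.inotify.max_user_watches`; other processes owned by the same user also consume watches, so the comparison is a lower bound.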


