[clamav-users] Clamdtop not showing activity for ScanOnAccess activity?

Micah Snyder (micasnyd) micasnyd at cisco.com
Wed Oct 9 22:19:04 EDT 2019

Hi Ian,

It's my understanding that on-access scanning features in ClamAV 0.100 and 0.101 run in newly created threads for each scan outside of the normal clamd scanning thread pool.  It's no surprise to me that clamdtop doesn't observe on-access scan activity in 0.100 or 0.101.  

Resource management of these on-access scanning threads were a bit of a problem, which is why "VirusEvent" and "ExtraScanning" features had been disabled.  This, and the security concerns regarding scanning malware while clamd is running with root privileges (kinda the opposite of a sandboxed environment) led us to overhaul the on-access scanning features.

In ClamAV 0.102 (just released), the on-access scanning feature is now a separate client program called clamonacc that submits scans to clamd similar to how clamdscan and clamav-milter submit scans.  Scans triggered by clamonacc should now show up in clamdtop. 


On 10/9/19, 8:37 PM, "clamav-users on behalf of Ian via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:

    I’m sure I’ve done something wrong, so hopefully I can give enough detail to discover what that is...
    Ubuntu 18.04.3 LTS (4.15.0-1040-aws)
    Installed packages:
    ii  clamav                                0.100.3+dfsg-0ubuntu0.18.04.1      amd64        anti-virus utility for Unix - command-line interface
    ii  clamav-base                           0.100.3+dfsg-0ubuntu0.18.04.1      all          anti-virus utility for Unix - base package
    ii  clamav-daemon                         0.100.3+dfsg-0ubuntu0.18.04.1      amd64        anti-virus utility for Unix - scanner daemon
    ii  clamav-freshclam                      0.100.3+dfsg-0ubuntu0.18.04.1      amd64        anti-virus utility for Unix - virus database update utility
    ii  libclamav7:amd64                      0.100.3+dfsg-0ubuntu0.18.04.1      amd64        anti-virus utility for Unix - library
    I’ve enabled on access scanning (detect only), changed the user to root and (hopefully) adjusted the socket information to work with these adjustments:
    LocalSocket /var/run/clamav/clamd.ctl
    FixStaleSocket true
    LocalSocketGroup root
    LocalSocketMode 666
    ScanOnAccess true
    ls -la /var/run/clamav/clamd.ctl 
    srw-rw-rw- 1 root root 0 Oct  9 21:14 /var/run/clamav/clamd.ctl
    Running clamdtop (sudo or otherwise) shows one entry for the daemon running on local.  It correctly displays the version of the engine, db version, and dbtime.
    If I use clamdscan, I see plenty of activity and an appropriate cpu utilization in both clamdtop and regular top.
    However, if I attempt to access files outside of calling clamdscan, clamdtop remains silent.  Running top in a different window shows clamd using plenty of CPU resources, and I see /tmp/clamav*.tmp folders getting created so I know it’s doing work.
    What have I missed?  Apparmor doesn’t seem to be getting in the middle of anything (dmesg and journalctl are silent about clamd) and selinux is disabled.
    Here’s my clamd.conf contents:
    LocalSocket /var/run/clamav/clamd.ctl
    FixStaleSocket true
    LocalSocketGroup root
    LocalSocketMode 666
    #User clamav
    ScanMail true
    ScanArchive true
    ArchiveBlockEncrypted true
    MaxDirectoryRecursion 15
    FollowDirectorySymlinks false
    FollowFileSymlinks false
    ReadTimeout 180
    MaxThreads 12
    MaxConnectionQueueLength 15
    LogSyslog false
    LogRotate true
    LogFacility LOG_LOCAL6
    LogClean false
    LogVerbose false
    PreludeEnable no
    PreludeAnalyzerName ClamAV
    DatabaseDirectory /var/lib/clamav
    OfficialDatabaseOnly false
    SelfCheck 3600
    Foreground false
    Debug false
    ScanPE true
    MaxEmbeddedPE 10M
    ScanOLE2 true
    ScanPDF true
    ScanHTML true
    MaxHTMLNormalize 10M
    MaxHTMLNoTags 2M
    MaxScriptNormalize 5M
    MaxZipTypeRcg 1M
    ScanSWF true
    DetectBrokenExecutables false
    ExitOnOOM false
    LeaveTemporaryFiles false
    AlgorithmicDetection true
    ScanELF true
    IdleTimeout 30
    CrossFilesystems true
    PhishingSignatures true
    PhishingScanURLs true
    PhishingAlwaysBlockSSLMismatch false
    PhishingAlwaysBlockCloak false
    PartitionIntersection false
    DetectPUA true
    ScanPartialMessages false
    HeuristicScanPrecedence false
    StructuredDataDetection false
    CommandReadTimeout 5
    SendBufTimeout 200
    MaxQueue 100
    ExtendedDetectionInfo true
    OLE2BlockMacros false
    ScanOnAccess true
    AllowAllMatchScan true
    ForceToDisk false
    DisableCertCheck false
    DisableCache false
    MaxScanSize 100M
    MaxFileSize 25M
    MaxRecursion 16
    MaxFiles 10000
    MaxPartitions 50
    MaxIconsPE 100
    PCREMatchLimit 10000
    PCRERecMatchLimit 5000
    PCREMaxFileSize 25M
    ScanXMLDOCS true
    ScanHWP3 true
    MaxRecHWP3 16
    StreamMaxLength 25M
    LogFile /var/log/clamav/clamav.log
    LogTime true
    LogFileUnlock false
    LogFileMaxSize 0
    Bytecode true
    BytecodeSecurity TrustSigned
    BytecodeTimeout 60000
    OnAccessMountPath /
    OnAccessMountPath /home
    OnAccessMountPath /var/log
    OnAccessMountPath /var/tmp
    OnAccessPrevention false
    OnAccessMountPath /tmp
    And the custom rules I added for apparmor in local/usr.sbin.clamd:
    capability sys_admin,
    capability dac_read_search,
    /	r,
    /**	r,
    clamav-users mailing list
    clamav-users at lists.clamav.net
    Help us build a comprehensive ClamAV guide:

More information about the clamav-users mailing list