[clamav-users] Clamd OnAccess + OnAccessPrevention performance questions (linux)...
Micah Snyder (micasnyd)
micasnyd at cisco.com
Wed Oct 16 09:53:48 EDT 2019
Sorry about the delayed response. It looks like no one else got back to you. I'll try to answer inline, best I can...
On 10/11/19, 11:46 AM, "clamav-users on behalf of Ian via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:
> 1) Does OnAccessPrevention mean that it blocks access to files when they are in the queue, while scanned, and forevermore if detected as malicious, or is it a subset of this? Conversely, if OnAccessPrevention is disabled, can I expect a performance boost since there should be no blocking at any point in the processing pipeline?
I believe you're correct in your initial guess. If Prevention is enabled, it would block access while in queue, while scanned, and forevermore if detected as malicious. Yes, there is a notable performance boost if monitoring very active directories if prevention is disabled - In my own testing it was particularly noticable in 0.102 with clamonacc + clamd. In less active directories, the on-access prevention blocking isn't really noticeable.
> 2) I’ve seen log entries like this when OnAccessPrevention is disabled, but it’s not clear if this was a file clamd would have temporarily blocked access to had it been able to get a lock on the file before it was removed?
> ScanOnAccess: /tmp/MLbtUsOc (deleted): (null) FOUND
> I assume linux doesn’t provide a means where clamd can easily hook into kernel file create events to do something like create additional hard links to transient files so that it can leisurely scan them while letting the originating app think it has deleted the file and move on?
I don't know if it's possible to use the same feature that Prevention uses to temporarily block access just long enough to make a hard link so the file isn't deleted before it is scanned. That seems like a clever idea. I'll see if we can look into it.
> 3) Is OnAccessPrevention global? There are directories where I’d like to know about findings but not otherwise act on, however I would prefer to enable prevention for other areas of the system.
> Related, is it possible to have different actions depending on different types/families of malicious files? For instance if I’m running a linux system, I may be more concerned with native binaries than Windows executables.
Prevention is global. In 0.102 you can run multiple clamonacc clients, and use the clamonacc --config-file=FILE command line option to specify different configs to get this effect. Regarding different actions, I don't think there is a way to do different actions by file type.
> 4) LeaveTemporaryFiles — is there a version of this but only when a detection is found? Or a LeaveHardlinks for found items that I can later investigate myself?
LeaveTemporaryFiles will only leave behind stuff that is extracted in the course of a scan (normalized file content, archive contents, etc). It's useful for analysts to investigate file contents, and write signatures - but probably less useful for investigating a detection. The clamonacc --copy=DIRECTORY command line should provide that functionality.
> Thanks and sorry for the grouping of questions — I didn’t want to spam the list with different threads.
More information about the clamav-users