[clamav-users] ClamAV - What does the “clamd@scan” service do by default?

Orion Poplawski orion at nwra.com
Mon Jan 27 02:40:55 UTC 2020


On 1/26/20 3:33 PM, Eduardo Lúcio Amorim Costa wrote:
> People,
> 
> Taking into account this statement by G.W. Haywood...
> 
> "Assuming the package maintainer has not lost his sanity, the service 
> will be configured simply to report findings (for example by logging a 
> message to a system log and, if you use a command-line tool, printing a 
> message on the tty/terminal/whatever)."
> 
> ... and I have one last question (it may sound stupid =D )...
> 
> Is it correct to assume that the "clamd@scan" service, once started, can 
> find threats that already exist on my server? I explain better! Suppose 
> that on my file system I already had a malicious file - identifiable as 
> a threat by ClamAV's heuristics - before my ClamAV installation waiting 
> to be executed by someone unsuspecting. Is it correct to assume that the 
> "clamd@scan" service in its normal operation will eventually find that 
> threat and notify me (log, mail, etc...)?

No, clamd will only process files passed to it from some other program 
like clamdscan or clamav-milter.  I think you really need to read more 
of the documentation to understand what clamd and friends do.

> 
> Thanks! =D
> 
> On Sun, Jan 26, 2020 at 17:27, Eduardo Lúcio Amorim Costa
> <eduardolucioac at gmail.com> wrote:
> 
>     Gentlemen,
> 
>     I found your answers very useful, so I took the liberty of
>     publishing them on the thread I opened about the problem on the
>     internet ( https://unix.stackexchange.com/a/564223/61742 ).
> 
>     If you do not want this content to continue to be published, please
>     let me know so I can delete it.
> 
>     Thanks! =D
> 
>     On Sun, Jan 26, 2020 at 08:12, G.W. Haywood via clamav-users
>     <clamav-users at lists.clamav.net> wrote:
> 
>         Hi there,
> 
>         On Sat, 25 Jan 2020, Eduardo Lúcio Amorim Costa via clamav-users
>         wrote:
> 
>          > *QUESTION:* What does the "clamav@scan" service do by default
>          > if it finds threats?
> 
>         I do not know exactly which package you are using.  The behaviour of
>         the service provided by a package will depend on how it was configured
>         by the package provider.  Assuming the package maintainer has not lost
>         his sanity, the service will be configured simply to report findings
>         (for example by logging a message to a system log and, if you use a
>         command-line tool, printing a message on the tty/terminal/whatever).
> 
>         Read the documentation on the ClamAV Website for more information:
> 
>         http://www.clamav.net/documents/clam-antivirus-user-manual
> 
>         Copies and parodies of ClamAV documentation elsewhere on the Internet
>         can be out of date, misleading, sometimes incorrect, and occasionally
>         downright dangerous.
> 
>          > *FURTHER QUESTION:* I would like ClamAV to have the "classic" behavior of
>          > an antivirus engine, that is, remove threats automatically. If he doesn't
>          > do this by default what should I do to make him do it?
> 
>         Read the part which says
> 
>         "Be careful!"
> 
>         If you have not yet found that part, keep reading until you do.
> 
>          > *NOTES:*
>          > *I* - The operating system of choice was CentOS 7 and the process used is
>          > described in this tutorial
>          > https://hostpresto.com/community/tutorials/how-to-install-clamav-on-centos-7/
> 
>         Generally speaking I recommend that you avoid tutorials like this
>         because they tend to make decisions for you without the benefit of
>         information about your situation which only you can have.  I recommend
>         that you do NOT attempt to automate threat removal on any Linux system
>         without very careful consideration.  Careless use of ClamAV on a Linux
>         system will do more harm than good.  In particular, this tutorial will
>         have you scan locations in the filesystem which can not safely be
>         scanned with ClamAV, nor with any anti-virus tool.  Keep in mind that,
>         even in a minimal installation, ClamAV scans for much more than just
>         viruses and malware and that the false positive rate is never zero.  I
>         feel that you do not at present understand the issues well enough to
>         consider them sufficiently carefully.
> 
>         I have been using ClamAV for many years, on hundreds of Linux systems.
>         Perhaps this is mainly because of good hygiene but I have not yet seen
>         ClamAV find a Linux virus, nor Linux malware, nor Linux rootkit on any
>         Linux system.  I should be pleased if anyone who has will report, here
>         on this list, what they have found, when they found it, and how they
>         think it got there.  Any Linux system which has been compromised is a
>         danger, and my advice would be to rebuild it from scratch.
> 
>         -- 
> 
>         73,
>         Ged.
> 
> 
> 
>     -- 
>     Eduardo Lúcio
>     LightBase Consultoria em Software Público
>     eduardo.lucio at LightBase.com.br
>     +55-61-3347-1949 - http://brlight.org - Brasil-DF
>     Free software! Embrace this idea!
>     "Those who deny freedom to others deserve it not for themselves."
>     Abraham Lincoln
> 
> 
> 
> -- 
> Eduardo Lúcio
> LightBase Consultoria em Software Público
> eduardo.lucio at LightBase.com.br
> +55-61-3347-1949 - http://brlight.org - Brasil-DF
> Free software! Embrace this idea!
> "Those who deny freedom to others deserve it not for themselves."
> Abraham Lincoln


-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
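
What "passed to it from some other program" looks like on the wire, as an added example (not part of the original message and not ClamAV's own code): a minimal Python client for clamd's INSTREAM command, which is how a caller hands data to the daemon for scanning. The `socket_path` argument is assumed to be whatever `LocalSocket` is set to in the clamd configuration in use; the function names are hypothetical.

```python
import socket
import struct


def instream_frames(data: bytes, chunk_size: int = 8192):
    """Yield the byte strings a client sends for one INSTREAM request."""
    yield b"zINSTREAM\0"  # 'z' prefix selects NUL-terminated commands and replies
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        # Each chunk: 4-byte big-endian length, then the data itself.
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)  # zero-length chunk terminates the stream


def parse_reply(raw: bytes):
    """Map a clamd reply to (status, detail); status is OK, FOUND or ERROR."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return ("OK", None)
    if verdict.endswith(" FOUND"):
        return ("FOUND", verdict[:-len(" FOUND")])  # signature name
    return ("ERROR", text)  # e.g. size-limit errors carry no "stream: " prefix


def scan_bytes(data: bytes, socket_path: str, timeout: float = 30.0):
    """Submit data to a running clamd over its Unix socket; return the verdict.

    clamd only reports; it does not go looking for files on its own. Nothing
    is scanned unless a client like this one sends it something.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(socket_path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:  # daemon closed the connection
                break
            reply += part
    return parse_reply(reply)
```

Finding files that are already on disk therefore needs a scheduled job that walks the chosen directories and submits each file this way, which is what running `clamdscan` from cron does.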
