[clamav-users] clamscan: permission denied on many files being used by another process

G.W. Haywood clamav at jubileegroup.co.uk
Tue Jul 13 17:20:36 UTC 2021


Hi there,

On Tue, 13 Jul 2021, Michael Wang wrote:

> My question is how I can let clamscan read a file, as I have
> shown that even I cannot "more" a file used by another process as
> administrator.

As I explained in my earlier reply to you:

>> It's up to you to arrange for the scanner to have permission to do
>> what you want it to do.

Obviously ClamAV can't protect you from a malicious program in a file
if you run the program in the file before you scan it with ClamAV.  It
is very likely that the first thing that a malicious program will do
will be to seek out anti-virus software and either disable it or make
it appear to give a clean bill of health to the malicious program.

If you cannot scan a file with ClamAV because another process is using
it then it is already too late to scan it.  You have simply failed to
use ClamAV in the way in which it is designed.

Your operating system has its own ideas about security.  The little I
know about Windows makes me wonder if the main idea isn't to bamboozle
the average user by making things incredibly complicated, but whatever
it does either you have to work with it or you have to work around it.
I would recommend working with it, because working around it will lead
to many problems.  You have to learn about the systems and tools that
you're using to be able to get the best out of them; you need to learn
(1) what ClamAV is designed to do, and also (because you seem to have
some ideas about that which aren't what the rest of us have) what it
is *not* designed to do; and (2) how to arrange for ClamAV to be able
to do what it is intended to do on your system.  If it won't do what
you want it to do because it was never designed to do that in the
first place, then there's really no point grumbling about it.

> If clamscan cannot scan a file used by another process, then I question the
> usefulness of the software because a hacker can just install a virus file
> and use it, clamscan will not be able to detect it.

You are right to question the usefulness of any security tool, but not
for the reasons which you give, which make no sense.  If a hacker can
install a "virus file" then you have already lost the battle, because
he can presumably also compromise ClamAV itself.  And if ClamAV were
to attempt to defeat the security features of the operating system, I
should consider it to be a security threat.  Having gained a toe-hold
your hacker could use it to fully compromise the system.

To get back to the basics:

ClamAV is a suite of tools for you to use.

ClamAV looks for threats in files and data streams.

The ClamAV team provides ClamAV, and what we call a signature database
which is just a bunch of files which contain descriptions of threats.
The descriptions are given in a variety of forms, with which you need
to become familiar.

There are third parties who add many more signatures to the database.
You don't need to worry about them yet but bear it in mind for later.

You can add your own signatures, and also Yara rules.  Later.

You provide the files and the data streams for ClamAV to scan.

It's as simple as that.

-- 

73,
Ged.

