[clamav-users] clamonacc RHEL8
G.W. Haywood
clamav at jubileegroup.co.uk
Thu May 13 07:44:34 UTC 2021
Hi there,
On Wed, 12 May 2021, Hoevenaar, Jeffrey (GE Aviation, US) via clamav-users wrote:
> Trying to configure clamav/clamonacc on RHEL8. I am new to clamav.
Welcome to the list. :)
> Do the status of these services look correct???
> ...
> Any feedback would be helpful.
I hung back a bit after seeing your mail hoping that someone else will
step in who's using what you're using, but as nobody has I'll chip in.
I don't use the tools that you are using to manage services, so I can't
tell you if they're making sense, but I can suggest ways to investigate
which will apply to any Linux/Unix system. I also don't use on-access
scanning - I only use ClamAV for scanning mail, and with some of the
third-party databases - so our use cases are very different.
The first thing I'd check is that there's a process running (and only
one process) called clamd, that it's using around a gigabyte of RAM,
which seems to be the case, and that it responds to a PING.
You can check that it's running with the 'top' utility. Sort top's
output on the screen by memory usage. The clamd daemon will probably
be at the top of the list. Unless you have lots of file access to
areas protected by the on-access scanning, most of the time it
probably won't be using much CPU. Give it something to scan and it
will use a core. Be aware that it can take a while for the daemon to
start, because it has a lot of work to do to populate the signature
database in RAM; anywhere between a few seconds and a few minutes,
depending on the system spec. While it's starting, clamd will use a
lot of CPU. You can watch that with top.
The 'PING' command isn't the 'ping' that you'd use to check that some
network interface is alive. It's sent to the daemon over the socket
to which it's configured to listen. You can use something like netcat
or telnet to communicate with the daemon. See the clamd 'man' page.
I run a separate clamd server on our network and so I use TCP sockets.
Here's a cut'n'paste of me sending a PING command to the daemon from
my laptop:
laptop3:~$ >>> telnet 192.168.4.7 3313
Trying 192.168.4.7...
Connected to 192.168.4.7.
Escape character is '^]'.
PING
PONG [1620857300]
Connection closed by foreign host.
laptop3:~$ >>>
I typed the 'telnet' command line and the word 'PING' (plus 'enter').
I routinely run a patched clamd. You won't see the number in square
brackets in your output (it's just the seconds since the epoch of the
last DB reload). Also the port in the clamd.conf example is usually
3310, not 3313. See that, and the clamd.conf 'man' page, for more info.
Also very possibly your distro doesn't have a file called clamd.conf, I
wish they wouldn't do things like that but it happens. You may need to
poke around a bit to find all the bits of configuration, I don't know.
The second thing I'd check (if I were to use on-access scanning, which
I don't) would be that the configuration is actually causing scans to
take place on access. Drop the EICAR test file in a protected place,
and try to list it with a pager or something. That should give you an
access denied error.
Can you tell us a bit more about how you want to use ClamAV?
My list address only accepts mail from this list.
HTH
--
73,
Ged.
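The PING/PONG check described in the message above, as an added example that is not part of the original mail and not ClamAV's own code. It sends the clamd PING command over a TCP socket the way the telnet session does and parses the reply, accepting both the stock "PONG" and the author's patched "PONG [epoch]" form. The host and port (127.0.0.1, 3310) are the usual clamd.conf defaults and are assumptions to adjust; the fake clamd listener is a constructed stand-in so the example runs offline.

```python
import socket
import threading

# Assumption: clamd listening on TCP 3310, the port in the clamd.conf example.
DEFAULT_HOST = "127.0.0.1"
DEFAULT_PORT = 3310


def parse_pong(reply: bytes):
    """Parse clamd's reply to PING.

    Stock clamd answers "PONG\\n". The patched build in the mail appends the
    epoch of the last DB reload, e.g. "PONG [1620857300]\\n".
    Returns (alive, last_reload_epoch_or_None).
    """
    text = reply.decode("ascii", errors="replace").strip()
    if not text.startswith("PONG"):
        return False, None
    rest = text[len("PONG"):].strip()
    if rest.startswith("[") and rest.endswith("]") and rest[1:-1].isdigit():
        return True, int(rest[1:-1])
    return True, None


def ping_clamd(host=DEFAULT_HOST, port=DEFAULT_PORT, timeout=5.0):
    """Send PING to clamd over its TCP socket and return parse_pong()'s result."""
    # clamd takes newline-terminated commands prefixed with 'n' (or NUL-terminated
    # ones prefixed with 'z'); the bare "PING" typed into telnet is also accepted.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"nPING\n")
        reply = b""
        while not reply.endswith(b"\n"):
            chunk = sock.recv(64)
            if not chunk:
                break
            reply += chunk
    return parse_pong(reply)


def start_fake_clamd(reply: bytes):
    """Constructed stand-in for clamd so the example runs without a daemon:
    accepts one connection, answers `reply` to PING, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(64)
            # strip the n/z prefix and terminator to get the bare command
            if data.strip(b"nz\x00\n") == b"PING":
                conn.sendall(reply)
            else:
                conn.sendall(b"UNKNOWN COMMAND\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demo against the constructed stand-in; point ping_clamd() at a
    # real clamd host/port to check a live daemon.
    port = start_fake_clamd(b"PONG [1620857300]\n")
    alive, reloaded = ping_clamd("127.0.0.1", port)
    print("clamd alive:", alive, "last DB reload epoch:", reloaded)
```

A (True, None) result means a stock clamd answered; (True, <epoch>) is what the patched build in the mail returns; (False, None) or a socket error means the daemon is not up on that socket yet, which during start-up can simply mean it is still loading the signature database.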