[clamav-users] On access scanning causes system lockup with certain directories

Maarten Broekman maarten.broekman at gmail.com
Wed Apr 13 11:54:39 UTC 2022


I'm not sure if this IS the answer, but my guess would be that ClamAV needs
to access files in /usr/lib64... And it has to scan (and come back with an
OK result) before access is allowed... resulting in scans being blocked
which, in turn, results in ALL processes being blocked while waiting on the
scans to complete.

--Maarten

On Wed, Apr 13, 2022 at 7:49 AM Oorschot, R. van (IVO Rechtspraak) via
clamav-users <clamav-users at lists.clamav.net> wrote:

> Hi all
>
> I'm setting up a test environment with ClamAV and on access scanning and
> came across some problems.
>
> When I add the directories /etc and /usr to the OnAccessIncludePath list,
> the machine totally locks up.
> All connected sessions lock up too. Only a reboot of the machine is the
> solution.
> When /etc (or /usr) is the only OnAccessIncludePath entry the same thing
> (lockup/hang) happens.
>
> For /usr I found a workaround: OnAccessExcludePath /usr/lib64
> This way the machine stays stable.
>
> Putting SELinux in permissive mode gives the same negative result (lockup).
>
> Has somebody got an idea what could be the cause of these lockups?
> Excluding etc and usr wouldn't be quite a satisfying solution.
>
> Cheers,
> Roland
>
> Here's the setup:
> Red Hat Linux 8.5
> SELinux turned on (antivirus_can_scan_system / clamd_use_jit are set)
>
> The machine has a clean install. Dedicated to this POC.
>
> This is the ClamAV scan.conf:
>
> LogFile /var/log/clamd.scan
> LogTime yes
> LogSyslog yes
> TemporaryDirectory /tmp
> LocalSocket /run/clamd.scan/clamd.sock
> LocalSocketGroup virusgroup
> FixStaleSocket yes
> ExcludePath ^/proc/
> ExcludePath ^/sys/
> ExcludePath ^/dev/
> User clamscan
> OnAccessMaxThreads 10
> OnAccessIncludePath /home
> OnAccessIncludePath /boot
> OnAccessIncludePath /root
> OnAccessIncludePath /etc
> OnAccessIncludePath /usr
> OnAccessIncludePath /opt
> OnAccessExcludePath ^/proc/
> OnAccessExcludePath ^/sys/
> OnAccessExcludePath ^/dev/
> OnAccessExcludePath /usr/lib64
> OnAccessPrevention yes
> OnAccessDenyOnError yes
> OnAccessExcludeUname clamupdate
>
>
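The reply's guess, turned into a configuration check (an added example, not part of the original thread and not ClamAV code): when OnAccessPrevention is on, it reports whether the account named by User is missing from OnAccessExcludeUname and whether a location the scanner is assumed to read is watched without an exclusion. The function names, the SCANNER_READS list and the plain prefix matching of path values are assumptions of this example.

```python
# Added example: lint a clamd on-access config for the self-blocking pattern
# guessed at in the reply. Names and matching rules are assumptions.

# Constructed sample: on-access lines from the scan.conf quoted in the thread.
SAMPLE_CONF = """\
User clamscan
OnAccessIncludePath /etc
OnAccessIncludePath /usr
OnAccessExcludePath ^/proc/
OnAccessExcludePath /usr/lib64
OnAccessPrevention yes
OnAccessExcludeUname clamupdate
"""

# Assumption: locations the scanner itself opens; these two come from the thread.
SCANNER_READS = ["/usr/lib64", "/etc"]

def parse_conf(text):
    """Return {option: [values...]}; options may repeat."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts.setdefault(key, []).append(value.strip())
    return opts

def covers(prefix, path):
    """True if path equals prefix or lies beneath it (plain prefix match)."""
    prefix = prefix.lstrip("^").rstrip("/") or "/"
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def lint(text, scanner_reads=SCANNER_READS):
    opts = parse_conf(text)
    if opts.get("OnAccessPrevention", ["no"])[-1].lower() != "yes":
        return []  # notify-only mode does not hold opens for a verdict
    findings = []
    user = opts.get("User", [None])[-1]
    if user and user not in opts.get("OnAccessExcludeUname", []):
        findings.append(f"User {user} is not in OnAccessExcludeUname")
    for path in scanner_reads:
        watched = any(covers(i, path) for i in opts.get("OnAccessIncludePath", []))
        excluded = any(covers(e, path) for e in opts.get("OnAccessExcludePath", []))
        if watched and not excluded:
            findings.append(f"{path} is watched with prevention and not excluded")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("WARN:", finding)
```
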