[clamav-users] Can't access file ERROR - clamdscan - 0.103.7-1

An Schall an.schall at gmail.com
Mon Nov 7 14:01:40 UTC 2022


Hi there,

the command we are using is:

sudo -H clamdscan -v -c /etc/clamd.d/scan.conf --multiscan --fdpass

We do see the errors in /var/log/clamdscan.log as defined in the
configuration file /etc/clamd.d/scan.conf (see below). The exact error
messages are as follows:

Mon Nov  7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamconf: Can't access file ERROR
Mon Nov  7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdscan: Can't access file ERROR
Mon Nov  7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamconf: Can't access file ERROR
Mon Nov  7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdscan: Can't access file ERROR
Mon Nov  7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdtop: Can't access file ERROR

Basically, all the files that we try to scan are triggering the above
error. For some files, though, the scan gives an "OK" and not the above
error message. However, we fail to see any system / correlation for
which files the scans fail and for which the scans are successful. It
seems rather random.

Below you can find the output of clamconf -n:

Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
LogFile = "/var/log/clamdscan-SD-XXXXX.scan"
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean = "yes"
LogSyslog = "yes"
LogFacility = "LOG_AUTHPRIV"
LogVerbose = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
PidFile = "/run/clamd.scan/clamd.pid"
TemporaryDirectory = "/data/tmp"
LocalSocket = "/run/clamd.scan/clamd.sock"
MaxThreads = "30"
MaxQueue = "200"
ExcludePath = ".*\.nc$", ".*\.bin$", ".*\.xml$", ".*\.hdf$", ".*\.h5$"
MaxDirectoryRecursion = "200"
FollowDirectorySymlinks = "yes"
FollowFileSymlinks = "yes"
User = "clamscan"
MaxScanTime = "1200000"
MaxScanSize = "4194304000"
MaxFileSize = "4194304000"
MaxRecursion = "200"
MaxFiles = "5000000"
MaxZipTypeRcg = "5242880"

Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"

mail/clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.7
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2
PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 15:21:51 2021
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
daily.cld: version 26713, sigs: 2010145, built on Mon Nov  7 08:52:07 2022
Total number of signatures: 8657664

Platform information
--------------------
uname: Linux 4.18.0-372.32.1.el8_6.x86_64 #1 SMP Fri Oct 7 12:35:10
EDT 2022 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a2180800800000000080500

Build information
-----------------
GNU C: 8.5.0 20210514 (Red Hat 8.5.0-10) (8.5.0)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
-fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
-fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
LDFLAGS: -Wl,-z,relro -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed
-lprelude
Configure: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix='
'--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--localstatedir=/var' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--enable-milter' '--disable-clamav' '--disable-static'
'--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check'
'--enable-dns' '--with-dbdir=/var/lib/clamav'
'--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath'
'--disable-silent-rules' '--enable-clamdtop' '--enable-prelude'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CXXFLAGS=-O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
'LDFLAGS=-Wl,-z,relro -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed'
'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
-fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 128, dconf: 128

As mentioned earlier, for all the files that failed to scan, we
tried to check access permissions, whether they exist, etc. pp. Those
are regular files with correctly configured ACLs. I also tried to run
clamdscan as root but it results in a similar problem.

Interestingly, when first escalating privileges via "sudo su" and then
running clamdscan against a folder within the home directory of the
user from which the privileges were escalated (i.e. foo), we receive
the following error:

[root@epp-3o-w1 av-scans]# clamdscan -v -c /etc/clamd.d/scan.conf /home/foo/test/
/home/foo/test: File path check failure: Permission denied. ERROR
/home/foo/test: File path check failure: Permission denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 2
Time: 0.000 sec (0 m 0 s)
Start Date: 2022:11:07 13:57:07
End Date:   2022:11:07 13:57:07

# ls -dlsa /home/foo/test/
0 drwxr-xr-x 2 foo sudo 292 Nov  3 10:35 /home/foo/test/

Unfortunately, due to a very strict configuration management we cannot
downgrade to 0.103.6 anymore.

Am Mo., 7. Nov. 2022 um 14:17 Uhr schrieb G.W. Haywood via
clamav-users <clamav-users at lists.clamav.net>:
>
> Hi there,
>
> On Mon, 7 Nov 2022, An Schall via clamav-users wrote:
>
> > we do have 2 workstations running RHEL 8 and clamav / clamd using an
> > identical software stack / configuration. In particular we integrate
> > the clamav packages via the RHEL EPEL repos. So far we have been using
> > 0.103.6-1.el8 without any issues. We have started upgrading to
> > 0.103.7-1.el8 on one of the two workstations. Since then, when using
> > clamdscan, we receive the below issue:
> >
> > Can't access file ERROR
>
> Given your problem description I've had trouble understanding how you
> might have come to see exactly this error, please tell us what you did
> to get it and when and where you see the error (e.g. stderr, logfile).
> If this is not the exact error please cut-and-paste it from the screen
> or whatever you need to do to show the error *exactly*.
>
> With any luck there'll be a log entry telling you which file caused
> the problem.  Have you looked in the logs to see what (if anything) is
> there?  It might be helpful to know the file's name, if it is a file
> which cannot be accessed, and if not it may be helpful to know that
> too.  It may be (see [*] below) you need to tweak your configuration
> to write the logs.
>
> > We have been investigating the issue with respect to access control
> > related issues. However, even when using "root" as the clamdscan user
> > we receive the error.
>
> Have you tried running the clamd daemon itself as root?
>
> > From an ACL perspective, we see no systematic cause for this issue.
>
> Have you checked by downgrading to 0.103.6 that the error goes away?
>
> > We therefore want to check whether this error has been experienced
> > by others as well and thus may relate to a bug in version
> > 0.103.7-1.el8 of clamdscan.
>
> The latest version of 0.103.x was released a week ago.  Early days so
> anything's possible.  I don't use security software packaged by distro
> and I only scan mail, using clamd and my own milters, so I'm afraid I
> can't help directly with that question.  However, since it went live
> here on 1 November 2022 I can say that I've seen no unexpected issues
> with clamd from ClamAV version 0.103.7 running on armv7l 64-bit; this
> probably won't help you very much. :(
>
> > Below you can find the output of clamconf:
>
> The output of 'clamconf -n' might be easier for us to digest.
>
> [*] Are you sure that you've shown us the right configuration?
>
> --
>
> 73,
> Ged.
> _______________________________________________
>
> Manage your clamav-users mailing list subscription / unsubscribe:
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
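
A triage helper for the two error formats shown in this post, as an added example that is not part of the original message or of ClamAV: it extracts the failing paths from the log lines and, for each one, reports the first path component that a given uid cannot traverse or read. The uid/gid used for the `clamscan` user are hypothetical, and the check looks at mode bits only, so ACLs and SELinux are not evaluated.

```python
import os
import re
import stat

# Constructed sample: error lines in the two formats shown in the post
# (clamd log file, and clamdscan console output).
SAMPLE = [
    "Mon Nov  7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/"
    "clamav-0.103.6-1.fc36/usr/bin/clamconf: Can't access file ERROR",
    "/home/foo/test: File path check failure: Permission denied. ERROR",
]
LINE = re.compile(r"^(?:.*? -> )?(?P<path>/.*?): "
                  r"(?P<msg>Can't access file|File path check failure.*?)\.? ERROR$")

def failing_paths(lines):
    """Map each path named in an access-related ERROR line to its message."""
    found = {}
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            found[m.group("path")] = m.group("msg")
    return found

def first_blocked(path, uid, gids, start=os.sep):
    """Return the first component below `start` that uid/gids cannot pass,
    judged by mode bits only (no ACLs, no SELinux), or None if none blocks.
    Intermediate directories need x, a final directory r+x, a final file r."""
    if uid == 0:
        return None  # root bypasses mode bits
    parts = os.path.relpath(os.path.abspath(path), start).split(os.sep)
    cur = start
    for i, part in enumerate(parts, 1):
        cur = os.path.join(cur, part)
        try:
            st = os.stat(cur)
        except OSError:
            return cur  # missing, or not visible to the user running this check
        if stat.S_ISDIR(st.st_mode):
            need = 5 if i == len(parts) else 1
        else:
            need = 4
        shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
        if (st.st_mode >> shift) & need != need:
            return cur
    return None

if __name__ == "__main__":
    CLAMD_UID, CLAMD_GIDS = 987, {987}  # hypothetical ids for User = "clamscan"
    for p, msg in failing_paths(SAMPLE).items():
        print(p, "|", msg, "| first blocked:", first_blocked(p, CLAMD_UID, CLAMD_GIDS))
```

Without `--fdpass` the daemon opens each file itself as the configured `User`, so every directory on the path must be traversable by that account; with `--fdpass` the descriptor is opened by the clamdscan caller and handed to clamd.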

