On Tue, Jun 15, 2021 at 7:19 PM G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
Hi there,

On Tue, 15 Jun 2021, Lee, Raymond via clamav-users wrote:

> ... I don't want this thread to become a debate about whether or not to
> scan the entire system.  I was just looking for insight into my question
> about clamd and SELinux.

Sure, with you.  FWIW I don't scan Linux systems.  Primarily I use
ClamAV to scan mail, and I'm not especially interested in malware.

As far as SELinux is concerned it seems to me that it's most likely
doing what it's supposed to do.  My personal take on it is that there's
no reason on Earth to scan a shadow_t type file with ClamAV, and if
you do let it do that you risk a vulnerability in ClamAV ruining your
whole holiday.  I don't know why you aren't seeing the log messages
which you're expecting to see; perhaps it's a permissions issue too.


I figured it out!  Apparently, there were dontaudit rules that were preventing the SELinux denials from being logged to audit.log.  I temporarily disabled the dontaudit rules with 'semodule -DB' and then re-ran clamdscan with SELinux in Permissive mode.  Then I saw the AVC denial messages in audit.log and was able to use audit2allow to generate a local policy to allow clamd to read the files that it was previously unable to.
 
In case it's interesting, here's the detection performance of some
scanners for the last 40 malicious emails processed by my systems:

  30 fortinet.com
  28 drweb.com
  26 gdatasoftware.com
  26 escanav.com
  26 bitdefender.com
  25 avast.com
  20 sophos.com
  20 ikarus.at
  19 eset.com
   7 f-secure.com
   5 f-prot.com
   3 clamav.net
   0 trendmicro.com

The detection numbers were obtained by manually inspecting attempts to
send suspicious mail to our servers, and after confirming that the mail
was malicious, submitting samples to Jotti's malware scan:

https://virusscan.jotti.org/

This was by no means a scientific experiment.  The sample size was
very small; the malware chose to be in the study, not the other way
around; some of the 40 samples were almost identical; there may be
issues with the way in which samples were presented to the scanners
which skews the comparative results.  But as you can see, even the
best performer only found three out of four.


LOL, I guess you get what you pay for.  Maybe I'll install the clamav-unofficial-sigs package to hopefully get a better detection rate.

Thanks for your insight!

--
Kind Regards,
Ray
 
It's food for thought.

--

73,
Ged.
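Ray's procedure above (drop the dontaudit rules with `semodule -DB`, re-run clamdscan in permissive mode, then let audit2allow turn the AVC denials into a local policy) combined with Ged's point about shadow_t suggests one check worth making before loading the generated module: audit2allow will happily emit an allow rule for every denial it sees, including reads of /etc/shadow. The script below is an added example, not code from this thread or from ClamAV; it parses records in the audit.log AVC format and separates denials that can reasonably go to audit2allow from denials on sensitive target types that should be refused. The audit.log lines are constructed, and the type names (antivirus_t as clamd's domain, the entries of SENSITIVE_TYPES) are assumptions taken from the reference policy naming scheme.

```python
import re
from collections import defaultdict

# Target types a mail scanner has no business reading (assumed names from the
# reference policy); allowing them widens the blast radius of any clamd bug.
SENSITIVE_TYPES = {"shadow_t", "ssh_home_t", "krb5_keytab_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    # a context is user:role:type[:level]; the type is the third field
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d

def triage(lines, comm="clamd"):
    """Split denials for `comm` into (allow, refuse), keyed (stype, ttype, class) -> perms."""
    allow, refuse = defaultdict(set), defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None or d["comm"] != comm:
            continue
        bucket = refuse if d["ttype"] in SENSITIVE_TYPES else allow
        bucket[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return dict(allow), dict(refuse)

def to_te_rules(allow):
    """Render accepted denials as .te allow rules, the shape audit2allow -m produces."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(allow.items())]

SAMPLE_LOG = [  # constructed records in the audit.log AVC format
    'type=AVC msg=audit(1623800001.100:501): avc:  denied  { read } for  pid=2101 comm="clamd" name="nginx.conf" dev="dm-0" ino=7001 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1623800001.200:502): avc:  denied  { read open } for  pid=2101 comm="clamd" name="shadow" dev="dm-0" ino=7002 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1623800001.300:503): avc:  denied  { search } for  pid=2101 comm="clamd" name="conf.d" dev="dm-0" ino=7003 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1',
]

if __name__ == "__main__":
    allow, refuse = triage(SAMPLE_LOG)
    print("\n".join(to_te_rules(allow)), "\nREFUSE (review by hand):", refuse)
```

Only the rules printed from `to_te_rules` would go on to `audit2allow -M`; the refused set is the list of files that should instead be excluded from the scan.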
