Hi

Thank you for your support

output of clamconf -n:

 

Config file: clamd.conf

-----------------------

LogFile = "/var/log/clamav/clamav.log"

LogFileMaxSize = "5242880"

LogTime = "yes"

LogClean = "yes"

LogSyslog = "yes"

LogRotate = "yes"

ExtendedDetectionInfo = "yes"

LocalSocket = "/tmp/clamd.socket"

LocalSocketMode = "660"

User = "root"

OnAccessIncludePath = "/home"

OnAccessExcludeUname = "root"

OnAccessPrevention = "yes"

 

Config file: freshclam.conf

---------------------------

DatabaseMirror = "database.clamav.net"

HTTPProxyServer = "172.16.130.185"

HTTPProxyPort = "3128"

 

Config file: clamav-milter.conf

-------------------------------

ERROR: Please edit the example config file /usr/local/etc/clamav-milter.conf

 

Software settings

-----------------

Version: 0.104.2

Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR

 

Database information

--------------------

Database directory: /usr/local/share/clamav

bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 07:21:51 2021

daily.cld: version 26477, sigs: 1975702, built on Thu Mar 10 01:34:39 2022

Total number of signatures: 1975794

 

Platform information

--------------------

uname: Linux 3.10.0-1160.59.1.el7.x86_64 #1 SMP Wed Feb 23 16:47:03 UTC 2022 x86_64

OS: Linux, ARCH: x86_64, CPU: x86_64

zlib version: 1.2.11 (1.2.11), compile flags: a9

platform id: 0x0a218e8e0800000002040805

 

Build information

-----------------

GNU C: 4.8.5 20150623 (Red Hat 4.8.5-44) (4.8.5)

sizeof(void*) = 8

Engine flevel: 142, dconf: 142

 

My main question is whether clamav can prevent malicious files from being run by the root user?

 

Thankful

 

From: G.W. Haywood via clamav-users
Sent: Sunday, March 13, 2022 3:40 PM
To: Mohsen Ghahremani via clamav-users
Cc: G.W. Haywood
Subject: Re: [clamav-users] Prevent root users from running infected files

 

Hi there,

 

On Sun, 13 Mar 2022, Mohsen Ghahremani via clamav-users wrote:

 

> I run clamd and clamonacc with root user and clamd.conf file is

> configured as follows:

>

>                 User root

>

> OnAccessIncludePath / home

>

> OnAccessExcludeUname root

>

> OnAccessPrevention yes

 

This is not sufficient information (and your configuration of the

OnAccessIncludePath option looks wrong - did you mean '/home'?).

 

Please instead provide the full, unedited output of

 

clamconf -n

 

and I repeat - without *any* editing on your part so that we can see

your configuration correctly.

 

> In this case, if I run a malicious file with other users, clamav

> prevents it from running, and if I run the same file with the root

> user, it does nothing.

>

> How can I configure calmav to prevent malicious files from being

> executed by the root user?

 

Please read the man page for clamd.conf where the exclusions are fully

explained.  There are more of them than you have listed in your post.

 

--

 

73,

Ged.

 

_______________________________________________

 

clamav-users mailing list

clamav-users@lists.clamav.net

https://lists.clamav.net/mailman/listinfo/clamav-users

 

 

Help us build a comprehensive ClamAV guide:

https://github.com/vrtadmin/clamav-faq

 

http://www.clamav.net/contact.html#ml

 

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml