I haven't tried this yet myself, but mayhap you could leave --move off, and define a permission-changing script in virusevent.d? And are these activation instructions Debian-specific or universal - I haven't found much explaining this vs. the VirusEvent directive in the clamd.conf

"Note also that the clamd package contains an empty directory /etc/clamav/virusevent.d/ Admins and other packagers are encouraged to use this directory to store scripts that should be executed after a virus is detected. To enable the feature, you will have to add:

  VirusEvent /bin/run-parts --lsbsysinit /etc/clamav/virusevent.d/

  to /etc/clamav/clamd.conf"


(And are those activation instructions Debian-specific or universal - I haven't found much explaining this vs. the VirusEvent directive in the clamd.conf:)

*VirusEvent COMMAND*
             Execute the COMMAND when virus is found. In the command string
             %v and %f will be replaced by a virus name and an infected file
             name respectively. *SECURITY WARNING: Make sure the virus event
             command cannot be exploited eg. by using some special file name
             when %f is in use. Always use a full path to the command. Never
             delete/move files with this directive !*
             Default: disabled.

So perhaps a

VirusEvent "/bin/chown root:root %f;chmod 0400 %f;/echo-or-log-or-something %v found in %f!"

?

Jens Strohschnitter wrote:

ClamAV works fine in our environment, but our old scanner (sweep) has a
parameter with which I can set permissions on the file, after it is
identified as a virus, to root.root/400.
For clamav I found only the parameter --move.
Is there a chance to set permissions to root.root/400 and not to move the
file?
"Richard Collyer" <[EMAIL PROTECTED]> wrote:

AFAIK ClamAV moves viruses into a folder "quarantine". Could you not then
just run a cron every minute or so to change the perms to root:root and
400? Or as I do delete the files every seven days.

Hi

That's a solution. Sophos-Sweep changes the permission on the virus file in the same folder
where the file is stored. So if I need to move back a file quarantined by clamav to the --move-folder, I don't know where the file was stored before clamav moved it. But if there is no way to change the permission on a file without moving it to quarantine, it is no problem for us. I can look at the log to see where it was stored before its quarantine.




--
Rob Munsch
Solutions For Progress IT
www.solutionsforprogress.com

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
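
An added example, not from the thread or the ClamAV project: a handler that could sit in /etc/clamav/virusevent.d/ and apply the root:root/0400 lockdown discussed above while treating the file name strictly as data, which is what the SECURITY WARNING about %f asks for. The script name, the LOCK_OWNER/LOCK_MODE variables and the logger tag are hypothetical; it assumes clamd passes the path in the CLAM_VIRUSEVENT_FILENAME environment variable (as later ClamAV releases do), which the man page excerpt quoted here does not mention.

```shell
#!/bin/sh
# Added example: hypothetical /etc/clamav/virusevent.d/lock-infected script.
# Assumption: clamd exports the detected path in CLAM_VIRUSEVENT_FILENAME and
# the signature name in CLAM_VIRUSEVENT_VIRUSNAME, so the name never has to be
# pasted into the VirusEvent command string via %f.

LOCK_OWNER="${LOCK_OWNER:-root:root}"   # owner to set (overridable for testing)
LOCK_MODE="${LOCK_MODE:-0400}"          # mode to set

# lock_infected PATH
# Restrict PATH in place. Returns 0 on success, 2-5 on refusal or failure.
lock_infected() {
    target=$1
    case $target in
        /*) ;;                                    # absolute paths only
        *)  echo "lock-infected: not an absolute path" >&2; return 2 ;;
    esac
    # Refuse symlinks and anything that is not a regular file, so a planted
    # link cannot redirect the chown/chmod to another file. The check is not
    # atomic: in a directory the file's owner can write to, a race remains.
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "lock-infected: not a regular file" >&2; return 3
    fi
    # Full command paths, "--" to end option parsing, and quoting so that
    # spaces, semicolons or leading dashes in the name stay one argument.
    /bin/chown -h -- "$LOCK_OWNER" "$target" || return 4
    /bin/chmod -- "$LOCK_MODE" "$target" || return 5
}

# Run only when clamd supplied a file name (i.e. not when sourced by a test).
if [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ]; then
    if lock_infected "$CLAM_VIRUSEVENT_FILENAME"; then
        /usr/bin/logger -t clamav-virusevent -- \
            "${CLAM_VIRUSEVENT_VIRUSNAME:-unknown} found, locked: $CLAM_VIRUSEVENT_FILENAME"
    fi
fi
```

With this in place the VirusEvent line stays the run-parts command quoted above, and the original location of the file is preserved because nothing is moved.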
