On Jul 6, 2010, at 3:12 PM, Török Edwin wrote:

>> Interesting, I made my VirusEvent line look like this in clamd.conf:
>>
>> VirusEvent /bin/cp /Library/mytestfile.txt /Library/mytestfile2.txt
>
> Does the 'clamav' user have the right to create files in /Library?
>
> Note that even if you run clamd as root, a 'User clamav' directive in
> clamd.conf it will drop privileges.
>
> Try copying a file to /tmp, or even simpler just 'touch /tmp/foo'.

The "run as another user" directive in my clamd.conf file looks like this:

    # Run as another user (clamd must be started by root for this option to work)
    # Default: don't drop privileges
    #User clamav

So, I am interpreting this to mean that clamd will retain its privileges (i.e., run as root). Is that a correct interpretation? In Activity Monitor, the User "owning" clamd is described as root.

I have tried both of these commands on the VirusEvent line:

    VirusEvent /bin/cp /tmp/mytestfile.txt /tmp/mytestfile2.txt

and

    VirusEvent touch /tmp/mytestfile.txt

Unfortunately, it does not seem that either event fires, even though the scan does find EICAR.

What is the most sensible way to verify that clamd is looking at the correct config file? This is the one that I am updating:

    /usr/local/ClamXav/etc/clamd.conf

Thanks,
Russ
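
Added example, not part of the original message or of ClamAV: a small shell check that reports which `User` and `VirusEvent` directives are actually active in a given clamd.conf, treating lines such as `#User clamav` as commented out. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Print every active (uncommented) value of one directive in a clamd.conf.
# Usage: active_directive <config-file> <Directive>
active_directive() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                  # skip comments such as "#User clamav"
        $1 == key && NF > 1 {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")  # drop the directive name
            sub(/[ \t]+$/, "")               # drop trailing whitespace
            print
        }
    ' "$1"
}

# Summarise the two settings discussed in this thread.
summarize_conf() {
    user=$(active_directive "$1" User)
    event=$(active_directive "$1" VirusEvent)
    if [ -n "$user" ]; then
        echo "User: $user (clamd started by root drops privileges to this account)"
    else
        echo "User: not set (no privilege drop; clamd keeps the account it was started as)"
    fi
    if [ -n "$event" ]; then
        echo "VirusEvent: $event"
    else
        echo "VirusEvent: not set"
    fi
}

# Constructed sample config mirroring the lines quoted in the message.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
#User clamav
VirusEvent /bin/cp /tmp/mytestfile.txt /tmp/mytestfile2.txt
EOF
}

# When a path is given on the command line, summarise that file.
if [ -n "${1:-}" ]; then
    summarize_conf "$1"
fi
```

Whatever account the summary reports is the one that needs write access to the VirusEvent command's target directory.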
