Hi,
I am trying to configure Scan On Access with a ProFTPD server to block access to
the file (not only mark it as FOUND):
Mon Aug 10 10:09:35 2015 -> ScanOnAccess: /home/xyz/eicar.txt: {HEX}EICAR.TEST.UNOFFICIAL(69630e4574ec6798239b091cda43dca0:69) FOUND
Mon Aug 10 10:09:39 2015 -> ScanOnAccess: /home/xyz/Revelation.exe: SecuriteInfo.com.W32.HackTool.BUS.5819.UNOFFICIAL(5fbc923249818c4b0489b85c1abf0357:69632) FOUND
Mon Aug 10 10:09:44 2015 -> ScanOnAccess: /home/xyz/Revelation.exe: SecuriteInfo.com.W32.HackTool.BUS.5819.UNOFFICIAL(5fbc923249818c4b0489b85c1abf0357:69632) FOUND
For some reason I am able to upload infected files to the server, and the above log
entries appear only during access (download, view), not even during delete.
I can live with that if it is only possible to detect during downloading from
FTP or opening, but I would like to be able to block access to the file if something is
detected.
clamav.conf:
ScanOnAccess true
OnAccessMaxFileSize 50M
#OnAccessIncludePath /var/ftp
OnAccessIncludePath /home/xyz
OnAccessExcludeUID 0