I was wondering if anyone could comment on the situation that the on-access
scanning does not seem to work properly.
Thank you very much for your help.
ZF
On Wednesday, August 10, 2016 7:17 PM, Z F <[email protected]> wrote:
Dear Mickey,
I apologize for the delay.
ps aux|grep clam
clamav    1895  0.0  0.0 132388  12084 ?  Ss   14:58   0:00 /usr/bin/freshclam -d --foreground=true
root      1939  0.0  1.2 614312 409072 ?  Ssl  14:58   0:11 /usr/sbin/clamd --foreground=true
So I think clamd is running as root.
I have set up an LXD container and would like clamav to monitor the home
directory of that container. This is because the home directory of the
container is exported via samba to Windows users. So the directory which is
monitored is /var/lib/lxd/containers/myportal
clamav is running on the host (not inside LXD).
ls -ld /var/lib/lxd/containers/myportal
drwxr-xr-x 4 165536 165536 /var/lib/lxd/containers/myportal
Section of the clamav log /var/log/clamav/clamav.log:
Wed Aug 10 14:58:28 2016 -> +++ Started at Wed Aug 10 14:58:28 2016
Wed Aug 10 14:58:28 2016 -> Received 1 file descriptor(s) from systemd.
Wed Aug 10 14:58:28 2016 -> clamd daemon 0.99 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Wed Aug 10 14:58:28 2016 -> Running as user root (UID 0, GID 0)
Wed Aug 10 14:58:28 2016 -> Log file size limited to 4294967295bytes.
Wed Aug 10 14:58:28 2016 -> Reading databases from /var/lib/clamav
Wed Aug 10 14:58:28 2016 -> Not loading PUA signatures.
Wed Aug 10 14:58:28 2016 -> Bytecode: Security mode set to "TrustSigned".
Wed Aug 10 14:58:39 2016 -> Loaded 4713019 signatures.
Wed Aug 10 14:58:41 2016 -> TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd.
Wed Aug 10 14:58:41 2016 -> LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd.
Wed Aug 10 14:58:41 2016 -> Limits: Global size limit set to 104857600 bytes.
Wed Aug 10 14:58:41 2016 -> Limits: File size limit set to 26214400 bytes.
Wed Aug 10 14:58:41 2016 -> Limits: Recursion level limit set to 16.
Wed Aug 10 14:58:41 2016 -> Limits: Files limit set to 10000.
Wed Aug 10 14:58:41 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Wed Aug 10 14:58:41 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Wed Aug 10 14:58:41 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Wed Aug 10 14:58:41 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Wed Aug 10 14:58:41 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Wed Aug 10 14:58:41 2016 -> Limits: MaxPartitions limit set to 50.
Wed Aug 10 14:58:41 2016 -> Limits: MaxIconsPE limit set to 100.
Wed Aug 10 14:58:41 2016 -> Limits: PCREMatchLimit limit set to 10000.
Wed Aug 10 14:58:41 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
Wed Aug 10 14:58:41 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
Wed Aug 10 14:58:41 2016 -> Archive support enabled.
Wed Aug 10 14:58:41 2016 -> Algorithmic detection enabled.
Wed Aug 10 14:58:41 2016 -> Portable Executable support enabled.
Wed Aug 10 14:58:41 2016 -> ELF support enabled.
Wed Aug 10 14:58:41 2016 -> Mail files support enabled.
Wed Aug 10 14:58:41 2016 -> OLE2 support enabled.
Wed Aug 10 14:58:41 2016 -> PDF support enabled.
Wed Aug 10 14:58:41 2016 -> SWF support enabled.
Wed Aug 10 14:58:41 2016 -> HTML support enabled.
Wed Aug 10 14:58:41 2016 -> Self checking every 3600 seconds.
Wed Aug 10 14:58:41 2016 -> ERROR: ScanOnAccess: fanotify_init failed: Operation not permitted
Wed Aug 10 14:58:41 2016 -> ScanOnAccess: clamd must be started by root
Wed Aug 10 15:58:41 2016 -> SelfCheck: Database status OK.
Wed Aug 10 16:58:41 2016 -> SelfCheck: Database status OK.
Wed Aug 10 17:58:41 2016 -> SelfCheck: Database status OK.
cat /boot/config-4.4.0-34-generic|grep -i fanotify
CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
auditd is not installed; selinux is not installed either.
dpkg -l|grep selinux
ii  libselinux1:amd64   2.4-3build2       amd64  SELinux runtime shared libraries
dpkg -l|grep audit
ii  libaudit-common     1:2.4.5-1ubuntu2  all    Dynamic library for security auditing - common files
ii  libaudit1:amd64     1:2.4.5-1ubuntu2  amd64  Dynamic library for security auditing
The configuration: I took the default configuration from Ubuntu 16.04 and
inserted this section:
#ScanOnAccess false
ScanOnAccess true
OnAccessIncludePath /var/lib/lxd/containers/myportal/home
OnAccessPrevention true
OnAccessExtraScanning true
Can you see from this what the problem is?
Thank you very much for your help.
ZF
On Monday, August 8, 2016 12:15 PM, Mickey Sola <[email protected]> wrote:
So, to be clear. Setting "User" to "root" in clamd.conf does not begin the
clamd instance with elevated permissions. You actually need to run clamd as the
root user for that option to work at all.
Assuming you've run clamd as root, I'd be interested to know the group/owner
and other attributes of /home/user/Downloads as well as any
accompanying selinux diagnostics in audit.log (or avc.log if you aren't running
auditd).
Cheers,
Mickey
On Mon, Aug 8, 2016 at 11:28 AM, Z F <[email protected]> wrote:
Have you tried running clamd itself with root permissions?
e.g. $ sudo clamd [options]
Yes I did, same result... I did not use any options...
-Mickey
On Sun, Aug 7, 2016 at 1:18 AM, Z F <[email protected]> wrote:
> I have noticed in /var/log/clamav/clamav.log
>
> Sun Aug 7 01:14:28 2016 -> ERROR: ScanOnAccess: fanotify_init failed: Operation not permitted
> Sun Aug 7 01:14:28 2016 -> ScanOnAccess: clamd must be started by root
>
> in /etc/clamav/clamd.conf
> I had User clamav
> then I changed to User root and rebooted but this did not help. Not sure if
> even User should be set to root. I thought clamav is the better choice.
> Thank you very much for your help.
> ZF
>
>
> On Sunday, August 7, 2016 1:06 AM, Z F <[email protected]> wrote:
>
>
>
> Dear clamav,
> I have used these instructions to set up on-access scan:
> ClamAV® blog: Configuring On-Access Scanning in ClamAV
>
> ScanOnAccess true
> OnAccessIncludePath /home/user/Downloads
> OnAccessPrevention true
> OnAccessExtraScanning true
> The installed version is
> 0.99+dfsg-1ubuntu1.1
>
> on Ubuntu 16.04.
> grep FANOTIFY /boot/config-4.4.0-31-generic
> CONFIG_FANOTIFY=y
> CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
> I have made a test virus file
> http://www.eicar.org/86-0-Intended-use.html
> but the test file can still be accessed.
> Could someone suggest what I did wrong? Thank you.
> ZF
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
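The "fanotify_init failed: Operation not permitted" line in the clamd log above is errno EPERM from the fanotify_init(2) syscall, which needs CAP_SYS_ADMIN regardless of the User setting in clamd.conf. The probe below makes the same two calls a blocking on-access scanner needs and maps the failure to its usual cause, so it can be run as root on the host to separate a missing capability from a kernel or path problem. This is an added example, not code from the thread or from ClamAV; it assumes Linux with glibc's sys/fanotify.h, and the default path is the OnAccessIncludePath from the thread.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/fanotify.h>
#include <unistd.h>

enum fan_step { STEP_INIT = 1, STEP_MARK = 2 };
enum fan_diag {
    DIAG_OK = 0,            /* both calls succeeded: privilege and kernel side are fine */
    DIAG_NO_CAP_SYS_ADMIN,  /* EPERM from fanotify_init: caller lacks CAP_SYS_ADMIN */
    DIAG_NO_FANOTIFY,       /* ENOSYS: kernel built without CONFIG_FANOTIFY */
    DIAG_NO_PERM_EVENTS,    /* EINVAL marking FAN_OPEN_PERM: likely no CONFIG_FANOTIFY_ACCESS_PERMISSIONS */
    DIAG_BAD_PATH,          /* ENOENT/ENOTDIR: the include path does not exist on the host */
    DIAG_OTHER
};

/* Pure mapping (step, errno) -> diagnosis, following fanotify_init(2) and fanotify_mark(2). */
enum fan_diag classify_fanotify_error(enum fan_step step, int err)
{
    if (err == 0)                           return DIAG_OK;
    if (err == ENOSYS)                      return DIAG_NO_FANOTIFY;
    if (step == STEP_INIT && err == EPERM)  return DIAG_NO_CAP_SYS_ADMIN;
    if (step == STEP_MARK && err == EINVAL) return DIAG_NO_PERM_EVENTS;
    if (step == STEP_MARK && (err == ENOENT || err == ENOTDIR)) return DIAG_BAD_PATH;
    return DIAG_OTHER;
}

/* Same two calls a blocking (OnAccessPrevention) scanner needs: a content-class fanotify
 * group, then a permission mark on the directory. The fd is closed at once, dropping the mark. */
enum fan_diag probe_fanotify(const char *path, int *err_out)
{
    int fd = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC | FAN_NONBLOCK, O_RDONLY);
    if (fd < 0) { *err_out = errno; return classify_fanotify_error(STEP_INIT, *err_out); }
    int rc = fanotify_mark(fd, FAN_MARK_ADD, FAN_OPEN_PERM | FAN_EVENT_ON_CHILD, AT_FDCWD, path);
    *err_out = rc < 0 ? errno : 0;
    close(fd);
    return classify_fanotify_error(STEP_MARK, *err_out);
}

int main(int argc, char **argv)
{
    /* Default is the OnAccessIncludePath from the thread; pass another directory as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/var/lib/lxd/containers/myportal/home";
    int err = 0;
    enum fan_diag d = probe_fanotify(path, &err);
    printf("euid=%u path=%s diag=%d (%s)\n", (unsigned)geteuid(), path, (int)d,
           err ? strerror(err) : "ok");
    return d == DIAG_OK ? 0 : 1;
}
```

DIAG_NO_CAP_SYS_ADMIN with euid 0 means the process has root's uid but not the host's CAP_SYS_ADMIN (a reduced capability bounding set, a seccomp filter, or root inside a user namespace such as an unprivileged container).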