Hi Ian,

It's my understanding that on-access scanning features in ClamAV 0.100 and 0.101 run in newly created threads for each scan, outside of the normal clamd scanning thread pool. It's no surprise to me that clamdtop doesn't observe on-access scan activity in 0.100 or 0.101.

Resource management of these on-access scanning threads was a bit of a problem, which is why the "VirusEvent" and "ExtraScanning" features had been disabled. This, and the security concerns regarding scanning malware while clamd is running with root privileges (kinda the opposite of a sandboxed environment), led us to overhaul the on-access scanning features. In ClamAV 0.102 (just released), the on-access scanning feature is now a separate client program called clamonacc that submits scans to clamd, similar to how clamdscan and clamav-milter submit scans. Scans triggered by clamonacc should now show up in clamdtop.

-Micah

On 10/9/19, 8:37 PM, "clamav-users on behalf of Ian via clamav-users" <[email protected] on behalf of [email protected]> wrote:

I’m sure I’ve done something wrong, so hopefully I can give enough detail to discover what that is...

Ubuntu 18.04.3 LTS (4.15.0-1040-aws)

Installed packages:

ii clamav 0.100.3+dfsg-0ubuntu0.18.04.1 amd64 anti-virus utility for Unix - command-line interface
ii clamav-base 0.100.3+dfsg-0ubuntu0.18.04.1 all anti-virus utility for Unix - base package
ii clamav-daemon 0.100.3+dfsg-0ubuntu0.18.04.1 amd64 anti-virus utility for Unix - scanner daemon
ii clamav-freshclam 0.100.3+dfsg-0ubuntu0.18.04.1 amd64 anti-virus utility for Unix - virus database update utility
ii libclamav7:amd64 0.100.3+dfsg-0ubuntu0.18.04.1 amd64 anti-virus utility for Unix - library

I’ve enabled on-access scanning (detect only), changed the user to root and (hopefully) adjusted the socket information to work with these adjustments:

LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup root
LocalSocketMode 666
ScanOnAccess true

ls -la /var/run/clamav/clamd.ctl
srw-rw-rw- 1 root root 0 Oct 9 21:14 /var/run/clamav/clamd.ctl

Running clamdtop (sudo or otherwise) shows one entry for the daemon running on local. It correctly displays the version of the engine, db version, and dbtime.

If I use clamdscan, I see plenty of activity and an appropriate CPU utilization in both clamdtop and regular top. However, if I attempt to access files outside of calling clamdscan, clamdtop remains silent. Running top in a different window shows clamd using plenty of CPU resources, and I see /tmp/clamav*.tmp folders getting created, so I know it’s doing work.

What have I missed? AppArmor doesn’t seem to be getting in the middle of anything (dmesg and journalctl are silent about clamd) and SELinux is disabled.

Here’s my clamd.conf contents:

LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup root
LocalSocketMode 666
#User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted true
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
DetectBrokenExecutables false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA true
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
ScanOnAccess true
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OnAccessMountPath /
OnAccessMountPath /home
OnAccessMountPath /var/log
OnAccessMountPath /var/tmp
OnAccessPrevention false
OnAccessMountPath /tmp

And the custom rules I added for AppArmor in local/usr.sbin.clamd:

capability sys_admin,
capability dac_read_search,
/ r,
/** r,

_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
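To illustrate Micah's point that clamdscan, clamav-milter and (from 0.102) clamonacc are just clients that hand scans to clamd over its LocalSocket, here is an added example client, not ClamAV's own code: it encodes a buffer as a zINSTREAM request, parses clamd's reply, and assumes the socket path from Ian's clamd.conf plus the public EICAR test string as constructed input.

```python
"""Minimal clamd client (added example, not ClamAV project code).
Submits a buffer the way clamdscan/clamonacc do, so the scan is handled by
clamd's own thread pool and appears in clamdtop."""
import socket
import struct
from typing import Optional, Tuple

SOCKET_PATH = "/var/run/clamav/clamd.ctl"  # LocalSocket from the quoted clamd.conf
# Constructed sample input: the harmless EICAR test string, split in two so
# this source file is not itself flagged by an on-access scanner.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR" + b"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_frames(data: bytes, chunk: int = 4096) -> bytes:
    """Encode data as a zINSTREAM request: NUL-terminated command, then
    4-byte big-endian length-prefixed chunks, ended by a zero-length chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out.append(struct.pack(">I", len(piece)) + piece)
    out.append(struct.pack(">I", 0))
    return b"".join(out)


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Map 'stream: OK', 'stream: <sig> FOUND' or '... ERROR' (NUL-terminated,
    because the command used the 'z' prefix) to (status, signature)."""
    text = reply.rstrip(b"\0\n").decode(errors="replace")
    _, _, verdict = text.partition(": ")
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[: -len(" FOUND")]
    if verdict.endswith(" ERROR"):
        return "ERROR", verdict
    return ("OK", None) if verdict == "OK" else ("UNKNOWN", verdict)


def scan_bytes(data: bytes, path: str = SOCKET_PATH, timeout: float = 30.0):
    """Send one buffer to a running clamd and return (status, signature)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):  # 'z' replies end with a NUL byte
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    print(scan_bytes(EICAR))  # status should be FOUND against a current database
```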
