Hi Ian,

Sorry about the delayed response. It looks like no one else got back to you. I'll try to answer inline, best I can...

Micah

On 10/11/19, 11:46 AM, "clamav-users on behalf of Ian via clamav-users" <clamav-users-boun...@lists.clamav.net on behalf of clamav-users@lists.clamav.net> wrote:

> 1) Does OnAccessPrevention mean that it blocks access to files when they are
> in the queue, while scanned, and forevermore if detected as malicious, or is
> it a subset of this? Conversely, if OnAccessPrevention is disabled, can I
> expect a performance boost since there should be no blocking at any point in
> the processing pipeline?

I believe you're correct in your initial guess. If Prevention is enabled, it would block access while in queue, while scanned, and forevermore if detected as malicious.

Yes, there is a notable performance boost if monitoring very active directories if prevention is disabled - In my own testing it was particularly noticeable in 0.102 with clamonacc + clamd. In less active directories, the on-access prevention blocking isn't really noticeable.

> 2) I’ve seen log entries like this when OnAccessPrevention is disabled, but
> it’s not clear if this was a file clamd would have temporarily blocked access
> to had it been able to get a lock on the file before it was removed?
>
> ScanOnAccess: /tmp/MLbtUsOc (deleted): (null) FOUND
>
> I assume linux doesn’t provide a means where clamd can easily hook into
> kernel file create events to do something like create additional hard links
> to transient files so that it can leisurely scan them while letting the
> originating app think it has deleted the file and move on?

I don't know if it's possible to use the same feature that Prevention uses to temporarily block access just long enough to make a hard link so the file isn't deleted before it is scanned. That seems like a clever idea. I'll see if we can look into it.

> 3) Is OnAccessPrevention global? There are directories where I’d like to
> know about findings but not otherwise act on, however I would prefer to
> enable prevention for other areas of the system.
>
> Related, is it possible to have different actions depending on different
> types/families of malicious files? For instance if I’m running a linux
> system, I may be more concerned with native binaries than Windows executables.

Prevention is global. In 0.102 you can run multiple clamonacc clients, and use the clamonacc --config-file=FILE command line option to specify different configs to get this effect.

Regarding different actions, I don't think there is a way to do different actions by file type.

> 4) LeaveTemporaryFiles — is there a version of this but only when a
> detection is found? Or a LeaveHardlinks for found items that I can later
> investigate myself?

LeaveTemporaryFiles will only leave behind stuff that is extracted in the course of a scan (normalized file content, archive contents, etc). It's useful for analysts to investigate file contents, and write signatures - but probably less useful for investigating a detection. The clamonacc --copy=DIRECTORY command line should provide that functionality.

> Thanks and sorry for the grouping of questions — I didn’t want to spam the
> list with different threads.
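The split-config approach Micah describes for question 3 (one clamonacc client with prevention, another that only reports) and the --copy option from question 4, written out as an added example; this is not code from the thread or from the ClamAV project. The socket path, the watched directories, the log and quarantine paths, and the config file names are assumptions chosen for illustration; the option names (LocalSocket, OnAccessIncludePath, OnAccessPrevention, OnAccessExcludeUname, --config-file, --fdpass, --copy, --log) are real 0.102 options.

```sh
#!/bin/sh
# Added example (not from the thread): generate two clamd.conf-style files so
# that one watched tree runs with OnAccessPrevention and another is detect-only
# with --copy, each driven by its own clamonacc client. Paths, socket and file
# names are assumptions for illustration.

set -eu

# Write the two per-client config files into $1. Both point at the same clamd
# socket (assumed path); they differ only in the OnAccess* section.
write_onacc_configs() {
    dir="$1"
    socket="/run/clamav/clamd.sock"   # assumed LocalSocket of the running clamd

    # Client A: block access to files under the upload tree while they are
    # queued, scanned, or found malicious (prevention on).
    cat > "$dir/clamd-prevent.conf" <<EOF
LocalSocket $socket
OnAccessIncludePath /srv/uploads
OnAccessPrevention yes
OnAccessExcludeUname clamav
EOF

    # Client B: only report, never block; keep a copy of each hit for analysis.
    cat > "$dir/clamd-notify.conf" <<EOF
LocalSocket $socket
OnAccessIncludePath /home
OnAccessPrevention no
OnAccessExcludeUname clamav
EOF
}

# Print the two launch commands (run as root; clamonacc needs fanotify).
# --copy=DIRECTORY preserves detected files for later investigation instead of
# relying on LeaveTemporaryFiles, which only keeps extracted scan artifacts.
onacc_launch_commands() {
    dir="$1"
    echo "clamonacc --config-file=$dir/clamd-prevent.conf --fdpass --log=/var/log/clamav/clamonacc-prevent.log"
    echo "clamonacc --config-file=$dir/clamd-notify.conf --fdpass --copy=/var/quarantine/onaccess --log=/var/log/clamav/clamonacc-notify.log"
}

# Sanity check: how many generated configs enable prevention (expect exactly 1).
prevention_count() {
    grep -l '^OnAccessPrevention yes' "$1"/clamd-*.conf | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_onacc_configs "$tmp"
    onacc_launch_commands "$tmp"
fi
```

Run with `--demo` to see the generated commands. Because prevention is global per clamonacc process, the busy tree under /home pays no blocking cost, while /srv/uploads still gets the access block Micah describes.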