Hi there,

On Wed, 12 May 2021, Hoevenaar, Jeffrey (GE Aviation, US) via clamav-users wrote:

> Trying to configure clamav/clamonacc on RHEL8. I am new to clamav.

Welcome to the list. :)

> Do the status of these services look correct??? ... Any feedback would be helpful.
I hung back a bit after seeing your mail hoping that someone else will step in who's using what you're using, but as nobody has I'll chip in.

I don't use the tools that you are using to manage services, so I can't tell you if they're making sense, but I can suggest ways to investigate which will apply to any Linux/Unix system. I also don't use on-access scanning - I only use ClamAV for scanning mail, and with some of the third-party databases - so our use cases are very different.

The first thing I'd check is that there's a process running (and only one process) called clamd, that it's using around a gigabyte of RAM, which seems to be the case, and that it responds to a PING.

You can check that it's running with the 'top' utility. Sort top's output on the screen by memory usage. The clamd daemon will probably be at the top of the list. Unless you have lots of file access to areas protected by the on-access scanning, most of the time it probably won't be using much CPU. Give it something to scan and it will use a core.

Be aware that it can take a while for the daemon to start, because it has a lot of work to do to populate the signature database in RAM; anywhere between a few seconds and a few minutes, depending on the system spec. While it's starting, clamd will use a lot of CPU. You can watch that with top.

The 'PING' command isn't the 'ping' that you'd use to check that some network interface is alive. It's sent to the daemon over the socket to which it's configured to listen. You can use something like netcat or telnet to communicate with the daemon. See the clamd 'man' page.

I run a separate clamd server on our network and so I use TCP sockets. Here's a cut'n'paste of me sending a PING command to the daemon from my laptop:

    laptop3:~$ >>> telnet 192.168.4.7 3313
    Trying 192.168.4.7...
    Connected to 192.168.4.7.
    Escape character is '^]'.
    PING
    PONG [1620857300]
    Connection closed by foreign host.
    laptop3:~$ >>>

I typed the 'telnet' command line and the word 'PING' (plus 'enter'). I routinely run a patched clamd. You won't see the number in square brackets in your output (it's just the seconds since the epoch of the last DB reload).

Also the port in the clamd.conf example is usually 3310, not 3313. See that, and the clamd.conf 'man' page, for more info. Also very possibly your distro doesn't have a file called clamd.conf, I wish they wouldn't do things like that but it happens. You may need to poke around a bit to find all the bits of configuration, I don't know.

The second thing I'd check (if I were to use on-access scanning, which I don't) would be that the configuration is actually causing scans to take place on access. Drop the EICAR test file in a protected place, and try to list it with a pager or something. That should give you an access denied error.

Can you tell us a bit more about how you want to use ClamAV?

My list address only accepts mail from this list.

HTH

--
73,
Ged.
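A scripted version of the two checks Ged describes (PING over the clamd socket, and an EICAR scan), added here as an example and not part of the list message or of ClamAV itself. It assumes clamd is listening on TCP; host and port are constructed defaults, and the EICAR string is sent with clamd's INSTREAM command so nothing has to be written into an on-access-protected directory.

```python
import socket
import struct

# Constructed defaults: 3310 is the usual clamd.conf TCP example port
# (the mail's author runs his own clamd on a non-default 3313).
CLAMD_HOST, CLAMD_PORT = "127.0.0.1", 3310
# The standard EICAR test string: harmless, flagged by every scanner as a test file.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def frame_command(name: str) -> bytes:
    """clamd takes 'zCMD\\0' (NUL-terminated) or 'nCMD\\n'; the z form is used here."""
    return b"z" + name.encode("ascii") + b"\x00"

def build_instream(data: bytes, chunk: int = 2048) -> bytes:
    """INSTREAM framing: big-endian u32 length + bytes per chunk, ended by a zero length."""
    out = bytearray(frame_command("INSTREAM"))
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out += struct.pack("!I", len(piece)) + piece
    out += struct.pack("!I", 0)
    return bytes(out)

def parse_scan_reply(reply: str):
    """'stream: OK' -> ('OK', None); 'stream: Name FOUND' -> ('FOUND', 'Name')."""
    _, _, verdict = reply.strip().partition(": ")
    if verdict == "OK":
        return "OK", None
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    return "ERROR", verdict

def talk(payload: bytes, host=CLAMD_HOST, port=CLAMD_PORT, timeout=30.0) -> str:
    """Send one framed request and read the NUL-terminated reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        buf = b""
        while not buf.endswith(b"\x00"):
            part = s.recv(4096)
            if not part:
                break
            buf += part
    return buf.rstrip(b"\x00").decode("utf-8", "replace")

def clamd_alive(host=CLAMD_HOST, port=CLAMD_PORT) -> bool:
    """The PING check from the mail: a healthy clamd answers PONG (a patched one may append extra text)."""
    return talk(frame_command("PING"), host, port).startswith("PONG")

if __name__ == "__main__":
    print("PING ->", "PONG" if clamd_alive() else "no answer")
    print("EICAR ->", parse_scan_reply(talk(build_instream(EICAR))))
```

A stock clamd reports the EICAR stream as FOUND with whatever signature name the current database carries; a daemon that is still loading its database will simply not answer the PING within the timeout.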
