Hi,
So I couldn't get the clamonacc scanner running on the host VM to detect
files in the Docker container by watching the overlay file system where
the Docker filesystems are mounted on the host. It seems like that is
not possible with clam tools, so I am trying a different configuration
now (a helpful suggestion from Andrew Aitchison). I have clamonacc
running in the Docker container (clamonacc --move=/infected --foreground
--log=/tmp/clamonacc.log --verbose), and clamd server running in the
host VM (clamd --foreground --debug), with communication between the two
via a TCP port/IP address configured in clamd.conf, of which the container
and host each have a copy.
Now the clamonacc running in the container can ping the clamd:
tpj@tpj-VirtualBox: clamonacc --ping 10
PONG
which suggests the TCP address/port configuration is correct between the
two. Also, when I shell into the clamonacc container and access an
eincar.txt test malware file that I installed when building the
container, the clamonacc detects me touching the file and indicates
scanning has begun, as seen from its log output:
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file
'/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
But then nothing else happens, there is no notification about eincar.txt
being a malware file and it is not moved to the quarantine folder. There
is nothing further in the clamonacc log and nothing appears in the clamd
log indicating that scanning has taken place at that end. The logging is
not particularly verbose and I can't see how to get any further
information out about what has happened.
If I just create an innocuous file such as
echo "hello" > test.txt
in the same directory /home/ubuntu/clam_test/clam_test_sub_dir/, I see
the following log messages from clamonacc:
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file
'/home/ubuntu/clam_test/clam_test_sub_dir/test.txt'
but test.txt is a benign file; this just shows that clamonacc sees all
files on the watched path.
Why is this not working? It feels like I'm nearly there but it doesn't
work. Is there anything else I can do to get more information out?
I'm using the following in clamd.conf:
OnAccessIncludePath /home/ubuntu
OnAccessExcludeUname clamav
#OnAccessPrevention yes
and here is the complete log output from clamonacc:
root@7b58bc699d7b:/# clamonacc --move=/infected --foreground
--log=/tmp/clamonacc.log --verbose
--------------------------------------
ClamClient: client setup to scan via streaming
Clamonacc: daemon is remote
ClamFanotif: kernel-level blocking feature disabled ...
ClamFanotif: max file size limited to 5242880 bytes
ClamScanQueue: initializing event queue consumer ... (5) threads in
thread pool
Clamonacc: beginning event loops
ClamFanotif: starting fanotify event loop with process id (67) ...
ClamInotif: starting inotify event loop ...
ClamInotif: dynamically determining directory hierarchy...
ClamInotif: watching '/home/ubuntu' (and all sub-directories)
Excluding temp directory: /tmp
ClamScanQueue: waiting to consume events ...
ClamInotif: NVM, didn't actually need to exclude '/tmp'
ClamFanotif: attempting to feed consumer queue
ClamFanotif: attempting to feed consumer queue
ClamMisc: $/proc/76 vanished before UIDs could be excluded; scanning anyway
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file
'/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt.copy'
ClamWorker: performing scanning on file
'/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
ClamWorker: performing scanning on file
'/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
and from clamd:
tpj@ubuntu_box:/# clamd --foreground --debug
Limits: Global time limit set to 120000 milliseconds.
Limits: Global size limit set to 419430400 bytes.
Limits: File size limit set to 104857600 bytes.
Limits: Recursion level limit set to 17.
Limits: Files limit set to 10000.
Limits: Core-dump limit is 18446744073709551615.
Limits: MaxEmbeddedPE limit set to 41943040 bytes.
Limits: MaxHTMLNormalize limit set to 41943040 bytes.
Limits: MaxHTMLNoTags limit set to 8388608 bytes.
Limits: MaxScriptNormalize limit set to 20971520 bytes.
Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Limits: MaxPartitions limit set to 50.
Limits: MaxIconsPE limit set to 100.
Limits: MaxRecHWP3 limit set to 16.
Limits: PCREMatchLimit limit set to 100000.
Limits: PCRERecMatchLimit limit set to 2000.
Limits: PCREMaxFileSize limit set to 104857600.
Archive support enabled.
Image (graphics) scanning support enabled.
Detection using image fuzzy hash enabled.
AlertExceedsMax heuristic detection disabled.
Heuristic alerts enabled.
Portable Executable support enabled.
ELF support enabled.
Mail files support enabled.
OLE2 support enabled.
PDF support enabled.
SWF support enabled.
HTML support enabled.
XMLDOCS support enabled.
HWP3 support enabled.
OneNote support enabled.
Self checking every 600 seconds.
Listening daemon: PID: 14
MaxQueue set to: 100
SelfCheck: Database status OK.
SelfCheck: Database status OK.
SelfCheck: Database status OK.
Any help as always much appreciated.
Thomas
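One way to isolate whether clamd on the host actually scans what the container streams to it, as an added example (not from the original post or from the ClamAV project): a small Python client that speaks the clamd zPING and zINSTREAM commands over the same TCP socket clamonacc uses, so a file can be submitted from inside the container without clamonacc in the path. The host address and port below are assumptions; set them to the TCPAddr/TCPSocket values in the shared clamd.conf.

```python
# Added example: probe clamd over TCP with the INSTREAM protocol (not ClamAV code).
import socket
import struct
import sys

CLAMD_HOST = "10.0.2.2"   # assumption: host VM address as seen from the container
CLAMD_PORT = 3310         # assumption: clamd default TCPSocket
CHUNK = 8192


def frame_instream(data: bytes, chunk: int = CHUNK) -> bytes:
    """Build one zINSTREAM request: NUL-terminated command, then chunks each
    prefixed with a 4-byte big-endian length, ended by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out += struct.pack("!I", len(piece)) + piece
    out += struct.pack("!I", 0)
    return bytes(out)


def parse_verdict(reply: bytes):
    """Map 'stream: <sig> FOUND' to ('FOUND', sig), 'stream: OK' to ('OK', None),
    and anything else (e.g. 'INSTREAM size limit exceeded. ERROR') to ('ERROR', text)."""
    text = reply.rstrip(b"\0").decode(errors="replace").strip()
    body = text[len("stream: "):] if text.startswith("stream: ") else text
    if body == "OK":
        return "OK", None
    if body.endswith(" FOUND"):
        return "FOUND", body[:-len(" FOUND")]
    return "ERROR", body


def scan_bytes(data: bytes, host: str = CLAMD_HOST, port: int = CLAMD_PORT, timeout: float = 30.0):
    """Check reachability with zPING, then stream the data on a fresh connection
    (clamd serves one command per connection unless IDSESSION is used)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"zPING\0")
        if s.recv(64).rstrip(b"\0") != b"PONG":
            raise RuntimeError("clamd did not answer PING")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):      # z-commands get a NUL-terminated reply
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_verdict(reply)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:   # e.g. the test file on the watched path
        print(scan_bytes(f.read()))
```

Run it from inside the container against the same file clamonacc reports scanning; a verdict coming back here while clamonacc stays silent narrows the problem to the clamonacc side, and an ERROR reply shows the reason clamd gives for refusing the stream.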
_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users