FWIW, it seems that what happened was the Docker build process stripped out some characters from the eincar string (not shown in here but hard coded in the Dockerfile and represented by eincar_test_string) when executing the instruction

RUN echo "eincar_test_string" > /home/Ubuntu/clam_test/clam_test_subdir/eincar.txt

in the Dockerfile I used to build the image for running clamonacc. Not sure why that is.

On Thu, 13 Nov 2025, 15:31 THOMAS JORDAN, <[email protected]> wrote:

> Operator error. I had managed somehow to drop a dollar sign from the
> middle of the eicar string I was writing to a file in the clamonacc Docker
> build. I went back and compared the md5sum against the one I'd originally
> copied from the web (my eyesight is not what it once was). Now both the
> clamonacc and clamd logs report that eicar signature was found and the file
> is moved to quarantine directory. So it looks like it is working fine after
> all. Thanks all for your help and apologies for being a biff in this
> instance.
>
> On Thu, 13 Nov 2025, 15:19 Newcomer01 via clamav-users, <
> [email protected]> wrote:
>
>> okay please check https://docs.clamav.net/manual/Usage/Scanning.html
>>
>> Von / From: Thomas Jordan <[email protected]>
>> An / To: Newcomer01 <[email protected]>
>> Gesendet / Sent: Mittwoch, November 13, 2025 um 15:25 (at 03:25 PM) +0100
>> Betreff / Subject: Re: [clamav-users] clamonacc detects file and says
>> scanning of file has started but then nothing happens
>>
>> I have now downloaded and installed the latest 1.5.1 deb package and
>> still get exactly the same result.
>> Is there nothing I can look at to see where it is getting stuck? Any
>> configuration option that I might be unaware of? The log output is just not
>> helpful.
>>
>> On Thu, 13 Nov 2025, 13:05 Newcomer01 via clamav-users, <
>> [email protected]> wrote:
>>
>>> with classical I mean the non LTS version
>>>
>>> Von / From: Thomas Jordan <[email protected]>
>>> An / To: Newcomer01 <[email protected]>
>>> Gesendet / Sent: Mittwoch, November 13, 2025 um 13:23 (at 01:23 PM) +0100
>>> Betreff / Subject: Re: [clamav-users] clamonacc detects file and says
>>> scanning of file has started but then nothing happens
>>>
>>> clamd --version - ClamAV 1.4.3/27818/Mon Nov 10 10:44:43 2025
>>>
>>> Ubuntu version (cat /etc/release) - VERSION="24.04.3 LTS (Noble Numbat)"
>>>
>>> What do you mean by 'classical' 24.04?
>>>
>>> On Thu, 13 Nov 2025, 02:57 Newcomer01 via clamav-users, <
>>> [email protected]> wrote:
>>>
>>>> on Ubuntu 24.04 LTS it should be 1.4.3, on classical 24.04 maybe a
>>>> newer one
>>>>
>>>> Von / From: Thomas Jordan <[email protected]>
>>>> An / To: Newcomer01 <[email protected]>
>>>> Gesendet / Sent: Mittwoch, November 13, 2025 um 00:08 (at 12:08 AM) +0100
>>>> Betreff / Subject: Re: [clamav-users] clamonacc detects file and says
>>>> scanning of file has started but then nothing happens
>>>>
>>>> Ubuntu 24.04 and whatever version of ClamAV got installed by apt today,
>>>> I'll confirm exact version when I get back into work tomorrow.
>>>>
>>>> On Wed, 12 Nov 2025, 21:30 Newcomer01 via clamav-users, <
>>>> [email protected]> wrote:
>>>>
>>>>> which Ubuntu Version is running and which ClamAV Version?
>>>>>
>>>>> Von / From: Tom Jordan Via Clamav-Users <[email protected]>
>>>>> An / To: Newcomer01 <[email protected]>
>>>>> CC / CC: Tom Jordan <[email protected]>
>>>>> Gesendet / Sent: Dienstag, November 12, 2025 um 21:46 (at 09:46 PM) +0100
>>>>> Betreff / Subject: [clamav-users] clamonacc detects file and says
>>>>> scanning of file has started but then nothing happens
>>>>>
>>>>> Hi,
>>>>>
>>>>> So I couldn't get the clamonacc scanner running on the host VM to
>>>>> detect files in the Docker container by watching the overlay file system
>>>>> where the Docker filesystems are mounted on the host. It seems like that
>>>>> is not possible with clam tools, so I am trying a different configuration
>>>>> now (a helpful suggestion from Andrew Aitchison). I have clamonacc running
>>>>> in the Docker container (clamonacc --move=/infected --foreground
>>>>> --log=/tmp/clamonacc.log --verbose), and clamd server running in the host
>>>>> VM (clamd --foreground --debug), with communication between the two via a
>>>>> TCP port/IP address configured in clamd.conf, which container and host
>>>>> each have a copy of same.
>>>>>
>>>>> Now the clamonacc running in the container can ping the clamd:
>>>>>
>>>>> tpj@tpj-VirtualBox: clamonacc --ping 10
>>>>> PONG
>>>>>
>>>>> which suggests the TCP address/port configuration is correct between
>>>>> the two. Also, when I shell into the clamonacc container and access an
>>>>> eincar.txt test malware file that I installed when building the container,
>>>>> the clamonacc detects me touching the file and indicates scanning has
>>>>> begun, as seen from its log output:
>>>>>
>>>>> ClamFanotif: attempting to feed consumer queue
>>>>> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
>>>>>
>>>>> But then nothing else happens, there is no notification about
>>>>> eincar.txt being a malware file and it is not moved to the quarantine
>>>>> folder. There is nothing further in the clamonacc log and nothing appears
>>>>> in the clamd log indicating that scanning has taken place at that end. The
>>>>> logging is not particularly verbose and I can't see how to get any further
>>>>> information out about what has happened.
>>>>>
>>>>> If I just create an innocuous file such as
>>>>>
>>>>> echo "hello" > test.txt
>>>>>
>>>>> in the same directory /home/ubuntu/clam_test/clam_test_sub_dir/, I see
>>>>> the following log messages from clamonacc:
>>>>>
>>>>> ClamFanotif: attempting to feed consumer queue
>>>>> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/test.txt'
>>>>>
>>>>> but test.txt is a benign file, this just shows that clamonacc sees
>>>>> all files on the watched path.
>>>>>
>>>>> Why is this not working? It feels like I'm nearly there but it doesn't
>>>>> work. Is there anything else I can do to get more information out?
>>>>>
>>>>> I'm using the following in clamd.conf:
>>>>>
>>>>> OnAccessIncludePath /home/ubuntu
>>>>> OnAccessExcludeUname clamav
>>>>> #OnAccessPrevention yes
>>>>>
>>>>> and here is the complete log output from clamonacc:
>>>>>
>>>>> root@7b58bc699d7b:/# clamonacc --move=/infected --foreground --log=/tmp/clamonacc.log --verbose
>>>>> --------------------------------------
>>>>> ClamClient: client setup to scan via streaming
>>>>> Clamonacc: daemon is remote
>>>>> ClamFanotif: kernel-level blocking feature disabled ...
>>>>> ClamFanotif: max file size limited to 5242880 bytes
>>>>> ClamScanQueue: initializing event queue consumer ... (5) threads in thread pool
>>>>> Clamonacc: beginning event loops
>>>>> ClamFanotif: starting fanotify event loop with process id (67) ...
>>>>> ClamInotif: starting inotify event loop ...
>>>>> ClamInotif: dynamically determining directory hierarchy...
>>>>> ClamInotif: watching '/home/ubuntu' (and all sub-directories)
>>>>> Excluding temp directory: /tmp
>>>>> ClamScanQueue: waiting to consume events ...
>>>>> ClamInotif: NVM, didn't actually need to exclude '/tmp'
>>>>> ClamFanotif: attempting to feed consumer queue
>>>>> ClamFanotif: attempting to feed consumer queue
>>>>> ClamMisc: $/proc/76 vanished before UIDs could be excluded; scanning anyway
>>>>> ClamFanotif: attempting to feed consumer queue
>>>>> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt.copy'
>>>>> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
>>>>> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
>>>>>
>>>>> and from clamd:
>>>>>
>>>>> tpj@ubuntu_box:/# clamd --foreground --debug
>>>>> Limits: Global time limit set to 120000 milliseconds.
>>>>> Limits: Global size limit set to 419430400 bytes.
>>>>> Limits: File size limit set to 104857600 bytes.
>>>>> Limits: Recursion level limit set to 17.
>>>>> Limits: Files limit set to 10000.
>>>>> Limits: Core-dump limit is 18446744073709551615.
>>>>> Limits: MaxEmbeddedPE limit set to 41943040 bytes.
>>>>> Limits: MaxHTMLNormalize limit set to 41943040 bytes.
>>>>> Limits: MaxHTMLNoTags limit set to 8388608 bytes.
>>>>> Limits: MaxScriptNormalize limit set to 20971520 bytes.
>>>>> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
>>>>> Limits: MaxPartitions limit set to 50.
>>>>> Limits: MaxIconsPE limit set to 100.
>>>>> Limits: MaxRecHWP3 limit set to 16.
>>>>> Limits: PCREMatchLimit limit set to 100000.
>>>>> Limits: PCRERecMatchLimit limit set to 2000.
>>>>> Limits: PCREMaxFileSize limit set to 104857600.
>>>>> Archive support enabled.
>>>>> Image (graphics) scanning support enabled.
>>>>> Detection using image fuzzy hash enabled.
>>>>> AlertExceedsMax heuristic detection disabled.
>>>>> Heuristic alerts enabled.
>>>>> Portable Executable support enabled.
>>>>> ELF support enabled.
>>>>> Mail files support enabled.
>>>>> OLE2 support enabled.
>>>>> PDF support enabled.
>>>>> SWF support enabled.
>>>>> HTML support enabled.
>>>>> XMLDOCS support enabled.
>>>>> HWP3 support enabled.
>>>>> OneNote support enabled.
>>>>> Self checking every 600 seconds.
>>>>> Listening daemon: PID: 14
>>>>> MaxQueue set to: 100
>>>>> SelfCheck: Database status OK.
>>>>> SelfCheck: Database status OK.
>>>>> SelfCheck: Database status OK.
>>>>>
>>>>> Any help as always much appreciated.
>>>>>
>>>>> Thomas
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
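
Added example, not part of the original thread or of ClamAV: one way a `RUN echo "..."` step can lose bytes is ordinary shell expansion, since Docker runs a shell-form `RUN` through `/bin/sh -c` and a double-quoted string has each `$WORD` run expanded. The script assumes that is the cause here; `SAMPLE` is a constructed stand-in that copies only the `$` pattern from the tail of the EICAR test string, and the function names are illustrative.

```shell
#!/bin/sh
# Constructed stand-in, NOT the real EICAR string: it only reproduces the two
# "$WORD" runs from the tail of the test string that a shell would expand.
SAMPLE='CONSTRUCTED-PREFIX$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Docker executes a shell-form `RUN <command>` as `/bin/sh -c "<command>"`, so
# sh -c stands in for the build step. env -i leaves EICAR and H unset, as they
# would be in a fresh image (assumption about the cause, see lead-in).

# Double quotes: the inner shell expands $EICAR and $H to empty strings.
write_double_quoted() {   # $1 = output path
    env -i /bin/sh -c "printf '%s' \"$SAMPLE\" > '$1'"
}

# Single quotes: the inner shell passes every byte through untouched.
write_single_quoted() {   # $1 = output path
    env -i /bin/sh -c "printf '%s' '$SAMPLE' > '$1'"
}

# Succeeds only if the file is byte-for-byte the expected string.
matches_expected() {      # $1 = file to check
    printf '%s' "$SAMPLE" | cmp -s - "$1"
}

# Prints how many bytes the file is short of the expected string.
bytes_lost() {            # $1 = file to check
    echo $(( ${#SAMPLE} - $(wc -c < "$1") ))
}

demo_dir=$(mktemp -d)
write_double_quoted "$demo_dir/double.txt"
write_single_quoted "$demo_dir/single.txt"
for f in double single; do
    if matches_expected "$demo_dir/$f.txt"; then status=intact; else status=CORRUPTED; fi
    echo "$f-quoted: $status, $(bytes_lost "$demo_dir/$f.txt") bytes lost: $(cat "$demo_dir/$f.txt")"
done
rm -rf "$demo_dir"
```

A byte-for-byte or checksum comparison inside the build step itself catches this before the on-access test is ever run against a file that no longer matches the signature.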
