That sounds like shell variable substitution, where a dollar followed by
the name of a variable is replaced with the value of that variable (or
nothing if a value hasn't been set). If you use single quotes instead
of double quotes around the eicar test string, that will probably
suppress substitutions.
Mark.
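The substitution described above, reproduced as an added example that is not part of the original message: a Dockerfile RUN line is handed to /bin/sh -c, where a double-quoted string loses every $NAME whose variable is unset, while single quotes keep it byte for byte. SAMPLE is a constructed stand-in (not the real test string), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed stand-in shaped like the test string: two '$' signs, each followed
# by letters the shell reads as a variable name. It is NOT the real EICAR string.
SAMPLE='AB[4\PZ)7}$MARKER-TEST-FILE!$H+H*'

# Hypothetical helper: run the command text a Dockerfile RUN line hands to
# `/bin/sh -c`, wrapping SAMPLE in the quote character $1 and writing to file $2.
# MARKER and H are unset first, as they would be in a fresh build shell.
run_echo() {
    quote=$1
    out=$2
    ( unset MARKER H; sh -c "printf '%s' ${quote}${SAMPLE}${quote} > '$out'" )
}

# Same double-quoted command under `sh -u`: expanding an unset variable becomes
# an error, so the step fails instead of silently writing a shortened string.
run_echo_strict() {
    ( unset MARKER H; sh -u -c "printf '%s' \"${SAMPLE}\" > '$1'" ) 2>/dev/null
}

# Count '$' characters in a file: a cheap integrity check after the build step.
dollars() {
    tr -cd '$' < "$1" | wc -c | tr -d ' '
}

# Write the sample both ways and show what actually landed on disk.
demo() {
    dir=$(mktemp -d)
    run_echo '"' "$dir/double.txt"
    run_echo "'" "$dir/single.txt"
    printf 'double: %s (dollar signs: %s)\n' \
        "$(cat "$dir/double.txt")" "$(dollars "$dir/double.txt")"
    printf 'single: %s (dollar signs: %s)\n' \
        "$(cat "$dir/single.txt")" "$(dollars "$dir/single.txt")"
    run_echo_strict "$dir/strict.txt" || printf 'sh -u: step failed as intended\n'
    rm -rf "$dir"
}
demo
```

Comparing a checksum of the written file against one taken from a trusted copy, as done later in the thread, catches the same loss when the shell is not run with -u.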
THOMAS JORDAN via clamav-users wrote:
FWIW, it seems that what happened was the Docker build process stripped
out some characters from the eicar string (not shown in here but hard
coded in the Dockerfile and represented by eincar_test_string) when
executing the instruction
RUN echo "eincar_test_string" > /home/Ubuntu/clam_test/clam_test_subdir/eincar.txt
in the Dockerfile I used to build the image for running clamonacc.
Not sure why that is.
On Thu, 13 Nov 2025, 15:31 THOMAS JORDAN wrote:
Operator error. I had managed somehow to drop a dollar sign from the
middle of the eicar string I was writing to a file in the clamonacc
Docker build. I went back and compared the md5sum against the one
I'd originally copied from the web (my eyesight is not what it once
was). Now both the clamonacc and clamd logs report that eicar
signature was found and the file is moved to quarantine directory.
So it looks like it is working fine after all. Thanks all for your
help and apologies for being a biff in this instance.
On Thu, 13 Nov 2025, 15:19 Newcomer01 via clamav-users wrote:
okay please check https://docs.clamav.net/manual/Usage/Scanning.html
From: Thomas Jordan
To: Newcomer01
Sent: Wednesday, November 13, 2025 at 15:25 (03:25 PM) +0100
Subject: Re: [clamav-users] clamonacc detects file and says scanning of file has started but then nothing happens
I have now downloaded and installed the latest 1.5.1 deb
package and still get exactly the same result.
Is there nothing I can look at to see where it is getting
stuck? Any configuration option that I might be unaware of?
The log output is just not helpful.
On Thu, 13 Nov 2025, 13:05 Newcomer01 via clamav-users wrote:
With classical I mean the non-LTS version
From: Thomas Jordan
To: Newcomer01
Sent: Wednesday, November 13, 2025 at 13:23 (01:23 PM) +0100
Subject: Re: [clamav-users] clamonacc detects file and says scanning of file has started but then nothing happens
clamd --version - ClamAV 1.4.3/27818/Mon Nov 10 10:44:43 2025
Ubuntu version (cat /etc/release) - VERSION="24.04.3 LTS (Noble Numbat)"
What do you mean by 'classical' 24.04?
On Thu, 13 Nov 2025, 02:57 Newcomer01 via clamav-users wrote:
on Ubuntu 24.04 LTS it should be 1.4.3, on classical
24.04 maybe a newer one
From: Thomas Jordan
To: Newcomer01
Sent: Wednesday, November 13, 2025 at 00:08 (12:08 AM) +0100
Subject: Re: [clamav-users] clamonacc detects file and says scanning of file has started but then nothing happens
Ubuntu 24.04 and whatever version of ClamAV got
installed by apt today, I'll confirm exact version
when I get back into work tomorrow.
On Wed, 12 Nov 2025, 21:30 Newcomer01 via clamav-users wrote:
Which Ubuntu version is running and which ClamAV version?
From: Tom Jordan via clamav-users
To: Newcomer01
CC: Tom Jordan
Sent: Tuesday, November 12, 2025 at 21:46 (09:46 PM) +0100
Subject: [clamav-users] clamonacc detects file and says scanning of file has started but then nothing happens
Hi,
So I couldn't get the clamonacc scanner running
on the host VM to detect files in the Docker
container by watching the overlay file system
where the Docker filesystems are mounted on the
host. It seems like that is not possible with
clam tools, so I am trying a different
configuration now (a helpful suggestion from
Andrew Aitchison). I have clamonacc running in
the Docker container (clamonacc
--move=/infected --foreground
--log=/tmp/clamonacc.log --verbose), and clamd
server running in the host VM (clamd
--foreground --debug), with communication
between the two via a TCP port/IP address
configured in clamd.conf, which container and
host each have a copy of same.
Now the clamonacc running in the container can
ping the clamd:
tpj@tpj-VirtualBox: clamonacc --ping 10
PONG
which suggests the TCP address/port
configuration is correct between the two. Also,
when I shell into the clamonacc container and
access an eincar.txt test malware file that I
installed when building the container, the
clamonacc detects me touching the file and
indicates scanning has begun, as seen from its
log output:
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
But then nothing else happens, there is no
notification about eincar.txt being a malware
file and it is not moved to the quarantine
folder. There is nothing further in the
clamonacc log and nothing appears in the clamd
log indicating that scanning has taken place at
that end. The logging is not particularly
verbose and I can't see how to get any further
information out about what has happened.
If I just create an innocuous file such as
echo "hello" > test.txt
in the same directory
/home/ubuntu/clam_test/clam_test_sub_dir/, I
see the following log messages from clamonacc:
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/test.txt'
but test.txt is a benign file, this just shows
that clamonacc sees all files on the watched path.
Why is this not working? It feels like I'm
nearly there but it doesn't work. Is there
anything else I can do to get more information out?
I'm using the following in clamd.conf:
OnAccessIncludePath /home/ubuntu
OnAccessExcludeUname clamav
#OnAccessPrevention yes
and here is the complete log output from clamonacc:
root@7b58bc699d7b:/# clamonacc --move=/infected --foreground --log=/tmp/clamonacc.log --verbose
--------------------------------------
ClamClient: client setup to scan via streaming
Clamonacc: daemon is remote
ClamFanotif: kernel-level blocking feature disabled ...
ClamFanotif: max file size limited to 5242880 bytes
ClamScanQueue: initializing event queue consumer ... (5) threads in thread pool
Clamonacc: beginning event loops
ClamFanotif: starting fanotify event loop with process id (67) ...
ClamInotif: starting inotify event loop ...
ClamInotif: dynamically determining directory hierarchy...
ClamInotif: watching '/home/ubuntu' (and all sub-directories)
Excluding temp directory: /tmp
ClamScanQueue: waiting to consume events ...
ClamInotif: NVM, didn't actually need to exclude '/tmp'
ClamFanotif: attempting to feed consumer queue
ClamFanotif: attempting to feed consumer queue
ClamMisc: $/proc/76 vanished before UIDs could be excluded; scanning anyway
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt.copy'
ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
and from clamd:
tpj@ubuntu_box:/# clamd --foreground --debug
Limits: Global time limit set to 120000 milliseconds.
Limits: Global size limit set to 419430400 bytes.
Limits: File size limit set to 104857600 bytes.
Limits: Recursion level limit set to 17.
Limits: Files limit set to 10000.
Limits: Core-dump limit is 18446744073709551615.
Limits: MaxEmbeddedPE limit set to 41943040 bytes.
Limits: MaxHTMLNormalize limit set to 41943040 bytes.
Limits: MaxHTMLNoTags limit set to 8388608 bytes.
Limits: MaxScriptNormalize limit set to 20971520 bytes.
Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Limits: MaxPartitions limit set to 50.
Limits: MaxIconsPE limit set to 100.
Limits: MaxRecHWP3 limit set to 16.
Limits: PCREMatchLimit limit set to 100000.
Limits: PCRERecMatchLimit limit set to 2000.
Limits: PCREMaxFileSize limit set to 104857600.
Archive support enabled.
Image (graphics) scanning support enabled.
Detection using image fuzzy hash enabled.
AlertExceedsMax heuristic detection disabled.
Heuristic alerts enabled.
Portable Executable support enabled.
ELF support enabled.
Mail files support enabled.
OLE2 support enabled.
PDF support enabled.
SWF support enabled.
HTML support enabled.
XMLDOCS support enabled.
HWP3 support enabled.
OneNote support enabled.
Self checking every 600 seconds.
Listening daemon: PID: 14
MaxQueue set to: 100
SelfCheck: Database status OK.
SelfCheck: Database status OK.
SelfCheck: Database status OK.
Any help as always much appreciated.
Thomas
_______________________________________________
Manage your clamav-users mailing list subscription /
unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat