[clamav-users] IDSESSION debugging

2019-09-24 Thread Wreschnig, Alexander Scott via clamav-users
Hi all,

I was hoping someone might have some advice on debugging an IDSESSION command 
when streaming content to the clamav daemon. I'm trying to understand why small 
files (<=1 mb) are being processed appropriately but when I scale the file up 
to 2 mb or so, it just spins until it times out. There's nothing in the logs, 
and when I check clamdTOP it doesn't look like anything's actually made it to 
the daemon. Is there a better place to look for debugging information?

Thanks!

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
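A worked IDSESSION exchange, added here as an example and not code from the thread or from the ClamAV project: a minimal client that frames an INSTREAM the way clamd(8) describes it (z-prefixed, NUL-terminated commands; each chunk as a 4-byte big-endian length followed by the data; a zero-length chunk to finish) and reads replies on a separate thread while it writes, paired with a constructed stand-in for clamd so the whole thing runs offline over a socketpair. The 2 MiB payload, the stand-in's signature name, its 25M StreamMaxLength (the clamd.conf default) and the exact wording of its size-limit reply are assumptions made for the example. The reader thread is the thing worth ruling out first against a client that works at 1 MB and stalls at 2 MB: a client that only starts reading after it has written everything can block on a full socket buffer with nothing in the daemon log to show for it.

```python
import socket
import struct
import threading

# Constructed inputs, not real files: a ~2 MiB clean buffer (about the size at
# which the poster's client stalls) and the EICAR test string.
CLEAN_2MB = b"clamav-idsession-test\n" * (2 * 1024 * 1024 // 22)
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_frames(data, chunk_size=64 * 1024):
    """INSTREAM wire format: 4-byte big-endian length + chunk, ended by a
    zero-length chunk. chunk_size is arbitrary; stay under StreamMaxLength."""
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)


def parse_session_replies(raw):
    """NUL-terminated 'id: reply' lines (z-prefixed commands in an IDSESSION)."""
    out = []
    for line in raw.split(b"\0"):
        if line:
            ident, _, rest = line.partition(b": ")
            out.append((int(ident), rest.decode()))
    return out


def scan_in_session(sock, payload, chunk_size=64 * 1024):
    """One IDSESSION carrying one zINSTREAM. A reader thread drains the reply
    while we write, so we never block on a full socket buffer while clamd
    waits for us to read (assumption: the stall worth ruling out first)."""
    received = bytearray()

    def drain():
        while b"\0" not in received:
            buf = sock.recv(65536)
            if not buf:                      # clamd closed the connection
                return
            received.extend(buf)

    reader = threading.Thread(target=drain)
    reader.start()
    try:
        sock.sendall(b"zIDSESSION\0")
        sock.sendall(b"zINSTREAM\0")
        for frame in instream_frames(payload, chunk_size):
            sock.sendall(frame)
        reader.join()                        # verdict is in
        sock.sendall(b"zEND\0")
    except (BrokenPipeError, ConnectionResetError):
        pass                                 # clamd hung up, e.g. size limit
    reader.join()
    replies = parse_session_replies(bytes(received))
    return replies[0][1] if replies else "no reply"


def fake_clamd(conn, stream_max=25 * 1024 * 1024):
    """Stand-in for clamd, constructed for this offline example: speaks just
    enough of the protocol, flags a stream only if it contains EICAR (a real
    clamd uses another signature name) and enforces a StreamMaxLength (25M,
    the clamd.conf default) the way clamd does: error reply, then close."""
    with conn, conn.makefile("rb") as f:
        def command():                       # z-prefixed, NUL-terminated
            out = bytearray()
            while True:
                b = f.read(1)
                if b in (b"", b"\0"):
                    return bytes(out)
                out += b

        cmd_id = 0
        if command() != b"zIDSESSION":
            return
        while command() == b"zINSTREAM":     # zEND (or anything else) ends it
            cmd_id += 1
            data = bytearray()
            while True:
                header = f.read(4)
                if len(header) < 4:          # client went away mid-stream
                    return
                size = struct.unpack("!I", header)[0]
                if size == 0:
                    break
                data.extend(f.read(size))
                if len(data) > stream_max:
                    conn.sendall(b"%d: INSTREAM size limit exceeded. ERROR\0" % cmd_id)
                    return
            verdict = b"stream: Eicar-Test-Signature FOUND" if EICAR in data else b"stream: OK"
            conn.sendall(b"%d: %s\0" % (cmd_id, verdict))


def demo(payload, stream_max=25 * 1024 * 1024):
    """Run the client against the stand-in over a socketpair and return the verdict."""
    client, server = socket.socketpair()
    daemon = threading.Thread(target=fake_clamd, args=(server, stream_max))
    daemon.start()
    try:
        return scan_in_session(client, payload)
    finally:
        client.close()
        daemon.join()


if __name__ == "__main__":
    print(demo(CLEAN_2MB), "|", demo(EICAR), "|", demo(CLEAN_2MB, 1024 * 1024))
```

Against a real daemon, replace the socketpair with an AF_UNIX connect to the path in LocalSocket (or a TCP connect to TCPAddr/TCPSocket) and run clamd with LogVerbose and Debug turned on: a stream that is really arriving shows up there even when clamdtop looks idle, and a stream over StreamMaxLength comes back as an error reply followed by a closed connection, not as a hang.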


Re: [clamav-users] OnAccess renders system unusable in ~24h

2019-09-24 Thread G.W. Haywood via clamav-users

Hello again,

On Tue, 24 Sep 2019, Tim Stubbs wrote:

>> What kinds of threats do you care about?  If for example you're not
>> expecting your Linux boxes to be attacked by Windows malware you
>> could reduce the size of the ClamAV databases very significantly
>> which might improve scanning performance.
>
> Sorry could you point me in the right direction for how to do this?
> good hasn't helped me so far?

Check the archives for this list, it's been discussed recently how
to use an empty database.  That might be a good start.

--

73,
Ged.



Re: [clamav-users] Setting up logrotation

2019-09-24 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 24 Sep 2019, Lars Åhman wrote:

> I'm running clamav as a daemon on a fedora and basically keep it running
> 24/7 except for an occasional update every now and then.

It isn't clear to me from what you've written that you know what the
ClamAV daemon (clamd) actually does.  Do you?


> I want the main clamd log to rotate and have the LogFileMaxSize set
> to some small amount for testing purposes and LogRotate set to
> yes. I had no prior experience with any log rotation and here I
> learned that just these settings alone won't suffice to get the logs
> to rotate. Correct me if I'm wrong, but I think I have to set up a
> script to /etc/logrotate.d/ as well.


You stand corrected. :/

Log rotation can be done EITHER by the logrotate system (which usually
uses /etc/logrotate.conf and the files in /etc/logrotate.d) OR by some
other system (such as, in this case, a package which provides clamd).
You do not want both of them trying to do it, and IMO it's better to
leave things like that to the logrotate system - which already rotates
a lot of logs for you.  Simply don't set the logrotate configuration
option in clamd.conf (or set it to 'no' which is the default) and then
set up a logrotate configuration by creating a file in /etc/logrotate.d/
like J.R. suggested.  (In clamd.conf, that is, if you actually have a
clamd.conf - but we'll look at that later.)

But it gets worse: you can tell clamd to log to a file, or you can
tell it to use what we call 'syslog' instead.  The more experienced
administrators tend to use syslog because it offers quite a bit more
flexibility than is usually available from just writing to a file,
including being able to log to remote systems and choosing what kind
of messages to log and what to ignore.  There's more than one syslog
daemon that you can use too; I prefer syslog-ng, but let's not get
ahead of ourselves.  The downside is a little more configuration but
it really is worth getting used to syslog-style logging.

You can log both to a file *and* through syslog, but most of the time
that would just be a waste of CPU and storage.

For your introduction to all this I suggest you avoid syslog just now,
tell clamd to log to a file, and tell the logrotate system to do what
it does best by using a snippet like one posted by J.R.


> In /etc/logrotate.d/ the only clamav related file is called
> "clamav-update", though.


Not being familiar with how RedHat does things, I'll guess that this
is for the 'freshclam' logs.  The databases are normally updated by
the 'freshclam' utility, but they don't have to be.  It will usually
be configured to log things when it runs.


> Nothing clamd related. I'm pretty lost with the whole log rotation
> thing as I can't understand the connection between the scan.conf
> settings and the inbuilt logrotate on my fedora.


I can't help you with 'scan.conf' because I don't know what it is,
I've never seen a file of that name.  It doesn't come with ClamAV
when you get the original sources from clamav.net.  I'd hope that
whoever created it also documented it somewhere.  Normally I would
expect a file called 'clamd.conf' for the clamd configuration.  It
doesn't have to be called that name, but it normally is.  If it is
called something else then you can tell clamd on its command line,
see

man clamd

for more information about that.


> If possible I want to be able to keep running clamd without
> interruption while rotating logs when they get too big.


That's the way it's normally done.  There's one issue to address; when
the log files are rotated, the thing that's logging has to be told
either to close and re-open its log file (so that it starts writing to
the new, empty file instead of carrying on writing to the old one
which now has a different name) or, if it can't do that, simply to
shut down and restart so that it will find the new, empty file anyway.
Logrotate sends a signal to the thing that's logging to tell it to do
this.  You'll note that JR showed a second snippet for freshclam logs,
and he mentioned that he runs freshclam from cron, not as a daemon.
A daemon would need to be told to close and re-open its log after
rotation, but as JR runs his database update process on a schedule
from cron, freshclam shuts down after every update and closes its log
file so that instruction isn't necessary.  Incidentally the logrotate
system runs on a schedule from cron (or something like it) as well.
See

man cron

and

man crontab

Please do note that where JR gets his logs to be written might not be
the same places that you will get yours to be written, so the snippets
are really just templates to give you an idea of what's needed.


> How can I achieve this? What configurations do I have to do? What
> scripts do I have to set up? How can I affect the names of the
> stored logs?


The first three questions should be answered by typing

man logrotate

on your system.  But as this is what we call a 'man' page it will be
very terse information and you might need more help with it. 

Re: [clamav-users] Setting up logrotation

2019-09-24 Thread J.R. via clamav-users
Log rotation done by clamav is totally separate from your system's log
rotation that is done by a cronjob...

Unless you are doing some serious debugging, there isn't a lot that is
written to the clamd & freshclam log files...

My daily clamd.log is maybe 2 KB, and freshclam.log maybe around 20 KB...

I've never used the internal ClamAV log rotation feature, but if you
want to create a file in your /etc/logrotate.d directory you can do
something like this:

For clamd:

/var/log/clamav/clamd.log {
    # keep going if the file is missing or empty
    missingok
    notifempty
    daily
    compress
    # recreate the log owned by the user clamd runs as (clam here; check yours)
    create 644 clam clam
    postrotate
        # clamd reopens its log file on SIGHUP, so writes go to the new file
        killall -HUP clamd 2>/dev/null || :
    endscript
}

For freshclam (note: I run via cron job, not daemon):

/var/log/clamav/freshclam.log {
    missingok
    notifempty
    daily
    compress
    create 644 clam clam
    # no postrotate: freshclam run from cron exits after each update,
    # so nothing holds the old file open
}

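The rename-then-reopen mechanism Ged describes and the `killall -HUP clamd` line in J.R.'s postrotate, as an added example that is not code from the thread or from ClamAV: a small logger that keeps its file open the way a daemon does, a `rotate()` that renames the live file and creates an empty one (what logrotate's `create` does), and a `demo()` that shows where the next write lands with and without the reopen. Paths are constructed in a temporary directory; `clamd.log` is just a name. The SIGHUP handler mirrors the reopen-on-HUP that the postrotate relies on and is only installed when the script is run directly, because the demo calls `reopen()` by hand.

```python
import os
import signal
import tempfile


class ReopeningLogger:
    """Daemon-style logger: keeps its log file open and reopens it on SIGHUP,
    the way a daemon must after logrotate has renamed the file."""

    def __init__(self, path):
        self.path = path
        self.fh = open(path, "a")

    def write(self, line):
        self.fh.write(line + "\n")
        self.fh.flush()

    def inode(self):
        """Inode behind the open descriptor (not behind the path)."""
        return os.fstat(self.fh.fileno()).st_ino

    def reopen(self, *_signal_args):
        """Close the descriptor, which still points at the renamed file, and
        open the path again so writes land in the new empty file."""
        self.fh.close()
        self.fh = open(self.path, "a")

    def install_hup_handler(self):
        # main thread only; a daemon does this once at startup
        signal.signal(signal.SIGHUP, self.reopen)


def rotate(path):
    """What logrotate does for a 'create' rotation: rename the live log and
    create an empty file at the original path."""
    os.rename(path, path + ".1")
    open(path, "a").close()


def line_counts(path):
    """(lines in the rotated file, lines in the current file)."""
    def count(p):
        with open(p) as f:
            return len(f.read().splitlines())
    return count(path + ".1"), count(path)


def demo(reopen_after_rotate):
    """Write, rotate, write again. Returns (old lines, new lines, descriptor
    moved to the new inode?). Without the reopen the new file stays empty
    and the daemon keeps writing into the renamed one."""
    with tempfile.TemporaryDirectory() as d:           # constructed location
        path = os.path.join(d, "clamd.log")
        log = ReopeningLogger(path)
        log.write("before rotation")
        before = log.inode()
        rotate(path)
        if reopen_after_rotate:
            log.reopen()                               # what the HUP handler does
        log.write("after rotation")
        moved = log.inode() != before
        log.fh.close()
        return line_counts(path) + (moved,)


if __name__ == "__main__":
    print("no reopen  (old, new, fd moved):", demo(False))
    print("with reopen(old, new, fd moved):", demo(True))
```

This is also the check to run after installing a logrotate snippet: force a rotation with `logrotate -f` on the file and confirm that the next line clamd logs appears in the new file, not in the `.1`, which tells you the HUP reached the daemon.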


Re: [clamav-users] Needed Apache modules for a private local mirror

2019-09-24 Thread J.R. via clamav-users
Scott,

The files that would be on the local web server *are* static names...

bytecode.cvd
daily.cvd
main.cvd
safebrowsing.cvd

If your machines can't access the internet by policy, then that is one
route you can go. However, if you are trying to save bandwidth,
letting them download the .diff files regularly would probably be more
beneficial unless you had thousands of machines.

If you were wanting to cache diff files and limit internet access, you
could do something like a proxy (i.e. squid) and configure that way. I
believe it is also mentioned on the clamav page.



[clamav-users] Setting up logrotation

2019-09-24 Thread Lars Åhman
I'm running clamav as a daemon on a fedora and basically keep it running
24/7 except for an occasional update every now and then. I want the main
clamd log to rotate and have the LogFileMaxSize set to some small amount
for testing purposes and LogRotate set to yes. I had no prior experience
with any log rotation and here I learned that just these settings alone
won't suffice to get the logs to rotate. Correct me if I'm wrong, but I
think I have to set up a script to /etc/logrotate.d/ as well. In
/etc/logrotate.d/ the only clamav related file is called "clamav-update",
though. Nothing clamd related. I'm pretty lost with the whole log rotation
thing as I can't understand the connection between the scan.conf settings
and the inbuilt logrotate on my fedora.

If possible I want to be able to keep running clamd without interruption
while rotating logs when they get too big. How can I achieve this? What
configurations do I have to do? What scripts do I have to set up? How can I
affect the names of the stored logs?

Sorry for such a messy question, I'm really lost with this log rotation
thing and I think I'd need someone to walk me through the whole process.

Thanks!



Re: [clamav-users] OnAccess and regular scanning

2019-09-24 Thread Micah Snyder (micasnyd) via clamav-users
ClamAV only has built-in support for OnAccess scanning on Linux.

If there are people claiming that OnAccess scanning can be bypassed, you should 
ask them for more details.  To my knowledge it hasn’t been discussed here 
before, and is the first I have heard of it.

Regards,
Micah


From: clamav-users on behalf of Al Varnell via clamav-users
Reply-To: ClamAV users ML
Date: Tuesday, September 24, 2019 at 7:23 AM
To: ClamAV users ML
Cc: Al Varnell
Subject: Re: [clamav-users] OnAccess and regular scanning

I suspect it will depend on what platform you are running it on.

-Al-


On Sep 24, 2019, at 04:20, Franky Van Liedekerke via clamav-users wrote:

> Hi all,
>
> currently I have onaccess scanning up and running just fine in clamav. However,
> some people claim this can be bypassed (so access a file and not force it to be
> scanned), so I have some questions:
>
> - is this true? Can onaccess be bypassed?
> - if so: can I force a scan of all files that should be protected by onaccess
> once a week or so? I know clamdscan exists, but you need to provide a folder to
> it, and via cron it seems too much to scan "/". Or maybe force a scan of all
> files that should be protected by onaccess but haven't been accessed/scanned
> yet?
>
> With friendly regards,
> Franky



Re: [clamav-users] OnAccess renders system unusable in ~24h

2019-09-24 Thread Tim Stubbs
Hi

> What kinds of threats do you care about?  If for example you're not
> expecting your Linux boxes to be attacked by Windows malware you could
> reduce the size of the ClamAV databases very significantly which might
> improve scanning performance.

Sorry, could you point me in the right direction for how to do this?
good hasn't helped me so far?

thanks
Tim

--
Thank you,
Tim

[Winner of the 2018 Consumer Credit Awards]



Re: [clamav-users] OnAccess renders system unusable in ~24h

2019-09-24 Thread Tim Stubbs
Hi,
thanks for the quick response. We have been asked to run Realtime scans
as part of our PCI requirement, otherwise I would agree with you 100%.

That wasn't the worst example; I had a VM this morning at 56 49 47,
which went back to 1 when I stopped clamd. I do however have other VMs
where (with the same config) I've never had an issue.

Thanks for that, yes we are a Linux house, I'll try reducing the DB & I
will reduce the paths and test that. Failing that I will take a look at
v102.

thank you,
I'll update with my findings.
Tim



--
Thank you,
Tim

[Winner of the 2018 Consumer Credit Awards]



Re: [clamav-users] OnAccess renders system unusable in ~24h

2019-09-24 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 24 Sep 2019, Tim Stubbs wrote:


> I am running clamd with OnAccess enabled, however it's causing the load
> on the systems to make them almost unusable within about 24 hours.


This may be true, but I'd want to know that the suspicion is justified
(and front and centre I personally think scanning most Linux boxes with
ClamAV is a waste of CPU).


> as you can see sys is at 98% ...


No, I see CPU 27% idle and three clamd processes doing nothing.  But I
do see a load average of around seven.  On my dual CPU 2.7GHz Opterons
I routinely see an average of that sort of figure when they do backups
for a bunch of other machines, and Nagios will whine about it when it
gets over 8, but I don't usually worry about it until it gets into the
double digits.


> it seems clamd is stopping other
> applications from processing somehow. cannot find anything in the logs.
> not sure what debugging would be helpful? any advice would be helpful
> here?


My immediate reaction is - if the suspicion is found to be justified -
that you should try to reduce, initially to a bare minimum, the amount
of work which you're asking the machine to do.


> OnAccessIncludePath = "/home", "/root", "/etc", "/sftp", "/boot", \
>  "/opt", "/media", "/mnt"


For example you could remove most of the directories from this list to
see if it helps.  There are other things you might try, like limiting
the number of threads.  But again, I don't see anything in your 'top'
output which tells me that clamd is heavily loading your machine.

What kinds of threats do you care about?  If for example you're not
expecting your Linux boxes to be attacked by Windows malware you could
reduce the size of the ClamAV databases very significantly which might
improve scanning performance.

ClamAV version 0.102 has just been released as a candidate for testing
and I've been running it for some time before the RC was released.  It
contains some significant improvements for on-access scanning and, if
you do intend to persevere with on-access scanning, I'd recommend that
you install the latest version from the source.

--

73,
Ged.



Re: [clamav-users] RHEL ScanonAccess includepaths

2019-09-24 Thread CROFT Ian
Great stuff – that has resolved that error.

Just need to get my head around what should and what should not be 
included/excluded now.

You would have thought there would be a "this is a good layout" for
inclusions/exclusions for RHEL, which you could start with in the knowledge you
aren't going to kill your system and then add/remove from it as you learn more.

Does anyone know of such a list ?

Cheers

Ian




Re: [clamav-users] RHEL ScanonAccess includepaths

2019-09-24 Thread Franky Van Liedekerke via clamav-users
While it is not recommended to scan everything under /var (or /var
at all), the reason it fails is because you have /var submounts
(/var/log, /var/tmp).
This is currently a known bug in clamav (I reported
it: https://bugzilla.clamav.net/show_bug.cgi?id=12306 ), and the
workaround in your case is:

OnAccessIncludePath /var/log
OnAccessIncludePath /var/tmp
OnAccessIncludePath /var

and then, if you don't want /var/log and /var/tmp, add these in the
exclude:

ExcludePath ^/var/log
ExcludePath ^/var/tmp

Franky


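Two checks that fall out of this thread, written up as an added example that is not code from the thread or from ClamAV: a submount listing that produces the workaround Franky describes (every mount point below an include path gets its own OnAccessIncludePath line before the parent), and an estimate of how many inotify watches an include list needs against fs.inotify.max_user_watches, because a watcher that runs out of watches gets ENOSPC from inotify_add_watch, which is the "No space left on device" error in Ian's first attempt. The /proc/self/mountinfo excerpt is constructed to match the layout Ian lists (device names are made up), the directory tree in `demo_tree()` is constructed too, and counting one watch per directory on the same filesystem is an assumption about how the watcher registers paths, not something taken from the ClamAV source.

```python
import os
import tempfile

# Constructed /proc/self/mountinfo excerpt (not from the poster's server)
# modelling the layout listed in the thread; field 5 is the mount point.
SAMPLE_MOUNTINFO = """\
22 1 253:0 / / rw,relatime - xfs /dev/mapper/rhel-root rw
40 22 8:1 / /boot rw,relatime - xfs /dev/sda1 rw
41 22 253:2 / /home rw,relatime - xfs /dev/mapper/rhel-home rw
42 22 253:3 / /var rw,relatime - xfs /dev/mapper/rhel-var rw
43 42 253:4 / /var/log rw,relatime - xfs /dev/mapper/rhel-var_log rw
44 42 253:5 / /var/tmp rw,relatime - xfs /dev/mapper/rhel-var_tmp rw
45 43 253:6 / /var/log/audit rw,relatime - xfs /dev/mapper/rhel-var_log_audit rw
"""


def submounts_under(path, mountinfo_text=None):
    """Mount points strictly below path, from /proc/self/mountinfo unless the
    text is supplied. Empty list where /proc is unavailable."""
    if mountinfo_text is None:
        try:
            with open("/proc/self/mountinfo") as f:
                mountinfo_text = f.read()
        except OSError:
            return []
    path = path.rstrip("/") or "/"
    prefix = path if path == "/" else path + "/"
    found = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) > 4 and fields[4] != path and fields[4].startswith(prefix):
            found.append(fields[4])
    return sorted(found)


def include_lines(path, mountinfo_text=None):
    """The workaround from the thread: each submount as its own
    OnAccessIncludePath line, listed before the parent mount."""
    return ["OnAccessIncludePath " + p
            for p in submounts_under(path, mountinfo_text) + [path]]


def dirs_under(path):
    """Directories under path on the same filesystem, one inotify watch each
    (assumption). Submounts are pruned: they are listed and counted separately."""
    dev = os.lstat(path).st_dev
    count = 0
    for cur, subdirs, _files in os.walk(path):
        count += 1
        subdirs[:] = [d for d in subdirs
                      if not os.path.islink(os.path.join(cur, d))
                      and os.lstat(os.path.join(cur, d)).st_dev == dev]
    return count


def watch_budget(include_paths, limit):
    """Watches the include list needs versus max_user_watches. Exhausting the
    limit makes inotify_add_watch fail with ENOSPC ('No space left on device')."""
    needed = sum(dirs_under(p) for p in include_paths if os.path.isdir(p))
    return {"needed": needed, "limit": limit, "fits": needed <= limit}


def current_limit():
    with open("/proc/sys/fs/inotify/max_user_watches") as f:
        return int(f.read())


def demo_tree(limit):
    """Constructed tree root/{a/b/c, a/d, e}; include list [a, e] needs 5 watches."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("a/b/c", "a/d", "e"):
            os.makedirs(os.path.join(root, rel))
        return watch_budget([os.path.join(root, "a"), os.path.join(root, "e")], limit)


if __name__ == "__main__":
    print("\n".join(include_lines("/var", SAMPLE_MOUNTINFO)))
    print(watch_budget(["/boot", "/etc", "/home", "/opt", "/usr"], current_limit()))
```

Run `watch_budget()` with the real include list and `current_limit()` before raising max_user_watches, and run `submounts_under()` for each include path: a path that still fails after the limit is raised is the submount case, not the watch budget.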


Re: [clamav-users] RHEL ScanonAccess includepaths

2019-09-24 Thread CROFT Ian
Thanks Ged - much appreciated :-

>> We have a need to have OnAccessScanning on our RHEL servers but with
>> some path exclusions.

>May I ask why? -
Ian Response - Yes, the application folks have deemed certain paths not required
to be scanned and are hoping to avoid any performance issues as well.

>> So as I read the manuals etc it seems I have to use the
>> OnAccessIncludePath rather than the OnAccessMountPath.

>I guess that's right unless you have separate partitions mounted for things 
>like /var, /usr/local, /home and whatever.

>> So the filesystem layout is as such :-
>>
>> /
>> /boot
>> /home
>> /var
>> /var/log
>> /var/tmp
>> /var/log/audit

>Are these all separate mount points/partitions?
Ian Response - Yes

>> So I have set up the following IncludePath entries in scan.conf

>I guess the file scan.conf is something that RH does with ClamAV.
>There is no such file in any of my systems built from source.

>> OnAccessIncludePath /dev

>There be dragons, I wouldn't do that.
Ian response - ok noted.

>> OnAccessIncludePath /var

>I wouldn't do that.
Ian Response - why? I was going to include it and then exclude particular
directories below it as required. But the error I am getting won't let me
include it in the first place.

>> Does anybody know where I am going wrong ?

>Why do you want to scan everything under /var/log?  It seems pointless
>scanning a bunch of files which are effectively write-only logs.  You
>*might* theorize that a text file could have something written to it which
>would compromise a pager or something when you tried to read the log with it,
>but it seems quite a, well, a Stretch of the imagination.

>I would suggest reading the release notes for version 0.102, there are some
>significant changes for on-access scanning.
Ian Response - will do.


Sopra Steria is the trading name of the following companies (all registered in 
England & Wales): (i) Sopra Steria Limited (No. 04077975) (ii) Sopra Group Ltd 
(No. 01643041) (iii) Sopra Group Holding Ltd (No. 01588948)



Re: [clamav-users] RHEL ScanonAccess includepaths

2019-09-24 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 24 Sep 2019, CROFT Ian wrote:


> We have a need to have OnAccessScanning on our RHEL servers but with
> some path exclusions.


May I ask why?


> So as I read the manuals etc it seems I have to use the
> OnAccessIncludePath rather than the OnAccessMountPath.


I guess that's right unless you have separate partitions mounted for
things like /var, /usr/local, /home and whatever.


So the filesystem layout is as such :-

/
/boot
/home
/var
/var/log
/var/tmp
/var/log/audit


Are these all separate mount points/partitions?


So I have set up the following IncludePath entries in scan.conf


I guess the file scan.conf is something that RH does with ClamAV.
There is no such file in any of my systems built from source.


OnAccessIncludePath /dev


There be dragons, I wouldn't do that.


OnAccessIncludePath /var


I wouldn't do that.


Does anybody know where I am going wrong ?


Why do you want to scan everything under /var/log?  It seems pointless
scanning a bunch of files which are effectively write-only logs.  You
*might* theorize that a text file could have something written to it
which would compromise a pager or something when you tried to read the
log with it, but it seems quite a, well, a Stretch of the imagination.

I would suggest reading the release notes for version 0.102, there are
some significant changes for on-acess scanning.

--

73,
Ged.



[clamav-users] RHEL ScanonAccess includepaths

2019-09-24 Thread CROFT Ian
Hi

We have a need to have OnAccessScanning on our RHEL servers but with some path 
exclusions.

So as I read the manuals etc it seems I have to use the OnAccessIncludePath 
rather than the OnAccessMountPath.

So the filesystem layout is as such :-

/
/boot
/home
/var
/var/log
/var/tmp
/var/log/audit

So I have set up the following IncludePath entries in scan.conf

OnAccessIncludePath /boot
OnAccessIncludePath /dev
OnAccessIncludePath /etc
OnAccessIncludePath /home
OnAccessIncludePath /opt
OnAccessIncludePath /usr
OnAccessIncludePath /var

When then starting the clamd:scan service all paths seem to be ok apart from 
/var, which gave the following error:

ERROR: ScanOnAccess: Could not watch path '/var', No space left on device.

So I increased the number in /proc/sys/fs/inotify/max_user_watches from 8192 to 
32768 (only 21551 total directories in the whole of the server, so that should 
cover it).

So now it doesn't give me the message about space but gives this message :-

ERROR: ScanOnAccess: Could not watch path '/var', Success

And it is still not monitoring for anything under /var (EICAR test files not 
being picked up). All other paths seem to be working ok.

Does anybody know where I am going wrong ?

Cheers

Ian


Ian CROFT
Senior Infrastructure Support Analyst
[Sopra Steria]
Sopra Steria
101 Dalton Avenue
Birchwood Park, Cheshire
Warrington WA3 6YF - United Kingdom
Phone: 07966 825245
ian.cro...@soprasteria.com - 
www.soprasteria.co.uk

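The inotify watch budget Ian is raising above, as an added example that is not part of the thread or of ClamAV itself: a small POSIX shell script that reads the OnAccessIncludePath entries from a clamd config, counts the directories beneath each one (the on-access scanner in 0.101 takes one inotify watch per directory, which is why the count of directories matters), and compares the total with /proc/sys/fs/inotify/max_user_watches. The sample tree and scan.conf it builds are constructed for the demo, and the function names are mine.

```shell
#!/bin/sh
# Added example (not ClamAV's own code): estimate how many inotify watches
# clamd's on-access scanner needs for the OnAccessIncludePath entries in a
# config file and compare that with the kernel's per-user watch limit.
# One watch is taken per directory under each include path, so a tree with
# more directories than max_user_watches makes inotify_add_watch fail with
# ENOSPC, which clamd reports as "No space left on device".

# include_paths CONF: print each OnAccessIncludePath value, one per line.
include_paths() {
    awk '$1 == "OnAccessIncludePath" { print $2 }' "$1"
}

# count_dirs DIR: number of directories (DIR itself included) on the same
# filesystem as DIR; -xdev mirrors an include path that is its own mount.
count_dirs() {
    find "$1" -xdev -type d 2>/dev/null | wc -l | tr -d ' '
}

# total_watches CONF: watches needed for every include path together.
total_watches() {
    total=0
    for p in $(include_paths "$1"); do
        n=$(count_dirs "$p")
        total=$((total + n))
    done
    echo "$total"
}

# watch_limit: the live kernel limit, or the kernel default of 8192 when
# /proc is not available (for example when run outside Linux).
watch_limit() {
    if [ -r /proc/sys/fs/inotify/max_user_watches ]; then
        cat /proc/sys/fs/inotify/max_user_watches
    else
        echo 8192
    fi
}

# budget_check CONF LIMIT: prints "ok" when the include paths fit within
# LIMIT watches, "exceeds" otherwise.
budget_check() {
    needed=$(total_watches "$1")
    if [ "$needed" -le "$2" ]; then
        echo ok
    else
        echo exceeds
    fi
}

# make_fixture: build a constructed sample tree (five directories in total)
# and a matching scan.conf in a temporary directory; prints the conf path.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/srv/data/2019/09" "$t/home/alice"
    printf 'OnAccessIncludePath %s\nOnAccessIncludePath %s\n' \
        "$t/srv/data" "$t/home" > "$t/scan.conf"
    echo "$t/scan.conf"
}

# Demo against the constructed fixture; on a real host pass
# /etc/clamd.d/scan.conf instead and read the result before raising
# max_user_watches.
conf=$(make_fixture)
printf 'watches needed: %s, limit: %s, result: %s\n' \
    "$(total_watches "$conf")" "$(watch_limit)" \
    "$(budget_check "$conf" "$(watch_limit)")"
rm -rf "$(dirname "$conf")"
```

Note that a result of "ok" only says the watch limit is not the problem; a second failure with errno 0, like the "Success" message Ian reports after raising the limit, points somewhere other than inotify's watch budget.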


[clamav-users] OnAccess renders system unusable in ~24h

2019-09-24 Thread Tim Stubbs
Hi,
I am running clamd with OnAccess enabled, however it's causing the load
on the systems to make them almost unusable within about 24 hours.

As you can see sys is at 98%; it seems clamd is stopping other
applications from processing somehow. Cannot find anything in the logs.
Not sure what debugging would be helpful? Any advice would be helpful
here?

# top -bH -d 5 -n 49 -p 134865
top - 12:25:11 up 60 days,  4:29,  1 user,  load average: 7.19, 6.92, 6.71
Threads:   3 total,   0 running,   3 sleeping,   0 stopped,   0 zombie
%Cpu(s):  2.7 us, 70.3 sy,  0.0 ni, 27.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem :  5908584 total,   251604 free,  4134244 used,  1522736 buff/cache
KiB Swap:  6291452 total,  5947900 free,   343552 used.  1004892 avail Mem

   PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
134865 root      35  15 1114568 745700    612 S  0.0 12.6   3:20.05 clamd
134867 root      20   0 1114568 745700    612 S  0.0 12.6   0:00.00 clamd
134868 root      20   0 1114568 745700    612 S  0.0 12.6   1:23.39 clamd

# clamconf
Checking configuration files in /etc

Config file: clamd.d/scan.conf
--
AlertExceedsMax disabled
PreludeEnable disabled
PreludeAnalyzerName disabled
LogFile = "/var/log/clamav/clamav.log"
LogFileUnlock = "yes"
LogFileMaxSize = "1048576"
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate disabled
ExtendedDetectionInfo = "yes"
PidFile = "/var/run/clamd.scan/clamd.pid"
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamd.scan/clamd.sock"
LocalSocketGroup = "virusgroup"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "200"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "10"
ReadTimeout = "180"
CommandReadTimeout = "30"
SendBufTimeout = "200"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "20"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "600"
DisableCache disabled
VirusEvent disabled
ExitOnOOM = "yes"
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "root"
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "5000"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
ScanPE = "yes"
ScanELF = "yes"
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
HeuristicAlerts = "yes"
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
AlertBrokenExecutables disabled
AlertEncrypted disabled
AlertEncryptedArchive disabled
AlertEncryptedDoc disabled
AlertOLE2Macros disabled
AlertPhishingSSLMismatch disabled
AlertPhishingCloak disabled
AlertPartitionIntersection disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ForceToDisk disabled
MaxScanTime disabled
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "1"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
MaxRecHWP3 = "16"
PCREMatchLimit = "10"
PCRERecMatchLimit = "2000"
PCREMaxFileSize = "26214400"
ScanOnAccess = "yes"
OnAccessMountPath disabled
OnAccessIncludePath = "/home", "/root", "/etc", "/sftp", "/boot",
"/opt", "/media", "/mnt"
OnAccessExcludePath disabled
OnAccessExcludeRootUID = "yes"
OnAccessExcludeUID disabled
OnAccessMaxFileSize = "5242880"
OnAccessDisableDDD disabled
OnAccessPrevention disabled
OnAccessExtraScanning = "yes"
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled
AlgorithmicDetection = "yes"
BlockMax disabled
PhishingAlwaysBlockSSLMismatch disabled
PhishingAlwaysBlockCloak disabled
PartitionIntersection disabled
OLE2BlockMacros disabled
ArchiveBlockEncrypted disabled

Config file: freshclam.conf
---
LogFileMaxSize = "2097152"
LogTime = "yes"
LogSyslog = "yes"
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
PidFile = "/var/run/freshclam.pid"
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
UpdateLogFile = "/var/log/freshclam.log"
DatabaseOwner = "clamupdate"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "172.16.22.8"
PrivateMirror disabled
MaxAttempts = "5"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled

Re: [clamav-users] OnAccess and regular scanning

2019-09-24 Thread Franky Van Liedekerke via clamav-users
To be complete: I'm running clamav 0.101.4 on RHEL7 (fully
patched)

Franky

On Tuesday, 24-09-2019 at 13:22, Al Varnell via clamav-users wrote:

> I suspect it will depend on what platform you are running it on.
>
> -Al-
>
>> On Sep 24, 2019, at 04:20, Franky Van Liedekerke via clamav-users
>> wrote:
>>
>> Hi all,
>>
>> currently I have onaccess scanning up and running just fine in clamav.
>> However, some people claim this can be bypassed (so access a file and
>> not force it to be scanned), so I have some questions:
>>
>> - is this true? Can onaccess be bypassed?
>> - if so: can I force a scan of all files that should be protected by
>> onaccess once a week or so? I know clamdscan exists, but you need to
>> provide a folder to it, and via cron it seems too much to scan "/". Or
>> maybe force a scan of all files that should be protected by onaccess
>> but haven't been accessed/scanned yet?
>>
>> With friendly regards,
>> Franky



Re: [clamav-users] OnAccess and regular scanning

2019-09-24 Thread Al Varnell via clamav-users
I suspect it will depend on what platform you are running it on.

-Al-

> On Sep 24, 2019, at 04:20, Franky Van Liedekerke via clamav-users 
>  wrote:
> 
> Hi all,
> 
> currently I have onaccess scanning up and running just fine in clamav. 
> However, some people claim this can be bypassed (so access a file and not 
> force it to be scanned), so I have some questions:
> 
> - is this true? Can onaccess be bypassed?
> - if so: can I force a scan of all files that should be protected by onaccess 
> once a week or so? I know clamdscan exists, but you need to provide a folder 
> to it, and via cron it seems too much to scan "/". Or maybe force a scan of 
> all files that should be protected by onaccess but haven't been 
> accessed/scanned yet?
> 
> With friendly regards,
> Franky 




[clamav-users] OnAccess and regular scanning

2019-09-24 Thread Franky Van Liedekerke via clamav-users
Hi all,

Currently I have onaccess scanning up and running just fine in clamav.
However, some people claim this can be bypassed (so access a file and
not force it to be scanned), so I have some questions:

- is this true? Can onaccess be bypassed?
- if so: can I force a scan of all files that should be protected by
onaccess once a week or so? I know clamdscan exists, but you need to
provide a folder to it, and via cron it seems too much to scan "/". Or
maybe force a scan of all files that should be protected by onaccess
but haven't been accessed/scanned yet?

With friendly regards,
Franky

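One way to do the weekly sweep Franky asks about, as an added example rather than anything from the thread or from ClamAV: a POSIX shell script that reads the OnAccessIncludePath entries from the clamd config and runs clamdscan over exactly those paths, so the scheduled scan covers the same tree the on-access hook does instead of all of "/". The sample config is constructed, the function names and the cron script path are mine, and the scanner command is parameterised so the argument list can be checked with a dry run.

```shell
#!/bin/sh
# Added example (not ClamAV's own code): a periodic scan of exactly the paths
# that clamd protects on access, driven by the same config file so the two
# mechanisms cannot drift apart. Suggested root crontab entry (hypothetical
# install path, weekly at 03:00 on Sunday):
#   0 3 * * 0 /usr/local/sbin/clamav-weekly-scan /etc/clamd.d/scan.conf

# include_paths CONF: print each OnAccessIncludePath value, one per line.
include_paths() {
    awk '$1 == "OnAccessIncludePath" { print $2 }' "$1"
}

# scan_args CONF: the clamdscan argument list, one item per line.
# --fdpass hands open file descriptors to clamd so the daemon itself need not
# have read access to every tree; --multiscan spreads the work over clamd's
# threads; --infected prints only the files that matched.
scan_args() {
    printf '%s\n' --fdpass --multiscan --infected
    include_paths "$1"
}

# scheduled_scan CONF [SCANNER]: run SCANNER (default clamdscan) over the
# include paths. The exit status follows clamdscan's convention:
# 0 nothing found, 1 something was found, 2 an error occurred.
# Pass "echo" as SCANNER for a dry run that only prints the arguments.
scheduled_scan() {
    conf=$1
    scanner=${2:-clamdscan}
    set -- $(scan_args "$conf")
    "$scanner" "$@"
}

# make_fixture: write a constructed scan.conf with two include paths to a
# temporary file and print its name (the paths need not exist for a dry run).
make_fixture() {
    f=$(mktemp)
    printf 'OnAccessIncludePath /srv/data\nOnAccessIncludePath /home\n' > "$f"
    echo "$f"
}

# Demo: dry run against the constructed config. On a real host call
# scheduled_scan /etc/clamd.d/scan.conf from cron and alert on exit status 1.
conf=$(make_fixture)
scheduled_scan "$conf" echo
rm -f "$conf"
```

Because the include paths are word-split from the config, the script assumes paths without whitespace, which matches the one-token-per-line form clamd uses for OnAccessIncludePath.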