Re: [clamav-users] ScanOnAccess, OnAccessPrevention and move to quarantine

2017-12-13 Thread Mickey Sola
Unfortunately, the ExcludeUID option in 0.99.2 is broken due to an
oversight in how clam's optparser handles numbered lists which include 0.
You can follow along with the resolution of that issue here:
https://bugzilla.clamav.net/show_bug.cgi?id=11978

An important takeaway for you in that thread, as a RHEL 7 user, is that
your SELinux targeted policy will prevent clamd from stating /proc/PID
entirely--breaking the ExcludeUID functionality even further. A second
takeaway might be the patches you can apply to rebuild clam locally with
the new fixes which might help solve the issue you're seeing.

Hope this helps you a bit. Sorry things weren't quite right the first go
round--that's my bad.

- Mickey

On Wed, Dec 13, 2017 at 2:37 AM, Juan Asensio Sánchez 
wrote:

> Hi, I am trying to configure clamd (running as user root) with ScanOnAccess
> enabled and "OnAccessExcludeUID 0". Basically, our web app allows the user
> to upload files using a WS (the web server runs as user , not root),
> and then a batch job processes the file. I have also enabled
> OnAccessPrevention, so in case of an upload with an infected file, the
> batch job can't access (but root user could do it, as per
> OnAccessExcludeUID). I have also created a script configured in VirusEvent
> so we are alerted when a virus is detected. The problem is that, as the
> file remains, the batch job is always trying to process the file, throwing
> errors. I have tried to move the file to a quarantine folder using the
> VirusEvent script, but the server completely freezes; after the tests, I
> have read on some websites that we shouldn't move or delete the infected file
> inside that script.
>
> So, what could be a solution? How can I move the file to a quarantine
> folder using this configuration? Is there a better/alternative solution?
>
> # uname -a
> Linux xxx 3.10.0-693.11.1.el7.x86_64 #1 SMP Fri Oct 27 05:39:05 EDT
> 2017 x86_64 x86_64 x86_64 GNU/Linux
>
> # cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 7.4 (Maipo)
>
> # rpm -qa | grep clam
> clamav-filesystem-0.99.2-8.el7.noarch
> clamav-server-systemd-0.99.2-8.el7.noarch
> clamav-update-0.99.2-8.el7.x86_64
> clamav-data-0.99.2-8.el7.noarch
> clamav-server-0.99.2-8.el7.x86_64
> clamav-scanner-0.99.2-8.el7.noarch
> clamav-0.99.2-8.el7.x86_64
> clamav-lib-0.99.2-8.el7.x86_64
> clamav-scanner-systemd-0.99.2-8.el7.noarch
>
> Thanks.
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

[clamav-users] ScanOnAccess, OnAccessPrevention and move to quarantine

2017-12-12 Thread Juan Asensio Sánchez
Hi, I am trying to configure clamd (running as user root) with ScanOnAccess
enabled and "OnAccessExcludeUID 0". Basically, our web app allows the user
to upload files using a WS (the web server runs as user , not root),
and then a batch job processes the file. I have also enabled
OnAccessPrevention, so in case of an upload with an infected file, the
batch job can't access (but root user could do it, as per
OnAccessExcludeUID). I have also created a script configured in VirusEvent
so we are alerted when a virus is detected. The problem is that, as the
file remains, the batch job is always trying to process the file, throwing
errors. I have tried to move the file to a quarantine folder using the
VirusEvent script, but the server completely freezes; after the tests, I
have read on some websites that we shouldn't move or delete the infected file
inside that script.

So, what could be a solution? How can I move the file to a quarantine
folder using this configuration? Is there a better/alternative solution?

# uname -a
Linux xxx 3.10.0-693.11.1.el7.x86_64 #1 SMP Fri Oct 27 05:39:05 EDT
2017 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)

# rpm -qa | grep clam
clamav-filesystem-0.99.2-8.el7.noarch
clamav-server-systemd-0.99.2-8.el7.noarch
clamav-update-0.99.2-8.el7.x86_64
clamav-data-0.99.2-8.el7.noarch
clamav-server-0.99.2-8.el7.x86_64
clamav-scanner-0.99.2-8.el7.noarch
clamav-0.99.2-8.el7.x86_64
clamav-lib-0.99.2-8.el7.x86_64
clamav-scanner-systemd-0.99.2-8.el7.noarch

Thanks.
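The pattern the thread converges on is that the VirusEvent hook must not move or delete the detected file itself. An added example of that split (written for this page, not code from the thread or from the ClamAV project): the hook only appends the detection to a queue file and returns, and a separate worker, run later from cron or a systemd timer, moves queued files into a quarantine directory. clamd's VirusEvent does set the CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME environment variables and replaces %v with the signature name; the queue path, quarantine path and script name are assumptions for the example.

```shell
#!/bin/sh
# Added example: two-stage quarantine for clamd's VirusEvent.
# Stage 1 (enqueue) runs inside the VirusEvent hook and only records the hit.
# Stage 2 (drain) runs outside clamd, later, and does the actual move.
# QUEUE_FILE and QUARANTINE_DIR are assumed paths; override via environment.
QUEUE_FILE="${QUEUE_FILE:-/var/lib/clamav/quarantine.queue}"
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/lib/clamav/quarantine}"

# Hook side. Wire it up in clamd.conf as (script name is an assumption):
#   VirusEvent /usr/local/bin/clam-quarantine.sh enqueue "%v"
# clamd exports CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME;
# the %v argument is kept only as a fallback for the signature name.
enqueue_detection() {
    file="${CLAM_VIRUSEVENT_FILENAME:-}"
    sig="${CLAM_VIRUSEVENT_VIRUSNAME:-${1:-unknown}}"
    [ -n "$file" ] || return 1
    # One tab-separated line per event; nothing else touches the file here.
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$sig" "$file" >> "$QUEUE_FILE"
}

# Worker side. Run from cron/systemd as a UID that clamd is configured to
# exclude (OnAccessExcludeUID), never from the hook. Prints the number of
# files moved so callers can check the result.
drain_queue() {
    [ -s "$QUEUE_FILE" ] || { echo 0; return 0; }
    mkdir -p "$QUARANTINE_DIR"
    chmod 700 "$QUARANTINE_DIR"
    # Snapshot the queue so the hook can keep appending while we work.
    work="$QUEUE_FILE.$$"
    mv -- "$QUEUE_FILE" "$work"
    moved=0
    tab="$(printf '\t')"
    while IFS="$tab" read -r ts sig path; do
        [ -f "$path" ] || continue          # already gone; nothing to do
        dest="$QUARANTINE_DIR/$(date -u +%s)-$$-$moved-$(basename -- "$path")"
        if mv -- "$path" "$dest"; then
            chmod 000 "$dest"               # nobody opens it by accident
            printf '%s\t%s\t%s\t%s\n' "$ts" "$sig" "$path" "$dest" \
                >> "$QUARANTINE_DIR/quarantine.log"
            moved=$((moved + 1))
        fi
    done < "$work"
    rm -f -- "$work"
    echo "$moved"
}

case "${1:-}" in
    enqueue) shift; enqueue_detection "$@" ;;
    drain)   drain_queue ;;
esac
```

Keep the quarantine directory on the same filesystem as the upload directory so the move is a rename rather than a copy, and feed the batch job from the quarantine log (or have it skip paths listed in the queue) so it stops retrying files that are waiting to be moved. Paths containing a tab character would break the tab-separated queue format; if your upload layer allows such names, switch the separator to NUL.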