Re: [clamav-users] using clamdscan and clamd to do complete file system scan
On Tue, Apr 28, 2015 at 8:17 PM, Al Varnell alvarn...@mac.com wrote:

> Quite the opposite is true. The default is to scan up to 15 directories deep.
>
> Questions such as these are most easily solved by reading the appropriate man, in this case clamdscan.1 which reads in part:
>
> EXAMPLES
>     (0) To scan a one file:
>         clamdscan file
>     (1) To scan a current working directory:
>         clamdscan
>     (2) To scan all files in /home:
>         clamdscan /home

Well, then there must either be a misconfiguration, or a defect in the Amazon Linux distribution of clamd and clamdscan, because when I do something like this...

    # clamdscan /bin
    /bin: OK

    --- SCAN SUMMARY ---
    Infected files: 0
    Time: 0.351 sec (0 m 0 s)
    #

It doesn't seem to actually do anything interesting..., nothing scanned, perhaps the fact that the summary is missing so many other items is a clue to some other problem, but it just looks like it's not doing recursing through the directories.

It's completely different than when I run a clamscan...

    # clamscan /bin
    /bin/ksh93: OK
    /bin/cp: OK
    /bin/rpm: OK
    /bin/zcat: OK
    /bin/gzip: OK
    ...snip...

    --- SCAN SUMMARY ---
    Known viruses: 3798768
    Engine version: 0.98.6
    Scanned directories: 1
    Scanned files: 88
    Infected files: 0
    Data scanned: 7.89 MB
    Data read: 7.90 MB (ratio 1.00:1)
    Time: 7.358 sec (0 m 7 s)
    #

As far as I know there is nothing special about the configuration. All values related to recursion seem to be OK to me. (In fact most of the recursion values in clamd.conf seem only to apply to recursion within an archive file encountered during the scan.)

At this point my find | xargs clamdscan solution is working. If someone on the ClamAV team wants more details about what's happening with my clamdscan I'm happy to provide them.

/John

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] using clamdscan and clamd to do complete file system scan
On 30/04/15 at 11:58, John McGowan wrote:

> On Tue, Apr 28, 2015 at 8:17 PM, Al Varnell alvarn...@mac.com wrote:
>
>> Quite the opposite is true. The default is to scan up to 15 directories deep.
>>
>> Questions such as these are most easily solved by reading the appropriate man, in this case clamdscan.1 which reads in part:
>>
>> EXAMPLES
>>     (0) To scan a one file:
>>         clamdscan file
>>     (1) To scan a current working directory:
>>         clamdscan
>>     (2) To scan all files in /home:
>>         clamdscan /home
>
> Well, then there must either be a misconfiguration, or a defect in the Amazon Linux distribution of clamd and clamdscan, because when I do something like this...

clamdscan scanning is made by clamd, this process use to run with non-root privileges
Re: [clamav-users] using clamdscan and clamd to do complete file system scan
I agree with everything you've said. In my situation I'm simply choosing the least path of resistance in making a PCI QSA happy. For years I've been able to not do AV on our Linux hosting environment because the systems were not commonly affected. The Auditors' opinions (warranted or not) on that are different now, so I'm just trying to demonstrate diligence by having ClamAV installed and scanning some key directories.

/John

On Wed, Apr 29, 2015 at 12:27 PM, G.W. Haywood cla...@jubileegroup.co.uk wrote:

> Hi there,
>
> On Wed, 29 Apr 2015, John McGowan wrote:
>
>> ...
>> I suspect that most people use clamdscan to do one off scanning, (mail servers, etc)
>
> My suspicion is that most people don't do it at all on Linux boxes. There is absolutely no point in scanning the entire filesystem on a typical Linux box for millions of Windows viruses, since they won't be there. It would be a complete waste of effort and resources, and I certainly never do it on the dozens of Linux boxes that I run.
>
> There might be a case for scanning parts of a Linux filesystem if it's used for example as a file server for Windows clients.
>
> Amongst other scanners I use clamd via a Sendmail milter to scan both incoming and outgoing mail on my mail servers, but mainly because the third-party signatures catch lots of unwanted mail. And even now there are a few people Out There who are still using Windows boxes; it would be bad if any person in my employ unwittingly passed a virus-ridden message from one Windows user to another, even if the machines which my people use are completely immune to infection by practically all of the malware for which the mail systems are scanning. The mail is scanned on the fly and it never gets as far as being written to the filesystem if any of the scanners detects something which one might consider unpleasant.
>
>> ...
>> I'm looking for more of a traditional daily scan the entire file system solution.
>
> I'm not sure that there's anything 'traditional' about scanning Linux boxes for viruses. I've never found one in that way, but I've found literally many thousands by scanning Windows boxes in the same way.
>
> Incidentally if you do scan a Linux filesystem, don't scan things like /proc and /dev because you might not like the results.
>
> --
> 73,
> Ged.

--
John McGowan
Lynch2
792 West Bartlett Road
Bartlett, Illinois 60103
www.lynch2.com
direct: 630.473.3185
main: 847.608.6900 Ext 4110
Re: [clamav-users] using clamdscan and clamd to do complete file system scan
> clamdscan scanning is made by clamd, this process use to run with non-root privileges

Knowing that I wanted clamd to be able to scan any part of the file system, I did reconfigure clamd to run as root by commenting out the config param that changes the user that clamd ran as.

So I don't think this issue is permissions related. But I could still be wrong. I tried it without changing who clamd was running as and got completely different permissions errors than what I'm seeing now.

/John
Re: [clamav-users] using clamdscan and clamd to do complete file system scan
On 30/04/15 at 11:58, John McGowan wrote:

> # clamdscan /bin

have you tried: clamdscan -v /bin ?

it seems that normally only infected files are shown

René
Re: [clamav-users] using clamdscan and clamd to do complete file system scan
On 4/30/2015 10:06 AM, John McGowan wrote:

>> clamdscan scanning is made by clamd, this process use to run with non-root privileges
>
> Knowing that I wanted clamd to be able to scan any part of the file system, I did reconfigure clamd to run as root by commenting out the config param that changes the user that clamd ran as.
>
> So I don't think this issue is permissions related. But I could still be wrong. I tried it without changing who clamd was running as and got completely different permissions errors than what I'm seeing now.
>
> /John

I strongly suggest using clamscan rather than clamdscan for system scanning. The performance advantage of clamd and its pre-loaded databases is largely irrelevant when scanning a large number of files and you won't have permission problems. You also avoid running clamd with root permissions, which is potentially unsafe. In some cases, using clamscan may actually be faster than clamdscan.
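
An added example, not code from any poster in this thread: one way to do the find-based clamdscan run John describes while keeping /proc and /dev out of the scan and leaving clamd as a non-root user. It assumes clamdscan talks to clamd over a local Unix socket (needed for `--fdpass`) and is itself run by a user that can read the files; `SCANNER`, `build_file_list` and `scan_roots` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread). SCANNER, build_file_list and
# scan_roots are hypothetical names chosen for this example.

SCANNER="${SCANNER:-clamdscan}"

# Print every regular file under the given roots, one path per line.
#  -xdev   stay on each root's own filesystem (skips other mounts)
#  -prune  never descend into the pseudo-filesystems /proc, /sys and /dev
# Symlinks are not followed, so a link cannot pull the scan out of a root.
# Assumption: no file name contains a newline (the list is line-based).
build_file_list() {
    for root in "$@"; do
        find "$root" -xdev \
            \( -path /proc -o -path /sys -o -path /dev \) -prune \
            -o -type f -print
    done
}

# Scan the roots through clamd and return clamdscan's exit status:
# 0 = nothing found, 1 = at least one detection, 2 = error.
scan_roots() {
    list=$(mktemp) || return 2
    build_file_list "$@" > "$list"
    # --fdpass     clamdscan opens each file and passes the descriptor to
    #              clamd, so clamd itself can keep running as a non-root user
    # --infected   print only detections (clean files are not listed)
    # --file-list  read the paths to scan from the generated list
    "$SCANNER" --fdpass --infected --file-list="$list"
    rc=$?
    rm -f "$list"
    return "$rc"
}

# Entry point when called with roots, e.g. from cron: script.sh /home /var/www
if [ "$#" -gt 0 ]; then
    scan_roots "$@"
    exit $?
fi
```

Because the exit status distinguishes a detection (1) from a scan error (2), a cron wrapper can alert on each separately instead of treating any non-zero result as a finding.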
Re: [clamav-users] using clamdscan and clamd to do complete file system scan
On 30/04/15 at 12:13, René Bellora wrote:

> On 30/04/15 at 11:58, John McGowan wrote:
>
>> # clamdscan /bin
>
> have you tried: clamdscan -v /bin ?

sorry to answer to myself, -v makes no difference in this case

but clamdscan is actually scanning, it just doesn't show files that are ok

René
Re: [clamav-users] using clamdscan and clamd to do complete file system scan
Hi there,

On Wed, 29 Apr 2015, John McGowan wrote:

> ...
> I suspect that most people use clamdscan to do one off scanning, (mail servers, etc)

My suspicion is that most people don't do it at all on Linux boxes. There is absolutely no point in scanning the entire filesystem on a typical Linux box for millions of Windows viruses, since they won't be there. It would be a complete waste of effort and resources, and I certainly never do it on the dozens of Linux boxes that I run.

There might be a case for scanning parts of a Linux filesystem if it's used for example as a file server for Windows clients.

Amongst other scanners I use clamd via a Sendmail milter to scan both incoming and outgoing mail on my mail servers, but mainly because the third-party signatures catch lots of unwanted mail. And even now there are a few people Out There who are still using Windows boxes; it would be bad if any person in my employ unwittingly passed a virus-ridden message from one Windows user to another, even if the machines which my people use are completely immune to infection by practically all of the malware for which the mail systems are scanning. The mail is scanned on the fly and it never gets as far as being written to the filesystem if any of the scanners detects something which one might consider unpleasant.

> ...
> I'm looking for more of a traditional daily scan the entire file system solution.

I'm not sure that there's anything 'traditional' about scanning Linux boxes for viruses. I've never found one in that way, but I've found literally many thousands by scanning Windows boxes in the same way.

Incidentally if you do scan a Linux filesystem, don't scan things like /proc and /dev because you might not like the results.

--
73,
Ged.
Re: [clamav-users] using clamdscan and clamd to do complete file system scan
Quite the opposite is true. The default is to scan up to 15 directories deep.

Questions such as these are most easily solved by reading the appropriate man, in this case clamdscan.1 which reads in part:

EXAMPLES
    (0) To scan a one file:
        clamdscan file
    (1) To scan a current working directory:
        clamdscan
    (2) To scan all files in /home:
        clamdscan /home

-Al-
--
Al Varnell
Mountain View, CA

On Tue, Apr 28, 2015 at 11:33AM, John McGowan wrote:

> Hi,
>
> I've been banging my head trying to figure this out on my own for the better part of a day now.
>
> I'm running Amazon Linux, have got the proper clamav packages installed to have the following stuff working.
>
> * clamd is running
> * clamscan runs from the command line
> * clamdscan runs from the command line
>
> However, clamdscan doesn't recursively crawl the file system, it only seems to want to scan a single file.
>
> Before I craft a find | xargs clamdscan type of solution for this, can I just get confirmation that recursive scanning with just clamdscan is not possible?
>
> I suspect that most people use clamdscan to do one off scanning, (mail servers, etc)
>
> In my use case I want to leverage clamd, so that I can take advantage of the SysLogging capabilities of clamd, but I'm looking for more of a traditional daily scan the entire file system solution.
[clamav-users] using clamdscan and clamd to do complete file system scan
Hi,

I've been banging my head trying to figure this out on my own for the better part of a day now.

I'm running Amazon Linux, have got the proper clamav packages installed to have the following stuff working.

* clamd is running
* clamscan runs from the command line
* clamdscan runs from the command line

However, clamdscan doesn't recursively crawl the file system, it only seems to want to scan a single file.

Before I craft a find | xargs clamdscan type of solution for this, can I just get confirmation that recursive scanning with just clamdscan is not possible?

I suspect that most people use clamdscan to do one off scanning, (mail servers, etc)

In my use case I want to leverage clamd, so that I can take advantage of the SysLogging capabilities of clamd, but I'm looking for more of a traditional daily scan the entire file system solution.

--
/John
Re: [clamav-users] using clamdscan and clamd to do complete file system scan
Clamdscan with clamd should scan directories recursively. Check out clamd configuration parameters FollowDirectorySymlinks and FollowFileSymlinks in case they apply.

Steve

On Tue, Apr 28, 2015 at 2:33 PM, John McGowan j...@lynch2.com wrote:

> Hi,
>
> I've been banging my head trying to figure this out on my own for the better part of a day now.
>
> I'm running Amazon Linux, have got the proper clamav packages installed to have the following stuff working.
>
> * clamd is running
> * clamscan runs from the command line
> * clamdscan runs from the command line
>
> However, clamdscan doesn't recursively crawl the file system, it only seems to want to scan a single file.
>
> Before I craft a find | xargs clamdscan type of solution for this, can I just get confirmation that recursive scanning with just clamdscan is not possible?
>
> I suspect that most people use clamdscan to do one off scanning, (mail servers, etc)
>
> In my use case I want to leverage clamd, so that I can take advantage of the SysLogging capabilities of clamd, but I'm looking for more of a traditional daily scan the entire file system solution.
>
> --
> /John