Re: [clamav-users] OnAccessScan doesn't prevent Access
On 2018-11-08 10:39, Andreas Schulze wrote:
> On 08.11.18 at 10:25, vamp898 wrote:
>> This is how the logs look like when I do this
>>
>> Thu Nov 8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
>> Thu Nov 8 10:13:51 2018 -> ScanOnAccess: Protecting '/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
>> Thu Nov 8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
>> Thu Nov 8 10:15:09 2018 -> ScanOnAccess: /var/www/localhost/htdocs/nextcloud-14.0.3/data/administrator/files/eicar.com: Eicar-Test-Signature FOUND
>>
>> Any help highly appreciated =)
>
> looks like a bug:
> https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155
> the second condition should not be negated for my feeling.

Dear Mr. Schulze,

thank you for your email.

Eeeyup, looks like a bug to me too. Maybe someone had one too many beers writing that part of the code :P

Am I supposed to open the bug report or would/could you do that? (I don't have an account or something.) If not, please feel free to tell me and I will register myself there.

Best Regards

Former Avira Employee who exclusively supported DATEV back then when they had Webgate :P

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] OnAccessScan doesn't prevent Access
On 2018-11-08 11:37, vamp898 wrote:
> On 2018-11-08 10:39, Andreas Schulze wrote:
>> On 08.11.18 at 10:25, vamp898 wrote:
>>> This is how the logs look like when I do this
>>>
>>> Thu Nov 8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
>>> Thu Nov 8 10:13:51 2018 -> ScanOnAccess: Protecting '/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
>>> Thu Nov 8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
>>> Thu Nov 8 10:15:09 2018 -> ScanOnAccess: /var/www/localhost/htdocs/nextcloud-14.0.3/data/administrator/files/eicar.com: Eicar-Test-Signature FOUND
>>>
>>> Any help highly appreciated =)
>>
>> looks like a bug:
>> https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155
>> the second condition should not be negated for my feeling.
>
> Dear Mr. Schulze,
>
> thank you for your email.
>
> Eeeyup, looks like a bug to me too. Maybe someone had one too many beers writing that part of the code :P
>
> Am I supposed to open the bug report or would/could you do that? (I don't have an account or something.) If not, please feel free to tell me and I will register myself there.
>
> Best Regards
>
> Former Avira Employee who exclusively supported DATEV back then when they had Webgate :P

For the reference, I also tested the following

OnAccessMaxFileSize 50M
OnAccessIncludePath /var/www/localhost/htdocs/nextcloud/data
OnAccessDisableDDD yes
OnAccessPrevention yes

And the log looks different

Thu Nov 8 11:52:27 2018 -> ScanOnAccess: preventing access attempts on malicious files.
Thu Nov 8 11:52:27 2018 -> ScanOnAccess: Protecting directory '/var/www/localhost/htdocs/nextcloud/data'
Thu Nov 8 11:52:27 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes

but there is still full access to this file, it no longer gets detected at all.
Re: [clamav-users] OnAccessScan doesn't prevent Access
On 2018-11-08 11:54, vamp898 wrote:
> On 2018-11-08 11:37, vamp898 wrote:
>> On 2018-11-08 10:39, Andreas Schulze wrote:
>>> On 08.11.18 at 10:25, vamp898 wrote:
>>>> This is how the logs look like when I do this
>>>>
>>>> Thu Nov 8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
>>>> Thu Nov 8 10:13:51 2018 -> ScanOnAccess: Protecting '/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
>>>> Thu Nov 8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
>>>> Thu Nov 8 10:15:09 2018 -> ScanOnAccess: /var/www/localhost/htdocs/nextcloud-14.0.3/data/administrator/files/eicar.com: Eicar-Test-Signature FOUND
>>>>
>>>> Any help highly appreciated =)
>>>
>>> looks like a bug:
>>> https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155
>>> the second condition should not be negated for my feeling.
>>
>> Dear Mr. Schulze,
>>
>> thank you for your email.
>>
>> Eeeyup, looks like a bug to me too. Maybe someone had one too many beers writing that part of the code :P
>>
>> Am I supposed to open the bug report or would/could you do that? (I don't have an account or something.) If not, please feel free to tell me and I will register myself there.
>>
>> Best Regards
>>
>> Former Avira Employee who exclusively supported DATEV back then when they had Webgate :P
>
> For the reference, I also tested the following
>
> OnAccessMaxFileSize 50M
> OnAccessIncludePath /var/www/localhost/htdocs/nextcloud/data
> OnAccessDisableDDD yes
> OnAccessPrevention yes
>
> And the log looks different
>
> Thu Nov 8 11:52:27 2018 -> ScanOnAccess: preventing access attempts on malicious files.
> Thu Nov 8 11:52:27 2018 -> ScanOnAccess: Protecting directory '/var/www/localhost/htdocs/nextcloud/data'
> Thu Nov 8 11:52:27 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
>
> but there is still full access to this file, it no longer gets detected at all.

Of course, because OnAccessDisableDDD yes has to be no.

So that if looks intentional, it looks like it really is supposed to deactivate the blocking if OnAccessMountPath is used (it also says so in the comment of the config file).

At least I now managed to get this far

Thu Nov 8 11:55:53 2018 -> ScanOnAccess: preventing access attempts on malicious files.
Thu Nov 8 11:55:53 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
Thu Nov 8 11:55:53 2018 -> ScanOnAccess: Protecting directory '/var/www/localhost/htdocs/nextcloud/data' (and all sub-directories)
Thu Nov 8 11:55:53 2018 -> ERROR: ScanOnAccess: Could not watch path '/var/www/localhost/htdocs/nextcloud/data', No space left on device

After adjusting the current limits of inotify

fs.inotify.max_queued_events
fs.inotify.max_user_instances
fs.inotify.max_user_watches
user.max_inotify_instances
user.max_inotify_watches

This also was solved.

So OnAccessScan WORKSFORME now =)
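
An added example, not part of the original thread and not ClamAV project code: an audit of clamd.conf text for the on-access outcomes reported in the messages above (a mount path notifies only, an include path with DDD disabled gave no detection, an include path with DDD and prevention enabled blocks), plus an estimate of the inotify watches a directory tree needs. The sample configurations are constructed from the messages; the function names and the one-watch-per-directory estimate are assumptions of this example.

```python
import os

def parse_conf(text):
    """clamd.conf holds one 'Option value' pair per line; '#' lines are comments."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        opts.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return opts

def is_yes(opts, name):
    values = opts.get(name, [])
    return bool(values) and values[-1].strip().lower() in ("yes", "true", "1")

def audit_onaccess(text):
    """Return the settings that, per the thread, leave a detected file accessible."""
    opts, findings = parse_conf(text), []
    if opts.get("OnAccessMountPath"):
        findings.append("OnAccessMountPath: notify only, no blocking")
    if not is_yes(opts, "OnAccessPrevention"):
        findings.append("OnAccessPrevention not enabled: access is allowed")
    if opts.get("OnAccessIncludePath") and is_yes(opts, "OnAccessDisableDDD"):
        findings.append("OnAccessDisableDDD yes: include path was not scanned")
    return findings

def watch_shortfall(root, max_user_watches):
    """Directories under root beyond the watch limit (assumes one watch each)."""
    dirs = sum(1 for _ in os.walk(root))
    return max(0, dirs - max_user_watches)

# Constructed samples mirroring the three configurations tried in the thread.
DATA = "/var/www/localhost/htdocs/nextcloud/data"
MOUNT_CONF = f"OnAccessMaxFileSize 50M\nOnAccessMountPath {DATA}\n"
NO_DDD_CONF = (f"OnAccessMaxFileSize 50M\nOnAccessIncludePath {DATA}\n"
               "OnAccessDisableDDD yes\nOnAccessPrevention yes\n")
WORKING_CONF = NO_DDD_CONF.replace("OnAccessDisableDDD yes", "OnAccessDisableDDD no")

if __name__ == "__main__":
    for label, conf in (("mount", MOUNT_CONF), ("no-ddd", NO_DDD_CONF),
                        ("working", WORKING_CONF)):
        print(label, audit_onaccess(conf) or "ok")
    limit_file = "/proc/sys/fs/inotify/max_user_watches"  # present on Linux only
    if os.path.exists(limit_file):
        with open(limit_file) as fh:
            print("watch shortfall:", watch_shortfall(".", int(fh.read())))
```

A non-zero shortfall for the protected tree corresponds to the "Could not watch path ... No space left on device" error in the last log above.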
[clamav-users] Detection as PUA.Andr.Trojan.Generic-6878612-0
Hi there,

for a few days now we have been getting a _lot_ of detections for PUA.Andr.Trojan.Generic-6878612-0

Office Documents, ZIP Documents, JPEG Images (containing nothing as JPEG) are all more and more detected as this type.

Not all of them but way too many to see a real pattern what the actual issue is :(

Is that something known?

Best Regards