[clamav-users] ScanOnAccess, OnAccessPrevention and move to quarantine

2017-12-12 Thread Juan Asensio Sánchez
Hi, I am trying to configure clamd (running as user root) with ScanOnAccess
enabled and "OnAccessExcludeUID 0". Basically, our web app allows the user
to upload files using a WS (the web server runs as user , not root),
and then a batch job processes the file. I have also enabled
OnAccessPrevention, so in case of an upload with an infected file, the
batch job can't access (but root user could do it, as per
OnAccessExcludeUID). I have also created a script configured in VirusEvent
so we are alerted when a virus is detected. The problem is that, as the
file remains, the batch job is always trying to process the file, throwing
errors. I have tried to move the file to a quarantine folder using the
VirusEvent script, but the server completely freezes; after the tests, I
have read on some websites that we shouldn't move or delete the infected
file inside that script.

So, what could be a solution? How can I move the file to a quarantine
folder using this configuration? Is there a better/alternative solution?

# uname -a
Linux xxx 3.10.0-693.11.1.el7.x86_64 #1 SMP Fri Oct 27 05:39:05 EDT
2017 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)

# rpm -qa | grep clam
clamav-filesystem-0.99.2-8.el7.noarch
clamav-server-systemd-0.99.2-8.el7.noarch
clamav-update-0.99.2-8.el7.x86_64
clamav-data-0.99.2-8.el7.noarch
clamav-server-0.99.2-8.el7.x86_64
clamav-scanner-0.99.2-8.el7.noarch
clamav-0.99.2-8.el7.x86_64
clamav-lib-0.99.2-8.el7.x86_64
clamav-scanner-systemd-0.99.2-8.el7.noarch

Thanks.
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
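
One way to get the quarantine behaviour asked about above without touching the file from inside the VirusEvent handler, as an added example that is not part of the original post or of ClamAV: the handler only records the detection, and a separate root job moves the files later. The spool and quarantine paths, the script path and the function names are assumptions; `CLAM_VIRUSEVENT_FILENAME` and `CLAM_VIRUSEVENT_VIRUSNAME` are the environment variables clamd exports to VirusEvent commands.

```shell
#!/bin/sh
# Added example: deferred quarantine for clamd on-access detections.
# SPOOL and QUARANTINE are assumed paths (root-owned, mode 0700).
SPOOL=${SPOOL:-/var/spool/clam-quarantine/pending}
QUARANTINE=${QUARANTINE:-/var/quarantine}
NL='
'

# clamd.conf (script path is an assumption):
#   VirusEvent /usr/local/sbin/clam-quarantine record
# Only appends "signature<TAB>path" to the spool; never touches the file.
record_detection() {
    path=${CLAM_VIRUSEVENT_FILENAME:-}
    virus=${CLAM_VIRUSEVENT_VIRUSNAME:-unknown}
    case $path in
        *"$NL"*) return 1 ;;   # would corrupt the line-based spool
        /*) ;;                 # absolute paths only
        *) return 1 ;;
    esac
    printf '%s\t%s\n' "$virus" "$path" >> "$SPOOL"
}

# Run as root from cron or a systemd timer, outside clamd. Root is exempt
# from OnAccessPrevention through "OnAccessExcludeUID 0".
# Prints the number of files moved.
drain_spool() {
    [ -s "$SPOOL" ] || { echo 0; return 0; }
    work="$SPOOL.$$"
    mv "$SPOOL" "$work" || return 1        # claim the batch atomically
    moved=0
    while IFS="$(printf '\t')" read -r virus path; do
        # Skip entries that vanished or are not plain files.
        [ -f "$path" ] && [ ! -L "$path" ] || continue
        slot=$(mktemp -d "$QUARANTINE/XXXXXXXX") || continue
        printf '%s\n' "$virus" > "$slot/signature"
        mv -- "$path" "$slot/" && chmod 000 "$slot/${path##*/}" &&
            moved=$((moved + 1))
    done < "$work"
    rm -f "$work"
    echo "$moved"
}

case ${1:-} in
    record) record_detection ;;
    drain)  drain_spool ;;
esac
```

The batch job should treat a missing upload as "rejected" rather than retrying, since the file disappears once the drain job has run.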


Re: [clamav-users] Extradatabase import foxhole database

2017-12-12 Thread Reindl Harald



On 12.12.2017 at 17:47, Emanuel wrote:

what would be the correct way to execute the rsync command?

*--files-from=filelist.txt???*


create a file "filelist.txt":
foxhole_all.cdb
foxhole_all.ndb
foxhole_filename.cdb
foxhole_generic.cdb
foxhole_js.cdb
foxhole_js.ndb
foxhole_mail.cdb

man rsync


On 12/12/17 at 11:48, Reindl Harald wrote:

On 12.12.2017 at 15:44, Emanuel wrote:
is it possible to import only the foxhole database from http://sanesecurity.com/usage/linux-scripts/??


just download the files and put them into the signature folder - on 
most systems /var/lib/clamav


rsync --no-motd -ctuzS --files-from=filelist.txt rsync://rsync.sanesecurity.net/sanesecurity/ ./


foxhole is very generic and doesn't need many updates
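
The steps from this thread (file list, rsync, copy into the signature folder) put together as an added example, not code from the posters or from Sanesecurity: the databases are fetched into a staging directory and each one is load-tested with `clamscan -d` before it replaces the live copy. `STAGE`, the `CLAMSCAN` override and the function names are assumptions; the file names, rsync invocation and `/var/lib/clamav` come from the thread.

```shell
#!/bin/sh
# Added example: stage, load-test and install only the Foxhole databases.
DBDIR=${DBDIR:-/var/lib/clamav}              # signature folder (thread)
STAGE=${STAGE:-/var/tmp/foxhole-stage}       # assumed staging directory
CLAMSCAN=${CLAMSCAN:-clamscan}               # overridable for testing
FOXHOLE_DBS="foxhole_all.cdb foxhole_all.ndb foxhole_filename.cdb
foxhole_generic.cdb foxhole_js.cdb foxhole_js.ndb foxhole_mail.cdb"

# One database name per line, as in the thread's filelist.txt.
write_filelist() {
    printf '%s\n' $FOXHOLE_DBS > "$STAGE/filelist.txt"
}

# Same rsync invocation as in the thread, run inside the staging directory
# so a partial transfer never lands in the live signature folder.
fetch() {
    (cd "$STAGE" && rsync --no-motd -ctuzS --files-from=filelist.txt \
        rsync://rsync.sanesecurity.net/sanesecurity/ ./)
}

# Install a staged database only if it is non-empty and clamscan can load
# it. Prints the number of databases installed.
install_staged() {
    probe="$STAGE/probe.txt"
    : > "$probe"                             # empty file to scan
    installed=0
    for db in $FOXHOLE_DBS; do
        [ -s "$STAGE/$db" ] || continue
        "$CLAMSCAN" --quiet -d "$STAGE/$db" "$probe" || continue
        # Copy under a name clamd does not load, then rename into place.
        cp -p "$STAGE/$db" "$DBDIR/$db.tmp" &&
            mv -f "$DBDIR/$db.tmp" "$DBDIR/$db" &&
            installed=$((installed + 1))
    done
    echo "$installed"
}

if [ "${1:-}" = "update" ]; then
    mkdir -p "$STAGE" && write_filelist && fetch && install_staged
fi
```

The load test catches truncated or malformed files, not malicious ones; the `rsync://` transport itself is unauthenticated.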



Re: [clamav-users] Extradatabase import foxhole database

2017-12-12 Thread Emanuel

what would be the correct way to execute the rsync command?

*--files-from=filelist.txt???*

Regards.!


On 12/12/17 at 11:48, Reindl Harald wrote:

On 12.12.2017 at 15:44, Emanuel wrote:
is it possible to import only the foxhole database from http://sanesecurity.com/usage/linux-scripts/??


just download the files and put them into the signature folder - on 
most systems /var/lib/clamav


rsync --no-motd -ctuzS --files-from=filelist.txt rsync://rsync.sanesecurity.net/sanesecurity/ ./


foxhole is very generic and doesn't need many updates


--
envialosimple.com   
Emanuel Gonzalez
IT / Departamento Emails
emanuel.gonza...@donweb.com 
www.envialosimple.com 
by donweb 



Re: [clamav-users] Extradatabase import foxhole database

2017-12-12 Thread Reindl Harald



On 12.12.2017 at 15:44, Emanuel wrote:
is it possible to import only the foxhole database from http://sanesecurity.com/usage/linux-scripts/??


just download the files and put them into the signature folder - on most 
systems /var/lib/clamav


rsync --no-motd -ctuzS --files-from=filelist.txt rsync://rsync.sanesecurity.net/sanesecurity/ ./


foxhole is very generic and doesn't need many updates


[clamav-users] Extradatabase import foxhole database

2017-12-12 Thread Emanuel

Hello,

is it possible to import only the foxhole database from http://sanesecurity.com/usage/linux-scripts/??


how??

Regards, Emanuel.

--
envialosimple.com   
Emanuel Gonzalez
IT / Departamento Emails
emanuel.gonza...@donweb.com 
www.envialosimple.com 
by donweb 
