Re: [clamav-users] OnAccessScan doesn't prevent Access

2018-11-08 Thread Micah Snyder (micasnyd)
The negation is intentional, though perhaps it should print a warning.

From the documentation here: 
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/docs/UserManual/Usage.md#On-access-Scanning

Watch your entire filesystem only using the clamd.conf OnAccessMountPath 
option. While this will disable on-access prevention, it will avoid potential 
system lockups caused by fanotify’s blocking functionality.

To use OnAccessPrevention, you'll need to use OnAccessIncludePath instead of 
OnAccessMountPath.

Regards,
Micah



On Nov 8, 2018, at 4:39 AM, Andreas Schulze <andreas.schu...@datev.de> wrote:

On 08.11.18 at 10:25, vamp898 wrote:
This is what the logs look like when I do this

Thu Nov  8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Protecting '/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
Thu Nov  8 10:15:09 2018 -> ScanOnAccess: /var/www/localhost/htdocs/nextcloud-14.0.3/data/administrator/files/eicar.com: Eicar-Test-Signature FOUND

Any help highly appreciated =)

looks like a bug: 
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155

the second condition should not be negated for my feeling.

--
A. Schulze
DATEV eG
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] OnAccessScan doesn't prevent Access

2018-11-08 Thread vamp898

On 2018-11-08 11:54, vamp898 wrote:

On 2018-11-08 11:37, vamp898 wrote:

On 2018-11-08 10:39, Andreas Schulze wrote:

On 08.11.18 at 10:25, vamp898 wrote:

This is what the logs look like when I do this

Thu Nov  8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Protecting '/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
Thu Nov  8 10:15:09 2018 -> ScanOnAccess: /var/www/localhost/htdocs/nextcloud-14.0.3/data/administrator/files/eicar.com: Eicar-Test-Signature FOUND


Any help highly appreciated =)


looks like a bug:
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155

the second condition should not be negated for my feeling.

Dear Mr. Schulze,

thank you for your email.

Eeeyup, looks like a bug for me too. Maybe someone had one too many
beers writing that part of the code :P

Am I supposed to open the bug report or would/could you do that? (I
don't have an account or something).

If not, please feel free to tell me and I will register myself there.



Best Regards

Former Avira Employee who exclusively supported DATEV back then when
they had Webgate :P

For the reference, I also tested the following

OnAccessMaxFileSize 50M
OnAccessIncludePath /var/www/localhost/htdocs/nextcloud/data
OnAccessDisableDDD yes
OnAccessPrevention yes

And the log looks different

Thu Nov  8 11:52:27 2018 -> ScanOnAccess: preventing access attempts on malicious files.
Thu Nov  8 11:52:27 2018 -> ScanOnAccess: Protecting directory '/var/www/localhost/htdocs/nextcloud/data'
Thu Nov  8 11:52:27 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes

but there is still full access to this file, it no longer gets detected 
at all.


Of course, because


OnAccessDisableDDD yes


has to be no.

So that if looks intentional, it looks like it really is supposed to 
deactivate the blocking if OnAccessMountPath is used (it also says so in 
the comment of the config file).


At least I now managed to get this far

Thu Nov  8 11:55:53 2018 -> ScanOnAccess: preventing access attempts on malicious files.
Thu Nov  8 11:55:53 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
Thu Nov  8 11:55:53 2018 -> ScanOnAccess: Protecting directory '/var/www/localhost/htdocs/nextcloud/data' (and all sub-directories)
Thu Nov  8 11:55:53 2018 -> ERROR: ScanOnAccess: Could not watch path '/var/www/localhost/htdocs/nextcloud/data', No space left on device


After adjusting the current limits of inotify
fs.inotify.max_queued_events
fs.inotify.max_user_instances
fs.inotify.max_user_watches
user.max_inotify_instances
user.max_inotify_watches

This also was solved. So OnAccessScan WORKSFORME now =)
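
The three things this thread ran into (OnAccessMountPath turning OnAccessPrevention into notify-only, OnAccessDisableDDD yes on an included path, and the inotify watch limit behind "No space left on device") can be checked before restarting clamd. The following is an added example, not part of the original messages and not ClamAV code; the function names, MOUNT_CONF, FIXED_CONF and the sample numbers are constructed, and it assumes one inotify watch per directory under the included path.

```python
# THREAD_CONF is the config quoted in the thread; the other two are constructed.
MOUNT_CONF = """OnAccessMountPath /var/www/localhost/htdocs/nextcloud/data
OnAccessPrevention yes
"""
THREAD_CONF = """OnAccessMaxFileSize 50M
OnAccessIncludePath /var/www/localhost/htdocs/nextcloud/data
OnAccessDisableDDD yes
OnAccessPrevention yes
"""
FIXED_CONF = THREAD_CONF.replace("OnAccessDisableDDD yes", "OnAccessDisableDDD no")


def parse_clamd_conf(text):
    """Return {option: [values]}; options such as OnAccessIncludePath may repeat."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        opts.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return opts


def is_yes(opts, key):
    return opts.get(key, ["no"])[-1].strip().lower() in ("yes", "true", "1")


def lint_onaccess(text, dir_count=0, max_user_watches=None):
    """Return findings for the on-access pitfalls discussed in this thread."""
    opts, findings = parse_clamd_conf(text), []
    include = "OnAccessIncludePath" in opts
    ddd_off = is_yes(opts, "OnAccessDisableDDD")
    if is_yes(opts, "OnAccessPrevention") and "OnAccessMountPath" in opts:
        findings.append("notify-only: OnAccessMountPath disables OnAccessPrevention")
    if include and ddd_off:
        findings.append("ddd-disabled: thread reports no detection until set to no")
    # Assumption: one inotify watch per directory below the included path.
    if include and not ddd_off and max_user_watches is not None \
            and dir_count > max_user_watches:
        findings.append("inotify-limit: %d directories > fs.inotify.max_user_watches"
                        " (%d); expect 'No space left on device'"
                        % (dir_count, max_user_watches))
    return findings


if __name__ == "__main__":
    # 20000 directories and a limit of 8192 are constructed sample numbers.
    for name in ("MOUNT_CONF", "THREAD_CONF", "FIXED_CONF"):
        print(name, lint_onaccess(globals()[name], 20000, 8192))
```

On a live host, dir_count would come from counting directories under the included path and max_user_watches from /proc/sys/fs/inotify/max_user_watches.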

Re: [clamav-users] OnAccessScan doesn't prevent Access

2018-11-08 Thread vamp898

On 2018-11-08 11:37, vamp898 wrote:

On 2018-11-08 10:39, Andreas Schulze wrote:

On 08.11.18 at 10:25, vamp898 wrote:

This is what the logs look like when I do this

Thu Nov  8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Protecting '/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
Thu Nov  8 10:15:09 2018 -> ScanOnAccess: /var/www/localhost/htdocs/nextcloud-14.0.3/data/administrator/files/eicar.com: Eicar-Test-Signature FOUND


Any help highly appreciated =)


looks like a bug:
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155

the second condition should not be negated for my feeling.

Dear Mr. Schulze,

thank you for your email.

Eeeyup, looks like a bug for me too. Maybe someone had one too many
beers writing that part of the code :P

Am I supposed to open the bug report or would/could you do that? (I
don't have an account or something).

If not, please feel free to tell me and I will register myself there.



Best Regards

Former Avira Employee who exclusively supported DATEV back then when
they had Webgate :P

For the reference, I also tested the following

OnAccessMaxFileSize 50M
OnAccessIncludePath /var/www/localhost/htdocs/nextcloud/data
OnAccessDisableDDD yes
OnAccessPrevention yes

And the log looks different

Thu Nov  8 11:52:27 2018 -> ScanOnAccess: preventing access attempts on malicious files.
Thu Nov  8 11:52:27 2018 -> ScanOnAccess: Protecting directory '/var/www/localhost/htdocs/nextcloud/data'
Thu Nov  8 11:52:27 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes


but there is still full access to this file, it no longer gets detected 
at all.


Re: [clamav-users] OnAccessScan doesn't prevent Access

2018-11-08 Thread vamp898

On 2018-11-08 10:39, Andreas Schulze wrote:

On 08.11.18 at 10:25, vamp898 wrote:

This is what the logs look like when I do this

Thu Nov  8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Protecting '/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
Thu Nov  8 10:15:09 2018 -> ScanOnAccess: /var/www/localhost/htdocs/nextcloud-14.0.3/data/administrator/files/eicar.com: Eicar-Test-Signature FOUND


Any help highly appreciated =)


looks like a bug:
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155

the second condition should not be negated for my feeling.

Dear Mr. Schulze,

thank you for your email.

Eeeyup, looks like a bug for me too. Maybe someone had one too many beers 
writing that part of the code :P


Am I supposed to open the bug report or would/could you do that? (I don't 
have an account or something).


If not, please feel free to tell me and I will register myself there.



Best Regards

Former Avira Employee who exclusively supported DATEV back then when 
they had Webgate :P


Re: [clamav-users] OnAccessScan doesn't prevent Access

2018-11-08 Thread Andreas Schulze
On 08.11.18 at 10:25, vamp898 wrote:
> This is what the logs look like when I do this
> 
> Thu Nov  8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
> Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Protecting '/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
> Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
> Thu Nov  8 10:15:09 2018 -> ScanOnAccess: /var/www/localhost/htdocs/nextcloud-14.0.3/data/administrator/files/eicar.com: Eicar-Test-Signature FOUND
> 
> Any help highly appreciated =)

looks like a bug: 
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155

the second condition should not be negated for my feeling.

-- 
A. Schulze
DATEV eG