This patch adds the "ClamukoBlockAccess" config directive to clamd.conf.
When this directive is set to "yes" (which is the default), Clamuko will
instruct Dazuko to block access to an infected file. (This is how things
are currently set up.) If the directive is set to "no", then Dazuko will
be told not to block read access. The infection is still logged, but the
user can keep accessing the file. It turns Clamuko from a "full stop"
into a "warning sign".
Rationale: we found the blocking to be inconvenient to end users when a
file is a known "false positive". We also want to handle infections
without confounding the end user too much, such as with a script that
monitors the logs and mails the administrator when something is amiss.
Not blocking off a file also makes it possible to move it to a different
partition for quarantaining.
Possible objections against this patch: this hampers security and
prevention of harm; the name of the option is ambiguous since "block"
can also refer to a block device (feel free to change); and there are
other and possibly better ways to do the same thing, like clamfs or an
inotify-based solution. Comments and changes are welcome.
With kind regards,
--Alfred Klomp
--
Bokxing IT
Elektronicaweg 14a
2628 XG Delft
T: 088-00 164 00
F: 015-25 609 77
support@bokxing.nl
www.bokxing.nl
KvK: 27194486
When this directive is set to "yes" (which is the default), Clamuko will
instruct Dazuko to block access to an infected file. (This is how things
are currently set up.) If the directive is set to "no", then Dazuko will
be told not to block read access. The infection is still logged, but the
user can keep accessing the file. It turns Clamuko from a "full stop"
into a "warning sign".
Rationale: we found the blocking to be inconvenient to end users when a
file is a known "false positive". We also want to handle infections
without confounding the end user too much, such as with a script that
monitors the logs and mails the administrator when something is amiss.
Not blocking off a file also makes it possible to move it to a different
partition for quarantaining.
Possible objections against this patch: this hampers security and
prevention of harm; the name of the option is ambiguous since "block"
can also refer to a block device (feel free to change); and there are
other and possibly better ways to do the same thing, like clamfs or an
inotify-based solution. Comments and changes are welcome.
With kind regards,
--Alfred Klomp
--
Bokxing IT
Elektronicaweg 14a
2628 XG Delft
T: 088-00 164 00
F: 015-25 609 77
support@bokxing.nl
www.bokxing.nl
KvK: 27194486
Attached Files:
-
clamuko-block-access.patch (4.54 KB)