Mailing List Archive

clamonaccess scanning does not see /tmp/eicar.com
Hello,

I'm running clamav 0.102.3 on RedHat 7.8 servers.
When I use OnAccessMountPath and place the file "eicar.com" in the /tmp directory, I see messages in /var/log/messages.

clamd[3994]: Self checking every 1800 seconds.
clamd[3994]: lstat() failed on: /etc/shadow
clamd[3994]: /tmp/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
clamd[3994]: /tmp/eicar3.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
clamd[3994]: lstat() failed on: /etc/selinux/config
clamd[3994]: lstat() failed on: /etc/selinux/semanage.conf
clamd[3994]: lstat() failed on: /etc/selinux/targeted/seusers
clamd[3994]: lstat() failed on: /etc/selinux/targeted/semanage.read.LOCK
clamd[3994]: lstat() failed on: /etc/selinux/targeted/active/commit_num
clamd[3994]: lstat() failed on: /etc/selinux/targeted/active/seusers

I also see lots of the following messages:
clamonacc: ClamMisc: $/proc/4899 vanished before UIDs could be excluded; scanning anyway
clamonacc: ClamMisc: $/proc/4896 vanished before UIDs could be excluded; scanning anyway
clamonacc: ClamMisc: $/proc/4900 vanished before UIDs could be excluded; scanning anyway
clamonacc: ClamMisc: $/proc/4900 vanished before UIDs could be excluded; scanning anyway

However, when I use "OnAccessIncludePath /tmp", I don't see this message after placing this "eicar.com"
file in /tmp.

clamd[4819]: XMLDOCS support enabled.
clamd[4819]: HWP3 support enabled.
clamd[4819]: Self checking every 1800 seconds.
clamd[4819]: SelfCheck: Database status OK.
clamd[4819]: SelfCheck: Database status OK.

clamonacc: ClamInotif: watching '/tmp' (and all sub-directories)

Please tell me what I'm doing wrong?

Thanks in advance, kind regards,

Eric van Rheenen
Linux administration
Raadhuisplein 10, 9751AN Haren

E-Mail: Eric.van.Rheenen@groningen.nl
Ericvan.Rheenen@ts.fujitsu.com
Telephone: +31 (0)6 1640 2686
Re: clamonaccess scanning does not see /tmp/eicar.com
Hi there,

On Mon, 6 Jul 2020, Eric van Rheenen via clamav-users wrote:

> I'm running clamav 0.102.3 on RedHat 7.8 servers.
> When i use OnAccessMountPath ...
> [...]
> Please tell me what i'm doing wrong ?

It is not clear to me that you are doing anything wrong, at least in
part because it is not clear to me exactly what you are trying to do,
and you have edited the log content so much that I, at least, do not
understand it (and does /var/log/messages really have no timestamps)?

You give the OnAccessIncludePath value as '/tmp' but you do not make
clear the value assigned to 'OnAccessMountPath'. Please clarify. In
the first example, did you expect clamd to be looking at /etc (and at
things you _know_ that it will not be able to read) as well as /tmp?

In each case, to trigger scanning, how was the test file accessed?

Have you read 'https://www.clamav.net/documents/on-access-scanning'
and in particular the 'Curl' requirements?

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: clamonaccess scanning does not see /tmp/eicar.com
Hello,
Hope this clarifies it more.

I use the following curl version:
[erirhe1d@gglvboft001 tmp]$ curl -V
curl 7.68.0-DEV (x86_64-unknown-linux-gnu) libcurl/7.68.0-DEV OpenSSL/1.0.2k-fips zlib/1.2.7 libssh2/1.8.0
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTPS-proxy Largefile libz NTLM NTLM_WB SSL UnixSockets

My /etc/clamd.d/scan.conf (comments stripped)

LogFile /var/log/clamav/clamd.scan.log
LogFileMaxSize 2M
LogTime yes
LogSyslog yes
LogRotate yes
ExtendedDetectionInfo yes
PidFile /var/run/clamd.scan/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/lib/clamav

LocalSocket /var/run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 660
FixStaleSocket yes

ExcludePath ^/proc/
ExcludePath ^/sys/

User clamscan

AlertBrokenExecutables yes
AlertEncrypted yes
AlertEncryptedArchive yes
AlertEncryptedDoc yes

ScanELF yes
ScanHTML yes

OnAccessIncludePath /bin
OnAccessIncludePath /sbin
OnAccessIncludePath /boot
OnAccessIncludePath /data
OnAccessIncludePath /etc
OnAccessIncludePath /lib
OnAccessIncludePath /lib64
OnAccessIncludePath /srv
OnAccessIncludePath /tmp
OnAccessIncludePath /usr
OnAccessIncludePath /var

OnAccessExcludePath /proc
OnAccessExcludePath /sys

OnAccessExtraScanning yes

OnAccessExcludeRootUID yes

OnAccessExcludeUID 994

OnAccessExcludeUname clamav
OnAccessExcludeUname clamscan

Bytecode yes


File: /var/log/messages
Jul 7 09:52:14 gglvboft001 systemd: Starting clamd scanner (scan) daemon...
Jul 7 09:52:14 gglvboft001 clamd[13246]: Received 0 file descriptor(s) from systemd.
Jul 7 09:52:14 gglvboft001 clamd[13246]: clamd daemon 0.102.3 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jul 7 09:52:14 gglvboft001 clamd[13246]: Running as user clamscan (UID 994, GID 988)
Jul 7 09:52:14 gglvboft001 clamd[13246]: Log file size limited to 2097152 bytes.
Jul 7 09:52:14 gglvboft001 clamd[13246]: Reading databases from /var/lib/clamav
Jul 7 09:52:14 gglvboft001 clamd[13246]: Not loading PUA signatures.
Jul 7 09:52:14 gglvboft001 clamd[13246]: Bytecode: Security mode set to "TrustSigned".
Jul 7 09:52:26 gglvboft001 clamd[13246]: Loaded 7752884 signatures.
Jul 7 09:52:28 gglvboft001 clamd[13246]: LOCAL: Unix socket file /var/run/clamd.scan/clamd.sock
Jul 7 09:52:28 gglvboft001 clamd[13246]: LOCAL: Setting connection queue length to 200
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: Global time limit set to 120000 milliseconds.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: Global size limit set to 104857600 bytes.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: File size limit set to 26214400 bytes.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: Recursion level limit set to 16.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: Files limit set to 10000.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxScriptNormalize limit set to 5242880 bytes.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxPartitions limit set to 50.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxIconsPE limit set to 100.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxRecHWP3 limit set to 16.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: PCREMatchLimit limit set to 100000.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: PCRERecMatchLimit limit set to 2000.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: PCREMaxFileSize limit set to 26214400.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Archive support enabled.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Alerting of encrypted archives _and_ documents enabled.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Alerting of encrypted archives _and_ documents enabled.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Alerting of encrypted documents enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: AlertExceedsMax heuristic detection disabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: Heuristic alerts enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: Portable Executable support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: ELF support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: Alerting on broken executables enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: Mail files support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: OLE2 support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: PDF support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: SWF support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: HTML support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: XMLDOCS support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: HWP3 support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: Self checking every 600 seconds.
Jul 7 09:52:31 gglvboft001 systemd: Started clamd scanner (scan) daemon.
Jul 7 09:52:41 gglvboft001 systemd: Started Clam AntiVirus userspace daemon for OnAccess Scanning.
Jul 7 09:52:41 gglvboft001 clamonacc: ClamInotif: watching '/bin' (and all sub-directories)
Jul 7 09:52:41 gglvboft001 clamonacc: ClamInotif: watching '/sbin' (and all sub-directories)
Jul 7 09:52:41 gglvboft001 clamonacc: ClamInotif: watching '/boot' (and all sub-directories)
Jul 7 09:52:41 gglvboft001 clamonacc: ClamInotif: watching '/data' (and all sub-directories)
Jul 7 09:52:42 gglvboft001 clamonacc: ClamInotif: watching '/etc' (and all sub-directories)
Jul 7 09:52:42 gglvboft001 clamonacc: ClamInotif: watching '/lib' (and all sub-directories)
Jul 7 09:52:42 gglvboft001 clamonacc: ClamInotif: watching '/lib64' (and all sub-directories)
Jul 7 09:52:42 gglvboft001 clamonacc: ClamInotif: watching '/srv' (and all sub-directories)
Jul 7 09:52:42 gglvboft001 clamonacc: ClamInotif: watching '/tmp' (and all sub-directories)
Jul 7 09:52:43 gglvboft001 clamonacc: ClamInotif: watching '/usr' (and all sub-directories)
Jul 7 09:52:43 gglvboft001 clamonacc: ClamInotif: watching '/var' (and all sub-directories)
Jul 7 09:55:27 gglvboft001 su: (to root) erirhe1d on pts/0


My test:
[erirhe1d@gglvboft001 tmp]$ date
Tue Jul 7 09:54:39 CEST 2020
[erirhe1d@gglvboft001 tmp]$ ls -lia eicar.com
118 -rw-r--r--. 1 erirhe1d erirhe1d 68 Jul 3 09:42 eicar.com
[erirhe1d@gglvboft001 tmp]$ cp eicar.com eicar1.com
[erirhe1d@gglvboft001 tmp]$ cat eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*[erirhe1d@gglvboft001 tmp]$
[erirhe1d@gglvboft001 tmp]$ more eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
[erirhe1d@gglvboft001 tmp]$
[erirhe1d@gglvboft001 tmp]$ date
Tue Jul 7 09:55:20 CEST 2020
[erirhe1d@gglvboft001 tmp]$

No warning in /var/log/messages ?????

Now commented out "OnAccessIncludePath" and set "OnAccessMountPath" in /etc/clamd.d/scan.conf.
Restarted clamd@scan and clamonacc.

OnAccessMountPath /boot
OnAccessMountPath /
OnAccessMountPath /srv
OnAccessMountPath /var
OnAccessMountPath /tmp
OnAccessMountPath /data
OnAccessMountPath /var/log/audit

/var/log/messages:
Jul 7 10:02:06 gglvboft001 systemd: Starting clamd scanner (scan) daemon...
Jul 7 10:02:06 gglvboft001 clamd[13861]: Received 0 file descriptor(s) from systemd.
Jul 7 10:02:06 gglvboft001 clamd[13861]: clamd daemon 0.102.3 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jul 7 10:02:06 gglvboft001 clamd[13861]: Running as user clamscan (UID 994, GID 988)
Jul 7 10:02:06 gglvboft001 clamd[13861]: Log file size limited to 2097152 bytes.
Jul 7 10:02:06 gglvboft001 clamd[13861]: Reading databases from /var/lib/clamav
Jul 7 10:02:06 gglvboft001 clamd[13861]: Not loading PUA signatures.
Jul 7 10:02:06 gglvboft001 clamd[13861]: Bytecode: Security mode set to "TrustSigned".
Jul 7 10:02:18 gglvboft001 clamd[13861]: Loaded 7752884 signatures.
Jul 7 10:02:21 gglvboft001 clamd[13861]: LOCAL: Unix socket file /var/run/clamd.scan/clamd.sock
Jul 7 10:02:21 gglvboft001 clamd[13861]: LOCAL: Setting connection queue length to 200
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: Global time limit set to 120000 milliseconds.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: Global size limit set to 104857600 bytes.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: File size limit set to 26214400 bytes.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: Recursion level limit set to 16.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: Files limit set to 10000.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxScriptNormalize limit set to 5242880 bytes.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxPartitions limit set to 50.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxIconsPE limit set to 100.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxRecHWP3 limit set to 16.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: PCREMatchLimit limit set to 100000.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: PCRERecMatchLimit limit set to 2000.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: PCREMaxFileSize limit set to 26214400.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Archive support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Alerting of encrypted archives _and_ documents enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Alerting of encrypted archives _and_ documents enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Alerting of encrypted documents enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: AlertExceedsMax heuristic detection disabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Heuristic alerts enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Portable Executable support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: ELF support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Alerting on broken executables enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Mail files support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: OLE2 support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: PDF support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: SWF support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: HTML support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: XMLDOCS support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: HWP3 support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Self checking every 600 seconds.
Jul 7 10:02:23 gglvboft001 systemd: Started clamd scanner (scan) daemon.
Jul 7 10:02:33 gglvboft001 systemd: Started Clam AntiVirus userspace daemon for OnAccess Scanning.
Jul 7 10:02:59 gglvboft001 clamd[13874]: lstat() failed on: /var/spool/postfix/maildrop/DF960218984
Jul 7 10:02:59 gglvboft001 clamd[13874]: lstat() failed on: /var/spool/postfix/incoming/E5C134E
Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13774 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13943 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13943 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13943 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13943 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13943 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13943 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:00 gglvboft001 clamd[13874]: lstat() failed on: /var/spool/postfix/maildrop/DF960218984
Jul 7 10:03:25 gglvboft001 clamd[13874]: /tmp/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Jul 7 10:03:25 gglvboft001 clamonacc: /tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND
Jul 7 10:03:25 gglvboft001 clamd[13874]: /tmp/eicar2.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f: 68) FOUND
Jul 7 10:03:25 gglvboft001 clamonacc: /tmp/eicar2.com: Win.Test.EICAR_HDB-1 FOUND
Jul 7 10:03:41 gglvboft001 su: (to root) erirhe1d on pts/0
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13992 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13992 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway

My test:
[erirhe1d@gglvboft001 tmp]$ date
Tue Jul 7 10:03:15 CEST 2020
[erirhe1d@gglvboft001 tmp]$ cp eicar.com eicar2.com
[erirhe1d@gglvboft001 tmp]$ date
Tue Jul 7 10:03:36 CEST 2020

My disks:
[root@gglvboft001 ~]# lsblk
NAME                    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                       8:0    0   20G  0 disk
├─sda1                    8:1    0  512M  0 part /boot
└─sda2                    8:2    0 19.5G  0 part
  ├─system-lv--root     253:0    0    8G  0 lvm  /
  ├─system-lv--swap     253:1    0    2G  0 lvm  [SWAP]
  ├─system-lv--srv      253:4    0    2G  0 lvm  /srv
  ├─system-lv--var      253:5    0    4G  0 lvm  /var
  └─system-lv--tmp      253:6    0    2G  0 lvm  /tmp
sdb                       8:16   0  100G  0 disk
└─sdb1                    8:17   0  100G  0 part
  ├─datavg-lv--data     253:2    0    4G  0 lvm  /data
  └─datavg-lv--audit    253:3    0    1G  0 lvm  /var/log/audit

[erirhe1d@gglvboft001 tmp]$

Kind regards,

Eric van Rheenen
Linux administration
Raadhuisplein 10, 9751AN Haren

E-Mail: Eric.van.Rheenen@groningen.nl
Ericvan.Rheenen@ts.fujitsu.com
Telephone: +31 (0)6 1640 2686
Re: clamonaccess scanning does not see /tmp/eicar.com
If my understanding is correct, then the IncludePath will only cause the monitoring of directories that are not mount points.
But because /tmp is a mounted filesystem, IncludePath might be monitoring the directory underneath the mounted filesystem (if it is monitoring anything at all), NOT the mounted filesystem.

A quick test would be for you to unmount /tmp and drop the test file into /tmp without restarting ClamAV. If it detects it, then ClamAV was monitoring the underlying directory. If it doesn’t detect it, then ClamAV is testing to see if a directory is a mount point and ignoring it if the path is a mount point.

Maarten Broekman

Sent from a tiny keyboard
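
The reply above turns on whether an OnAccessIncludePath entry is itself a mount point. The following Python script is an added example, not part of the thread and not ClamAV code: it classifies each configured path against a mount table. The sample inputs are constructed from the scan.conf and lsblk output posted earlier (device paths and filesystem types are assumed), and the script only reports mount-point status; it does not establish how clamonacc treats such paths.

```python
import posixpath
import re

# Constructed sample: a subset of the scan.conf posted in the thread.
SAMPLE_CONF = """\
ExcludePath ^/proc/
User clamscan
OnAccessIncludePath /bin
OnAccessIncludePath /sbin
OnAccessIncludePath /boot
OnAccessIncludePath /data
OnAccessIncludePath /etc
OnAccessIncludePath /lib
OnAccessIncludePath /lib64
OnAccessIncludePath /srv
OnAccessIncludePath /tmp
OnAccessIncludePath /usr
OnAccessIncludePath /var
OnAccessExcludePath /proc
OnAccessExcludePath /sys
"""

# Constructed sample in /proc/mounts format. Mount points come from the lsblk
# output in the thread; device paths, fs types and options are assumptions.
SAMPLE_MOUNTS = """\
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
/dev/mapper/system-lv--root / xfs rw 0 0
/dev/sda1 /boot xfs rw 0 0
/dev/mapper/system-lv--srv /srv xfs rw 0 0
/dev/mapper/system-lv--var /var xfs rw 0 0
/dev/mapper/system-lv--tmp /tmp xfs rw 0 0
/dev/mapper/datavg-lv--data /data xfs rw 0 0
/dev/mapper/datavg-lv--audit /var/log/audit xfs rw 0 0
"""

_OPTIONS = {
    "OnAccessIncludePath": "include",
    "OnAccessMountPath": "mount",
    "OnAccessExcludePath": "exclude",
}


def parse_onaccess(conf_text):
    """Collect the OnAccess path options from clamd.conf-style text."""
    paths = {"include": [], "mount": [], "exclude": []}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in _OPTIONS:
            value = parts[1].strip().strip('"')
            paths[_OPTIONS[parts[0]]].append(posixpath.normpath(value))
    return paths


def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(mounts_text):
    """Return the sorted, de-duplicated mount points from /proc/mounts text."""
    points = set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            points.add(posixpath.normpath(_unescape(fields[1])))
    return sorted(points)


def _is_under(path, parent):
    """True when path lies strictly below parent."""
    if path == parent:
        return False
    prefix = parent if parent.endswith("/") else parent + "/"
    return path.startswith(prefix)


def audit_include_paths(paths, mount_points):
    """Map each OnAccessIncludePath to (status, mount points nested below it)."""
    report = {}
    for inc in paths["include"]:
        nested = [m for m in mount_points if _is_under(m, inc)]
        if inc in mount_points:
            status = "mount-point"
        elif nested:
            status = "contains-mounts"
        else:
            status = "plain-directory"
        report[inc] = (status, nested)
    return report


def unlisted_mount_paths(paths, mount_points):
    """OnAccessMountPath entries that do not appear in the mount table."""
    return [p for p in paths["mount"] if p not in mount_points]


if __name__ == "__main__":
    conf = parse_onaccess(SAMPLE_CONF)
    mounts = parse_mounts(SAMPLE_MOUNTS)
    for path, (status, nested) in audit_include_paths(conf, mounts).items():
        print(f"{path:8} {status:16} {' '.join(nested)}")
```

On a live host, pass the contents of /etc/clamd.d/scan.conf and /proc/mounts to the two parsers instead of the constructed samples.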

> Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13943 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:00 gglvboft001 clamd[13874]: lstat() failed on: /var/spool/postfix/maildrop/DF960218984
> Jul 7 10:03:25 gglvboft001 clamd[13874]: /tmp/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
> Jul 7 10:03:25 gglvboft001 clamonacc: /tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND
> Jul 7 10:03:25 gglvboft001 clamd[13874]: /tmp/eicar2.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
> Jul 7 10:03:25 gglvboft001 clamonacc: /tmp/eicar2.com: Win.Test.EICAR_HDB-1 FOUND
> Jul 7 10:03:41 gglvboft001 su: (to root) erirhe1d on pts/0
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13992 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13992 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
> Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
>
> My test:
> [erirhe1d@gglvboft001 tmp]$ date
> Tue Jul 7 10:03:15 CEST 2020
> [erirhe1d@gglvboft001 tmp]$ cp eicar.com eicar2.com
> [erirhe1d@gglvboft001 tmp]$ date
> Tue Jul 7 10:03:36 CEST 2020
>
> My disks:
> [root@gglvboft001 ~]# lsblk
> NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
> sda 8:0 0 20G 0 disk
> ├─sda1 8:1 0 512M 0 part /boot
> └─sda2 8:2 0 19.5G 0 part
>   ├─system-lv--root 253:0 0 8G 0 lvm /
>   ├─system-lv--swap 253:1 0 2G 0 lvm [SWAP]
>   ├─system-lv--srv 253:4 0 2G 0 lvm /srv
>   ├─system-lv--var 253:5 0 4G 0 lvm /var
>   └─system-lv--tmp 253:6 0 2G 0 lvm /tmp
> sdb 8:16 0 100G 0 disk
> └─sdb1 8:17 0 100G 0 part
>   ├─datavg-lv--data 253:2 0 4G 0 lvm /data
>   └─datavg-lv--audit 253:3 0 1G 0 lvm /var/log/audit
>
> [erirhe1d@gglvboft001 tmp]$
>
> Met vriendelijke groet,
>
> Eric van Rheenen
> Linux beheer
> Raadhuisplein 10, 9751AN Haren
>
> E-Mail: Eric.van.Rheenen@groningen.nl
> Ericvan.Rheenen@ts.fujitsu.com
> Telefoon: +31 (0)6 1640 2686
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml