Mailing List Archive

clamonacc
I'm having issues getting onaccess scanning to scan multiple paths.  If I put only:
OnAccessIncludePath /home

It works fine when I cat eicar.txt.  I get the "clamonacc: /home/jjones/eicar.txt: Eicar-Signature FOUND" in /var/log/messages.

However, when I list multiple paths:
OnAccessIncludePath /bin
OnAccessIncludePath /home
OnAccessIncludePath /lib64
OnAccessIncludePath /mnt
OnAccessIncludePath /run
OnAccessIncludePath /srv
OnAccessIncludePath /tmp
OnAccessIncludePath /boot
OnAccessIncludePath /lib
OnAccessIncludePath /media
OnAccessIncludePath /opt
OnAccessIncludePath /root
OnAccessIncludePath /sbin
OnAccessIncludePath /usr

I get the " clamonacc: ClamInotif: watching" for all the directories like it is working.  But when I cat eicar.txt, I do not get any response from clamonacc nor do I receive any error message.

This is CentOS 7
clamd -V
ClamAV 0.102.4/25895/Wed Aug  5 12:44:56 2020

Thanks in advance,
Josh


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: clamonacc
Hi Josh,

Trying to use clamonacc as you are has many implications/limitations that will likely give you a headache or two. I went down that path initially when trying to implement On-Access Scanning, and ended up deciding to use it in a much more targeted manner after much stress.

I detailed some of these issues under "Caveat of ClamAV’s On-Access Scanning" here: https://medium.com/@aaronbrighton/installation-configuration-of-clamav-antivirus-on-ubuntu-18-04-a6416bab3b41#9a3d

Specifically in your case, my guess is you're running into what I detailed under "3. Watching directory paths that contain special files" specifically, which has an associated bug ticket: https://bugzilla.clamav.net/show_bug.cgi?id=12306

If you turn on clamonacc verbose logging with the "--verbose" switch when running it, do you see an error similar to the following in the clamonacc output/log file:

--------------------------------------
ClamInotif: watching '/var' (and all sub-directories)
ClamInotif: excluding '/var/log' (and all sub-directories)
ERROR: ClamInotif: could not watch path '/var', 3

If so, can you run the following command substituting "/var" for the directory mentioned in the above error, to determine the types of files in the respective directory:

sudo find /var -exec stat -c%F {} \; | sort | uniq

In my experience, I've seen the following types of files causing issues with clamonacc's initialization:

character special file
fifo

Unfortunately, using OnAccessExcludePath doesn't eliminate the issue.

Hope this helps,

Aaron
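
An added example, not part of the thread or of ClamAV: a bash script that extends the find/stat check from the reply above to every OnAccessIncludePath in a clamd.conf-style file and lists only the two file types the reply names. The function names and the config file path in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report FIFOs and character devices
# under every OnAccessIncludePath of a clamd.conf-style file.

# Print each OnAccessIncludePath value; commented-out lines are skipped.
include_paths() {
    awk '$1 == "OnAccessIncludePath" {
             sub(/^[ \t]*OnAccessIncludePath[ \t]+/, ""); print
         }' "$1"
}

# List the two file types named in the reply, labelled as stat -c%F prints them.
special_files() {
    find "$1" -type p -print 2>/dev/null | sed 's|^|fifo: |'
    find "$1" -type c -print 2>/dev/null | sed 's|^|character special file: |'
}

# One "<count><TAB><dir>" line per include path, then the matching files.
# OnAccessExcludePath is deliberately not subtracted: the reply reports that
# excluding a path does not avoid the problem.
audit_conf() {
    include_paths "$1" | while IFS= read -r dir; do
        if [ ! -d "$dir" ]; then
            printf 'missing\t%s\n' "$dir"
            continue
        fi
        found=$(special_files "$dir")
        if [ -z "$found" ]; then
            printf '0\t%s\n' "$dir"
        else
            printf '%s\t%s\n' "$(printf '%s\n' "$found" | wc -l | tr -d ' ')" "$dir"
            printf '%s\n' "$found" | sed 's|^|    |'
        fi
    done
}

# Usage: ./script.sh /etc/clamd.d/scan.conf  (config path is an assumption)
if [ "$#" -gt 0 ]; then
    audit_conf "$1"
fi
```

Run it as root so find can descend into every directory; include paths with a non-zero count are the ones to compare against the clamonacc --verbose output.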


Re: clamonacc
Hi Aaron,

Thanks for the response.  As I stated in the original post, I am not monitoring /var.  I'm not getting any errors with "ERROR: ClamInotif: could not watch path", even with verbose logging on.  I had this all working before EPEL switched to the clamonacc version.

Thanks,





