Mailing List Archive

[clamav-users] Clamav with a samba server ?
Hello,

I would like to get advice or feedback about the use of clamav on a
samba share server.

I have a fresh install of samba on a centos 7 (share server), and I
would like to know if it makes sense to install clamav on this centos 7
box ?

Because all workstations on which domain users mount the samba share
have already an antivirus program.

What is the best practice ?

Best Regards,

EdG


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Clamav with a samba server ?
> I would like to get advice or feedback about the use of clamav on a
> samba share server.
>
> I have a fresh install of samba on a centos 7 (share server), and I
> would like to know if it makes sense to install clamav on this centos 7
> box ?
>
> Because all workstations on which domain users mount the samba share
> have already an antivirus program.
>
> What is the best practice ?

Are you pushing antivirus updates out to all the workstations to make
sure they are always up to date?

You could enable 'on access' scanning on the CentOS box, however the
amount of load it would create would be dependent on the usage level I
suppose.

Having an extra layer of scanning IMO is always good. Different
anti-virus programs seem to catch different things just because of the
sheer volume of new viruses and such that come out every day.

Re: [clamav-users] Clamav with a samba server ?
Hello,

Thank you for your answer.

Yes, all workstations have antivirus updates, this is a commercial
antivirus.

What do you mean by "You could enable 'on access' scanning on the CentOS
box" ?
Is there a special to start clamav with mode 'on access' ?

What is this 'on access' mode ?


Re: [clamav-users] Clamav with a samba server ?
> What do you mean by "You could enable 'on access' scanning
> on the CentOS box" ?
> Is there a special to start clamav with mode 'on access' ?
>
> What is this 'on access' mode ?

https://www.clamav.net/documents/on-access-scanning

https://www.clamav.net/documents/scanning#on-access-scanning

https://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html

Hope that helps...

Re: [clamav-users] Clamav with a samba server ?
All,

On a related topic: the next version of ClamAV (v0.102) will include a new on-access scanning client that is a separate program from clamd. The way in which on-access scanning is configured will change a little as a result. The separate scanning client will be more stable and will improve the security posture somewhat because clamd will not have to be run as root.

Look forward to the beta for 0.102 to be published in the coming weeks.

Regards,
Micah

Re: [clamav-users] Clamav with a samba server ?
Hello again,

I read the docs from the links, but may you please help me to understand
what 'on access' scanning will do / can do ?

I installed clamav on my centos 7 box, but have not yet started the clamav service.

I have set in /etc/clamd.d/scan.conf
ScanOnAccess yes
OnAccessIncludePath /home/usertest

When I start the clamav service :

Will clamav scan only /home/usertest ?

What will happen if clamav detects a virus or malware already present in
/home/usertest ?
Will it quarantine the infected files ?

What will happen if the user tries to copy an infected file into his
/home/usertest (via samba) ?
Will it be impossible for him to copy the infected files ?

I would like to be reassured before starting the clamav service, and avoid any
user complaints against me.

Best Regards,

EdG


Re: [clamav-users] Clamav with a samba server ?
Hi Edouard,

If you are unsure how it works then it is best to try it out on a stand
alone set-up that is not in use by other users.

Set up a clean system with samba and clamav and use your own host to
connect to it so that no other users are involved. You can then try
various things without risk of upsetting other users.

It is never a good thing to install new software that you are not
familiar with on a live system without first trying it out on a test
system.

Regards
Mark Fortescue

Re: [clamav-users] Clamav with a samba server ?
EdG,

I will try to respond to your questions inline, below...

On 7/26/19, 11:30 AM, "clamav-users on behalf of Edouard Guigné" <clamav-users-bounces@lists.clamav.net on behalf of eguigne@pasteur-cayenne.fr> wrote:

> Hello again,
>
> I read the docs from the links, but may you please help me to understand
> what 'on access' scanning will do / can do ?

On-access scanning enables clamd to detect when a file has been accessed and automatically scan it. Depending on your settings, it may simply log the alert in your clamd.log file, or it may block access to the file if the scan verdict is not clean (i.e. a signature matched on the file).
In 0.101 and prior versions, `clamd` must be run with root privileges in order for on-access scanning to work.

As a heads up, in the next version (v0.102) a separate utility named `clamonacc` will be provided that you run as root which can either pass the file descriptor to clamd, in which case clamd must be able to read the file -- or it can stream the file to clamd, in which case clamd need not have access to the original file. The streaming method is of course slower, so it may not work for every use case.

> I installed clamav on my centos 7 box, but have not yet started the clamav service.
>
> I have set in /etc/clamd.d/scan.conf
> ScanOnAccess yes
> OnAccessIncludePath /home/usertest
>
> When I start the clamav service :
>
> Will clamav scan only /home/usertest ?

When a file in /home/usertest is accessed, clamd will scan the file.
You can also use `clamdscan` to manually scan other files outside of /home/usertest.

> What will happen if clamav detects a virus or malware already present in
> /home/usertest ?
> Will it quarantine the infected files ?

It will write the scan result to your clamd.log file.
If you set: OnAccessPrevention yes, it will prevent you from accessing the file.

With the new `clamonacc` tool in the next version (v0.102), you will be able to remove, move, or copy the file as well - much like you can today with `clamdscan`. In addition, the VirusEvent feature, used to execute a script and notify the user that something was detected, will work again. As I understand it, the VirusEvent feature only works with clamdscan in versions 0.101 and 0.100 and does not presently work for on-access scanning.

> What will happen if the user tries to copy an infected file into his
> /home/usertest (via samba) ?
> Will it be impossible for him to copy the infected files ?

In 0.101.2 the ExtraScanning feature which detects file-move and file-copy events is disabled, due to instability issues. If you enable OnAccessPrevention, the users will be able to copy the infected file from the share to the watched location (/home/usertest), but it should be impossible to read, write, or execute the infected file.

For the next version (v0.102), if ExtraScanning and OnAccessPrevention are enabled, the users won't be able to copy the infected file to the watched location.

> I would like to be reassured before starting the clamav service, and avoid any
> user complaints against me.

As Mark Fortescue suggested, please try it out on a test system to see if you are satisfied with how it works.

Do also bear in mind that you will have to update how you configure and run on-access scanning when you upgrade to the next version.

Respectfully,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
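
A pre-start check for the settings discussed in the reply above, as an added example that is not from the thread or the ClamAV project: it reads a clamd config file and reports whether on-access scanning is disabled, log-only, or blocking (OnAccessPrevention), and warns when `User` is not root, since the reply says on-access scanning needs clamd running as root in 0.101 and earlier. The function names, mode labels and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ClamAV project code): predict what clamd's on-access
# settings will do before the service is started on a 0.101 test system.

# conf_values FILE KEY -> every value given for KEY, one per line.
# clamd config lines are "Key value"; lines starting with # are comments.
conf_values() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key && NF >= 2 {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the key, keep the value
            sub(/[ \t]+$/, "")                # drop trailing blanks
            print
        }' "$1"
}

# conf_bool FILE KEY -> "yes" if KEY is set to yes/true/1, otherwise "no".
# Assumption: the option appears once; only its first occurrence is read.
conf_bool() {
    case "$(conf_values "$1" "$2" | head -n 1 | tr 'A-Z' 'a-z')" in
        yes|true|1) echo yes ;;
        *)          echo no ;;
    esac
}

# on_access_mode FILE -> disabled | log-only | blocking
#   log-only: detections are written to clamd.log, access is not denied
#   blocking: OnAccessPrevention yes, access to a detected file is denied
on_access_mode() {
    if [ "$(conf_bool "$1" ScanOnAccess)" != yes ]; then
        echo disabled
    elif [ "$(conf_bool "$1" OnAccessPrevention)" = yes ]; then
        echo blocking
    else
        echo log-only
    fi
}

# on_access_warnings FILE -> one line per setting to fix before starting clamd.
on_access_warnings() {
    if [ "$(on_access_mode "$1")" = disabled ]; then return 0; fi
    if [ -z "$(conf_values "$1" OnAccessIncludePath)" ]; then
        echo "no OnAccessIncludePath set"
    fi
    user=$(conf_values "$1" User | head -n 1)
    if [ -n "$user" ] && [ "$user" != root ]; then
        echo "User is '$user': on-access needs clamd running as root in 0.101 and earlier"
    fi
    return 0
}

# Constructed sample: the two lines from the thread plus an assumed "User" line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed test config
User clamscan
ScanOnAccess yes
OnAccessIncludePath /home/usertest
EOF
echo "mode:    $(on_access_mode "$sample")"
echo "watched: $(conf_values "$sample" OnAccessIncludePath)"
on_access_warnings "$sample"
rm -f "$sample"
```

On the test system, call the same functions with /etc/clamd.d/scan.conf as the file argument.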

Re: [clamav-users] Clamav with a samba server ?
Hello,

Thank you very much for your help.

I have limited OnAccessIncludePath to /home/usertest in order to test
only with this directory
As you indicate, it is better to use a test system first.

On the centos 7, clamav version is 0.101

I can use clamdscan with VirusEvent as a cron task, only to scan /home
during the night, for example.
For this purpose, I do not think I need to start the clamd service
with On-Access enabled.
