Mailing List Archive

[clamav-users] Clamdtop not showing activity for ScanOnAccess activity?
I’m sure I’ve done something wrong, so hopefully I can give enough detail to discover what that is...

Ubuntu 18.04.3 LTS (4.15.0-1040-aws)

Installed packages:
ii clamav 0.100.3+dfsg-0ubuntu0.18.04.1 amd64 anti-virus utility for Unix - command-line interface
ii clamav-base 0.100.3+dfsg-0ubuntu0.18.04.1 all anti-virus utility for Unix - base package
ii clamav-daemon 0.100.3+dfsg-0ubuntu0.18.04.1 amd64 anti-virus utility for Unix - scanner daemon
ii clamav-freshclam 0.100.3+dfsg-0ubuntu0.18.04.1 amd64 anti-virus utility for Unix - virus database update utility
ii libclamav7:amd64 0.100.3+dfsg-0ubuntu0.18.04.1 amd64 anti-virus utility for Unix - library

I’ve enabled on-access scanning (detect only), changed the user to root and (hopefully) adjusted the socket information to work with these adjustments:

LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup root
LocalSocketMode 666
ScanOnAccess true

ls -la /var/run/clamav/clamd.ctl
srw-rw-rw- 1 root root 0 Oct 9 21:14 /var/run/clamav/clamd.ctl

Running clamdtop (sudo or otherwise) shows one entry for the daemon running on local. It correctly displays the version of the engine, db version, and dbtime.

If I use clamdscan, I see plenty of activity and an appropriate CPU utilization in both clamdtop and regular top.

However, if I attempt to access files outside of calling clamdscan, clamdtop remains silent. Running top in a different window shows clamd using plenty of CPU resources, and I see /tmp/clamav*.tmp folders getting created so I know it’s doing work.

What have I missed? AppArmor doesn’t seem to be getting in the middle of anything (dmesg and journalctl are silent about clamd) and SELinux is disabled.

Here’s my clamd.conf contents:

LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup root
LocalSocketMode 666
#User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted true
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
DetectBrokenExecutables false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA true
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
ScanOnAccess true
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OnAccessMountPath /
OnAccessMountPath /home
OnAccessMountPath /var/log
OnAccessMountPath /var/tmp
OnAccessPrevention false
OnAccessMountPath /tmp

And the custom rules I added for AppArmor in local/usr.sbin.clamd:

capability sys_admin,
capability dac_read_search,
/ r,
/** r,

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Clamdtop not showing activity for ScanOnAccess activity?
Hi Ian,

It's my understanding that on-access scanning features in ClamAV 0.100 and 0.101 run in newly created threads for each scan outside of the normal clamd scanning thread pool. It's no surprise to me that clamdtop doesn't observe on-access scan activity in 0.100 or 0.101.

Resource management of these on-access scanning threads was a bit of a problem, which is why the "VirusEvent" and "ExtraScanning" features had been disabled. This, and the security concerns regarding scanning malware while clamd is running with root privileges (kinda the opposite of a sandboxed environment), led us to overhaul the on-access scanning features.

In ClamAV 0.102 (just released), the on-access scanning feature is now a separate client program called clamonacc that submits scans to clamd similar to how clamdscan and clamav-milter submit scans. Scans triggered by clamonacc should now show up in clamdtop.

-Micah
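As an added example (not ClamAV's own code and not something from this thread): a minimal client that submits a scan to clamd over the LocalSocket from the clamd.conf above using the NUL-terminated zINSTREAM command, the same socket path a client such as clamdscan uses, so that the scan is counted in clamdtop. The socket path, the chunk size and the sample replies are assumptions; clamd must be running for `scan_bytes` to connect.

```python
"""Submit a scan to clamd over its local socket the way a client such as
clamdscan or clamonacc does, so the scan is visible in clamdtop.

Added example for this thread, not ClamAV's own code. Assumptions: the
socket path is the LocalSocket from the thread's clamd.conf and the data
is smaller than that config's StreamMaxLength (25M)."""
import socket
import struct

SOCKET_PATH = "/var/run/clamav/clamd.ctl"   # LocalSocket from the thread's clamd.conf
CHUNK_SIZE = 64 * 1024                      # assumed chunk size


def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE):
    """Yield the frames of a zINSTREAM session: the NUL-terminated command,
    then <u32 big-endian length><chunk> blocks, then a zero-length terminator."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)


def parse_reply(reply: bytes):
    """Parse a NUL-terminated clamd reply such as b'stream: OK\\0' or
    b'stream: Eicar-Test-Signature FOUND\\0' into (status, detail)."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "OK", None
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    if verdict.endswith(" ERROR"):
        return "ERROR", verdict[:-len(" ERROR")]
    return "UNKNOWN", verdict


def scan_bytes(data: bytes, socket_path: str = SOCKET_PATH):
    """Stream data to a running clamd and return (status, detail)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):   # replies to z-commands end with NUL
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)
```

Running `scan_bytes(open(path, "rb").read())` while clamdtop is open shows the scan in the daemon's queue, which is the behaviour the reply describes for clamonacc in 0.102.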

On 10/9/19, 8:37 PM, "clamav-users on behalf of Ian via clamav-users" <clamav-users-bounces@lists.clamav.net on behalf of clamav-users@lists.clamav.net> wrote: