Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. ClamAV>
  3. win32
[clamav-users] Clamd OnAccess + OnAccessPrevention performance questions (linux)...
clamav-users at lists
Oct 11, 2019, 8:44 AM
Post #1 of 2 (125 views)
Permalink
1) Does OnAccessPrevention mean that it blocks access to files when they are in the queue, while scanned, and forevermore if detected as malicious, or is it a subset of this? Conversely, if OnAccessPrevention is disabled, can I expect a performance boost since there should be no blocking at any point in the processing pipeline?

2) I’ve seen log entries like this when OnAccessPrevention is disabled, but it’s not clear if this was a file clamd would have temporarily blocked access to had it been able to get a lock on the file before it was removed?

ScanOnAccess: /tmp/MLbtUsOc (deleted): (null) FOUND

I assume linux doesn’t provide a means where clamd can easily hook into kernel file create events to do something like create additional hard links to transient files so that it can leisurely scan them while letting the originating app think it has deleted the file and move on?

3) Is OnAccessPrevention global? There are directories where I’d like to know about findings but not otherwise act on, however I would prefer to enable prevention for other areas of the system.

Related, is it possible to have different actions depending on different types/families of malicious files? For instance if I’m running a linux system, I may be more concerned with native binaries than Windows executables.

4) LeaveTemporaryFiles — is there a version of this but only when a detection is found? Or a LeaveHardlinks for found items that I can later investigate myself?

Thanks and sorry for the grouping of questions — I didn’t want to spam the list with different threads.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Clamd OnAccess + OnAccessPrevention performance questions (linux)... [ In reply to ]
clamav-users at lists
Oct 16, 2019, 6:53 AM
Post #2 of 2 (124 views)
Permalink
Hi Ian,

Sorry about the delayed response. It looks like no one else got back to you. I'll try to answer inline, best I can...

Micah

?On 10/11/19, 11:46 AM, "clamav-users on behalf of Ian via clamav-users" <clamav-users-bounces@lists.clamav.net on behalf of clamav-users@lists.clamav.net> wrote:

> 1) Does OnAccessPrevention mean that it blocks access to files when they are in the queue, while scanned, and forevermore if detected as malicious, or is it a subset of this? Conversely, if OnAccessPrevention is disabled, can I expect a performance boost since there should be no blocking at any point in the processing pipeline?

I believe you're correct in your initial guess. If Prevention is enabled, it would block access while in queue, while scanned, and forevermore if detected as malicious. Yes, there is a notable performance boost if monitoring very active directories if prevention is disabled - In my own testing it was particularly noticable in 0.102 with clamonacc + clamd. In less active directories, the on-access prevention blocking isn't really noticeable.

> 2) I’ve seen log entries like this when OnAccessPrevention is disabled, but it’s not clear if this was a file clamd would have temporarily blocked access to had it been able to get a lock on the file before it was removed?
>
> ScanOnAccess: /tmp/MLbtUsOc (deleted): (null) FOUND
>
> I assume linux doesn’t provide a means where clamd can easily hook into kernel file create events to do something like create additional hard links to transient files so that it can leisurely scan them while letting the originating app think it has deleted the file and move on?

I don't know if it's possible to use the same feature that Prevention uses to temporarily block access just long enough to make a hard link so the file isn't deleted before it is scanned. That seems like a clever idea. I'll see if we can look into it.

> 3) Is OnAccessPrevention global? There are directories where I’d like to know about findings but not otherwise act on, however I would prefer to enable prevention for other areas of the system.
>
> Related, is it possible to have different actions depending on different types/families of malicious files? For instance if I’m running a linux system, I may be more concerned with native binaries than Windows executables.

Prevention is global. In 0.102 you can run multiple clamonacc clients, and use the clamonacc --config-file=FILE command line option to specify different configs to get this effect. Regarding different actions, I don't think there is a way to do different actions by file type.

> 4) LeaveTemporaryFiles — is there a version of this but only when a detection is found? Or a LeaveHardlinks for found items that I can later investigate myself?

LeaveTemporaryFiles will only leave behind stuff that is extracted in the course of a scan (normalized file content, archive contents, etc). It's useful for analysts to investigate file contents, and write signatures - but probably less useful for investigating a detection. The clamonacc --copy=DIRECTORY command line should provide that functionality.

> Thanks and sorry for the grouping of questions — I didn’t want to spam the list with different threads.




_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal