Mailing List Archive

Hi there,

On Thu, 17 Oct 2019, Ian via clamav-users wrote:

> Ubuntu 18.04.3 LTS
> Clam 0.100.3+dfsg-0ubuntu0.18.04.1
>
> When I run this:
>
> /usr/bin/clamdscan -m -i --no-summary /

Don't do that.

1. Read the 'man' page for the valid options.

2. Read the list archives for more about what *not* to scan on Linux.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

> On Oct 18, 2019, at 12:02 AM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>
> On Thu, 17 Oct 2019, Ian via clamav-users wrote:
>
>> Ubuntu 18.04.3 LTS
>> Clam 0.100.3+dfsg-0ubuntu0.18.04.1
>>
>> When I run this:
>>
>> /usr/bin/clamdscan -m -i --no-summary /
(Reinserted from original message for context)
I get this error:
clamd: /tmp/clamav-ebbb3a980b0a96075cdf8b18191ad4a3.tmp/tar302: Access denied. ERROR

>
> Don't do that.
>
> 1. Read the 'man' page for the valid options.
>
> 2. Read the list archives for more about what *not* to scan on Linux.
>

Government regulations require that I scan the entire filesystem daily -- I've already excluded the folders that contain pseudo files. Also, it seems like bad advice to omit scanning the folder most likely to find a payload from a malicious actor (because file permissions tend to be lax in /tmp), but I could be misinterpreting what "Don't do that" means.

This doesn't seem like a difficult problem for clamav to solve -- clamd is asked to scan the file system and it creates temp files to accomplish this -- how can it be ignorant of what those files are? Even if it didn't know the files, it could, after receiving an "ACCESS DENIED" error, do something akin to an lsof of the file, see that it is the one with the handle to the file, and silently move on?

I'm fairly certain I didn't run into this when I used clamscan instead, but I'll double check.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Hi there,

On Fri, 18 Oct 2019, Ian via clamav-users wrote:
>> On Oct 18, 2019, at 12:02 AM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>> On Thu, 17 Oct 2019, Ian via clamav-users wrote:
>>
>>> /usr/bin/clamdscan -m -i --no-summary /
>>
>> Don't do that.
>
> Government regulations require that I scan the entire filesystem
> daily --

Which government is this, and which regulations? Do the regulations
specify the minimum acceptable probability (*) of finding something
malicious (given such a thing is in fact there) with your choice of
scanning tool? And acceptable characteristics of the infrastructure
supporting the chosen scanning engine, the frequency of updates, the
methods to be used by said engine, and the security systems in place
which prevent compromise of all that? If not, the bald imprecation
(for that's all it is) "scan daily" seems to be completely pointless.

(*) I'd estimate for ClamAV you're looking at about 30% on a good day,
and if it's a zero-day exploit, obviously, zero percent, for anything,
not just ClamAV. If you don't like these numbers, read my occasional
posts about it in the archives of this list, going back several years.

> I've already excluded the folders that contain pseudo files.

That's good - although if you'd mentioned it earlier it would be much
easier to believe. The main trouble is that things like your command
to scan '/' get written into internet folklore like the 'mx' mechanism
in your SPF record and then everybody does it, because that's what it
says on the Internet. It's really much better if you actually think
about it a bit first.

> Also, it seems like bad advice to omit scanning the folder most
> likely to find a payload from a malicious actor (because file
> permissions tend to be lax in /tmp), but I could be misinterpreting
> what "Don't do that" means.

You are indeed misinterpreting. I didn't advise "don't scan /tmp",
and it seems to me to be a little churlish to accuse me of giving bad
advice when (a) I didn't give that advice and (b) I'm actually trying
to help. And if you're worried about file permissions in /tmp you are
presumably capable of doing something about it (although there might
be good reason to be cautious when you start along that kind of path).

> This doesn't seem like a difficult problem...

I think I'd be disappointed if I told clamd to scan everything in a
directory tree, and it didn't try to do that. On the other hand it's
not the sort of thing I'd generally do, unless the tree was a client's
Windows filesystem that I'd mounted temporarily to take a peek at it.

Read the man page for clamd, especially the bit that talks about where
it should store its temporary files.

Do these log messages actually matter? As I mentioned to someone else
recently, there's always syslog-ng.

Is there a reason you think something nasty might be able to get into
this filesystem that you're, er, religiously scanning daily? And, if
there is, would it not make more sense to deal with that, instead of
waiting for it to get in, and then playing hide'n'seek with it? For
once it's in, all bets are off and you'd best buy some new drives (of
course you can't even really trust brand new drives any more). FWIW
the last time I saw a compromised Linux box was almost twenty years
ago, but I know it does still happen because people will insist on a
pretty-looking blog, or forum, or whatever, and then they don't seem
to bother patching things, even when the exploit's been in the news
for a week. Even when they're a computer security company.

Do these government regulations say anything about patching software?
Judging by the number of ransomware outbreaks in US government bodies
I guess maybe not. (You seem to be on PDT, so I guessed again. :)

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

> On Oct 18, 2019, at 10:10 AM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>
> On Fri, 18 Oct 2019, Ian via clamav-users wrote:
>>> On Oct 18, 2019, at 12:02 AM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>>> On Thu, 17 Oct 2019, Ian via clamav-users wrote:
>>>
>>>> /usr/bin/clamdscan -m -i --no-summary /
>>>
>>> Don't do that.
>>
>> Government regulations require that I scan the entire filesystem
>> daily --
>
> Which government is this, and which regulations?

https://nvd.nist.gov/800-53/Rev4/control/RA-5 <https://nvd.nist.gov/800-53/Rev4/control/RA-5>

This is one of the controls I have to work with— it’s not the only one since there are overlapping controls from other regulations. It was determined that we needed to do daily scans by auditors familiar with these regulations. Please don’t blame the victim.

>
>> I've already excluded the folders that contain pseudo files.
>
> That's good - although if you'd mentioned it earlier it would be much
> easier to believe. The main trouble is that things like your command
> to scan '/' get written into internet folklore like the 'mx' mechanism
> in your SPF record and then everybody does it, because that's what it
> says on the Internet. It's really much better if you actually think
> about it a bit first.

I think this is unfair — I specifically asked about a specific temp file that clamav was creating and then choking on. The title of this thread wasn’t asking why I’m getting ACCESS DENIED errors all over the place — it specially called out one particular problem I do not see when I’ve used other antivirus products in linux, or even when I do a “sudo clamscan —temper /tmp /tmp” on the same system.

>> Also, it seems like bad advice to omit scanning the folder most
>> likely to find a payload from a malicious actor (because file
>> permissions tend to be lax in /tmp), but I could be misinterpreting
>> what "Don't do that" means.
>
> You are indeed misinterpreting. I didn't advise "don't scan /tmp",
> and it seems to me to be a little churlish to accuse me of giving bad
> advice when (a) I didn't give that advice and (b) I'm actually trying
> to help. And if you're worried about file permissions in /tmp you are
> presumably capable of doing something about it (although there might
> be good reason to be cautious when you start along that kind of path).

Again, I feel this is unfair — I called out the one temp file that clamav was having issues with — you edited that out from your response, while tersely responding with what amounts to “Don’t do that, RTFM.” How else could that be reasonable interpreted?

>
>> This doesn't seem like a difficult problem...
>
> I think I'd be disappointed if I told clamd to scan everything in a
> directory tree, and it didn't try to do that. On the other hand it's
> not the sort of thing I'd generally do, unless the tree was a client's
> Windows filesystem that I'd mounted temporarily to take a peek at it.
>
> Read the man page for clamd, especially the bit that talks about where
> it should store its temporary files.

This dances around the problem I’m trying to solve. Why does it matter where the temporary files are created? When does it make sense to scan its own temp files? Why does this only happen with clamdscan and not clamscan?

>
> Do these log messages actually matter? As I mentioned to someone else
> recently, there's always syslog-ng.
>
They do, and as I mentioned in the original post, it’s a difficult problem to filter out because malicious actors could create similarly named files to take advantage of these filters. This is an attack vector that was recently used against Cylance:
https://kb.cert.org/vuls/id/489481/ <https://kb.cert.org/vuls/id/489481/>

It seemed like a poor solution, which was the impetus for creating this thread.

"of course you can't even really trust brand new drives any more"

Do you mean unreliability, or active insecurity? If the latter, any
examples? (Of drives per se, not hardware systems or subsystems.)

And what can any AV do about it?



On Fri, 18 Oct 2019 18:10:17 +0100 (BST)
"G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Fri, 18 Oct 2019, Ian via clamav-users wrote:
> >> On Oct 18, 2019, at 12:02 AM, G.W. Haywood via clamav-users
> >> <clamav-users@lists.clamav.net> wrote: On Thu, 17 Oct 2019, Ian
> >> via clamav-users wrote:
> >>
> >>> /usr/bin/clamdscan -m -i --no-summary /
> >>
> >> Don't do that.
> >
> > Government regulations require that I scan the entire filesystem
> > daily --
>
> Which government is this, and which regulations? Do the regulations
> specify the minimum acceptable probability (*) of finding something
> malicious (given such a thing is in fact there) with your choice of
> scanning tool? And acceptable characteristics of the infrastructure
> supporting the chosen scanning engine, the frequency of updates, the
> methods to be used by said engine, and the security systems in place
> which prevent compromise of all that? If not, the bald imprecation
> (for that's all it is) "scan daily" seems to be completely pointless.
>
> (*) I'd estimate for ClamAV you're looking at about 30% on a good day,
> and if it's a zero-day exploit, obviously, zero percent, for anything,
> not just ClamAV. If you don't like these numbers, read my occasional
> posts about it in the archives of this list, going back several years.
>
> > I've already excluded the folders that contain pseudo files.
>
> That's good - although if you'd mentioned it earlier it would be much
> easier to believe. The main trouble is that things like your command
> to scan '/' get written into internet folklore like the 'mx' mechanism
> in your SPF record and then everybody does it, because that's what it
> says on the Internet. It's really much better if you actually think
> about it a bit first.
>
> > Also, it seems like bad advice to omit scanning the folder most
> > likely to find a payload from a malicious actor (because file
> > permissions tend to be lax in /tmp), but I could be misinterpreting
> > what "Don't do that" means.
>
> You are indeed misinterpreting. I didn't advise "don't scan /tmp",
> and it seems to me to be a little churlish to accuse me of giving bad
> advice when (a) I didn't give that advice and (b) I'm actually trying
> to help. And if you're worried about file permissions in /tmp you are
> presumably capable of doing something about it (although there might
> be good reason to be cautious when you start along that kind of path).
>
> > This doesn't seem like a difficult problem...
>
> I think I'd be disappointed if I told clamd to scan everything in a
> directory tree, and it didn't try to do that. On the other hand it's
> not the sort of thing I'd generally do, unless the tree was a client's
> Windows filesystem that I'd mounted temporarily to take a peek at it.
>
> Read the man page for clamd, especially the bit that talks about where
> it should store its temporary files.
>
> Do these log messages actually matter? As I mentioned to someone else
> recently, there's always syslog-ng.
>
> Is there a reason you think something nasty might be able to get into
> this filesystem that you're, er, religiously scanning daily? And, if
> there is, would it not make more sense to deal with that, instead of
> waiting for it to get in, and then playing hide'n'seek with it? For
> once it's in, all bets are off and you'd best buy some new drives (of
> course you can't even really trust brand new drives any more). FWIW
> the last time I saw a compromised Linux box was almost twenty years
> ago, but I know it does still happen because people will insist on a
> pretty-looking blog, or forum, or whatever, and then they don't seem
> to bother patching things, even when the exploit's been in the news
> for a week. Even when they're a computer security company.
>
> Do these government regulations say anything about patching software?
> Judging by the number of ransomware outbreaks in US government bodies
> I guess maybe not. (You seem to be on PDT, so I guessed again. :)
>

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

On 18 October 2019 16:19:23 Ian via clamav-users
<clamav-users@lists.clamav.net> wrote:



> This doesn't seem like a difficult problem for clamav to solve -- clamd is
> asked to scan the file system and it creates temp files to accomplish this
I know I'm mainly a win user... So sorry in advance... but if you created a
Linux ram drive... Pointed clamav temp files to the ram drive... Would that
get around the issue...

https://www.linuxbabe.com/command-line/create-ramdisk-linux/amp

Clamd.conf...

# Optional path to the global temporary directory.

77 # Default: system specific (usually /tmp or /var/tmp).
78 #TemporaryDirectory /var/tmp


So when clamav scans ... its temporary files are in the ram disc.


Steve
Twitter: @sanesecurity

Hi there,

On Fri, 18 Oct 2019, Ian via clamav-users wrote:
>> On Oct 18, 2019, at 10:10 AM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>> On Fri, 18 Oct 2019, Ian via clamav-users wrote:
>>
>>> Government regulations require that I scan the entire filesystem daily --
>>
>> Which government is this, and which regulations?
>
> https://nvd.nist.gov/800-53/Rev4/control/RA-5

I don't see where that document requires what you say it requires.

> It was determined that we needed to do daily scans by auditors
> familiar with these regulations. Please don’t blame the victim.

Did these auditors recommend anti-virus scanning, or perhaps ClamAV?
If so, maybe we could see the qualifications that they have to do the
job that they seem to be doing. On the other hand if they simply did
what I think they probably did, and handed you some guidance notes, I
think you might want to look at them again, and then read the document
in your link again, and then read the ClamAV documentation again.

The document in your link talks about "vulnerability scanning", in the
context of risk assessments. If your auditors' interpretation of the
term "vulnerability scan" is in documentation that they've provided to
you, I should be very interested to see it.

ClamAV does not scan (and never has scanned) for vulnerabilities, it
scans for a variety of malicious data. The idea of a vulnerability
scan is that you look for possible problems before they're exploited
by something malicious. If you used ClamAV, and thus found that your
system had been compromised, it would already be too late to look for
the vulnerability which was exploited to compromise the system. You'd
have been looking for the wrong things. You'd have been looking for
weapons, and not for chinks in the armour.

Looks to me like most of the discussion so far is moot since you seem
to be working on the basis of a quite erroneous interpretation of the
perfectly clear NIST document.

I hope this isn't representative of the general state of understanding
of NIST guidance.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Hi there,

On Fri, 18 Oct 2019, Paul Kosinski via clamav-users wrote:

> "of course you can't even really trust brand new drives any more"
>
> Do you mean unreliability, or active insecurity? If the latter, any
> examples? (Of drives per se, not hardware systems or subsystems.)

Reliability, in purely mechanical terms, seems to be improving all the
time. There was a time not so long ago when I was wondering if I'd be
replacing our drives every six months or so. It really was that bad.
But I looked into the problems methodically, changed suppliers where
it seemed advisable, and now I don't seem to need to worry about that.

Security on the other hand seems to be getting worse. I guess we're
going to have to live with a similar kind of learning curve. The term
you're looking for is "supply chain". See for example

https://www.theregister.co.uk/2019/09/19/it_supply_chain_attack/

which doesn't specifically single out drives, but talks about some of
the issues. I keep a library of links from publications like this and
it just keeps getting scarier. I particularly liked the creativity in
the compromise of the well-known AV product 'Ccleaner', especially as
it's one I've used quite a bit in the past. It was really little more
than good luck that this one didn't catch me (or rather, and extremely
embarrassing it would have been, a bunch of clients).

To answer your specific question, I don't have any evidence of drives
being compromised. But given the amounts of money that are sloshing
around in criminal circles, and the number of openings that they must
have into hardware suppliers, if it isn't alreasdy going on under our
noses it has to be just a matter of time before somebody gets hurt.

> And what can any AV do about it?

Good question. Probably you'd need to do deeper inspection of things
like drive firmware using specialist tools, but it is feasible. The
fact that drives all have serial numbers is slightly comforting.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Hi Steve,

On Fri, 18 Oct 2019, Steve Basford wrote:
> On 18 October 2019 16:19:23 Ian via clamav-users wrote:
>
>> This doesn't seem like a difficult problem for clamav to solve -- clamd is
>> asked to scan the file system and it creates temp files to accomplish this
>
> I know I'm mainly a win user... So sorry in advance... but if you created a
> Linux ram drive... Pointed clamav temp files to the ram drive... Would that
> get around the issue...

As I said in another reply on this subject I think this is probably
moot, but in a Linux box absolutely everything is under '/', which is
the root of the entire tree of, well, everything you can see in the
filesystem. Devices, kernel data, files, pipes, sockets, everything.
And depending on the distribution, the administrator, and the stuff
installed on the system, the 'special files' can pop up in all sorts
of places. Generally you do not want to scan them, things can break.

If you want to use some storage using the normal operating system
tools you have to 'mount' it. You might for example 'mount' a disc
partition which is accessed in raw form as '/dev/sda1' onto a point in
the tree called '/mnt/scsi_disc_A_partiton_1'. This point is a place
in the filesystem (it has to be created, and will normally be empty)
and after /dev/sda1 is mounted on it, all the files and directories in
the sda1 partition become visible as a kind of extension to the tree
which wasn't there before it was mounted. If there did happen to be
any files in the directory _before_ the partition was mounted on it,
they will be inaccessible until the over-mounted device is unmounted.

So if you scan '/' recursively without some limits there's basically
no way to avoid scanning whatever temporary directory you've made, be
it a RAMdisk, SSD, USB stick, removeable hard drive, or whateveritis,
because you had to mount it somewhere in order to be able to use it.

On the other hand if you _don't_ scan '/' recursively, and start your
scan somewhere else in the tree, you can mount your temporary directory
in a part of the tree which won't be scanned. This is the sort of thing
I meant when I said "don't do that" and "think about it first". :)

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

> On Oct 19, 2019, at 4:40 AM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> On Fri, 18 Oct 2019, Ian via clamav-users wrote:
>>> On Oct 18, 2019, at 10:10 AM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>>> On Fri, 18 Oct 2019, Ian via clamav-users wrote:
>>>
>>>> Government regulations require that I scan the entire filesystem daily --
>>>
>>> Which government is this, and which regulations?
>>
>> https://nvd.nist.gov/800-53/Rev4/control/RA-5
>
> I don't see where that document requires what you say it requires.
>

These controls relate to each other -- this one is more on point:

Malicious Code Protection

https://nvd.nist.gov/800-53/Rev4/control/SI-3 <https://nvd.nist.gov/800-53/Rev4/control/SI-3>

but it ties in with others like the one I cited before, and these:

Continuous Monitoring

https://nvd.nist.gov/800-53/Rev4/control/CA-7 <https://nvd.nist.gov/800-53/Rev4/control/CA-7>

Security Assessment and Authorization

https://nvd.nist.gov/800-53/Rev4/control/CA-2 <https://nvd.nist.gov/800-53/Rev4/control/CA-2>

All of these are /part/ of Fedramp. Fedramp is not the only government regulation I have to deal with.


>> It was determined that we needed to do daily scans by auditors
>> familiar with these regulations. Please don’t blame the victim.
>
> Did these auditors recommend anti-virus scanning, or perhaps ClamAV?


This line of questioning is completely off-topic and unhelpful. Even if it was the case that somehow I don't need to scan the /tmp folder due to government regulations, scanning temp folders is not an unreasonable request. These are actual files on a file system that could very much contain malware.

Are you going to address why 'clamscan --tempdir /tmp /tmp' doesn't produce the same behavior, that 'clamdscan /tmp' does?

Hi there,

On Sat, 19 Oct 2019, Ian via clamav-users wrote:

> This line of questioning is completely off-topic and unhelpful.

If you say so.

> Are you going to address why 'clamscan --tempdir /tmp /tmp' doesn't
> produce the same behavior, that 'clamdscan /tmp' does?

The clamd daemon has a man page which you should read. It is, er, a
daemon, which, when you start it, loads some databases and then sits
and waits for something to send it things to scan against the loaded
databases. It can do a few other things too, like reload databases
and report statistics, but basically it sits and waits for commands
and data.

The clamd daemon has its own configuration file. It is usually called
'clamd.conf'. This has its own man page, which you should also read.

The clamdscan tool has a man page which you should read. Its use is
generally to send stuff to the clamd daemon for scanning.

The clamscan tool has a man page which you should read - it is about
three times as long as the man page for clamdscan. This is a stand-
alone command-line tool and it does *not* use the clamd daemon to do
the scanning (and the configuration file for the clamd daemon has no
effect whatsoever on clamscan; you don't even need to have the clamd
daemon installed to be able to use clamscan).

Note carefully the differences between clamscan and clamdscan, which,
although they have names differing only by one letter, behave in very
different ways.

Of course if you'd read the documentation as I've asked you to, you'd
know all that already and you wouldn't be asking the question.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

> On Oct 19, 2019, at 10:58 AM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>
> On Sat, 19 Oct 2019, Ian via clamav-users wrote:
>
>> Are you going to address why 'clamscan --tempdir /tmp /tmp' doesn't
>> produce the same behavior, that 'clamdscan /tmp' does?
>
> The clamd daemon has a man page which you should read. It is, er, a
> daemon, which, when you start it, loads some databases and then sits
> and waits for something to send it things to scan against the loaded
> databases. It can do a few other things too, like reload databases
> and report statistics, but basically it sits and waits for commands
> and data.
>
> The clamd daemon has its own configuration file. It is usually called
> 'clamd.conf'. This has its own man page, which you should also read.
>
> The clamdscan tool has a man page which you should read. Its use is
> generally to send stuff to the clamd daemon for scanning.
>
> The clamscan tool has a man page which you should read - it is about
> three times as long as the man page for clamdscan. This is a stand-
> alone command-line tool and it does *not* use the clamd daemon to do
> the scanning (and the configuration file for the clamd daemon has no
> effect whatsoever on clamscan; you don't even need to have the clamd
> daemon installed to be able to use clamscan).
>
> Note carefully the differences between clamscan and clamdscan, which,
> although they have names differing only by one letter, behave in very
> different ways.
>
> Of course if you'd read the documentation as I've asked you to, you'd
> know all that already and you wouldn't be asking the question.
>


If the man pages answered all the questions, this mailing list wouldn't exist. Hell, even the rules for this malling list don't ask people to refer to the man pages.

I don't understand why you'd go into great detail about sockets, pipes and so forth with Steve in this thread (who didn't even ask for it), but, apparently, be so hostile towards answering my question. Considering the length of time you've spent on this thread -- quoting from the man pages you cite seems like the lest painful path.

For the record, I've already read through the man pages before I started this thread, and have just re-combed the man pages you've cited and could not find any advice/warnings about why I would run into problems with clamdscan having trouble scanning its own files in the temp directory while clamscan did not (This is for 0.100.3, so it could contain stale information or lack new additions). I've seen switches where I can change the temp folder, but there are reasons why someone would do this outside of avoiding what I've ran into here such as file space limitations or for performance. There is nothing inherit in the process being a daemon vs manually ran that explains this difference in behavior. My understanding of why the daemon exists is mainly for caching purposes, but that, I assume, is all in-memory and shouldn't require a change to file creating in the /tmp folder.

I don't know if my original question came across as smarmy, you're just having some bad days, or I'm the current target for misdirected pent-up anger from lurking here for as long as you have, but, man, please cut me some slack.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Ged, Ian, all:

Do try to be nice to each other. It's very difficult to interpret tone over email or chat. The clamav-users mailing list is generally a positive and uplifting community and I very much want folks to feel comfortable asking questions here. Ged, you are kind of coming off as having a really bad day.

If anyone coming off as irritable or hostile, please assume the best. Please also make a strong attempt to be friendly and avoid sarcasm or criticism that might easily be misinterpreted as hostile.

Ian, you've asked some very intelligent questions and I don’t think you deserved a reminder to RTFM. Please don't hesitate to continue asking for advice or discussing your experiences with the tools. Regarding your question about the behavior difference between scanning /tmp with clamdscan+clamd vs scanning /tmp with clamscan: I may have missed something but I don't think I know enough context to answer your question. Meaning I don't know what the differences are that you observed.

Warmly,
Micah

?On 10/19/19, 1:59 PM, "clamav-users on behalf of G.W. Haywood via clamav-users" <clamav-users-bounces@lists.clamav.net on behalf of clamav-users@lists.clamav.net> wrote:

Hi there,

On Sat, 19 Oct 2019, Ian via clamav-users wrote:

> This line of questioning is completely off-topic and unhelpful.

If you say so.

> Are you going to address why 'clamscan --tempdir /tmp /tmp' doesn't
> produce the same behavior, that 'clamdscan /tmp' does?

The clamd daemon has a man page which you should read. It is, er, a
daemon, which, when you start it, loads some databases and then sits
and waits for something to send it things to scan against the loaded
databases. It can do a few other things too, like reload databases
and report statistics, but basically it sits and waits for commands
and data.

The clamd daemon has its own configuration file. It is usually called
'clamd.conf'. This has its own man page, which you should also read.

The clamdscan tool has a man page which you should read. Its use is
generally to send stuff to the clamd daemon for scanning.

The clamscan tool has a man page which you should read - it is about
three times as long as the man page for clamdscan. This is a stand-
alone command-line tool and it does *not* use the clamd daemon to do
the scanning (and the configuration file for the clamd daemon has no
effect whatsoever on clamscan; you don't even need to have the clamd
daemon installed to be able to use clamscan).

Note carefully the differences between clamscan and clamdscan, which,
although they have names differing only by one letter, behave in very
different ways.

Of course if you'd read the documentation as I've asked you to, you'd
know all that already and you wouldn't be asking the question.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml



_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Hi Micah, all,

On Mon, 21 Oct 2019, Micah Snyder (micasnyd) wrote:

> Ged, you are kind of coming off as having a really bad day.

Just criticism accepted. Apologies to all.

I think I'd better bow out of this thread.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Hi,

One point that seems to have been missed is that it is that 'clamdscan'
is not necessarily creating the files in '/tmp'. It is most likely
'clamd' which is a separate independent program. Given this, 'clamdscan'
will not know what files to exclude form '/tmp' unless the
clamd/clamdscan communications protocol is enhanced to address this. I
do not think that such an enhancement is justified or desirable given
the usage cases for 'clamd'.

Put simply, do not scan the directory where 'clamd' has been told to put
its temporary files as this will is likely to cause issues.

I hope that this helps clarify some of the issues.

Regards
Mark.

On 19/10/19 20:20, Ian via clamav-users wrote:
>
>
>> On Oct 19, 2019, at 10:58 AM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>>
>> Hi there,
>>
>> On Sat, 19 Oct 2019, Ian via clamav-users wrote:
>>
>>> Are you going to address why 'clamscan --tempdir /tmp /tmp' doesn't
>>> produce the same behavior, that 'clamdscan /tmp' does?
>>
>> The clamd daemon has a man page which you should read. It is, er, a
>> daemon, which, when you start it, loads some databases and then sits
>> and waits for something to send it things to scan against the loaded
>> databases. It can do a few other things too, like reload databases
>> and report statistics, but basically it sits and waits for commands
>> and data.
>>
>> The clamd daemon has its own configuration file. It is usually called
>> 'clamd.conf'. This has its own man page, which you should also read.
>>
>> The clamdscan tool has a man page which you should read. Its use is
>> generally to send stuff to the clamd daemon for scanning.
>>
>> The clamscan tool has a man page which you should read - it is about
>> three times as long as the man page for clamdscan. This is a stand-
>> alone command-line tool and it does *not* use the clamd daemon to do
>> the scanning (and the configuration file for the clamd daemon has no
>> effect whatsoever on clamscan; you don't even need to have the clamd
>> daemon installed to be able to use clamscan).
>>
>> Note carefully the differences between clamscan and clamdscan, which,
>> although they have names differing only by one letter, behave in very
>> different ways.
>>
>> Of course if you'd read the documentation as I've asked you to, you'd
>> know all that already and you wouldn't be asking the question.
>>
>
>
> If the man pages answered all the questions, this mailing list wouldn't exist. Hell, even the rules for this malling list don't ask people to refer to the man pages.
>
> I don't understand why you'd go into great detail about sockets, pipes and so forth with Steve in this thread (who didn't even ask for it), but, apparently, be so hostile towards answering my question. Considering the length of time you've spent on this thread -- quoting from the man pages you cite seems like the lest painful path.
>
> For the record, I've already read through the man pages before I started this thread, and have just re-combed the man pages you've cited and could not find any advice/warnings about why I would run into problems with clamdscan having trouble scanning its own files in the temp directory while clamscan did not (This is for 0.100.3, so it could contain stale information or lack new additions). I've seen switches where I can change the temp folder, but there are reasons why someone would do this outside of avoiding what I've ran into here such as file space limitations or for performance. There is nothing inherit in the process being a daemon vs manually ran that explains this difference in behavior. My understanding of why the daemon exists is mainly for caching purposes, but that, I assume, is all in-memory and shouldn't require a change to file creating in the /tmp folder.
>
> I don't know if my original question came across as smarmy, you're just having some bad days, or I'm the current target for misdirected pent-up anger from lurking here for as long as you have, but, man, please cut me some slack.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml