Mailing List Archive

[clamav-users] On-Access Scanning "ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
We have been doing some testing with ClamAV for use in our Linux environment. Compliance requirements are driving our need for On-Access Scanning, and we'd prefer to use ClamAV due to its level of maturity and community support. Everything seems to be working except for clamonacc. It appears to be having issues talking with clamd using an out-of-the-box configuration, though clamdscan works fine. Others seem to be having similar issues recently: https://forum.openmediavault.org/index.php?thread/31574-clamav-connection-timeout-error/

Any insight as to whether this is actually a bug or user error is greatly appreciated. Let me know if you need any additional information or if I should try adjusting environment/settings.

Below is an excerpt from a currently security locked (by default) bug report I submitted in Bugzilla:

Steps to Reproduce
--------------------------
With AppArmor:

sudo -i
apt-get install clamav-daemon
systemctl enable clamav-daemon
printf "ScanArchive true\nDetectPUA true\nOnAccessPrevention true\nOnAccessExcludeUname clamav\nOnAccessIncludePath /opt" >> /etc/clamav/clamd.conf
sed -i 's/LogVerbose false/LogVerbose true/g' /etc/clamav/clamd.conf
systemctl start clamav-daemon
clamonacc --verbose --log=/var/log/clamav/clamonacc.log --fdpass
mkdir /opt/testfolder
chown ubuntu /opt/testfolder
su ubuntu
cd /opt/testfolder
wget http://www.eicar.org/download/eicar.com
echo "test" > testfile.com
clamdscan --fdpass --verbose .

Without AppArmor:

sudo -i
systemctl stop apparmor
systemctl disable apparmor
sed -i 's/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX="apparmor=0 security=\\"\\""/' /etc/default/grub
update-grub
apt-get remove apparmor
reboot
(rerun the commands from "With AppArmor" above)

Actual Results
-------------------
The wget and echo commands above result in a multi-second pause/delay and eventually complete successfully.

Logs show the following:

/var/log/clamav/clamav.log:
...
Thu May 21 18:12:50 2020 -> Client disconnected (FD 9)
Thu May 21 18:13:50 2020 -> Client disconnected (FD 9)

/var/log/clamav/clamonacc.log:
...
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file '/opt/testfolder/eicar.com'
ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
ClamClient: connection could not be established ... return code 12
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file '/opt/testfolder/testfile.com'
ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
ClamClient: connection could not be established ... return code 12

$ clamdscan --fdpass --verbose .
/opt/testfolder/./eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 10.013 sec (0 m 10 s)
Start Date: 2020:05:21 19:33:13
End Date: 2020:05:21 19:33:23


Expected Results
-----------------------
Minimal I/O latency writing the file testfile.com and blocking access to writing eicar.com.


Build Date & Hardware
-------------------------------
Hardware:
AWS EC2
Instance Type: t3.medium
AMI: ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20200408 (ami-085925f297f89fce1)

OS/Kernel:
Ubuntu 18.04.4 LTS / 4.15.0-1065-aws

ClamAV Versions Tested:
0.102.3+dfsg-0ubuntu0.18.04.1
0.102.2+dfsg-0ubuntu0.18.04.1
ClamAV 0.103.0-devel-20200521/25819/Thu May 21 12:20:55 2020

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
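
Added example, not part of the original post: Python that extracts from clamonacc.log the files whose on-access scan ended in the ClamCom timeout, then builds the clamdscan call from the report to rescan them. The sample log repeats the excerpt above plus one constructed line; the function names and the pairing of each error with the preceding ClamWorker line are assumptions.

```python
import re
import shlex

# Constructed sample: the clamonacc.log lines quoted in the report, plus one
# final constructed line for a scan that is not followed by an error.
SAMPLE_LOG = """\
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file '/opt/testfolder/eicar.com'
ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
ClamClient: connection could not be established ... return code 12
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file '/opt/testfolder/testfile.com'
ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
ClamClient: connection could not be established ... return code 12
ClamWorker: performing scanning on file '/opt/testfolder/notes.txt'
"""

SCAN_RE = re.compile(r"ClamWorker: performing scanning on file '(.*)'\s*$")
FAIL_RE = re.compile(
    r"ERROR: ClamCom: TIMEOUT|ClamClient: connection could not be established"
)

def unscanned_files(log_text):
    """Map each path whose scan request failed to the first failure line.

    Assumption: a failure line belongs to the most recent ClamWorker line,
    which holds for the sequential excerpt but may not with several workers.
    """
    failed, current = {}, None
    for line in log_text.splitlines():
        started = SCAN_RE.search(line)
        if started:
            current = started.group(1)
        elif current and FAIL_RE.search(line):
            failed.setdefault(current, line.strip())
    return failed

def rescan_command(paths):
    """Build the clamdscan call used in the report for paths with no verdict."""
    if not paths:
        return None
    return "clamdscan --fdpass --verbose " + " ".join(shlex.quote(p) for p in paths)
```
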

Re: [clamav-users] On-Access Scanning "ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
Wanted to provide an update. Posted this over at the existing bug report as well: https://bugzilla.clamav.net/show_bug.cgi?id=12563

If I change the parameters passed to clamonacc when launching it, specifically if I drop --fdpass, On-Access Scanning works fine.

Instead of:

clamonacc --verbose --log=/var/log/clamav/clamonacc.log --fdpass

I use:

clamonacc --verbose --log=/var/log/clamav/clamonacc.log

That said, clamdscan works fine with --fdpass. I would assume clamonacc should be doing more or less the same thing when using --fdpass as clamdscan; however, this clearly isn't the case. So it's possible that comparing the --fdpass implementation between these two utilities will reveal the issue.

Unfortunately, having had to drop --fdpass, clamd now needs to run as a privileged user to be able to access the files we want to scan, so not ideal. We'd like to see the --fdpass functionality working so that we can drop clamd from running as root.

Hope this work-around helps anyone else having this issue.

Looking forward to any updates or additional steps that can be taken to regain the --fdpass functionality in clamonacc.

Aaron
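
Added example, not part of the original post and not ClamAV code: descriptor passing over a Unix socket with SCM_RIGHTS, the kind of hand-off --fdpass relies on, where the requester opens the file with its own permissions and the scanner reads only through the received descriptor. It also shows the requester's recv deadline expiring while the request is still unanswered. The marker, the function names and the unlink used as a stand-in for a path the scanner cannot open are assumptions.

```python
import array, os, socket, tempfile

MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a signature match

def send_fd(sock, fd):
    """Requester: pass an open descriptor as SCM_RIGHTS ancillary data."""
    rights = (socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))
    sock.sendmsg([b"F"], [rights])

def recv_fd(sock):
    """Scanner: receive one descriptor; no path is sent or opened."""
    fds = array.array("i")
    _, ancdata, _, _ = sock.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
    if not fds:
        raise RuntimeError("no descriptor received")
    return fds[0]

def serve_one(sock):
    """Scanner: read through the received descriptor, reply with a verdict."""
    with os.fdopen(recv_fd(sock), "rb") as f:
        sock.sendall(b"FOUND" if MARKER in f.read() else b"OK")

def request_scan(sock, path):
    """Requester: open with its own permissions, then hand the fd over."""
    fd = os.open(path, os.O_RDONLY)
    os.unlink(path)  # assumption: stands in for a path the scanner cannot open
    send_fd(sock, fd)
    os.close(fd)  # the copy in flight to the scanner stays valid

def await_verdict(sock, timeout):
    """Requester: wait for the reply; an unanswered request ends as TIMEOUT."""
    sock.settimeout(timeout)
    try:
        return sock.recv(16).decode()
    except socket.timeout:
        return "TIMEOUT"

def demo():
    requester, scanner = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with requester, scanner, tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"header " + MARKER)
        f.flush()
        request_scan(requester, f.name)
        unanswered = await_verdict(requester, 0.2)  # scanner has not replied yet
        serve_one(scanner)
        answered = await_verdict(requester, 1.0)
    return unanswered, answered
```

Calling `demo()` returns the requester's view before and after the scanner answers; what the caller does with a TIMEOUT (allow or deny the access) is the policy decision that matters when prevention is enabled.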
