Mailing List Archive

[clamav-users] Unsubscribe

From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of Matthew Campbell via clamav-users
Sent: 06 October 2020 01:32
To: ClamAV User Support Mailing List <clamav-users@lists.clamav.net>
Cc: Matthew Campbell <trenix25@pm.me>
Subject: Re: [clamav-users] Freshclam can't get started

Ged wrote:

Well I'd hardly call ClamAV databases "private data", since they are
available to anyone at the cost of an HTTP request. The authors of
ClamAV do things one way. Debian maintainers do it a different way.
You've done it yet another way. If you began your journey into Linux
with an attempt at a non-standard Debian installation then you likely
bit off more than you could chew and you're making things a lot more
difficult than necessary.

Do you have SELinux or AppArmor installed? You haven't mounted the
partition read-only have you? We'd better see your freshclam.conf.

Matthew writes:

The files in /user/ are private data and /user/ uses a separate file system to keep user data away from the root file system.

I believe SELinux and AppArmor are both installed.
/var/local is not mounted as read-only.

Ged added:

>> What do you plan to use ClamAV for?
> I use ClamAV for general malware scanning.

Given that you say you've had the problems you're describing since you started using Linux I wonder if it's never found anything. But if it did, how do you think it got there and what did you do about it? What security precautions are you taking to prevent compromises?

Matthew writes:

I use aide every day. I use clamscan on /user and /tmp every day. I use clamscan on other areas when deemed necessary.

Ged added:

>> You could remove all the clamav packages (there's more than one)
>> and purge them, then reinstall.

Try it. But don't try anything clever, just let the package manager
do what it wants to do and let it install things where it wants to.
That way at least we'll have a reasonable idea of what you've done.
When you become more familiar with the system you can adjust things
to your needs if it's really necessary. But only if it's necessary.

Matthew writes:

I used:

# apt install clamav-base clamav-daemon clamav-docs clamav-freshclam clamav-milter clamav-testfiles clamav clamdscan

to install ClamAV, at least according to the list of installed packages.

Ged added:

>> Please could you paste the output of
>> ls -l /var/local/
>
> These are the permissions in /var/local/
> ...
> drwsrws--- 3 clamav clamav 4096 Oct 3 12:53 clamav
> ...

Why the setuid/setgid bits? Quoting the 'info coreutils':

"These mechanisms let users share files more easily, by lessening the need to use ‘chmod’ or ‘chown’ to share new files."

which seems to be the exact opposite of what you're trying to do...

Do the ClamAV daemons run as user clamav? Can we be clear that the
system which is showing us the user and group names is the same one
that's telling you which user and group run the ClamAV daemons? The
reason for asking is that different systems can have a different
mapping of user and group numerical IDs to user and group names, and
there seems to be a lot that you haven't told us yet.

Matthew writes:

I used the setuid/gid bits to force any newly created files to be owned by the user:group clamav:clamav. The package manager created the clamav user and group.

Ged added:

> Unfortunately my email app insists on quoting previous
> replies. Sorry about that.

You might want to try a different mail client for correspondence on
mailing lists, where patience is often at a premium.

--

73,
Ged.

Matthew writes:

I can only use what is available to me.

Contents of /etc/clamav/freshclam.conf:

# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/local/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
SafeBrowsing true
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

Contents of /etc/clamav/clamd.conf:

#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks true
ReadTimeout 0
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 30
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 10240M
LogFile /var/local/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity Paranoid
BytecodeTimeout 60000
OnAccessMaxFileSize 5M

Contents of /etc/clamav/clamav-milter.conf:

#Automatically Generated by clamav-milter postinst
#To reconfigure clamav-milter run #dpkg-reconfigure clamav-milter
#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
MilterSocket /var/run/clamav/clamav-milter.ctl
FixStaleSocket true
User clamav
ReadTimeout 120
Foreground false
PidFile /var/run/clamav/clamav-milter.pid
ClamdSocket unix:/var/run/clamav/clamd.ctl
OnClean Accept
OnInfected Quarantine
OnFail Defer
AddHeader Replace
LogSyslog false
LogFacility LOG_LOCAL6
LogVerbose false
LogInfected Off
LogClean Off
LogRotate true
MaxFileSize 25M
SupportMultipleRecipients false
TemporaryDirectory /tmp
LogFile /var/log/clamav/clamav-milter.log
LogTime true
LogFileUnlock false
LogFileMaxSize 1M
MilterSocketGroup clamav
MilterSocketMode 666

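An added example, not part of the thread or of ClamAV: a POSIX sh script that, from constructed `stat` data for the paths named in the posted freshclam.conf, reports which of them the DatabaseOwner user can write to by mode bits alone and spells out what the setuid/setgid bits on a directory (the `drwsrws---` Ged asked about) actually do on Linux. The stat values in SAMPLE_STAT are made up for the example; ACLs, SELinux and AppArmor are not modelled.

```shell
#!/bin/sh
# Added example, not from the thread. From constructed stat data for the
# paths the posted freshclam.conf names, report which ones DatabaseOwner can
# write by the owner/group/other mode bits alone, and explain the setuid/
# setgid bits Ged asked about: on Linux, setgid on a directory makes new
# files inherit its group, but setuid on a directory is ignored, so chmod 6770
# cannot make files created by root belong to clamav. ACLs, SELinux and
# AppArmor are not modelled: a profile can deny a path the mode bits allow.
set -eu

# Constructed 'stat -c "%n %a %U %G"' output; the log is assumed root-created.
SAMPLE_STAT='/var/lib/clamav 755 clamav clamav
/var/local/clamav 6770 clamav clamav
/var/local/clamav/freshclam.log 644 root clamav'

# can_write OCTALMODE OWNER GROUP USER "GROUP LIST" -> prints yes or no
can_write() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    perm=$((0$mode & 0777))            # drop setuid/setgid/sticky bits
    if [ "$owner" = "$user" ]; then
        [ $((perm & 0200)) -ne 0 ] && echo yes || echo no
        return
    fi
    for g in $groups; do
        if [ "$g" = "$group" ]; then
            [ $((perm & 020)) -ne 0 ] && echo yes || echo no
            return
        fi
    done
    [ $((perm & 02)) -ne 0 ] && echo yes || echo no
}

# special_bits OCTALMODE -> what the setuid/setgid bits mean on a directory
special_bits() {
    mode=$((0$1)) out=""
    [ $((mode & 04000)) -ne 0 ] && out="setuid:ignored-on-directories"
    [ $((mode & 02000)) -ne 0 ] && out="${out:+$out }setgid:new-files-inherit-group"
    echo "${out:-none}"
}

# report OWNER "GROUP LIST" -> one line per path in SAMPLE_STAT
report() {
    printf '%s\n' "$SAMPLE_STAT" | while read -r path mode uid gid; do
        printf '%s mode=%s %s:%s writable=%s special=%s\n' "$path" "$mode" \
            "$uid" "$gid" "$(can_write "$mode" "$uid" "$gid" "$1" "$2")" \
            "$(special_bits "$mode")"
    done
}
report clamav clamav
```

On a live system, replace SAMPLE_STAT with real `stat -c '%n %a %U %G'` output for DatabaseDirectory and the UpdateLogFile directory and file; a writable=no line for the log file is exactly the situation a root-created file in a setgid directory produces. If the mode bits say yes and freshclam still fails, look for AppArmor or SELinux denials in the kernel log before touching permissions again.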