Mailing List Archive

[clamav-users] OnAccessExtraScanning not working?
Hello,

New to clamav so please forgive me if I've missed something obvious.

I have a pretty vanilla clamav setup (0.102.4) on Ubuntu 20.04. I can successfully get clamonacc to detect a test eicar signature when I cat the file after downloading it to a monitored directory.

I would however like the file to be scanned as soon as it is downloaded. So I enabled OnAccessExtraScanning as man clamd.conf says this "Toggles extra scanning and notifications when a file or directory is created or moved." Unfortunately when the eicar file is created (by using wget to download it) I don't see anything happen. I did read this feature was taken out due to a memory leak. Is it still removed or am I missing something else?

Best,
Nick
Re: [clamav-users] OnAccessExtraScanning not working? [ In reply to ]
Hi there,

On Tue, 2 Feb 2021, Nick via clamav-users wrote:

> New to clamav so please forgive me if I've missed something obvious.

There's lots to find if you dig deep enough for long enough. :)

> ... I enabled OnAccessExtraScanning as man clamd.conf says this
> "Toggles extra scanning and notifications when a file or directory
> is created or moved." Unfortunately when the eicar file is created
> (by using wget to download it) I don't see anything happen. I did
> read this feature was taken out due to a memory leak. Is it still
> removed or am I missing something else?

https://bugzilla.clamav.net/show_bug.cgi?id=12048

After three years of no movement on this, I think there's a case for
updating the 'man' page to reflect the status quo.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] OnAccessExtraScanning not working? [ In reply to ]
Thanks for the quick response Ged. Ok good to know the answer. I'll try and hack something with inotifywait for now.

Nick




??????? Original Message ???????
On Tuesday, 2 February 2021 12:11, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Tue, 2 Feb 2021, Nick via clamav-users wrote:
>
> > New to clamav so please forgive me if I've missed something obvious.
>
> There's lots to find if you dig deep enough for long enough. :)
>
> > ... I enabled OnAccessExtraScanning as man clamd.conf says this
> > "Toggles extra scanning and notifications when a file or directory
> > is created or moved." Unfortunately when the eicar file is created
> > (by using wget to download it) I don't see anything happen. I did
> > read this feature was taken out due to a memory leak. Is it still
> > removed or am I missing something else?
>
> https://bugzilla.clamav.net/show_bug.cgi?id=12048
>
> After three years of no movement on this, I think there's a case for
> updating the 'man' page to reflect the status quo.
>
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> 73,
> Ged.
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml



_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] OnAccessExtraScanning not working? [ In reply to ]
Hey Nick, Ged,

Looks like we forgot to update the ticket here.

OnAccessExtraScanning *should* be working now. On-access scanning received a major overhaul in 0.102. It used to be that it was a ClamD feature. The threading model in ClamD is already complex. When ClamD had on-access and extra-scanning enabled it leaked thread data and was disabled for that reason. In 0.102 the on-access feature was completely removed from ClamD and re-written in a new tool called ClamOnAcc which is a daemon and client to the ClamD scanning server daemon. As far as I know, there are no memory leak issues now with extra-scanning in ClamOnAcc.

We have another user, Hanspeter, who is also concerned about EICAR file creations when using ClamOnAcc with OnAccessExtraScanning enabled. He created this ticket for help with testing to validate that ClamOnAcc reliably detects EICAR file creates: https://bugzilla.clamav.net/show_bug.cgi?id=12667

Can you confirm if the file is detected after download when you `touch` it?

-Micah

> -----Original Message-----
> From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of
> Nick via clamav-users
> Sent: Wednesday, February 3, 2021 6:30 AM
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Cc: Nick <mr.nick.hall@protonmail.com>; G.W. Haywood
> <clamav@jubileegroup.co.uk>
> Subject: Re: [clamav-users] OnAccessExtraScanning not working?
>
> Thanks for the quick response Ged. Ok good to know the answer. I'll try and
> hack something with inotifywait for now.
>
> Nick
>
>
>
>
> ??????? Original Message ???????
> On Tuesday, 2 February 2021 12:11, G.W. Haywood via clamav-users <clamav-
> users@lists.clamav.net> wrote:
>
> > Hi there,
> >
> > On Tue, 2 Feb 2021, Nick via clamav-users wrote:
> >
> > > New to clamav so please forgive me if I've missed something obvious.
> >
> > There's lots to find if you dig deep enough for long enough. :)
> >
> > > ... I enabled OnAccessExtraScanning as man clamd.conf says this
> > > "Toggles extra scanning and notifications when a file or directory
> > > is created or moved." Unfortunately when the eicar file is created
> > > (by using wget to download it) I don't see anything happen. I did
> > > read this feature was taken out due to a memory leak. Is it still
> > > removed or am I missing something else?
> >
> > https://bugzilla.clamav.net/show_bug.cgi?id=12048
> >
> > After three years of no movement on this, I think there's a case for
> > updating the 'man' page to reflect the status quo.
> >
> > ----------------------------------------------------------------------
> > ----------------------------------------------------------------------
> > ---------------------------------
> >
> > 73,
> > Ged.
> >
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/clamav-users
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
>
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] OnAccessExtraScanning not working? [ In reply to ]
Hi Micah,

On Wed, 3 Feb 2021, Micah Snyder (micasnyd) via clamav-users wrote:

> Looks like we forgot to update the ticket here.

:/

> ... In 0.102 the on-access feature was completely removed from ClamD
> and re-written in a new tool called ClamOnAcc which is a daemon ...

Quoting 'man clamonacc':

8<----------------------------------------------------------------------
NAME
clamonacc - an anti-virus on-access scanning daemon and clamd client

SYNOPSIS
clamd [options]
...
...
8<----------------------------------------------------------------------

Now I'm confused.

It would be really good to have a proper Changelog with the releases.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] OnAccessExtraScanning not working? [ In reply to ]
Helo Micah,

Thanks for looking at this. I can confirm clamonacc will detect the test eicar file when it is touched after download.

My issue lies in that I wanted the file to be detected on creation rather than needing to be be touched/read. The man page for an clamd.conf says this re the ExtraScanning option:

"Toggles extra scanning and notifications when a file or directory
is created or moved."

Which lead me to believe that would work, but it doesn't seem to.


Additionally man clamonacc gives 'No manual entry for clamonacc'. clamonacc --help reports version 0.102.4

Best
Nick


??????? Original Message ???????
On Wednesday, 3 February 2021 23:59, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hi Micah,
>
> On Wed, 3 Feb 2021, Micah Snyder (micasnyd) via clamav-users wrote:
>
> > Looks like we forgot to update the ticket here.
>
> :/
>
> > ... In 0.102 the on-access feature was completely removed from ClamD
> > and re-written in a new tool called ClamOnAcc which is a daemon ...
>
> Quoting 'man clamonacc':
>
> 8<----------------------------------------------------------------------
> NAME
> clamonacc - an anti-virus on-access scanning daemon and clamd client
>
> SYNOPSIS
> clamd [options]
> ...
> ...
> 8<----------------------------------------------------------------------
>
> Now I'm confused.
>
> It would be really good to have a proper Changelog with the releases.
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> 73,
> Ged.
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml



_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] OnAccessExtraScanning not working? [ In reply to ]
Ged,

I don't understand what's confusing about it. The NEWS file described this change when 0.102 was released: https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.104/NEWS.md#01020

In my opinion, ChangeLog files are vestigial from the days before public centralized git servers. If you want per-change (per-commit) details you can see the commit history: https://github.com/Cisco-Talos/clamav-devel/commits
You can also search commit messages for any given repository. Eg: https://github.com/Cisco-Talos/clamav-devel/search?q=clamonacc&type=commits

Respectfully,

Micah

> -----Original Message-----
> From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of
> G.W. Haywood via clamav-users
> Sent: Wednesday, February 3, 2021 3:00 PM
> To: Micah Snyder (micasnyd) via clamav-users <clamav-
> users@lists.clamav.net>
> Cc: G.W. Haywood <clamav@jubileegroup.co.uk>
> Subject: Re: [clamav-users] OnAccessExtraScanning not working?
>
> Hi Micah,
>
> On Wed, 3 Feb 2021, Micah Snyder (micasnyd) via clamav-users wrote:
>
> > Looks like we forgot to update the ticket here.
>
> :/
>
> > ... In 0.102 the on-access feature was completely removed from ClamD
> > and re-written in a new tool called ClamOnAcc which is a daemon ...
>
> Quoting 'man clamonacc':
>
> 8<----------------------------------------------------------------------
> NAME
> clamonacc - an anti-virus on-access scanning daemon and clamd client
>
> SYNOPSIS
> clamd [options]
> ...
> ...
> 8<----------------------------------------------------------------------
>
> Now I'm confused.
>
> It would be really good to have a proper Changelog with the releases.
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] OnAccessExtraScanning not working? [ In reply to ]
Hi Micah,

On Thu, 4 Feb 2021, Micah Snyder (micasnyd) via clamav-users wrote:

>> G.W. Haywood via clamav-users wrote:
>>
>> Quoting 'man clamonacc':
>>
>> 8<----------------------------------------------------------------------
>> NAME
>> clamonacc - an anti-virus on-access scanning daemon and clamd client
>>
>> SYNOPSIS
>> clamd [options]
>> ...
>> ...
>> 8<----------------------------------------------------------------------
>>
>> Now I'm confused.

> I don't understand what's confusing about it. ...

The SYNOPSIS in the man page for clamonacc says

>> SYNOPSIS
>> clamd [options]

and that's not confusing?

> In my opinion, ChangeLog files are vestigial ...

Fair enough.

> If you want per-change (per-commit) details ...

No, not that. The NEWS file will do.

> You can also search commit messages ...

I know what's possible in principle, I just have great difficulty with
the way that it's implemented. After many abortive forays I've now
arrived at a place where if it's on Github I won't even look at it.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] OnAccessExtraScanning not working? [ In reply to ]
Hi Ged,

> >> SYNOPSIS
> >> clamd [options]
>
> and that's not confusing?

That's definitely a copy-paste error. Whoops! We'll get that changed to "clamonacc".

-Micah

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml