
[clamav-users] clamav incremental scan?
It seems that this should be a common question, but I did not find a
definite answer via Google search. I saw solutions to only scan files in
the last 60 days, but it is not difficult for a virus file to change its date,
is it? I can think of maintaining a hash table with file names and their
checksums, but it looks like this should be a functionality of clamav
itself. How do you do it? Just do a full scan every time? Thanks.
Re: [clamav-users] clamav incremental scan?
On 2021-05-04 20:19, Michael Wang wrote:
> It seems that this should be a common question, but I did not find a
> definite answer via Google search. I saw solutions to only scan files
> in the last 60 days, but it is not difficult for a virus file to
> change its date, is it? I can think of maintaining a hash table with
> file names and their checksums, but it looks like this should be a
> functionality of clamav itself. How do you do it? Just do a full scan
> every time? Thanks.

fun part is that clamdscan needs root access, stupid

virus scanning must not be done as root user, else one knows why it's
insecure on unpacking

already files stored as non-root users can only be changed by the same user
if it's malware, this includes changing time stamps

as non-root, issue a touch malwarefile.exe, new upload

hope the clamav team redoes this insecurity in clamdscan

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] clamav incremental scan?
On 5/4/21 1:41 PM, Benny Pedersen via clamav-users wrote:
> fun part is that clamdscan needs root access, stupid

clamdscan does *NOT* /need/ root access.

clamdscan can scan files without root access perfectly fine.

What clamdscan /does/ /need/ is the ability to /access/ files to be
scanned. This ability can be provided by running as root -- which can
override almost all permission checks -- or by running it as different
users on different files.

So you can run clamdscan on your files and I can run clamdscan on my
files. Or root can run clamdscan on both of our files. But /root/ is
/optional/ here and not /needed/.

> virus scanning must not be done as root user, else one knows why its
> unsecure on unpacking

I don't see anything that /needs/ /root/ here. I run clamd as its own
user. Then clamdscan (or any other clamd client) can request that clamd
running as $ClamAVUser (nominally not-root) scan the file(s) that are
handed to it.

clamdscan will ask clamd (running as the $ClamAVUser) to scan the file.

By default, clamd will try to read the file directly, thus dependent on
permissions. But you can use --stream or --fdpass to have clamdscan
stream the file or pass the file descriptor to clamd for scanning
without clamd having permissions to the file itself. Thus you can cross
the standard unix user permissions barrier.

#[$USER@$HOST:~]% clamdscan myFile
/home/$USER/myFile: lstat() failed: Permission denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.001 sec (0 m 0 s)
#[$USER@$HOST:~]% clamdscan --stream myFile
/home/$USER/myFile: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.072 sec (0 m 0 s)
#[$USER@$HOST:~]% clamdscan --fdpass myFile
/home/$USER/myFile: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.035 sec (0 m 0 s)

> hope clamav team redo this insecure in clamdscan

Please re-evaluate your position based on the above information.



--
Grant. . . .
unix || die
Re: [clamav-users] clamav incremental scan?
On 5/4/21 12:19 PM, Michael Wang wrote:
> looks like this should be a functionality of the clamav itself.

What you are describing sounds like something independent of the ClamAV
/scanning/ engine. More specifically, it sounds like the responsibility
of a /scheduling/ engine.

My understanding is that the scheduling is outside of the scope of what
ClamAV normally does.

I see no reason why you couldn't have something -- run as a user with
sufficient privileges to read the file(s) in question -- which maintains
metadata about files; name, ctime, mtime, permissions, owner, group,
hash, last scan time, etc, and determines if a file has changed since
the last time it was scanned. /That/ /scheduling/ engine could then
easily ask the ClamAV /scanning/ engine -- likely running as a different
non-root user -- to scan the files handed to it by -- what is
effectively -- the /scheduling/ engine.

There are a lot of different ways to go about something like this. My
opinion is that most of them are outside of the scope of the ClamAV's
/scanning/ engine.



--
Grant. . . .
unix || die
Re: [clamav-users] clamav incremental scan?
Grant,

I do not disagree with you on the separate functionality of the scheduling
engine and scanning engine. The question is: does such an engine exist? I
feel it is too much for each individual user to implement such a scheduling
engine. I am new to ClamAV, does the question / solution ever pop up?
Thanks.

On Tue, May 4, 2021 at 4:29 PM Grant Taylor via clamav-users <
clamav-users@lists.clamav.net> wrote:

> On 5/4/21 12:19 PM, Michael Wang wrote:
> > looks like this should be a functionality of the clamav itself.
>
> What you are describing sounds like something independent of the ClamAV
> /scanning/ engine. More specifically, it sounds like the responsibility
> of a /scheduling/ engine.
>
> My understanding is that the scheduling is outside of the scope of what
> ClamAV normally does.
>
> I see no reason why you couldn't have something -- run as a user with
> sufficient privileges to read the file(s) in question -- which maintains
> metadata about files; name, ctime, mtime, permissions, owner, group,
> hash, last scan time, etc, and determines if a file has changed since
> the last time it was scanned. /That/ /scheduling/ engine could then
> easily ask the ClamAV /scanning/ engine -- likely running as a different
> non-root user -- to scan the files handed to it by -- what is
> effectively -- the /scheduling/ engine.
>
> There are a lot of different ways to go about something like this. My
> opinion is that most of them are outside of the scope of the ClamAV's
> /scanning/ engine.
>
>
>
> --
> Grant. . . .
> unix || die
>
>
Re: [clamav-users] clamav incremental scan?
On 5/4/21 2:54 PM, Michael Wang wrote:
> I do not disagree with you on the separate functionality of the
> scheduling engine and scanning engine. The question is: does such an
> engine exist? I feel it is too much for each individual user to
> implement such a scheduling engine. I am new to ClamAV, does the
> question / solution ever pop up? Thanks.

I've done exceedingly little with -- what I'm calling -- (generic)
ClamAV /scheduling/ engine(s).

My exposure to ClamAV over the last 20 years has almost exclusively been
as an email server administrator. As such, my focus has only been from
the email server's point of view. Meaning a mail filter (milter)
that falls into the "any other clamd client" category.

My understanding is that there is a generic /scheduling/ engine for
Windows; "ClamWin" or something like that.

I believe that clamdscan can in and of itself be a rudimentary
/scheduling/ engine. But as you point out, it has limitations.

I'm not aware of other /scheduling/ engines. But my ignorance of them
does not preclude them from existing.

I typically see brute force, scan everything every time, and / or on
demand scans. This also parallels what I see with more traditional virus
scanners on Windows.



--
Grant. . . .
unix || die
Re: [clamav-users] clamav incremental scan?
On 04.05.21 14:19, Michael Wang wrote:
>It seems that this should be a common question, but I did not find a
>definite answer via Google search. I saw solutions to only scan files in
>the last 60 days,

what solution? Something related to "find ... -mtime"?

> but it is not difficult for a virus file to change date,
>isn't it?

if the above is true, "find ... -ctime" should do what you want. ctime is
updated every time you change something on a file, including the modification
time (and ctime of course)

Thus, it's not possible to date ctime back without direct access to the filesystem
(in which case your problem would be much bigger).


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.

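The mtime-versus-ctime point above is easy to check on any POSIX system. The script below is an added example, not code from the thread or from ClamAV: it creates a file, pushes its mtime a year into the past with os.utime (the same thing `touch -d` does, and something any unprivileged owner can do), and then compares selection by mtime with selection by ctime, the Python equivalent of `find ... -newer STAMP` versus `find ... -cnewer STAMP` against a stamp file touched at the last scan. The temp directory, the sample file and the "last scan ran 5 seconds ago" marker are constructed.

```python
#!/usr/bin/env python3
"""Check the mtime-vs-ctime claim (added example, not from the thread or ClamAV)."""
import os
import stat
import tempfile
import time


def changed_since(root, last_scan_ts, use_ctime=True):
    """Paths of regular files under root whose ctime (default) or mtime is newer
    than last_scan_ts: what `find root -type f -cnewer STAMP` (or `-newer STAMP`
    for mtime) would select with a stamp file touched at last_scan_ts."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:  # vanished between listing and stat
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if (st.st_ctime if use_ctime else st.st_mtime) > last_scan_ts:
                hits.append(p)
    return sorted(hits)


def backdate_demo():
    """Create a fresh file, set its mtime a year into the past the way
    `touch -d` does (os.utime sets atime/mtime only; the kernel stamps ctime
    with the current time for that very change), then compare selections."""
    with tempfile.TemporaryDirectory() as root:
        last_scan = time.time() - 5           # constructed: last scan ran 5 s ago
        p = os.path.join(root, "upload.bin")
        with open(p, "wb") as f:
            f.write(b"constructed sample content")
        year_ago = time.time() - 365 * 86400
        os.utime(p, (year_ago, year_ago))     # the unprivileged owner can do this
        st = os.stat(p)
        return {
            "mtime_backdated": st.st_mtime < last_scan,   # mtime now looks old
            "ctime_current": st.st_ctime > last_scan,     # ctime moved forward
            "seen_by_mtime": p in changed_since(root, last_scan, use_ctime=False),
            "seen_by_ctime": p in changed_since(root, last_scan, use_ctime=True),
        }


if __name__ == "__main__":
    for key, value in backdate_demo().items():
        print(f"{key}: {value}")
```

A scheduler keyed on mtime misses the backdated file; one keyed on ctime still picks it up. As Matus notes, only raw filesystem access (debugfs, a mounted image, or a kernel-level foothold) can rewrite ctime, and at that point the scanner is not the main problem.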
Re: [clamav-users] clamav incremental scan?
On 5/5/21 5:02 AM, Matus UHLAR - fantomas wrote:
> Thus, it's not possible date ctime back without direct access to
> filesystem (in which case your problem would be much bigger).

I agree with you given the standard operating procedure for many
decades. Though I do wonder if -> how the newer time name space might
influence this. Though, that in and of itself takes some privilege to
utilize.



--
Grant. . . .
unix || die
Re: [clamav-users] clamav incremental scan?
On Tue, 4 May 2021, Michael Wang wrote:

> I do not disagree with you on the separate functionality of the scheduling
> engine and scanning engine. The question is: does such an engine exist?

ClamWin has a scheduler
https://clamwin.com/content/view/71/1/
but, although based on ClamAV, ClamWin is a separate project and team.

> I am new to ClamAV, does the question / solution ever pop up?

The question pops up a lot, often in disguise,
but there is not really a solution.

I believe that this is because a Linux machine is much more
likely than a Mac or Windows machine to be a multi-user system,
and thus the requirements are likely to be different.

If you did a full scheduled scan of a multi-user system,
what would you do if the scan found malware in a(nother) user's file ?
Without an answer to that, how do you design a front end (such as a scheduler)?

> I feel it is too much for each individual user to implement such a scheduling
> engine.

You can write one in one line of script that runs in a cron job:
find /home/user -type f | xargs clamdscan --fdpass
Yes it could be improved, but this does the job
and which improvements are relevant to your needs ?

As your original email says, scanning every file every time may not
be necessary, but unless you do, what happens if an update includes a definition
for a virus that is already inside a file that "doesn't need to be scanned"?

Perhaps the answer is to do on-access scanning, rather than regularly scheduled
scans. However, that could make the machine feel sluggish, or actually perform
poorly.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

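Putting Grant's sketch of a separate /scheduling/ engine together with Andrew's caveat about signature updates, the script below is an added example, not ClamAV's code and not anything posted in the thread. It keeps a JSON state file of per-file metadata (inode, size, ctime, SHA-256) plus the signature database version in force when the file was last found clean; a file is handed to `clamdscan --fdpass` again when it is new, when any of those fields differ, or when the database version has changed, so an old "clean" verdict is never trusted against newer signatures. The state-file path, the assumed `ClamAV <version>/<dbversion>/<date>` layout of `clamdscan --version` output, the 500-path batch size and the sample directory built by self_check() are assumptions of this example.

```python
#!/usr/bin/env python3
"""Incremental scan scheduler in front of clamd (added example, not ClamAV code).

State: {path: {"ino", "size", "ctime", "sha256", "db_version"}} for files last
found clean. ctime is used instead of mtime because mtime can be reset with
touch, while ctime cannot be dated back without raw filesystem access.
"""
import hashlib
import json
import os
import re
import stat
import subprocess
import sys
import tempfile

STATE_FILE = os.path.expanduser("~/.clamav-incremental.json")  # assumed location
VERSION_RE = re.compile(r"^ClamAV [^/]+/(\d+)/")  # assumed --version layout


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def fingerprint(path):
    """Change-detection record for a regular file; None for anything else."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None
    return {"ino": st.st_ino, "size": st.st_size, "ctime": st.st_ctime,
            "sha256": sha256_of(path)}


def needs_scan(prev, cur, db_version):
    """prev: stored record or None; cur: fingerprint(); db_version: sigs in use."""
    if prev is None or prev.get("db_version") != db_version:
        return True  # never scanned, or scanned with older signatures
    return any(prev.get(k) != cur[k] for k in ("ino", "size", "ctime", "sha256"))


def plan_scan(state, root, db_version):
    """Walk root; return (sorted paths needing a scan, set of paths still present)."""
    to_scan, present = [], set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                cur = fingerprint(p)
            except OSError:  # vanished or unreadable: retry next run
                continue
            if cur is None:
                continue
            present.add(p)
            if needs_scan(state.get(p), cur, db_version):
                to_scan.append(p)
    return sorted(to_scan), present


def record_clean(state, path, db_version):
    rec = fingerprint(path)
    if rec is not None:
        rec["db_version"] = db_version
        state[path] = rec


def parse_db_version(version_line):
    """Assumed: 'ClamAV 0.103.2/26164/Tue May  4 ...' -> '26164' (middle field)."""
    m = VERSION_RE.match(version_line.strip())
    return m.group(1) if m else None


def run_clamdscan(paths):
    """Hand files to clamd by fd passing; return the set of paths reported FOUND.
    Exit status 2 means a scan error, so raise rather than record anything."""
    found = set()
    for i in range(0, len(paths), 500):  # batch the argument list, as xargs would
        r = subprocess.run(["clamdscan", "--fdpass", "--no-summary", "--infected"]
                           + paths[i:i + 500], capture_output=True, text=True)
        if r.returncode == 2:
            raise RuntimeError(r.stderr or r.stdout)
        for line in r.stdout.splitlines():  # "/path: Signature FOUND"
            if line.endswith(" FOUND"):
                found.add(line.rsplit(": ", 1)[0])
    return found


def self_check():
    """Exercise the planner on a constructed temp directory (no clamd needed)."""
    with tempfile.TemporaryDirectory() as root:
        f = os.path.join(root, "doc.txt")
        with open(f, "wb") as fh:
            fh.write(b"constructed sample content")
        state = {}
        first, _ = plan_scan(state, root, "26164")         # unknown file: scan
        record_clean(state, f, "26164")
        second, _ = plan_scan(state, root, "26164")        # unchanged: skip
        after_update, _ = plan_scan(state, root, "26165")  # new sigs: scan again
        with open(f, "ab") as fh:
            fh.write(b"!")
        after_change, _ = plan_scan(state, root, "26164")  # content changed: scan
        return {"first": len(first), "second": len(second),
                "after_update": len(after_update), "after_change": len(after_change)}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    ver = subprocess.run(["clamdscan", "--version"], capture_output=True, text=True)
    db_version = parse_db_version(ver.stdout) or "unknown"
    state = {}
    if os.path.exists(STATE_FILE):
        with open(STATE_FILE) as fh:
            state = json.load(fh)
    to_scan, present = plan_scan(state, root, db_version)
    found = run_clamdscan(to_scan)
    for p in to_scan:
        if p in found:
            print(p, "FOUND (not recorded as clean)")
            state.pop(p, None)
        else:
            record_clean(state, p, db_version)
    for p in list(state):  # forget files that no longer exist
        if p not in present:
            del state[p]
    with open(STATE_FILE, "w") as fh:
        json.dump(state, fh)
    print(f"scanned {len(to_scan)} of {len(present)} files, {len(found)} found")
```

Run it from cron as a user that can read the files in question; clamd itself keeps running as its own unprivileged user, since `--fdpass` hands it open descriptors rather than paths. A database update makes the next run equivalent to Andrew's full `find | xargs clamdscan --fdpass` pass; between updates only new or changed files are scanned. What to do with another user's FOUND file on a multi-user box is, as Andrew says, a policy question the script deliberately leaves to the operator.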