Mailing List Archive

[clamav-users] clamonacc RHEL8
Hello,

Trying to configure clamav/clamonacc on RHEL8. I am new to clamav.

Does the status of these services look correct?

clamdservice@service.service stays in “activating start” state.

Any feedback would be helpful.


]# systemctl list-units|grep clam
clamav-clamonacc.service loaded active running ClamAV On-Access Scanner
clamd@multi-user.service loaded active running clamd scanner daemon
clamd@service.service loaded activating start start clamd scanner daemon
system-clamd.slice loaded active active system-clamd.slice
# systemctl status clamav-clamonacc.service
● clamav-clamonacc.service - ClamAV On-Access Scanner
Loaded: loaded (/usr/lib/systemd/system/clamav-clamonacc.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2021-05-12 14:58:04 EDT; 2min 10s ago
Docs: man:clamonacc(8)
man:clamd.conf(5)
https://www.clamav.net/documents
Main PID: 2363 (clamonacc)
Tasks: 8 (limit: 49376)
Memory: 6.6M
CGroup: /system.slice/clamav-clamonacc.service
└─2363 /usr/sbin/clamonacc -v --fdpass --log=/var/log/clamonacc -F --config-file=/etc/clamd.d/scan.conf

May 12 14:58:46 rhel8avtest clamonacc[2363]: ClamFanotif: attempting to feed consumer queue
May 12 14:58:46 rhel8avtest clamonacc[2363]: ClamWorker: performing scanning on file '/home/212770132@col-dev.ge.com/.config/pulse/f633fb1e6607484eb0e>
May 12 14:58:46 rhel8avtest clamonacc[2363]: ClamFanotif: attempting to feed consumer queue
May 12 14:58:46 rhel8avtest clamonacc[2363]: ClamWorker: performing scanning on file '/home/212770132@col-dev.ge.com/.config/pulse/f633fb1e6607484eb0e>
May 12 14:58:46 rhel8avtest clamonacc[2363]: ClamFanotif: attempting to feed consumer queue
# systemctl status clamd@multi-user.service
● clamd@multi-user.service - clamd scanner daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2021-05-12 14:58:04 EDT; 3min 3s ago
Docs: man:clamd(8)
man:clamd.conf(5)
https://www.clamav.net/documents/
Process: 1447 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf (code=exited, status=0/SUCCESS)
Main PID: 1521 (clamd)
Tasks: 2 (limit: 49376)
Memory: 1.1G
CGroup: /system.slice/system-clamd.slice/clamd@multi-user.service
└─1521 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

May 12 14:58:46 rhel8avtest clamd[1521]: Client disconnected (FD 11)
May 12 14:58:46 rhel8avtest clamd[1521]: Client disconnected (FD 11)
Thanks,
Jeff Hoevenaar
Re: [clamav-users] clamonacc RHEL8
Hi there,

On Wed, 12 May 2021, Hoevenaar, Jeffrey (GE Aviation, US) via clamav-users wrote:

> Trying to configure clamav/clamonacc on RHEL8. I am new to clamav.

Welcome to the list. :)

> Does the status of these services look correct?
> ...
> Any feedback would be helpful.

I hung back a bit after seeing your mail, hoping that someone else would
step in who's using what you're using, but as nobody has, I'll chip in.

I don't use the tools that you are using to manage services, so I can't
tell you if they're making sense, but I can suggest ways to investigate
which will apply to any Linux/Unix system. I also don't use on-access
scanning - I only use ClamAV for scanning mail, and with some of the
third-party databases - so our use cases are very different.

The first thing I'd check is that there's a process running (and only
one process) called clamd, that it's using around a gigabyte of RAM,
which seems to be the case, and that it responds to a PING.

You can check that it's running with the 'top' utility. Sort top's
output on the screen by memory usage. The clamd daemon will probably
be at the top of the list. Unless you have lots of file access to
areas protected by the on-access scanning, most of the time it
probably won't be using much CPU. Give it something to scan and it
will use a core. Be aware that it can take a while for the daemon to
start, because it has a lot of work to do to populate the signature
database in RAM; anywhere between a few seconds and a few minutes,
depending on the system spec. While it's starting, clamd will use a
lot of CPU. You can watch that with top.

The 'PING' command isn't the 'ping' that you'd use to check that some
network interface is alive. It's sent to the daemon over the socket
to which it's configured to listen. You can use something like netcat
or telnet to communicate with the daemon. See the clamd 'man' page.
I run a separate clamd server on our network and so I use TCP sockets.
Here's a cut'n'paste of me sending a PING command to the daemon from
my laptop:

laptop3:~$ >>> telnet 192.168.4.7 3313
Trying 192.168.4.7...
Connected to 192.168.4.7.
Escape character is '^]'.
PING
PONG [1620857300]
Connection closed by foreign host.
laptop3:~$ >>>

I typed the 'telnet' command line and the word 'PING' (plus 'enter').
I routinely run a patched clamd. You won't see the number in square
brackets in your output (it's just the seconds since the epoch of the
last DB reload). Also the port in the clamd.conf example is usually
3310, not 3313. See that, and the clamd.conf 'man' page, for more info.
Also very possibly your distro doesn't have a file called clamd.conf, I
wish they wouldn't do things like that but it happens. You may need to
poke around a bit to find all the bits of configuration, I don't know.

The second thing I'd check (if I were to use on-access scanning, which
I don't) would be that the configuration is actually causing scans to
take place on access. Drop the EICAR test file in a protected place,
and try to list it with a pager or something. That should give you an
access denied error.

Can you tell us a bit more about how you want to use ClamAV?

My list address only accepts mail from this list.

HTH

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
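The PING/PONG check Ged describes above, scripted so it can run from cron or a monitoring agent. This is an added example, not code from the thread or from the ClamAV project; the socket locations in the `__main__` block are assumptions to be replaced with the `TCPSocket`/`LocalSocket` values from your own clamd.conf, and the `[epoch]` suffix is only produced by his patched clamd, so stock daemons answer a bare `PONG`.

```python
"""Health check for a running clamd via its PING command (added example)."""
import re
import socket
from datetime import datetime, timezone

# clamd accepts commands prefixed with 'z' (reply NUL-terminated) or 'n'
# (reply newline-terminated); 'z' framing is unambiguous to parse.
PING_COMMAND = b"zPING\x00"

# Stock clamd answers "PONG"; the patched clamd in the thread appends
# " [<epoch of last DB reload>]". Accept exactly those two forms.
_PONG_RE = re.compile(rb"^PONG(?: \[(\d+)\])?$")


def parse_pong(raw: bytes) -> dict:
    """Validate a reply to PING. Anything other than PONG is reported as a
    failure, so a foreign service on the port is not mistaken for clamd."""
    m = _PONG_RE.match(raw.rstrip(b"\x00\r\n"))
    if not m:
        return {"ok": False, "error": f"unexpected reply: {raw!r}"}
    epoch = int(m.group(1)) if m.group(1) else None
    reload_at = (datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
                 if epoch is not None else None)
    return {"ok": True, "last_reload_epoch": epoch, "last_reload_utc": reload_at}


def check_clamd(target, timeout: float = 5.0) -> dict:
    """target is ("host", port) for a TCPSocket clamd (clamd.conf default
    port is 3310) or a filesystem path for a LocalSocket clamd. Never
    raises: a down or unreachable daemon is returned as ok=False."""
    family = socket.AF_UNIX if isinstance(target, str) else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(target)
            s.sendall(PING_COMMAND)
            reply = b""
            while not reply.endswith(b"\x00"):  # 'z' replies end with NUL
                chunk = s.recv(256)
                if not chunk:  # daemon closed early; parse what we have
                    break
                reply += chunk
        return parse_pong(reply)
    except OSError as exc:  # refused, timed out, missing socket file, ...
        return {"ok": False, "error": f"{target}: {exc}"}


if __name__ == "__main__":
    # Assumed locations: adjust to the sockets configured in your clamd.conf.
    print(check_clamd(("127.0.0.1", 3310)))
    print(check_clamd("/run/clamd.scan/clamd.sock"))
```

A scanner that is still loading its database (the "activating" state in the first mail) will refuse or time out on the connection, which this reports as `ok=False` rather than crashing the check.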