
[clamav-users] RHEL8 clamonacc behavior
Hello,

Running clamd and clamonacc on a RHEL8 server.


I created a test file called "jeff1234" with the EICAR test string.

The clamonacc seems to find the bad file. The file remains in place until I try to copy or modify it; then it is moved to the quarantine directory. Is that normal behavior?


Is this normal output when clamonacc finds a virus?

traverse_rename: Failed to rename
Error:Invalid cross-device link


The clamonacc log file w/ verbose options:

ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file '/home/212@col-dev.ge.com/jeff1234'
/home/212@col-dev.ge.com/jeff1234: Eicar-Signature FOUND
traverse_to: Handle opened for 'home' directory.
traverse_to: Handle opened for '212@col-dev.ge.com' directory.
traverse_rename: Failed to rename: /home/212@col-dev.ge.com/jeff1234
to: /root/clamav-quarantine/jeff1234
Error:Invalid cross-device link
traverse_to: Handle opened for 'home' directory.
traverse_to: Handle opened for '212@col-dev.ge.com' directory.
/home/212@col-dev.ge.com/jeff1234: moved to '/root/clamav-quarantine/jeff1234'


/var/log/messages output:

May 13 09:53:08 rhel8avtest clamonacc[2947]: ClamFanotif: attempting to feed consumer queue
May 13 09:53:08 rhel8avtest clamonacc[2947]: ClamWorker: performing scanning on file '/home/212@col-dev.ge.com/jeff1234'
May 13 09:53:08 rhel8avtest clamonacc[2947]: /home/212@col-dev.ge.com/jeff1234: Eicar-Signature FOUND
May 13 09:53:08 rhel8avtest clamonacc[2947]: traverse_to: Handle opened for 'home' directory.
May 13 09:53:08 rhel8avtest clamonacc[2947]: traverse_to: Handle opened for '212@col-dev.ge.com' directory.
May 13 09:53:08 rhel8avtest clamonacc[2947]: traverse_rename: Failed to rename: /home/212@col-dev.ge.com/jeff1234
May 13 09:53:08 rhel8avtest clamonacc[2947]: #011to: /root/clamav-quarantine/jeff1234
May 13 09:53:08 rhel8avtest clamonacc[2947]: Error:Invalid cross-device link
May 13 09:53:08 rhel8avtest clamonacc[2947]: traverse_to: Handle opened for 'home' directory.
May 13 09:53:08 rhel8avtest clamonacc[2947]: traverse_to: Handle opened for '212@col-dev.ge.com' directory.
May 13 09:53:08 rhel8avtest clamonacc[2947]: /home/212@col-dev.ge.com/jeff1234: moved to '/root/clamav-quarantine/jeff1234'
May 13 09:53:08 rhel8avtest clamd[1534]: /home/212@col-dev.ge.com/jeff1234: Eicar-Signature FOUND


Thanks,
Jeff Hoevenaar
Re: [clamav-users] RHEL8 clamonacc behavior
Hi there,

Sorry if some of this is covering ground unnecessarily, but it's a
mailing list of course and others will be reading.

On Thu, 13 May 2021, Hoevenaar, Jeffrey (GE Aviation, US) via clamav-users wrote:

> I created a test file called "jeff1234" with the EICAR test string.
>
> The clamonacc seems to find the bad file.

Seems to be working. :)

Next, you'll probably want to assess the system's performance with
on-access scanning enabled. I know I would.

> The file remains in place until I try to copy or modify it; then it
> is moved to the quarantine directory. Is that normal behavior?

It depends on the configuration. You can choose to do something to a
file when it's found to be suspicious, or you can for example simply
alert the user. You seem to have the installation configured to move
suspicious files to a quarantine directory. It's up to you how you
want to play it, but I'd call that potentially dangerous. In the List
archives you will find many mentions of false positives. If a scanner
falsely identifies a vital system file as a threat and it's configured
to move suspicious files, then the resulting operation might break the
system. You will find warnings in the 'man' pages.

I recommend that you do some digging into the documentation and maybe
search for the experience of others before you do much more.

Do you have some sort of assessment of the threats to the system, or
is this just an extension of the old adage that "something must be
done, and this is something, so we must do it"?

> Is this normal output when clamonacc finds a virus?
>
> traverse_rename: Failed to rename
> Error:Invalid cross-device link

The function traverse_rename() is in shared/actions.c. You can see
that the error 'Invalid cross-device link' itself came from the OS.
It just means you tried to do something that the OS doesn't allow.

A Unix-style filesystem can be assembled from a number of different
storage devices which can each have more than one 'partition'. Data
which is logically stored under a single sub-directory can physically
be located on different partitions. It can even (for example network
file systems) be on different machines. Moving a file from one place
to another within a partition can be a very fast operation which only
writes directory information; moving from one partition to another is
a copy operation which can take much longer, and, depending on how
things are set up, the OS may even forbid it. You can't use e.g. a
'rename' operation to move a file from one partition to another.
That's just the way things are with Unix-type systems. Do you have
your home directories on a different partition from that on which you
have the /root directory? If I were going to choose where to put any
quarantined files I'd probably choose somewhere like a directory under
/var rather than somewhere under /root, but I'd want to look into the
partitioning and the geography of the scans before making any decisions.

Incidentally it doesn't have to be a virus - just something that's
FOUND by the scanner.

--

73,
Ged.
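An added illustration of the point above (not clamonacc's code and not from anyone in the thread): a quarantine move that tries rename() first and falls back to copy-then-unlink when the OS answers EXDEV, plus the st_dev check that tells you whether /home and the quarantine directory really are on different partitions. The `rename` parameter and the `demo` helper are hypothetical hooks so the fallback can be exercised on constructed files without two real partitions.

```python
import errno
import os
import shutil
import tempfile

def same_filesystem(path_a, path_b):
    """True when both paths are on the same device (equal st_dev), the
    precondition for rename() to move a file without copying its data."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev

def quarantine(src, qdir, rename=os.rename):
    """Move src into qdir; return the strategy used ('rename' or 'copy').
    rename() is tried first; EXDEV ('Invalid cross-device link' in the log)
    triggers copy-then-unlink. `rename` is a hook for testing the fallback."""
    os.makedirs(qdir, mode=0o700, exist_ok=True)   # quarantine dir owner-only
    dst = os.path.join(qdir, os.path.basename(src))
    if os.path.lexists(dst):
        raise FileExistsError(f"quarantine already holds {dst}")
    try:
        rename(src, dst)
        strategy = "rename"
    except OSError as exc:
        if exc.errno != errno.EXDEV:
            raise
        shutil.copy2(src, dst)           # other partition: copy data + metadata
        with open(dst, "rb") as fh:
            os.fsync(fh.fileno())        # copy is on disk before the source goes
        os.unlink(src)
        strategy = "copy"
    os.chmod(dst, 0o600)                 # quarantined file: owner-only, not executable
    return strategy

def _fake_exdev_rename(src, dst):
    """Stand-in for rename() across partitions: fails the way the OS does."""
    raise OSError(errno.EXDEV, "Invalid cross-device link")

def demo():
    """Exercise both strategies on constructed files in a scratch directory."""
    root = tempfile.mkdtemp()
    out = {"same_fs": same_filesystem(root, root)}
    for label, mover in (("rename", os.rename), ("copy", _fake_exdev_rename)):
        src = os.path.join(root, label + "-sample")
        with open(src, "w") as fh:
            fh.write("constructed sample file, not a detection\n")
        qdir = os.path.join(root, "quarantine", label)
        out[label] = (quarantine(src, qdir, rename=mover), os.path.exists(src),
                      os.stat(os.path.join(qdir, label + "-sample")).st_mode & 0o777)
    shutil.rmtree(root)
    return out
```

On a real host, same_filesystem("/home", "/root/clamav-quarantine") answers the partition question directly; when it is False, the copy path is the one that will run on every detection.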

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml