Mailing List Archive

[clamav-users] clamav on access
Hi

Trying to get the on-access feature working on Manjaro (Arch)

preliminaries

# clamd -V
ClamAV 0.103.2/26209/Tue Jun 22 12:07:55 2021

# zgrep FANOTIFY /proc/config.gz
CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y

My issue is:

My understanding (after seeing it happen consistently on multiple Ubuntu
boxes) is that one should not be able to even cat the EICAR signature
file. That is not what happens on my laptop.

The following is how it behaves for me:

---
$ curl https://secure.eicar.org/eicar.com.txt > eicar.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    68  100    68    0     0    198      0 --:--:-- --:--:-- --:--:--   198

$ cat eicar.txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*%

$ cat eicar.txt
cat: eicar.txt: No such file or directory

---

So the curl *sometimes* gets picked up by clamav-clamonacc.service:
always the first time after a restart, but not afterwards.

I can cat the file (which I should not be able to do).
After that, clamav-clamonacc.service picks up the file and moves it to
quarantine.

So the idea is that I should not be able to open infected files.

/etc/clamav/clamd.conf

LogFile /var/log/clamav/clamd.log
LogFileUnlock yes
LogTime yes
LogClean yes
LogVerbose no
LogRotate yes
ExtendedDetectionInfo yes
PidFile /run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /run/clamav/clamd.ctl
LocalSocketGroup root
FixStaleSocket yes
MaxConnectionQueueLength 300
StreamMaxLength 10M
MaxThreads 20
SendBufTimeout 200
MaxQueue 200
CrossFilesystems yes
User root
ScanPDF yes
ScanXMLDOCS yes
ScanHWP3 yes
ScanMail yes
ScanPartialMessages yes
ScanHTML yes
ScanArchive yes
OnAccessMaxFileSize 10M
OnAccessMaxThreads 10
OnAccessCurlTimeout 10000
OnAccessIncludePath /
OnAccessPrevention yes
OnAccessDenyOnError yes
OnAccessExtraScanning no
#OnAccessMountPath /
#OnAccessExcludeRootUID yes
OnAccessExcludeUname root

*ANY* guidance appreciated

Thanks
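As an added example (not from the original post or from the ClamAV project): a small POSIX shell script that audits the on-access settings of a clamd.conf against the kernel config, plus a probe that drops the EICAR string into a directory and reports whether the open is denied (blocking) or the file is merely removed afterwards (notify-only). The embedded sample configuration and kernel config are constructed to resemble the post; the checks encode the points that decide between blocking and notifying: the kernel must have CONFIG_FANOTIFY_ACCESS_PERMISSIONS for FAN_OPEN_PERM marks, OnAccessMountPath watches are notify-only, the clamd User must be excluded to avoid deadlock, and processes running as an excluded user are never blocked. The two-second settle time in the probe and the probe file name are assumptions.

```shell
#!/bin/sh
# audit_onaccess.sh: check the clamd.conf settings that decide whether clamonacc
# can deny opens (fanotify FAN_OPEN_PERM) or only react after the fact.
# Added example, not ClamAV's own code.
# Usage: sh audit_onaccess.sh                             (built-in sample)
#        sh audit_onaccess.sh /etc/clamav/clamd.conf [/proc/config.gz]

# conf_val CONF_TEXT KEY -> last uncommented value of KEY ("" if unset)
conf_val() { printf '%s\n' "$1" | awk -v k="$2" '$1 == k { v = $2 } END { print v }'; }
# conf_count CONF_TEXT KEY -> number of uncommented KEY lines
conf_count() { printf '%s\n' "$1" | awk -v k="$2" '$1 == k { n++ } END { print n + 0 }'; }

# audit_onaccess CONF_TEXT KCONFIG_TEXT: one FAIL/WARN/INFO line per finding,
# returns the number of FAILs (0 = nothing stops blocking mode).
audit_onaccess() {
    conf=$1; kconf=$2; fails=0
    prevention=$(conf_val "$conf" OnAccessPrevention)
    user=$(conf_val "$conf" User)
    [ -n "$user" ] || user=root   # unset User: clamd keeps the uid it was started with
    includes=$(conf_count "$conf" OnAccessIncludePath)
    mounts=$(conf_count "$conf" OnAccessMountPath)
    ex_uname=$(conf_val "$conf" OnAccessExcludeUname)
    ex_uid=$(conf_val "$conf" OnAccessExcludeUID)
    ex_root=$(conf_val "$conf" OnAccessExcludeRootUID)

    # 1. Without CONFIG_FANOTIFY_ACCESS_PERMISSIONS the kernel rejects
    #    FAN_OPEN_PERM marks, so "OnAccessPrevention yes" can never deny an open.
    if [ "$prevention" = yes ]; then
        if ! printf '%s\n' "$kconf" | grep -q '^CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y$'; then
            echo "FAIL: OnAccessPrevention yes but kernel lacks CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y"
            fails=$((fails + 1))
        fi
    else
        echo "WARN: OnAccessPrevention is not 'yes': clamonacc only reports, never blocks"
    fi
    # 2. Mount-point watches are notify-only and disable the DDD directory
    #    watcher; prevention needs OnAccessIncludePath.
    if [ "$mounts" -gt 0 ] && [ "$prevention" = yes ]; then
        echo "FAIL: OnAccessMountPath is notify-only; use OnAccessIncludePath with OnAccessPrevention"
        fails=$((fails + 1))
    fi
    # 3. Nothing is watched at all.
    if [ "$includes" -eq 0 ] && [ "$mounts" -eq 0 ]; then
        echo "FAIL: no OnAccessIncludePath or OnAccessMountPath: nothing is watched"
        fails=$((fails + 1))
    fi
    # 4. clamd's own reads of a watched file raise permission events that wait
    #    on clamd itself, so its User must be excluded or the system deadlocks.
    excluded=no
    [ "$ex_uname" = "$user" ] && excluded=yes
    if [ "$user" = root ] && { [ "$ex_root" = yes ] || [ "$ex_uid" = 0 ]; }; then excluded=yes; fi
    if [ "$excluded" = no ] && [ -n "$ex_uid" ]; then
        echo "WARN: User '$user' not excluded by name; verify OnAccessExcludeUID $ex_uid is that uid"
    elif [ "$excluded" = no ]; then
        echo "FAIL: User '$user' is not excluded (OnAccessExcludeUname/UID/RootUID): deadlock risk"
        fails=$((fails + 1))
    else
        echo "INFO: processes running as '$user' are excluded and are never blocked; test as another user"
    fi
    return $fails
}

# probe_block DIR: write the EICAR test string into DIR and see whether the
# subsequent open is denied. Run as a user that is NOT excluded, with clamd and
# clamonacc running. The file name and 2 s settle time are assumptions.
probe_block() {
    f=$1/eicar-probe.txt
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$f"
    if cat "$f" > /dev/null 2>&1; then
        echo "NOT BLOCKED: read of $f succeeded"
    else
        echo "BLOCKED: open of $f was denied (fanotify prevention works)"
    fi
    sleep 2
    if [ -e "$f" ]; then rm -f "$f"; else echo "file was removed or quarantined after the fact"; fi
}

# Constructed sample: a config like the one in the post, on a kernel with both
# fanotify options. Not taken from a real host.
SAMPLE_CONF='User root
OnAccessIncludePath /
OnAccessPrevention yes
OnAccessDenyOnError yes
#OnAccessMountPath /
OnAccessExcludeUname root'
SAMPLE_KCONF='CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y'

if [ $# -eq 0 ]; then
    if audit_onaccess "$SAMPLE_CONF" "$SAMPLE_KCONF"; then echo "sample: no blocking problems found"; fi
else
    kc=${2:-/proc/config.gz}
    case $kc in *.gz) ktext=$(gzip -dc "$kc");; *) ktext=$(cat "$kc");; esac
    if audit_onaccess "$(cat "$1")" "$ktext"; then echo "$1: no blocking problems found"; fi
fi
```

The audit only reads the two files, so it can be run on the box from the post as `sh audit_onaccess.sh /etc/clamav/clamd.conf`; the probe (`probe_block "$HOME"` from a non-root shell) is the deliberate test of what `cat eicar.txt` should do when prevention is in effect, and the "removed after the fact" line is the notify-only symptom described above.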

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml