Hi
Thank you for your support
Output of clamconf -n:
Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamav.log"
LogFileMaxSize = "5242880"
LogTime = "yes"
LogClean = "yes"
LogSyslog = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
LocalSocket = "/tmp/clamd.socket"
LocalSocketMode = "660"
User = "root"
OnAccessIncludePath = "/home"
OnAccessExcludeUname = "root"
OnAccessPrevention = "yes"
Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"
HTTPProxyServer = "172.16.130.185"
HTTPProxyPort = "3128"
Config file: clamav-milter.conf
-------------------------------
ERROR: Please edit the example config file /usr/local/etc/clamav-milter.conf
Software settings
-----------------
Version: 0.104.2
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR
Database information
--------------------
Database directory: /usr/local/share/clamav
bytecode.cvd: version 333, sigs: 92, built on Mon Mar 8 07:21:51 2021
daily.cld: version 26477, sigs: 1975702, built on Thu Mar 10 01:34:39 2022
Total number of signatures: 1975794
Platform information
--------------------
uname: Linux 3.10.0-1160.59.1.el7.x86_64 #1 SMP Wed Feb 23 16:47:03 UTC 2022 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a218e8e0800000002040805
Build information
-----------------
GNU C: 4.8.5 20150623 (Red Hat 4.8.5-44) (4.8.5)
sizeof(void*) = 8
Engine flevel: 142, dconf: 142
My main question is: can clamav prevent malicious files from being run by the root user?
Thankful
From: G.W. Haywood via clamav-users
Sent: Sunday, March 13, 2022 3:40 PM
To: Mohsen Ghahremani via clamav-users
Cc: G.W. Haywood
Subject: Re: [clamav-users] Prevent root users from running infected files
Hi there,
On Sun, 13 Mar 2022, Mohsen Ghahremani via clamav-users wrote:
> I run clamd and clamonacc with root user and clamd.conf file is
> configured as follows:
>
> User root
>
> OnAccessIncludePath / home
>
> OnAccessExcludeUname root
>
> OnAccessPrevention yes
This is not sufficient information (and your configuration of the
OnAccessIncludePath option looks wrong - did you mean '/home'?).
Please instead provide the full, unedited output of
clamconf -n
and I repeat - without *any* editing on your part so that we can see
your configuration correctly.
> In this case, if I run a malicious file with other users, clamav
> prevents it from running, and if I run the same file with the root
> user, it does nothing.
>
> How can I configure clamav to prevent malicious files from being
> executed by the root user?
Please read the man page for clamd.conf where the exclusions are fully
explained. There are more of them than you have listed in your post.
--
73,
Ged.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
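The on-access exclusions in the clamconf -n output above are what decide whether root's file accesses are scanned at all. The following is an added example, not ClamAV code or anything from the thread: a small checker that parses clamconf -n output and reports the clamd.conf settings under which OnAccessPrevention cannot block files run by root. The option names OnAccessExcludeUID and OnAccessExcludeRootUID come from clamd.conf(5); the sample text is a constructed excerpt of the output quoted above, and the assumption that clamconf prints repeated options either on separate lines or as a comma-separated quoted list is handled for both forms.

```python
import re

# Constructed excerpt of the `clamconf -n` output quoted in the thread
# (only the clamd.conf section matters for the on-access check).
CLAMCONF_OUTPUT = """\
Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamav.log"
User = "root"
OnAccessIncludePath = "/home"
OnAccessExcludeUname = "root"
OnAccessPrevention = "yes"
Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"
"""


def parse_clamconf(text):
    """Return {config_file: {option: [values]}} from `clamconf -n` output.

    Values are the double-quoted strings on the right of ` = `; an option
    that appears several times, or carries several quoted values on one
    line (assumed layout for repeatable options), keeps every value.
    """
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^Config file: (\S+)", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        opt = re.match(r"^(\w+) = (.+)$", line)
        if opt and current is not None:
            values = re.findall(r'"([^"]*)"', opt.group(2))
            current.setdefault(opt.group(1), []).extend(values)
    return sections


def root_on_access_gaps(sections):
    """List the clamd.conf settings that keep on-access prevention from
    applying to processes running as root (empty list = no such gap)."""
    clamd = sections.get("clamd.conf", {})
    gaps = []
    if clamd.get("OnAccessPrevention", ["no"])[0].lower() != "yes":
        gaps.append("OnAccessPrevention is off: no user is blocked")
    if "root" in clamd.get("OnAccessExcludeUname", []):
        gaps.append("OnAccessExcludeUname root: root's accesses are not scanned")
    if "0" in clamd.get("OnAccessExcludeUID", []):
        gaps.append("OnAccessExcludeUID 0: root's accesses are not scanned")
    if clamd.get("OnAccessExcludeRootUID", ["no"])[0].lower() == "yes":
        gaps.append("OnAccessExcludeRootUID yes: root's accesses are not scanned")
    return gaps
```

Run against the output above it reports the single OnAccessExcludeUname root line, which is exactly why a file executed by root is never stopped while the same file run by another user is.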