Mailing List Archive

[clamav-users] Prevent root users from running infected files
Hello good time

I run clamd and clamonacc as the root user, and clamd.conf is configured as follows:

User root
OnAccessIncludePath / home
OnAccessExcludeUname root
OnAccessPrevention yes



In this case, if I run a malicious file as another user, clamav prevents it from running, but if I run the same file as the root user, it does nothing.

How can I configure clamav to prevent malicious files from being executed by the root user?

Thanks
Re: [clamav-users] Prevent root users from running infected files
Hi there,

On Sun, 13 Mar 2022, Mohsen Ghahremani via clamav-users wrote:

> I run clamd and clamonacc with root user and clamd.conf file is
> configured as follows:
>
>                 User root
>
> OnAccessIncludePath / home
>
> OnAccessExcludeUname root
>
> OnAccessPrevention yes

This is not sufficient information (and your configuration of the
OnAccessIncludePath option looks wrong - did you mean '/home'?).

Please instead provide the full, unedited output of

clamconf -n

and I repeat - without *any* editing on your part so that we can see
your configuration correctly.

> In this case, if I run a malicious file with other users, clamav
> prevents it from running, and if I run the same file with the root
> user, it does nothing.
>
> How can I configure calmav to prevent malicious files from being
> executed by the root user?

Please read the man page for clamd.conf where the exclusions are fully
explained. There are more of them than you have listed in your post.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Prevent root users from running infected files
Hi

Thank you for your support

output of clamconf -n:

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamav.log"
LogFileMaxSize = "5242880"
LogTime = "yes"
LogClean = "yes"
LogSyslog = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
LocalSocket = "/tmp/clamd.socket"
LocalSocketMode = "660"
User = "root"
OnAccessIncludePath = "/home"
OnAccessExcludeUname = "root"
OnAccessPrevention = "yes"

Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"
HTTPProxyServer = "172.16.130.185"
HTTPProxyPort = "3128"

Config file: clamav-milter.conf
-------------------------------
ERROR: Please edit the example config file /usr/local/etc/clamav-milter.conf

Software settings
-----------------
Version: 0.104.2
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR

Database information
--------------------
Database directory: /usr/local/share/clamav
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 07:21:51 2021
daily.cld: version 26477, sigs: 1975702, built on Thu Mar 10 01:34:39 2022
Total number of signatures: 1975794

Platform information
--------------------
uname: Linux 3.10.0-1160.59.1.el7.x86_64 #1 SMP Wed Feb 23 16:47:03 UTC 2022 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a218e8e0800000002040805

Build information
-----------------
GNU C: 4.8.5 20150623 (Red Hat 4.8.5-44) (4.8.5)
sizeof(void*) = 8
Engine flevel: 142, dconf: 142



My main question is whether clamav can prevent malicious files from being run by the root user?



Thankful





From: G.W. Haywood via clamav-users
Sent: Sunday, March 13, 2022 3:40 PM
To: Mohsen Ghahremani via clamav-users
Cc: G.W. Haywood
Subject: Re: [clamav-users] Prevent root users from running infected files



Re: [clamav-users] Prevent root users from running infected files
1. You're excluding root in the config, so you won't be able to prevent it from accessing malicious files.
1A. You shouldn't run clamd as root. Run it as another user (like "clamav" or "clamd").

2. You are limiting it to scanning only files in /home on-access.
2A. You would likely want it to scan the entire system but exclude /dev, /sys and /proc.

You can see example configurations in the docs: https://docs.clamav.net/manual/OnAccess.html#configuration-and-recipes

Sent from a tiny keyboard

> On Mar 13, 2022, at 09:14, Mohsen Ghahremani via clamav-users <clamav-users@lists.clamav.net> wrote:
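The contrast the reply above draws, written out as an added example that is not from the thread or from the ClamAV project: the poster's on-access settings from clamd.conf beside a corrected variant that follows the reply's advice (unprivileged clamd user, whole-filesystem include with the kernel pseudo-filesystems excluded). The account name "clamav" and the exact exclude paths are assumptions; check them against the clamd.conf man page and the OnAccess recipes linked above before deploying.

```conf
# --- As posted (weak): clamd runs as root AND root is the excluded user,
#     so nothing root opens is ever checked, and only /home is watched.
User root
OnAccessIncludePath /home
OnAccessExcludeUname root
OnAccessPrevention yes

# --- Corrected (assumed, per the reply's advice; verify against clamd.conf(5)).
# clamd itself drops to an unprivileged service account (name assumed).
# clamonacc still has to run as root, since fanotify needs it.
User clamav
# Watch the whole filesystem instead of only /home ...
OnAccessIncludePath /
# ... but leave the kernel pseudo-filesystems alone.
OnAccessExcludePath /proc
OnAccessExcludePath /sys
OnAccessExcludePath /dev
# Exclude the scanner's own account, not root: clamd's reads of the file
# under scan must not themselves raise a blocking on-access event.
OnAccessExcludeUname clamav
# Deny access to files detected as infected for every other user, root included.
OnAccessPrevention yes
```

With root no longer in the exclusion list, a root-owned process opening a detected file is denied exactly like any other user; excluding root was what made the original setup "do nothing" for root.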