Mailing List Archive

[clamav-users] On access scanning causes system lockup with certain directories
Hi all

I'm setting up a test environment with ClamAV and on access scanning and came across some problems.

When I add the directories /etc and /usr to the OnAccessIncludePath list, the machine totally locks up.
All connected sessions lock up too. Only a reboot of the machine is the solution.
When /etc (or /usr) is the only OnAccessIncludePath entry the same thing (lockup/hang) happens.

For /usr I found a workaround: OnAccessExcludePath /usr/lib64
This way the machine stays stable.

Putting SELinux in permissive mode gives the same negative result (lockup).

Has somebody got an idea what could be the cause of these lockups?
Excluding /etc and /usr wouldn't be quite a satisfying solution.

Cheers,
Roland

Here's the set up:
Red Hat Linux 8.5
SELinux turned on (antivirus_can_scan_system / clamd_use_jit are set)

The machine has a clean install. Dedicated to this POC.

This is the ClamAV scan.conf:

LogFile /var/log/clamd.scan
LogTime yes
LogSyslog yes
TemporaryDirectory /tmp
LocalSocket /run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
FixStaleSocket yes
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/dev/
User clamscan
OnAccessMaxThreads 10
OnAccessIncludePath /home
OnAccessIncludePath /boot
OnAccessIncludePath /root
OnAccessIncludePath /etc
OnAccessIncludePath /usr
OnAccessIncludePath /opt
OnAccessExcludePath ^/proc/
OnAccessExcludePath ^/sys/
OnAccessExcludePath ^/dev/
OnAccessExcludePath /usr/lib64
OnAccessPrevention yes
OnAccessDenyOnError yes
OnAccessExcludeUname clamupdate


________________________________

Information from the Council for the Judiciary, the district courts, the courts of appeal and the special tribunals can be found at www.rechtspraak.nl.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] On access scanning causes system lockup with certain directories
I'm not sure if this IS the answer, but my guess would be that ClamAV needs
to access files in /usr/lib64... And it has to scan (and come back with an
OK result) before access is allowed... resulting in scans being blocked
which, in turn, results in ALL processes being blocked while waiting on the
scans to complete.

--Maarten

On Wed, Apr 13, 2022 at 7:49 AM Oorschot, R. van (IVO Rechtspraak) via
clamav-users <clamav-users@lists.clamav.net> wrote:

> ...
> For /usr I found a workaround: OnAccessExcludePath /usr/lib64
> This way the machine stays stable.
> ...
Re: [clamav-users] On access scanning causes system lockup with certain directories
Hi there,

On Wed, 13 Apr 2022, Oorschot, R. van (IVO Rechtspraak) via clamav-users wrote:

> I'm setting up a test environment with ClamAV and on access scanning and came across some problems.
>
> When I add the directories /etc and /usr to the OnAccessIncludePath list, the machine totally locks up.
> ...
> Has somebody got an idea what could be the cause of these lockups?

You haven't talked about RAM. Be aware that if you're using on-access
protection, the minimum amount of memory that you will need will be at
least a gigabyte more (to run clamd) than you'd need without it.

Even if nothing is flagged as malicious, think about how many seconds
it might take to scan a typical library file against some ten million
potential threats, and, if the box is busy, how many times per second
numerous library files might need to be read during normal operation
of more or less anything which is running on it.

> This is the ClamAV scan.conf:
> ...
> OnAccessPrevention yes
> ...

If you use OnAccessPrevention, and you scan system libraries, then if
a false positive happens to flag a perfectly clean library file which
happens to be needed by the system then you can expect the machine to
lock up unless you have taken steps to prevent that. For example you
could exclude a bunch of user IDs from the access prevention, but of
course then ClamAV might not give the protection you're looking for.
And indeed it might not give it anyway.

The constructions of your regexes seem to be a little inconsistent but
I don't imagine that it's relevant to this issue.

--

73,
Ged.

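One check worth running before putting OnAccessPrevention over system directories, as an added example (shell; not from this thread and not ClamAV project code): the posted scan.conf runs clamd as `User clamscan` but excludes only `clamupdate` from on-access events. clamonacc is the fanotify listener, but clamd is a separate process, so with prevention enabled every file clamd itself opens inside an included path (shared libraries under /usr, lookups in /etc during a scan) becomes a permission event that can only be answered once clamd has scanned it. ClamAV's on-access documentation excludes the user clamd runs as for this reason (`OnAccessExcludeUname clamav` in its example). The script embeds a trimmed, constructed copy of the posted configuration and flags that gap; `SAMPLE_CONF`, `conf_value` and `lint_onaccess` are names invented for this example, and the check resolves only OnAccessExcludeUname and OnAccessExcludeRootUID, not numeric OnAccessExcludeUID entries.

```shell
#!/bin/sh
# Added example, not from the thread or the ClamAV project: lint a clamd
# configuration for the combination that lets clamd's own file opens wait
# on clamd: OnAccessPrevention on, a system directory under
# OnAccessIncludePath, and the clamd user (User ...) not excluded from
# on-access events.

# Constructed copy of the posted scan.conf, trimmed to the relevant lines.
SAMPLE_CONF='User clamscan
OnAccessIncludePath /home
OnAccessIncludePath /etc
OnAccessIncludePath /usr
OnAccessExcludePath /usr/lib64
OnAccessPrevention yes
OnAccessDenyOnError yes
OnAccessExcludeUname clamupdate'

# conf_value FILE KEY: print every value set for KEY, one per line.
# Comments are stripped first, so a commented-out option is not counted.
conf_value() {
    sed -e 's/#.*//' "$1" | awk -v k="$2" '$1 == k { print $2 }'
}

# lint_onaccess FILE: print findings; return 0 when the clamd user is
# excluded (or prevention is off), 1 when the risky combination is present.
lint_onaccess() {
    conf="$1"
    rc=0
    clamd_user=$(conf_value "$conf" User)
    # clamd runs as root when no User directive is present.
    [ -z "$clamd_user" ] && clamd_user=root
    prevention=$(conf_value "$conf" OnAccessPrevention)

    if [ "$prevention" = "yes" ]; then
        # 1. Is the user clamd runs as excluded from generating events?
        excluded=no
        if [ "$clamd_user" = root ] && \
           [ "$(conf_value "$conf" OnAccessExcludeRootUID)" = yes ]; then
            excluded=yes
        elif conf_value "$conf" OnAccessExcludeUname | grep -qx "$clamd_user"; then
            excluded=yes
        fi
        if [ "$excluded" = no ]; then
            echo "RISK: OnAccessPrevention yes, but clamd user '$clamd_user' is not excluded (OnAccessExcludeUname/OnAccessExcludeRootUID)"
            rc=1
        fi
        # 2. Point out included paths that hold libraries and config clamd reads.
        for p in $(conf_value "$conf" OnAccessIncludePath); do
            case "$p" in
                /etc|/etc/*|/usr|/usr/*|/lib|/lib/*|/lib64|/lib64/*)
                    echo "NOTE: system path '$p' is under prevention; clamd itself reads libraries and config here"
                    ;;
            esac
        done
    fi
    return $rc
}

# Usage: write the constructed sample to a temporary file and lint it.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
lint_onaccess "$tmp" || echo "=> fix the exclusion before enabling prevention on these paths"
rm -f "$tmp"
```

Run it against the real file with `lint_onaccess /etc/clamd.d/scan.conf` after sourcing the functions; on the posted configuration it reports the RISK line for user `clamscan` and NOTE lines for /etc and /usr, and adding `OnAccessExcludeUname clamscan` clears the RISK finding while the NOTE lines remain as a reminder that prevention over /usr still costs a full scan per library open.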
Re: [clamav-users] On access scanning causes system lockup with certain directories
Hi all

Thanks for responding and looking into this.

The original test machine has 4GB of RAM. For the sake of testing I rolled out a new machine with 8GB of RAM.
The new test machine has the exact same clamav configuration (the one I included in my original post) as the original machine.
Unfortunately the increase in memory wasn't the solution; again machine lockups when /etc or /usr are included.

I forgot to mention that I'm testing with version 0.103.5 (included with RHEL8 EPEL). I've also tested with the latest stable version 0.104.2 from the ClamAV site but I get the same results.

It seems plausible, what Maarten suggests, that there is some kind of (dead)lock going on.

Cheers,
Roland

-----Original message-----
From: clamav-users <clamav-users-bounces@lists.clamav.net> On behalf of G.W. Haywood via clamav-users
Sent: Wednesday, 13 April 2022 14:16
To: Oorschot, R. van (IVO Rechtspraak) via clamav-users <clamav-users@lists.clamav.net>
CC: G.W. Haywood <clamav@jubileegroup.co.uk>
Subject: Re: [clamav-users] On access scanning causes system lockup with certain directories


Re: [clamav-users] On access scanning causes system lockup with certain directories
Hi Roland, you might want to check out your CPU processes in your
system monitor to give you a clue of what process is causing a problem,
or there is, in the terminal, htop or top to find high CPU and memory.

And as for the smelly white elephant sitting in the room, for the real truth
of how our world actually is run,
try this cryptic word and search in your favourite web engine:

64 or 32 B?? first part of word, second part " if I throw this rubbish down the C????
The truth has unfortunately gone insane.
kind regards

colin
