Mailing List Archive

[clamav-users] Can't access file ERROR - clamdscan - 0.103.7-1
Hi all,

we have 2 workstations running RHEL 8 and clamav / clamd using an
identical software stack / configuration. In particular we integrate
the clamav packages via the RHEL EPEL repos. So far we have been using
0.103.6-1.el8 without any issues. We have started upgrading to
0.103.7-1.el8 on one of the two workstations. Since then, when using
clamdscan, we receive the below issue:

Can't access file ERROR

We have been investigating the issue with respect to access control
related issues. However, even when using "root" as the clamdscan user
we receive the error. From an ACL perspective, we see no systematic
cause for this issue. We therefore want to check whether this error
has been experienced by others as well and thus may relate to a bug in
version 0.103.7-1.el8 of clamdscan.

Below you can find the output of clamconf:

Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
AlertExceedsMax disabled
PreludeEnable disabled
PreludeAnalyzerName disabled
LogFile = "/var/log/clamdscan-SD-XXXXX.scan"
LogFileUnlock disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean = "yes"
LogSyslog = "yes"
LogFacility = "LOG_AUTHPRIV"
LogVerbose = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
PidFile = "/run/clamd.scan/clamd.pid"
TemporaryDirectory = "/data/tmp"
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/run/clamd.scan/clamd.sock"
LocalSocketGroup disabled
LocalSocketMode disabled
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "200"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "30"
ReadTimeout = "120"
CommandReadTimeout = "30"
SendBufTimeout = "500"
MaxQueue = "200"
IdleTimeout = "30"
ExcludePath = ".*\.nc$", ".*\.bin$", ".*\.xml$", ".*\.hdf$", ".*\.h5$"
MaxDirectoryRecursion = "200"
FollowDirectorySymlinks = "yes"
FollowFileSymlinks = "yes"
CrossFilesystems = "yes"
SelfCheck = "600"
ConcurrentDatabaseReload = "yes"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamscan"
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "10000"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
ScanPE = "yes"
ScanELF = "yes"
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
HeuristicAlerts = "yes"
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
AlertBrokenExecutables disabled
AlertBrokenMedia disabled
AlertEncrypted disabled
StructuredCCOnly disabled
AlertEncryptedArchive disabled
AlertEncryptedDoc disabled
AlertOLE2Macros disabled
AlertPhishingSSLMismatch disabled
AlertPhishingCloak disabled
AlertPartitionIntersection disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ForceToDisk disabled
MaxScanTime = "1200000"
MaxScanSize = "4194304000"
MaxFileSize = "4194304000"
MaxRecursion = "200"
MaxFiles = "5000000"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "5242880"
MaxPartitions = "50"
MaxIconsPE = "100"
MaxRecHWP3 = "16"
PCREMatchLimit = "100000"
PCRERecMatchLimit = "2000"
PCREMaxFileSize = "26214400"
OnAccessMountPath disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeRootUID disabled
OnAccessExcludeUID disabled
OnAccessExcludeUname disabled
OnAccessMaxFileSize = "5242880"
OnAccessDisableDDD disabled
OnAccessPrevention disabled
OnAccessExtraScanning disabled
OnAccessCurlTimeout = "5000"
OnAccessMaxThreads = "5"
OnAccessRetryAttempts disabled
OnAccessDenyOnError disabled
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled
AlgorithmicDetection = "yes"
BlockMax disabled
PhishingAlwaysBlockSSLMismatch disabled
PhishingAlwaysBlockCloak disabled
PartitionIntersection disabled
OLE2BlockMacros disabled
ArchiveBlockEncrypted disabled

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "1048576"
LogTime disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate disabled
PidFile disabled
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
UpdateLogFile disabled
DatabaseOwner = "clamupdate"
Checks = "12"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "database.clamav.net"
PrivateMirror disabled
MaxAttempts = "3"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
ExcludeDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamd.d/scan.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout disabled
Bytecode = "yes"

mail/clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.7
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2
PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
bytecode.cvd: version 333, sigs: 92, built on Mon Mar 8 15:21:51 2021
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
daily.cld: version 26713, sigs: 2010145, built on Mon Nov 7 08:52:07 2022
Total number of signatures: 8657664

Platform information
--------------------
uname: Linux 4.18.0-372.32.1.el8_6.x86_64 #1 SMP Fri Oct 7 12:35:10
EDT 2022 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a2180800800000000080500

Build information
-----------------
GNU C: 8.5.0 20210514 (Red Hat 8.5.0-10) (8.5.0)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
-fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
-fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
LDFLAGS: -Wl,-z,relro -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed
-lprelude
Configure: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix='
'--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--localstatedir=/var' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--enable-milter' '--disable-clamav' '--disable-static'
'--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check'
'--enable-dns' '--with-dbdir=/var/lib/clamav'
'--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath'
'--disable-silent-rules' '--enable-clamdtop' '--enable-prelude'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CXXFLAGS=-O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
'LDFLAGS=-Wl,-z,relro -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed'
'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
-fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 128, dconf: 128
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] Can't access file ERROR - clamdscan - 0.103.7-1
Hi there,

On Mon, 7 Nov 2022, An Schall via clamav-users wrote:

> we do have 2 workstations running RHEL 8 and clamav / clamd using an
> identical software stack / configuration. In particular we integrate
> the clamav packages via the RHEL EPEL repos. So far we have been using
> 0.103.6-1.el8 without any issues. We have started upgrading to
> 0.103.7-1.el8 on one of the both workstations. Since then, when using
> clamdscan, we receive the below issue:
>
> Can't access file ERROR

Given your problem description I've had trouble understanding how you
might have come to see exactly this error; please tell us what you did
to get it and when and where you see the error (e.g. stderr, logfile).
If this is not the exact error please cut-and-paste it from the screen
or whatever you need to do to show the error *exactly*.

With any luck there'll be a log entry telling you which file caused
the problem. Have you looked in the logs to see what (if anything) is
there? It might be helpful to know the file's name, if it is a file
which cannot be accessed, and if not it may be helpful to know that
too. It may be (see [*] below) you need to tweak your configuration
to write the logs.

> We have been investigating the issue with respect to access control
> related issues. However, even when using "root" as the clamdscan user
> we receive the error.

Have you tried running the clamd daemon itself as root?

> From an ACL perspective, we see no systematic cause for this issue.

Have you checked by downgrading to 0.103.6 that the error goes away?

> We therefore want to check whether this error has been experienced
> by others as well and thus may relate to a bug in version
> 0.103.7-1.el8 of clamdscan.

The latest version of 0.103.x was released a week ago. Early days so
anything's possible. I don't use security software packaged by distro
and I only scan mail, using clamd and my own milters, so I'm afraid I
can't help directly with that question. However, since it went live
here on 1 November 2022 I can say that I've seen no unexpected issues
with clamd from ClamAV version 0.103.7 running on armv7l 64-bit; this
probably won't help you very much. :(

> Below you can find the output of clamconf:

The output of 'clamconf -n' might be easier for us to digest.

[*] Are you sure that you've shown us the right configuration?

--

73,
Ged.
Re: [clamav-users] Can't access file ERROR - clamdscan - 0.103.7-1
Hi there,

the command we are using is:

sudo -H clamdscan -v -c /etc/clamd.d/scan.conf --multiscan --fdpass

We do see the errors in /var/log/clamdscan.log as defined in the
configuration file /etc/clamd.d/scan.conf (see below). The exact error
messages are as follows:

Mon Nov 7 13:50:21 2022 ->
/data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamconf:
Can't access file ERROR
Mon Nov 7 13:50:21 2022 ->
/data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdscan:
Can't access file ERROR
Mon Nov 7 13:50:21 2022 ->
/data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamconf:
Can't access file ERROR
Mon Nov 7 13:50:21 2022 ->
/data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdscan:
Can't access file ERROR
Mon Nov 7 13:50:21 2022 ->
/data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdtop:
Can't access file ERROR

Basically, all the files that we try to scan are triggering the above
error. For some files though the scan gives an "OK" and not the above
error message. However, we fail to see any system / correlation for
which files the scans fail and for which the scans are successful. It
seems rather random.

Below you can find the output of clamconf -n:

Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
LogFile = "/var/log/clamdscan-SD-XXXXX.scan"
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean = "yes"
LogSyslog = "yes"
LogFacility = "LOG_AUTHPRIV"
LogVerbose = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
PidFile = "/run/clamd.scan/clamd.pid"
TemporaryDirectory = "/data/tmp"
LocalSocket = "/run/clamd.scan/clamd.sock"
MaxThreads = "30"
MaxQueue = "200"
ExcludePath = ".*\.nc$", ".*\.bin$", ".*\.xml$", ".*\.hdf$", ".*\.h5$"
MaxDirectoryRecursion = "200"
FollowDirectorySymlinks = "yes"
FollowFileSymlinks = "yes"
User = "clamscan"
MaxScanTime = "1200000"
MaxScanSize = "4194304000"
MaxFileSize = "4194304000"
MaxRecursion = "200"
MaxFiles = "5000000"
MaxZipTypeRcg = "5242880"

Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"

mail/clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.7
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2
PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
bytecode.cvd: version 333, sigs: 92, built on Mon Mar 8 15:21:51 2021
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
daily.cld: version 26713, sigs: 2010145, built on Mon Nov 7 08:52:07 2022
Total number of signatures: 8657664

Platform information
--------------------
uname: Linux 4.18.0-372.32.1.el8_6.x86_64 #1 SMP Fri Oct 7 12:35:10
EDT 2022 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a2180800800000000080500

Build information
-----------------
GNU C: 8.5.0 20210514 (Red Hat 8.5.0-10) (8.5.0)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
-fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
-fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
LDFLAGS: -Wl,-z,relro -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed
-lprelude
Configure: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix='
'--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--localstatedir=/var' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--enable-milter' '--disable-clamav' '--disable-static'
'--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check'
'--enable-dns' '--with-dbdir=/var/lib/clamav'
'--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath'
'--disable-silent-rules' '--enable-clamdtop' '--enable-prelude'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CXXFLAGS=-O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
'LDFLAGS=-Wl,-z,relro -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed'
'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
-fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 128, dconf: 128

As mentioned earlier, for all the files that failed to scan, we
tried to check access permissions, whether they exist, etc. Those
are regular files with correctly configured ACLs. I also tried to run
clamdscan as root but it results in a similar problem.

Interestingly, when first escalating privileges via "sudo su" and then
running clamdscan against a folder within the home directory of the
user from which the privileges were escalated (i.e. foo), we receive
the following error:

[root@epp-3o-w1 av-scans]# clamdscan -v -c /etc/clamd.d/scan.conf
/home/foo/test/
/home/foo/test: File path check failure: Permission denied. ERROR
/home/foo/test: File path check failure: Permission denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 2
Time: 0.000 sec (0 m 0 s)
Start Date: 2022:11:07 13:57:07
End Date: 2022:11:07 13:57:07

# ls -dlsa /home/foo/test/
0 drwxr-xr-x 2 foo sudo 292 Nov 3 10:35 /home/foo/test/

Unfortunately, due to a very strict configuration management we cannot
downgrade to 0.103.6 anymore.

On Mon, 7 Nov 2022 at 14:17, G.W. Haywood via
clamav-users <clamav-users@lists.clamav.net> wrote:
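The "File path check failure: Permission denied" output above is produced when clamd itself cannot reach the path, and clamd opens files as the account named by `User` in clamd.conf (here "clamscan") rather than as the user who ran clamdscan, unless descriptors are passed with `--fdpass`. The script below is an added example for this thread, not ClamAV's own code: it walks every component of a path and reports the first one a given account cannot traverse or read, using plain POSIX mode bits (POSIX ACLs and SELinux are not evaluated). The `demo()` tree, the uid 65534 standing in for the clamd account, and the `sample.bin` file are all constructed for the example; `check_path_for_user()` is the hypothetical entry point for a real host.

```python
"""Walk a path as clamd's configured User would and report the first
component that account cannot traverse or read (added example, not
ClamAV code; POSIX mode bits only, ACLs and SELinux ignored)."""
import grp
import os
import pwd
import shutil
import stat
import tempfile


def resolve_user(name):
    """Return (uid, set of gids) for a local account: primary plus supplementary groups."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if name in g.gr_mem)
    return pw.pw_uid, gids


def can_access(mode, st_uid, st_gid, uid, gids, want):
    """POSIX DAC check: does uid (member of gids) hold every bit of `want`
    (an 'other'-position mask: 0o1 search, 0o4 read) on this inode?"""
    if uid == 0:
        return True  # root bypasses discretionary read/search checks
    if st_uid == uid:
        shift = 6    # owner bits
    elif st_gid in gids:
        shift = 3    # group bits
    else:
        shift = 0    # other bits
    return ((mode >> shift) & want) == want


def first_blocked_component(path, uid, gids, root=os.sep):
    """Check every prefix of `path` at or below `root`. Intermediate
    directories need search (x); a final directory needs rx; a final file
    needs r. Returns (prefix, reason) for the first failure, else None."""
    path = os.path.abspath(path)
    root = os.path.abspath(root)
    prefixes = [os.sep]
    for part in path.split(os.sep)[1:]:
        if part:
            prefixes.append(os.path.join(prefixes[-1], part))
    inside = root.rstrip(os.sep) + os.sep
    prefixes = [p for p in prefixes if p == root or p.startswith(inside)]
    for i, prefix in enumerate(prefixes):
        try:
            st = os.stat(prefix)
        except OSError as exc:
            return prefix, "stat failed: %s" % exc.strerror
        last = i == len(prefixes) - 1
        if stat.S_ISDIR(st.st_mode):
            want, label = (0o5, "read+search (rx)") if last else (0o1, "search (x)")
        else:
            want, label = 0o4, "read (r)"
        if not can_access(st.st_mode, st.st_uid, st.st_gid, uid, gids, want):
            return prefix, "uid %d lacks %s: %s owner %d:%d" % (
                uid, label, stat.filemode(st.st_mode), st.st_uid, st.st_gid)
    return None


def check_path_for_user(path, username, root=os.sep):
    """Hypothetical entry point for a real host: resolve the clamd account
    from clamd.conf's User line and check the scan target for it."""
    uid, gids = resolve_user(username)
    return first_blocked_component(path, uid, gids, root)


def demo():
    """Constructed tree mirroring the thread: <base>/home/foo is 0700 (a
    common home-directory mode), <base>/home/foo/test is 0755. Checks the
    target for a constructed unprivileged uid (65534) and for the owner."""
    base = tempfile.mkdtemp()
    try:
        os.chmod(base, 0o755)
        home = os.path.join(base, "home")
        foo = os.path.join(home, "foo")
        test = os.path.join(foo, "test")
        os.makedirs(test)
        os.chmod(home, 0o755)
        os.chmod(foo, 0o700)
        os.chmod(test, 0o755)
        target = os.path.join(test, "sample.bin")
        with open(target, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(target, 0o644)
        return {
            "other": first_blocked_component(target, 65534, {65534}, root=base),
            "owner": first_blocked_component(target, os.getuid(), {os.getgid()}, root=base),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for who, result in demo().items():
        print(who, "->", "reachable" if result is None else "blocked at %s (%s)" % result)
    try:
        print(check_path_for_user("/home/foo/test", "clamscan"))
    except KeyError:
        print("no local account named 'clamscan' on this host")
```

In the constructed tree the unprivileged uid is stopped at `home/foo` (no search bit for others) before it ever reaches the 0755 `test` directory, which is the same shape as the thread's `drwxr-xr-x` listing of `/home/foo/test/` that still fails: the listed directory is fine, a parent is not. Run it on the real host with the `User` value from clamd.conf; if it reports a blocked component while clamdscan is run as root, that is consistent with clamd rather than clamdscan doing the open.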
Re: [clamav-users] Can't access file ERROR - clamdscan - 0.103.7-1
Hello again,

On Mon, 7 Nov 2022, An Schall via clamav-users wrote:

> the command we are using is:
>
> sudo -H clamdscan -v -c /etc/clamd.d/scan.conf --multiscan --fdpass

Try it without '--fdpass'. What do you mean the '-H' to do for you?

[.Micah, I've just noticed that '-c file' doesn't appear in the 'man'
page for clamd.conf but '--config-file=file' does. I *think* I've
mentioned it before but I don't have time to check right now. The
short version does work instead of the long one, I guess you know.]

> We do see the errors in /var/log/clamdscan.log as defined in the
> configuration file /etc/clamd.d/scan.conf (see below). The exact error
> messages are as follows:
>
> Mon Nov 7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamconf: Can't access file ERROR
> Mon Nov 7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdscan: Can't access file ERROR
> Mon Nov 7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamconf: Can't access file ERROR
> Mon Nov 7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdscan: Can't access file ERROR
> Mon Nov 7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdtop: Can't access file ERROR

Can you confirm that the above log extract shows exactly five lines of
the log? This is to allow tracking exactly what code in the source
actually wrote those log lines. From my reading of the source code I
would not expect to see 'newline' characters between the filename and
the text of the message "Can't access ..." but you seem to have them
in your mail.

> Basically, all the files that we try to scan are triggering the above
> error. For some files though the scan gives an "OK" and not above
> error message. However, we fail to see any system / correlation for
> which files the scans fail and for which the scans are successful. It
> seems rather random.

Which do you mean:

(1) it's random whether scanning any particular file will cause the
error message or not or

(2) scanning some files does not cause the error message, and scanning
these same files never causes the error message; scanning other files
always causes the error message; but you see no common factors which
link (or differentiate) the two sets of files?

> Below you can find the output of clamconf -n:
> ...

Can you explain how you came to be using all the non-default numbers?
Some of them look very optimistic to me.

> MaxThreads = "30"

This is on the high side, I believe the default is 10.

> MaxQueue = "200"

Ditto, default 100.

> ExcludePath = ".*\.nc$", ".*\.bin$", ".*\.xml$", ".*\.hdf$", ".*\.h5$"

This might deserve closer inspection than I can give it but I don't
think it's relevant to the issue.

> MaxDirectoryRecursion = "200"

Default 15.

> FollowDirectorySymlinks = "yes"
> FollowFileSymlinks = "yes"

Both default no.

Might be an issue if you're crossing filesystems. Are you?

> MaxScanTime = "1200000"

Twenty minutes; default 12 seconds. It won't be your issue, but are
you sure you want to do that?

> MaxScanSize = "4194304000"
> MaxFileSize = "4194304000"

These numbers are wishful thinking. The defaults are 100M and 25M
respectively. ClamAV cannot yet handle files bigger than 2GB, that's
clear in the 'man' page for clamd.conf if you'd like to look at it.

> MaxRecursion = "200"

Default 17.

> MaxFiles = "5000000"

Default 10000.

> MaxZipTypeRcg = "5242880"

Again see the 'man' page. This applies also to

MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6

which for your configuration I calculate to be

30 * 200 + 200 - 30 + 6 = 6176

which bodes ill if, as is likely, RLIMIT_NOFILE on your system is 1024.
Check it.

> As mentioned earlier, for all the files that were failed to scan, we
> tried to check access permissions, whether they exist, etc. pp. Those
> are regular files with correctly configured ACLs. I also tried to run
> clamdscan as root but it results in a similar problem.

You didn't answer my question about running clamd as root but I think
given the non-default lines in your config we're probably beyond that.

> Interestingly, when first escalating privileges via "sudo su" and then
> running clamdscan against a folder within the home directory of the
> user from which the privileges were escalated (i.e. foo), we receive
> the following error:
>
> [root@epp-3o-w1 av-scans]# clamdscan -v -c /etc/clamd.d/scan.conf
> /home/foo/test/
> /home/foo/test: File path check failure: Permission denied. ERROR
> /home/foo/test: File path check failure: Permission denied. ERROR
>
> ----------- SCAN SUMMARY -----------
> Infected files: 0
> Total errors: 2
> Time: 0.000 sec (0 m 0 s)
> Start Date: 2022:11:07 13:57:07
> End Date: 2022:11:07 13:57:07
>
> # ls -dlsa /home/foo/test/
> 0 drwxr-xr-x 2 foo sudo 292 Nov 3 10:35 /home/foo/test/

It seems odd to me that /home/foo/test/ is in group 'sudo'. Or indeed
that anything in any user's home directory would be. Looks to me like
you've mounted a filesystem which was created by a different system,
and the different system has a different set of numeric UIDs from the
system running clamd. That will always be a muddle, and if it is the
case you need to sort it out. It's sysadmin - not a ClamAV problem.

> Unfortunately, due to a very strict configuration management we cannot
> downgrade to 0.103.6 anymore.

If your configuration management does not permit you to troubleshoot a
problem with your security software I suggest that management is dumb.
It wouldn't be the first time.

Perhaps you can find a copy of the configuration which you were using
for 0.103.6 and compare it with what you're using now. My feeling is
that it's a serious problem that you have increased some of the limits
without any regard for potential consequences - although without more
information I can't say for sure whether or not that is the, er, root
cause of your issue.

If you can't reinstall 0.103.6 for testing I suggest you reconfigure
clamd using defaults for most configurable parameters and try again.

--

73,
Ged.
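The descriptor estimate in the reply above is easy to get wrong by hand once the config has many non-default values, and the limit that matters is the daemon's own, not the shell's. The script below is an added example for this thread, not ClamAV's own code: it parses `Key value` lines from clamd.conf (or the `Key = "value"` form that clamconf prints), applies the formula and the defaults quoted in the reply (MaxThreads 10, MaxQueue 100, MaxRecursion 17), and compares the result with the soft `RLIMIT_NOFILE` of the running clamd read from `/proc/<pid>/limits`. `SAMPLE_CONF` is constructed from the values posted in the thread; the pidfile path is the one from the posted configuration; `daemon_nofile_limit()` and `assess()` are names chosen for this example.

```python
"""Estimate clamd's worst-case open-file need from clamd.conf and compare
it with RLIMIT_NOFILE (added example, not ClamAV code). Formula and
defaults are those quoted in the reply above:
    MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6
"""
import re
import resource

# Defaults as stated in the reply (MaxThreads 10, MaxQueue 100, MaxRecursion 17).
DEFAULTS = {"MaxThreads": 10, "MaxQueue": 100, "MaxRecursion": 17}

# Constructed clamd.conf fragment using the poster's non-default values.
SAMPLE_CONF = """\
# clamd.conf fragment (constructed for this example)
LogFile /var/log/clamdscan-SD-XXXXX.scan
MaxThreads 30
MaxQueue 200
MaxRecursion 200
MaxDirectoryRecursion 200
Debug disabled
"""


def parse_clamd_conf(text):
    """Parse 'Key value' (clamd.conf) or 'Key = "value"' (clamconf output)
    lines into a dict. Comments and blank lines are skipped; a value of
    'disabled' is stored as None. Later duplicates overwrite earlier ones."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)(?:\s*=\s*|\s+|$)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        opts[key] = None if value == "disabled" else value
    return opts


def option_int(opts, key):
    """Integer option, accepting clamd's K/M suffixes; falls back to DEFAULTS."""
    value = opts.get(key)
    if value in (None, ""):
        return DEFAULTS[key]
    m = re.fullmatch(r"(\d+)([KkMm]?)", value)
    if not m:
        raise ValueError("%s: not an integer: %r" % (key, value))
    scale = {"": 1, "k": 1024, "m": 1024 * 1024}[m.group(2).lower()]
    return int(m.group(1)) * scale


def fd_budget(opts):
    """MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6 for a parsed config."""
    threads = option_int(opts, "MaxThreads")
    queue = option_int(opts, "MaxQueue")
    recursion = option_int(opts, "MaxRecursion")
    return threads * recursion + queue - threads + 6


def assess(conf_text, nofile_limit):
    """Compare the estimate for `conf_text` against a descriptor limit."""
    need = fd_budget(parse_clamd_conf(conf_text))
    return {"need": need, "limit": nofile_limit, "ok": need <= nofile_limit}


def daemon_nofile_limit(pidfile="/run/clamd.scan/clamd.pid"):
    """Soft 'Max open files' of the running clamd from /proc/<pid>/limits,
    or None if the daemon is not running or the files are unreadable.
    A systemd-started clamd does not inherit an interactive shell's ulimit."""
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
        with open("/proc/%d/limits" % pid) as fh:
            for line in fh:
                if line.startswith("Max open files"):
                    return int(line.split()[3])  # soft limit column
    except (OSError, ValueError):
        return None
    return None


if __name__ == "__main__":
    print("all-defaults estimate:", fd_budget({}))
    limit = daemon_nofile_limit()
    if limit is None:  # fall back to this process's own soft limit
        limit = resource.getrlimit(resource.RLIMIT_NOFILE)[0]
    print(assess(SAMPLE_CONF, limit))
```

With the thread's values the estimate is 6176 against a typical limit of 1024; with all three options at their defaults it is 266. To run it against a live host, feed the real file with `assess(open("/etc/clamd.d/scan.conf").read(), daemon_nofile_limit())`; if the daemon's limit is the problem, raising it belongs in the service's `LimitNOFILE` setting rather than in the shell that launches clamdscan.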
Re: [clamav-users] Can't access file ERROR - clamdscan - 0.103.7-1
> [.Micah, I've just noticed that '-c file' doesn't appear in the 'man'
> page for clamd.conf but '--config-file=file' does. I *think* I've
> mentioned it before but I don't have time to check right now. The
> short version does work instead of the long one, I guess you know.]

Thanks. Perhaps we should add this issue to https://github.com/Cisco-Talos/clamav/issues/731

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of G.W. Haywood via clamav-users <clamav-users@lists.clamav.net>
Sent: Monday, November 7, 2022 8:59 AM
To: An Schall via clamav-users <clamav-users@lists.clamav.net>
Cc: G.W. Haywood <clamav@jubileegroup.co.uk>
Subject: Re: [clamav-users] Can't access file ERROR - clamdscan - 0.103.7-1

Hello again,

On Mon, 7 Nov 2022, An Schall via clamav-users wrote:

> the command we are using is:
>
> sudo -H clamdscan -v -c /etc/clamd.d/scan.conf --multiscan --fdpass

Try it without '--fdpass'. What do you mean the '-H' to do for you?

[.Micah, I've just noticed that '-c file' doesn't appear in the 'man'
page for clamd.conf but '--config-file=file' does. I *think* I've
mentioned it before but I don't have time to check right now. The
short version does work instead of the long one, I guess you know.]

> We do see the errors in /var/log/clamdscan.log as defined in the
> configuration file /etc/clamd.d/scan.conf (see below). The exact error
> messages are as follows:
>
> Mon Nov 7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamconf: Can't access file ERROR
> Mon Nov 7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdscan: Can't access file ERROR
> Mon Nov 7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamconf: Can't access file ERROR
> Mon Nov 7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdscan: Can't access file ERROR
> Mon Nov 7 13:50:21 2022 -> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdtop: Can't access file ERROR

Can you confirm that the above log extract shows exactly five lines of
the log? This is to allow tracking exactly what code in the source
actually wrote those log lines. From my reading of the source code I
would not expect to see 'newline' characters between the filename and
the text of the message "Can't access ..." but you seem to have them
in your mail.

> Basically, all the files that we try to scan are triggering the above
> error. For some files though the scan fives an "OK" and not above
> error message. However, we fail to see any system / correlation for
> which files the scans fail and for which the scans are successful. It
> seems rather random.

Which do you mean:

(1) it's random whether scanning any particular file will cause the
error message or not or

(2) scanning some files does not cause the error message, and scanning
these same files never causes the error message; scanning other files
always causes the error message; but you see no common factors which
link (or differentiate) the two sets of files?

> Below you can find the output of clamconf -n:
> ...

Can you explain how you came to be using all the non-default numbers?
Some of them look very optimistic to me.

> MaxThreads = "30"

This is on the high side, I believe the default is 10.

> MaxQueue = "200"

Ditto, default 100.

> ExcludePath = ".*\.nc$", ".*\.bin$", ".*\.xml$", ".*\.hdf$", ".*\.h5$"

This might deserve closer inspection than I can give it but I don't
think it's relevant to the issue.

> MaxDirectoryRecursion = "200"

Default 15.

> FollowDirectorySymlinks = "yes"
> FollowFileSymlinks = "yes"

Both default no.

Might be an issue if you're crossing filesystems. Are you?

> MaxScanTime = "1200000"

Twenty minutes; default 12 seconds. It won't be your issue, but are
you sure you want to do that?

> MaxScanSize = "4194304000"
> MaxFileSize = "4194304000"

These numbers are wishful thinking. The defaults are 100M and 25M
respectively. ClamAV cannot yet handle files bigger than 2GB, that's
clear in the 'man' page for clamd.conf if you'd like to look at it.

> MaxRecursion = "200"

Default 17.

> MaxFiles = "5000000"

Default 10000.

> MaxZipTypeRcg = "5242880"

Again see the 'man' page. This applies also to

MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6

which for your configuration I calculate to be

30 * 200 + 200 - 30 + 6 = 6176

which bodes ill if, as is likely, RLIMIT_NOFILE on your system is 1024.
Check it.

> As mentioned earlier, for all the files that were failed to scan, we
> tried to check access permissions, whether they exist, etc. pp. Those
> are regular files with correctly configured ACLs. I also tried to run
> clamdscan as root but it results in a similar problem.

You didn't answer my question about running clamd as root but I think
given the non-default lines in your config we're probably beyond that.

> Interestingly, when first escalating privileges via "sudo su" and then
> running clamdscan against a folder within the home directory of the
> user from which the privileges were escalated (i.e. foo), we receive
> the following error:
>
> [root@epp-3o-w1 av-scans]# clamdscan -v -c /etc/clamd.d/scan.conf
> /home/foo/test/
> /home/foo/test: File path check failure: Permission denied. ERROR
> /home/foo/test: File path check failure: Permission denied. ERROR
>
> ----------- SCAN SUMMARY -----------
> Infected files: 0
> Total errors: 2
> Time: 0.000 sec (0 m 0 s)
> Start Date: 2022:11:07 13:57:07
> End Date: 2022:11:07 13:57:07
>
> # ls -dlsa /home/foo/test/
> 0 drwxr-xr-x 2 foo sudo 292 Nov 3 10:35 /home/foo/test/

It seems odd to me that /home/foo/test/ is in group 'sudo'. Or indeed
that anything in any user's home directory would be. Looks to me like
you've mounted a filesystem which was created by a different system,
and the different system has a different set of numeric UIDs from the
system running clamd. That will always be a muddle, and if it is the
case you need to sort it out. It's sysadmin - not a ClamAV problem.

> Unfortunately, due to a very strict configuration management we cannot
> downgrade to 0.103.6 anymore.

If your configuration management does not permit you to troubleshoot a
problem with your security software I suggest that management is dumb.
It wouldn't be the first time.

Perhaps you can find a copy of the configuration which you were using
for 0.103.6 and compare it with what you're using now. My feeling is
that it's a serious problem that you have increased some of the limits
without any regard for potential consequences - although without more
information I can't say for sure whether or not that is the, er, root
cause of your issue.

If you can't reinstall 0.103.6 for testing I suggest you reconfigure
clamd using defaults for most configurable parameters and try again.

--

73,
Ged.
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
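The descriptor arithmetic in Ged's reply is easy to get wrong by hand, and the limit that matters is the one clamd runs under, not the one in your shell. The script below is an added example, not part of the thread or of ClamAV: it parses `Key = "value"` lines in the format clamconf prints, applies the formula quoted from the clamd.conf man page (MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6), compares the result with a given RLIMIT_NOFILE, and lists the limits that differ from the defaults Ged quotes. The clamconf output embedded in it is constructed to match the values in the thread; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from ClamAV): sanity-check clamd
# limits from clamconf output. Formula quoted from the clamd.conf man page:
#   MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6
# Defaults are the ones Ged quotes in the thread.

# Constructed sample in the "Key = "value"" format that clamconf -n prints.
SAMPLE_CLAMCONF='MaxThreads = "30"
MaxQueue = "200"
MaxDirectoryRecursion = "200"
MaxScanTime = "1200000"
MaxRecursion = "200"
MaxFiles = "5000000"
TemporaryDirectory = "/data/tmp"'

# conf_value <clamconf-output> <key>: print the value of one key, unquoted.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2 = \"\(.*\)\"$/\1/p"
}

# fd_estimate <clamconf-output>: descriptor demand from the man-page formula.
fd_estimate() {
    threads=$(conf_value "$1" MaxThreads)
    recursion=$(conf_value "$1" MaxRecursion)
    queue=$(conf_value "$1" MaxQueue)
    echo $(( threads * recursion + queue - threads + 6 ))
}

# fd_check <clamconf-output> <nofile-limit>: "exceeds" if the estimate is
# above RLIMIT_NOFILE, "ok" otherwise.
fd_check() {
    est=$(fd_estimate "$1")
    if [ "$est" -gt "$2" ]; then echo "exceeds"; else echo "ok"; fi
}

# nondefault_limits <clamconf-output>: one line per limit whose value differs
# from the default quoted in the thread (MaxScanTime omitted; the thread gives
# its default only in prose).
nondefault_limits() {
    printf '%s\n' \
        "MaxThreads 10" "MaxQueue 100" "MaxDirectoryRecursion 15" \
        "MaxRecursion 17" "MaxFiles 10000" |
    while read -r key def; do
        val=$(conf_value "$1" "$key")
        if [ -n "$val" ] && [ "$val" != "$def" ]; then
            echo "$key=$val (default $def)"
        fi
    done
}

# Demo on the constructed sample against the 1024 limit Ged expects.
# On a live host: fd_check "$(clamconf -n)" "$(ulimit -n)"
echo "descriptor estimate: $(fd_estimate "$SAMPLE_CLAMCONF")"
echo "against RLIMIT_NOFILE 1024: $(fd_check "$SAMPLE_CLAMCONF" 1024)"
nondefault_limits "$SAMPLE_CLAMCONF"
```

`ulimit -n` reports the soft limit of the shell you typed it into; clamd's own limit may differ if it is started by systemd with its own LimitNOFILE, so on Linux read `/proc/<clamd-pid>/limits` ("Max open files") and pass that value to `fd_check` instead.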
Re: [clamav-users] Can't access file ERROR - clamdscan - 0.103.7-1 [ In reply to ]
Dear Ged,

thanks for the exhaustive analysis. I guess I identified the issue,
which is *not* related to clamav itself.

Instead, the temporary directory that is specified in the clamd
configuration file became very large for some reason. This resulted in
any command executed against this directory (rm, ls, etc.) taking
several minutes. While clamdscan was operating, it interacted with this
directory, but these interactions timed out, I believe, resulting in
the observed Can't access file ERROR.

I was able to get to the bottom of this by appending "--stream" to
clamdscan to receive some debugging information. Using the additional
information I was able to pin-point the issue.

Best,
André

On Mon, 7 Nov 2022 at 18:02, G.W. Haywood via clamav-users
<clamav-users@lists.clamav.net> wrote: