Hi, I've just installed ClamAV 0.99 and configured scan-on-access as follows:

    OnAccessIncludePath /home
    OnAccessIncludePath /var/ftp
    OnAccessDisableDDD yes
    OnAccessPrevention yes
    OnAccessExtraScanning yes

then uploaded (via scp) Eicar to test, which was found by ScanOnAccess:

    Thu Feb 25 12:00:55 2016 -> ScanOnAccess: /home/username/eicar.txt: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND

but not blocked. Checked clamd.log, and found this:

    ...
    Thu Feb 25 12:39:05 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libfontconfig.so.1.8.0: YARA.MD5_Constants.UNOFFICIAL(0ef17ff4124d38b50ec503513ddfff01:248816) FOUND
    Thu Feb 25 12:39:05 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/librtmp.so.1: YARA.BLOWFISH_Constants.UNOFFICIAL(3b067506f0b185622631c6e43fff2403:122168) FOUND
    Thu Feb 25 12:39:05 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libgnutls-deb0.so.28.41.0: YARA.RIPEMD160_Constants.UNOFFICIAL(082e1c093f4a321564793324d8a53148:1173320) FOUND
    Thu Feb 25 12:39:05 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libnettle.so.4.7: YARA.BLOWFISH_Constants.UNOFFICIAL(4cce9eb53d3af2c9bcf34ef8e5990284:203520) FOUND
    Thu Feb 25 12:39:05 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/libgcrypt.so.20.0.3: YARA.BLOWFISH_Constants.UNOFFICIAL(59235bed62b29d88a20f55b675f097c9:924096) FOUND
    Thu Feb 25 12:39:05 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libsasl2.so.2.0.25: YARA.MD5_Constants.UNOFFICIAL(064ea4ea5acf2bc1dfa79cecef1efec2:113520) FOUND
    Thu Feb 25 12:39:06 2016 -> ScanOnAccess: /usr/bin/php5: YARA.BLOWFISH_Constants.UNOFFICIAL(595910cd8a190ed3ea92b214f1dd4509:9024168) FOUND
    Thu Feb 25 12:39:06 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/libcrypt-2.19.so: YARA.MD5_Constants.UNOFFICIAL(6db5503fe7f59072efc8dc3566cbc28d:35176) FOUND
    Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0: YARA.BLOWFISH_Constants.UNOFFICIAL(8f88442f21ad73a51c3413ce7dfc82e0:2062720) FOUND
    Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libdb-5.3.so: YARA.RIPEMD160_Constants.UNOFFICIAL(db727251f8d41832c6dbb87d75be7e73:1840496) FOUND
    Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1: YARA.MD5_Constants.UNOFFICIAL(94039c03eeecb23ee62acdecab4c9306:195400) FOUND
    Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/bin/sort: YARA.MD5_Constants.UNOFFICIAL(c530fd8e6ed446fccccd4979e1fa4193:105832) FOUND
    Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/bin/sort: YARA.MD5_Constants.UNOFFICIAL(c530fd8e6ed446fccccd4979e1fa4193:105832) FOUND
    Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/security/pam_unix.so: YARA.MD5_Constants.UNOFFICIAL(23e650547c395da69a953f0b896fe0a8:60160) FOUND
    Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/libcrypt-2.19.so: YARA.MD5_Constants.UNOFFICIAL(6db5503fe7f59072efc8dc3566cbc28d:35176) FOUND
    Thu Feb 25 12:40:01 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/security/pam_unix.so: YARA.MD5_Constants.UNOFFICIAL(23e650547c395da69a953f0b896fe0a8:60160) FOUND
    Thu Feb 25 12:40:01 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/libcrypt-2.19.so: YARA.MD5_Constants.UNOFFICIAL(6db5503fe7f59072efc8dc3566cbc28d:35176) FOUND
    Thu Feb 25 12:40:03 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/security/pam_unix.so: YARA.MD5_Constants.UNOFFICIAL(23e650547c395da69a953f0b896fe0a8:60160) FOUND
    Thu Feb 25 12:40:03 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/libcrypt-2.19.so: YARA.MD5_Constants.UNOFFICIAL(6db5503fe7f59072efc8dc3566cbc28d:35176) FOUND
    ...

(it seems the whole system is infected)

Why does Scan On Access scan files outside /home and /var/ftp?
Why was Eicar not blocked?
Does Scan On Access finally work in 0.99, or is it still a TO DO?

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
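A small triage script for clamd.log output of the kind shown in the post, added here as an example and not part of the original message or of ClamAV: it parses the ScanOnAccess FOUND lines, separates official signatures from those clamd tags as UNOFFICIAL (loaded from a database not signed by ClamAV, such as third-party YARA rules), and lists which detected files lie outside the configured OnAccessIncludePath directories. The sample log is a constructed excerpt of lines from the post plus one filler line.

```python
import re

# Constructed excerpt: three FOUND lines copied from the post's log plus one
# non-detection filler line so the parser has something to skip.
SAMPLE_LOG = """\
Thu Feb 25 12:00:55 2016 -> ScanOnAccess: /home/username/eicar.txt: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Thu Feb 25 12:39:05 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libfontconfig.so.1.8.0: YARA.MD5_Constants.UNOFFICIAL(0ef17ff4124d38b50ec503513ddfff01:248816) FOUND
Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/bin/sort: YARA.MD5_Constants.UNOFFICIAL(c530fd8e6ed446fccccd4979e1fa4193:105832) FOUND
Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/bin/sort: YARA.MD5_Constants.UNOFFICIAL(c530fd8e6ed446fccccd4979e1fa4193:105832) FOUND
Thu Feb 25 12:39:07 2016 -> SelfCheck: Database status OK.
"""

# Layout of a detection line:
# "<timestamp> -> ScanOnAccess: <path>: <signature>(<md5>:<size>) FOUND"
HIT_RE = re.compile(
    r"^(?P<ts>.+?) -> ScanOnAccess: (?P<path>.+?): "
    r"(?P<sig>[^()]+)\((?P<md5>[0-9a-f]{32}):(?P<size>\d+)\) FOUND$"
)

def parse_hits(log_text):
    """One dict per FOUND line; every other clamd.log line is ignored."""
    hits = []
    for line in log_text.splitlines():
        m = HIT_RE.match(line)
        if m:
            h = m.groupdict()
            h["size"] = int(h["size"])
            # clamd suffixes .UNOFFICIAL to signatures from databases that are
            # not signed by ClamAV, i.e. third-party or locally added rules.
            h["unofficial"] = h["sig"].endswith(".UNOFFICIAL")
            hits.append(h)
    return hits

def in_include_paths(path, include_paths):
    """True if path is one of, or lies under, the OnAccessIncludePath dirs."""
    return any(path == p or path.startswith(p.rstrip("/") + "/")
               for p in include_paths)

def triage(log_text, include_paths):
    """Official hits, unofficial hits per signature (unique files), and the
    detected files that sit outside the configured include paths."""
    hits = parse_hits(log_text)
    official = sorted({h["path"] for h in hits if not h["unofficial"]})
    files_by_sig = {}
    for h in hits:
        if h["unofficial"]:
            files_by_sig.setdefault(h["sig"], set()).add(h["path"])
    outside = sorted({h["path"] for h in hits
                      if not in_include_paths(h["path"], include_paths)})
    return {"official": official,
            "unofficial_by_sig": {s: len(f) for s, f in files_by_sig.items()},
            "outside_include": outside}
```

Run it against the real clamd.log with the include paths from clamd.conf; the "outside_include" list is the set of files to explain before treating the YARA hits as an infection.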