Hi Kamil,

A few things:
what OS and kernel version are you using?
what are the results of opening the eicar file with vi (or your editor of choice)?
are /home/ and/or /var/ftp/ mount points? if so, are there symlinks within those directory hierarchies?
is your kernel configured with CONFIG_FANOTIFY_ACCESS_PERMISSIONS?

Also, extra scanning won't work without DDD since it piggybacks off of the inotify events caught by that system (events which otherwise aren't caught by fanotify).

- Mickey

On Thu, Feb 25, 2016 at 7:59 AM, kamil kapturkiewicz <hor...@wp.pl> wrote:
> Hi,
> I've just installed ClamAV 0.99, configured scan-on-access, as follows:
>
> OnAccessIncludePath /home
> OnAccessIncludePath /var/ftp
> OnAccessDisableDDD yes
> OnAccessPrevention yes
> OnAccessExtraScanning yes
>
> then uploaded (via scp) Eicar to test, which was found by ScanOnAccess:
>
> Thu Feb 25 12:00:55 2016 -> ScanOnAccess: /home/username/eicar.txt: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
>
> but not blocked. Checked clamd.log, and found this:
> ...
> Thu Feb 25 12:39:05 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libfontconfig.so.1.8.0: YARA.MD5_Constants.UNOFFICIAL(0ef17ff4124d38b50ec503513ddfff01:248816) FOUND
> Thu Feb 25 12:39:05 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/librtmp.so.1: YARA.BLOWFISH_Constants.UNOFFICIAL(3b067506f0b185622631c6e43fff2403:122168) FOUND
> Thu Feb 25 12:39:05 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libgnutls-deb0.so.28.41.0: YARA.RIPEMD160_Constants.UNOFFICIAL(082e1c093f4a321564793324d8a53148:1173320) FOUND
> Thu Feb 25 12:39:05 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libnettle.so.4.7: YARA.BLOWFISH_Constants.UNOFFICIAL(4cce9eb53d3af2c9bcf34ef8e5990284:203520) FOUND
> Thu Feb 25 12:39:05 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/libgcrypt.so.20.0.3: YARA.BLOWFISH_Constants.UNOFFICIAL(59235bed62b29d88a20f55b675f097c9:924096) FOUND
> Thu Feb 25 12:39:05 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libsasl2.so.2.0.25: YARA.MD5_Constants.UNOFFICIAL(064ea4ea5acf2bc1dfa79cecef1efec2:113520) FOUND
> Thu Feb 25 12:39:06 2016 -> ScanOnAccess: /usr/bin/php5: YARA.BLOWFISH_Constants.UNOFFICIAL(595910cd8a190ed3ea92b214f1dd4509:9024168) FOUND
> Thu Feb 25 12:39:06 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/libcrypt-2.19.so: YARA.MD5_Constants.UNOFFICIAL(6db5503fe7f59072efc8dc3566cbc28d:35176) FOUND
> Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0: YARA.BLOWFISH_Constants.UNOFFICIAL(8f88442f21ad73a51c3413ce7dfc82e0:2062720) FOUND
> Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libdb-5.3.so: YARA.RIPEMD160_Constants.UNOFFICIAL(db727251f8d41832c6dbb87d75be7e73:1840496) FOUND
> Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1: YARA.MD5_Constants.UNOFFICIAL(94039c03eeecb23ee62acdecab4c9306:195400) FOUND
> Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/bin/sort: YARA.MD5_Constants.UNOFFICIAL(c530fd8e6ed446fccccd4979e1fa4193:105832) FOUND
> Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/bin/sort: YARA.MD5_Constants.UNOFFICIAL(c530fd8e6ed446fccccd4979e1fa4193:105832) FOUND
> Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/security/pam_unix.so: YARA.MD5_Constants.UNOFFICIAL(23e650547c395da69a953f0b896fe0a8:60160) FOUND
> Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/libcrypt-2.19.so: YARA.MD5_Constants.UNOFFICIAL(6db5503fe7f59072efc8dc3566cbc28d:35176) FOUND
> Thu Feb 25 12:40:01 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/security/pam_unix.so: YARA.MD5_Constants.UNOFFICIAL(23e650547c395da69a953f0b896fe0a8:60160) FOUND
> Thu Feb 25 12:40:01 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/libcrypt-2.19.so: YARA.MD5_Constants.UNOFFICIAL(6db5503fe7f59072efc8dc3566cbc28d:35176) FOUND
> Thu Feb 25 12:40:03 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/security/pam_unix.so: YARA.MD5_Constants.UNOFFICIAL(23e650547c395da69a953f0b896fe0a8:60160) FOUND
> Thu Feb 25 12:40:03 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/libcrypt-2.19.so: YARA.MD5_Constants.UNOFFICIAL(6db5503fe7f59072efc8dc3566cbc28d:35176) FOUND
> ...
>
> (it seems the whole system is infected)
>
> Why does Scan On Access scan files outside /home and /var/ftp?
> Why was Eicar not blocked?
>
> Does Scan On Access work at last in 0.99, or is it still in TO DO?
>
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
> _______________________________________________
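The checks Mickey asks for above (kernel support for fanotify permission events, whether the include paths are mount points, symlinks under them) plus the question of which detections fall outside /home and /var/ftp, as an added example that is not part of this thread and not ClamAV's own code. It assumes a Debian-style kernel config at /boot/config-$(uname -r), util-linux's mountpoint(1), and the function names shown; the sample log lines are copied from the quoted post, and the kernel-config excerpt and directory tree are constructed.

```shell
#!/bin/sh
# Added example for the diagnostic questions raised in the reply above; not
# code from the ClamAV project or from the thread. Function names, the
# temporary-directory layout and the kernel-config path convention
# (/boot/config-$(uname -r), as used by Debian-style kernels) are assumptions.

# Is fanotify permission-event support built into a kernel config?
# Without CONFIG_FANOTIFY_ACCESS_PERMISSIONS fanotify only delivers
# notifications, so a prevention hook has no open to deny.
# Usage: fanotify_perm_enabled /boot/config-$(uname -r)
fanotify_perm_enabled() {
    grep -q '^CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y$' "$1"
}

# Count symlinks under a directory tree; a file reached through a symlink can
# be reported under a different prefix than the one configured.
symlink_count() {
    find "$1" -type l 2>/dev/null | wc -l | tr -d ' '
}

# Report whether a directory is a mount point when mountpoint(1) is present;
# otherwise say so rather than guess.
mount_status() {
    if command -v mountpoint >/dev/null 2>&1; then
        if mountpoint -q "$1"; then echo "mount point"; else echo "not a mount point"; fi
    else
        echo "unknown (mountpoint(1) not installed)"
    fi
}

# List the distinct paths of ScanOnAccess detections in a clamd.log that lie
# outside every OnAccessIncludePath prefix given.
# Usage: hits_outside_includes clamd.log /home /var/ftp
hits_outside_includes() {
    log=$1
    shift
    sed -n 's/.*ScanOnAccess: \([^:]*\):.* FOUND$/\1/p' "$log" |
    while IFS= read -r path; do
        inside=0
        for prefix in "$@"; do
            case "$path" in
                "$prefix"/*) inside=1; break ;;
            esac
        done
        if [ "$inside" -eq 0 ]; then
            printf '%s\n' "$path"
        fi
    done | sort -u
}

# --- constructed sample data -------------------------------------------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

# Minimal kernel-config excerpt (constructed).
cat > "$demo/kernel-config" <<'EOF'
CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
EOF

# A few ScanOnAccess lines taken from the log excerpt quoted in the thread.
cat > "$demo/clamd.log" <<'EOF'
Thu Feb 25 12:00:55 2016 -> ScanOnAccess: /home/username/eicar.txt: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/bin/sort: YARA.MD5_Constants.UNOFFICIAL(c530fd8e6ed446fccccd4979e1fa4193:105832) FOUND
Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/bin/sort: YARA.MD5_Constants.UNOFFICIAL(c530fd8e6ed446fccccd4979e1fa4193:105832) FOUND
Thu Feb 25 12:40:01 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/security/pam_unix.so: YARA.MD5_Constants.UNOFFICIAL(23e650547c395da69a953f0b896fe0a8:60160) FOUND
EOF

# A stand-in for an include path: one regular file and one symlink to it.
mkdir -p "$demo/home/username"
: > "$demo/home/username/eicar.txt"
ln -s eicar.txt "$demo/home/username/link-to-eicar"

if fanotify_perm_enabled "$demo/kernel-config"; then
    echo "kernel config: fanotify permission events available"
else
    echo "kernel config: CONFIG_FANOTIFY_ACCESS_PERMISSIONS missing; blocking cannot work"
fi
echo "$demo/home: $(mount_status "$demo/home"), $(symlink_count "$demo/home") symlink(s)"
echo "detections outside /home and /var/ftp:"
hits_outside_includes "$demo/clamd.log" /home /var/ftp
```

Run against a live clamd.log with the configured OnAccessIncludePath values, hits_outside_includes gives the list of detections the on-access scanner reported beyond the include prefixes, which is exactly what the quoted post is asking about; the kernel-config check answers the last of Mickey's questions without guessing from behaviour.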