I currently have these options enabled:

ScanOnAccess yes
OnAccessMountPath /
OnAccessExcludeUID 0
OnAccessPrevention yes

The user is root.
I guess there's a bug then?

________________________________________
From: clamav-users [clamav-users-boun...@lists.clamav.net] on behalf of Virgo 
Pärna [virgo.pa...@mail.ee]
Sent: 05 May 2016 11:07
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] ScanOnAccess issue when clamd launched from systemd

On Thu, 5 May 2016 09:50:03 +0000, Mikko Caldara <mikko.cald...@fca.org.uk> 
wrote:
> Not sure if it's related, but when I launch clamd *without* systemd and then 
> try to access an "infected" file, 2 problems occur:
>
> - clamd does not prevent access, despite having the option enabled
> - clamd goes into an infinite loop and hogs the CPU:
>
> Thu May  5 09:42:20 2016 -> ScanOnAccess: 
> /etc/suricata/rules/emerging-activex.rules: 
> Win.Trojan.cve_2011_2657-1(30e2f8e333f1624bb5ab66bed16eb110:274398) FOUND
> Thu May  5 09:42:20 2016 -> ScanOnAccess: 
> /tmp/clamav-326fdcae0616839f918d7b703a8e513b.tmp/nocomment.html (deleted): 
> Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND


        Looks like it is also scanning temporary files created during
the scanning. Could you set OnAccessExcludeUID to clamd user id?

--
Virgo Pärna
virgo.pa...@mail.ee

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
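
An added example, not part of the original messages or of ClamAV: a Python check for the symptom discussed in this thread. It looks for on-access FOUND entries on files inside clamd's own clamav-*.tmp scratch directories and reports whether the UID clamd runs as is listed in OnAccessExcludeUID. The scratch-directory name pattern is an assumption taken from the quoted log line, and the function names and result labels are hypothetical.

```python
import re

# Options exactly as quoted in the thread.
SAMPLE_CONF = """ScanOnAccess yes
OnAccessMountPath /
OnAccessExcludeUID 0
OnAccessPrevention yes
"""
# The two log entries quoted in the thread, rejoined onto single lines.
SAMPLE_LOG = """Thu May  5 09:42:20 2016 -> ScanOnAccess: /etc/suricata/rules/emerging-activex.rules: Win.Trojan.cve_2011_2657-1(30e2f8e333f1624bb5ab66bed16eb110:274398) FOUND
Thu May  5 09:42:20 2016 -> ScanOnAccess: /tmp/clamav-326fdcae0616839f918d7b703a8e513b.tmp/nocomment.html (deleted): Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
"""
# Assumption: scratch directories are named clamav-<32 hex>.tmp, as in the quoted log.
TMP_RE = re.compile(r"/clamav-[0-9a-f]{32}\.tmp/")
SCAN_RE = re.compile(r"-> ScanOnAccess: (?P<path>/.+?)(?: \(deleted\))?: \S+ FOUND$")

def excluded_uids(conf_text):
    """Collect the UID from every OnAccessExcludeUID line, ignoring comments."""
    uids = set()
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "OnAccessExcludeUID" and fields[1].isdigit():
            uids.add(int(fields[1]))
    return uids

def self_scan_hits(log_text):
    """Paths from ScanOnAccess FOUND entries that lie inside a clamav scratch directory."""
    hits = []
    for line in log_text.splitlines():
        m = SCAN_RE.search(line.rstrip())
        if m and TMP_RE.search(m.group("path")):
            hits.append(m.group("path"))
    return hits

def diagnose(conf_text, log_text, clamd_uid):
    """Classify the situation for the UID that clamd runs as (hypothetical helper)."""
    if not self_scan_hits(log_text):
        return "no-self-scan"
    if clamd_uid in excluded_uids(conf_text):
        return "excluded-but-still-scanned"
    return "uid-not-excluded"

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, SAMPLE_LOG, clamd_uid=0), self_scan_hits(SAMPLE_LOG))
```

Pass the numeric UID of the account clamd actually runs as; with the thread's configuration and root (UID 0) the result is the "excluded-but-still-scanned" case described in the reply at the top.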
