We have a new requirement at work that we have virus scanners installed on our workstations.
What I'm trying to do is demonstrate that onAccess scanning works. What I'm expecting, which could be wrong, is that there would be output either in the logs or clamdtop when a file is opened or otherwise manipulated when verbose logging and "LogClean" is enabled. My assumption is that my setup is wrong.

I've used http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html as a base for the settings described below. I'm using ClamAV 0.99.2 from Fedora 24 and the up-to-date stock Fedora 24 kernel. CONFIG_FANOTIFY=y and CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y are present in /boot/config-4.6.7-300.fc24.x86_64.

Here's my configuration in /etc/clam.d/scan.conf:

    LogFile /var/log/clamd.scan
    LogFileUnlock yes
    LogFileMaxSize 2M
    LogTime yes
    LogClean yes
    LogVerbose yes
    LogRotate yes
    ExtendedDetectionInfo yes
    PidFile /var/run/clamd.scan/clamd.pid
    LocalSocket /var/run/clamd.scan/clamd.sock
    ScanOnAccess yes
    OnAccessMountPath /
    OnAccessMaxFileSize 0
    OnAccessExcludeUID 0

When clamav starts, the logs show the following:

    Tue Aug 30 10:38:53 2016 -> +++ Started at Tue Aug 30 10:38:53 2016
    Tue Aug 30 10:38:53 2016 -> Received 0 file descriptor(s) from systemd.
    Tue Aug 30 10:38:53 2016 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
    Tue Aug 30 10:38:53 2016 -> Log file size limited to 2097152 bytes.
    Tue Aug 30 10:38:53 2016 -> Reading databases from /var/lib/clamav
    Tue Aug 30 10:38:53 2016 -> Not loading PUA signatures.
    Tue Aug 30 10:38:53 2016 -> Bytecode: Security mode set to "TrustSigned".
    Tue Aug 30 10:38:58 2016 -> Loaded 4772631 signatures.
    Tue Aug 30 10:38:59 2016 -> LOCAL: Unix socket file /var/run/clamd.scan/clamd.sock
    Tue Aug 30 10:38:59 2016 -> LOCAL: Setting connection queue length to 200
    Tue Aug 30 10:38:59 2016 -> Limits: Global size limit set to 104857600 bytes.
    Tue Aug 30 10:38:59 2016 -> Limits: File size limit set to 26214400 bytes.
    Tue Aug 30 10:38:59 2016 -> Limits: Recursion level limit set to 16.
    Tue Aug 30 10:38:59 2016 -> Limits: Files limit set to 10000.
    Tue Aug 30 10:38:59 2016 -> Limits: Core-dump limit is 0.
    Tue Aug 30 10:38:59 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
    Tue Aug 30 10:38:59 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
    Tue Aug 30 10:38:59 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
    Tue Aug 30 10:38:59 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
    Tue Aug 30 10:38:59 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
    Tue Aug 30 10:38:59 2016 -> Limits: MaxPartitions limit set to 50.
    Tue Aug 30 10:38:59 2016 -> Limits: MaxIconsPE limit set to 100.
    Tue Aug 30 10:38:59 2016 -> Limits: MaxRecHWP3 limit set to 16.
    Tue Aug 30 10:38:59 2016 -> Limits: PCREMatchLimit limit set to 10000.
    Tue Aug 30 10:38:59 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
    Tue Aug 30 10:38:59 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
    Tue Aug 30 10:38:59 2016 -> Archive support enabled.
    Tue Aug 30 10:38:59 2016 -> Algorithmic detection enabled.
    Tue Aug 30 10:38:59 2016 -> Portable Executable support enabled.
    Tue Aug 30 10:38:59 2016 -> ELF support enabled.
    Tue Aug 30 10:38:59 2016 -> Mail files support enabled.
    Tue Aug 30 10:38:59 2016 -> OLE2 support enabled.
    Tue Aug 30 10:38:59 2016 -> PDF support enabled.
    Tue Aug 30 10:38:59 2016 -> SWF support enabled.
    Tue Aug 30 10:38:59 2016 -> HTML support enabled.
    Tue Aug 30 10:38:59 2016 -> XMLDOCS support enabled.
    Tue Aug 30 10:38:59 2016 -> HWP3 support enabled.
    Tue Aug 30 10:38:59 2016 -> Self checking every 600 seconds.
    Tue Aug 30 10:38:59 2016 -> Listening daemon: PID: 3818
    Tue Aug 30 10:38:59 2016 -> MaxQueue set to: 100
    Tue Aug 30 10:38:59 2016 -> ScanOnAccess: notifying only for access attempts.
    Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Protecting '/' and rest of mount.
    Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Max file size limited to -1 bytes

And then nothing. No matter what programs I start, files I open, I simply don't get output in the logs or clamdtop related to onAccess scanning.

What am I doing wrong?

Best,
Hugo
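Added example, not part of the original message and not ClamAV project code: a small check that reads a clamd log in the LogTime format quoted above and reports whether the on-access watch was registered and whether any scan results followed it. The sample log is constructed; the test paths and the two result-line shapes ("<path>: OK" and "<path>: <signature> FOUND", with an optional "ScanOnAccess: " prefix) are assumptions.

```python
import re

# Constructed sample. The "ScanOnAccess:" startup lines are copied from the post;
# the paths and the two result lines at the end are assumed shapes.
SAMPLE_LOG = """\
Tue Aug 30 10:38:53 2016 -> +++ Started at Tue Aug 30 10:38:53 2016
Tue Aug 30 10:38:59 2016 -> ScanOnAccess: notifying only for access attempts.
Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Protecting '/' and rest of mount.
Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Max file size limited to -1 bytes
Tue Aug 30 10:41:02 2016 -> /tmp/onaccess-test/notes.txt: OK
Tue Aug 30 10:41:07 2016 -> ScanOnAccess: /tmp/onaccess-test/eicar.com: Eicar-Test-Signature FOUND
"""

LINE = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} -> (?P<msg>.*)$")
PROTECT = re.compile(r"^ScanOnAccess: Protecting '(?P<path>[^']+)'")
RESULT = re.compile(r"^(?:ScanOnAccess: )?(?P<path>/.*): (?:(?P<sig>\S+) FOUND|OK)$")


def summarize(log_text):
    """Summarise on-access activity since the most recent clamd start."""
    state = {"protected": [], "notify_only": False, "clean": 0, "found": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # skip lines without a LogTime prefix
        msg = m.group("msg")
        if msg.startswith("+++ Started at"):
            # A restart invalidates everything logged by the previous process.
            state = {"protected": [], "notify_only": False, "clean": 0, "found": []}
        elif msg == "ScanOnAccess: notifying only for access attempts.":
            state["notify_only"] = True
        elif PROTECT.match(msg):
            state["protected"].append(PROTECT.match(msg).group("path"))
        elif RESULT.match(msg):
            r = RESULT.match(msg)
            if r.group("sig"):
                state["found"].append((r.group("path"), r.group("sig")))
            else:
                state["clean"] += 1
    events = state["clean"] + len(state["found"])
    if not state["protected"]:
        state["verdict"] = "not-armed"      # no watch was ever registered
    elif events == 0:
        state["verdict"] = "armed-silent"   # watch registered, no scan results
    else:
        state["verdict"] = "armed-active"
    return state

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against the startup log quoted in the message, with no result lines after it, this reports "armed-silent".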