Hmmmm, when running clamd manually could you also try enabling debug and opening an eicar sample file in addition to the other tests you've been running?
-Mickey

On Tue, Aug 30, 2016 at 10:25 AM, Hugo Bernier <hbern...@gmail.com> wrote:
> Hi Mickey,
>
> I've set OnAccessMaxFileSize 1000M.
>
> Instead of "Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Max file size limited to -1 bytes"
> I get: "Tue Aug 30 12:44:08 2016 -> ScanOnAccess: Max file size limited to 1048576000 bytes"
>
> I still don't see any entries when I open up files.
>
> I should note that I also set this selinux boolean a couple of reboots ago.
> antivirus_can_scan_system --> on
> in selinux as well.
>
> I also tried simplifying the configuration to this, and running clamd manually.
>
> """
> LogClean yes
> LogSyslog yes
> LogVerbose yes
> LocalSocket /var/run/clamd.sock
> Foreground yes
>
> ScanOnAccess yes
> OnAccessMountPath /
> OnAccessExcludeUID 0
> """
>
> When I execute the following command:
> clamdscan minuscule.pdf
>
> In the logs I see
> Aug 30 13:20:17 localhost.localdomain clamd[13472]: /home/<snip>/Documents/minuscule.pdf: OK
>
> When I open the same file with evince, I get nothing from clamd. Note that
> I've been sticking to small files to avoid hitting the default file max (5m).
>
> Best,
> Hugo
>
> On Tue, 30 Aug 2016 at 11:54 Mickey Sola <ms...@sourcefire.com> wrote:
>
> > Hi Hugo,
> >
> > Could you try setting the max filesize option to a non-zero value and let
> > me know if that changes anything?
> >
> > -Mickey
> >
> > On Aug 30, 2016 7:51 AM, "Hugo Bernier" <hbern...@gmail.com> wrote:
> >
> > > We have a new requirement at work that we have virus scanners installed
> > > on our workstations.
> > >
> > > What I'm trying to do is demonstrate that onAccess scanning works. What
> > > I'm expecting, which could be wrong, is that there would be output either
> > > in the logs or clamdtop when a file is opened or otherwise manipulated
> > > when verbose logging and "LogClean" is enabled. My assumption is that my
> > > setup is wrong. I've used
> > > http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html
> > > as a base for the settings described below.
> > >
> > > I'm using clamav 0.99.2 from fedora 24 and the up to date stock fedora 24
> > > kernel. CONFIG_FANOTIFY=y and CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y are
> > > present in /boot/config-4.6.7-300.fc24.x86_64.
> > >
> > > Here's my configuration in /etc/clam.d/scan.conf:
> > >
> > > LogFile /var/log/clamd.scan
> > > LogFileUnlock yes
> > > LogFileMaxSize 2M
> > > LogTime yes
> > > LogClean yes
> > > LogVerbose yes
> > > LogRotate yes
> > > ExtendedDetectionInfo yes
> > > PidFile /var/run/clamd.scan/clamd.pid
> > > LocalSocket /var/run/clamd.scan/clamd.sock
> > >
> > > ScanOnAccess yes
> > > OnAccessMountPath /
> > > OnAccessMaxFileSize 0
> > > OnAccessExcludeUID 0
> > >
> > > When clamav starts, the logs show the following:
> > >
> > > Tue Aug 30 10:38:53 2016 -> +++ Started at Tue Aug 30 10:38:53 2016
> > > Tue Aug 30 10:38:53 2016 -> Received 0 file descriptor(s) from systemd.
> > > Tue Aug 30 10:38:53 2016 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
> > > Tue Aug 30 10:38:53 2016 -> Log file size limited to 2097152 bytes.
> > > Tue Aug 30 10:38:53 2016 -> Reading databases from /var/lib/clamav
> > > Tue Aug 30 10:38:53 2016 -> Not loading PUA signatures.
> > > Tue Aug 30 10:38:53 2016 -> Bytecode: Security mode set to "TrustSigned".
> > > Tue Aug 30 10:38:58 2016 -> Loaded 4772631 signatures.
> > > Tue Aug 30 10:38:59 2016 -> LOCAL: Unix socket file /var/run/clamd.scan/clamd.sock
> > > Tue Aug 30 10:38:59 2016 -> LOCAL: Setting connection queue length to 200
> > > Tue Aug 30 10:38:59 2016 -> Limits: Global size limit set to 104857600 bytes.
> > > Tue Aug 30 10:38:59 2016 -> Limits: File size limit set to 26214400 bytes.
> > > Tue Aug 30 10:38:59 2016 -> Limits: Recursion level limit set to 16.
> > > Tue Aug 30 10:38:59 2016 -> Limits: Files limit set to 10000.
> > > Tue Aug 30 10:38:59 2016 -> Limits: Core-dump limit is 0.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxPartitions limit set to 50.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxIconsPE limit set to 100.
> > > Tue Aug 30 10:38:59 2016 -> Limits: MaxRecHWP3 limit set to 16.
> > > Tue Aug 30 10:38:59 2016 -> Limits: PCREMatchLimit limit set to 10000.
> > > Tue Aug 30 10:38:59 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
> > > Tue Aug 30 10:38:59 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
> > > Tue Aug 30 10:38:59 2016 -> Archive support enabled.
> > > Tue Aug 30 10:38:59 2016 -> Algorithmic detection enabled.
> > > Tue Aug 30 10:38:59 2016 -> Portable Executable support enabled.
> > > Tue Aug 30 10:38:59 2016 -> ELF support enabled.
> > > Tue Aug 30 10:38:59 2016 -> Mail files support enabled.
> > > Tue Aug 30 10:38:59 2016 -> OLE2 support enabled.
> > > Tue Aug 30 10:38:59 2016 -> PDF support enabled.
> > > Tue Aug 30 10:38:59 2016 -> SWF support enabled.
> > > Tue Aug 30 10:38:59 2016 -> HTML support enabled.
> > > Tue Aug 30 10:38:59 2016 -> XMLDOCS support enabled.
> > > Tue Aug 30 10:38:59 2016 -> HWP3 support enabled.
> > > Tue Aug 30 10:38:59 2016 -> Self checking every 600 seconds.
> > > Tue Aug 30 10:38:59 2016 -> Listening daemon: PID: 3818
> > > Tue Aug 30 10:38:59 2016 -> MaxQueue set to: 100
> > > Tue Aug 30 10:38:59 2016 -> ScanOnAccess: notifying only for access attempts.
> > > Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Protecting '/' and rest of mount.
> > > Tue Aug 30 10:38:59 2016 -> ScanOnAccess: Max file size limited to -1 bytes
> > >
> > > And then nothing. No matter what programs I start, files I open, I simply
> > > don't get output in the logs or clamdtop related to onAccess scanning.
> > >
> > > What am I doing wrong?
> > >
> > > Best,
> > > Hugo
> > > _______________________________________________
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/vrtadmin/clamav-faq
> > >
> > > http://www.clamav.net/contact.html#ml
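A preflight script for the three things this thread circles around (fanotify support in the kernel config, the on-access options in clamd.conf, and Mickey's suggestion of opening an EICAR sample), added here as an example and not part of the thread. The default config path, the "path: signature FOUND" log line shape and the Eicar-Test-Signature name used in the comments are assumptions; the log path is Hugo's LogFile, and both paths can be overridden via the environment.

```shell
#!/bin/sh
# Added example, not from the thread: preflight checks for clamd on-access
# scanning plus an EICAR probe. CLAMD_CONF/CLAMD_LOG defaults are assumptions
# (the log path matches Hugo's LogFile); override both to fit your install.

CLAMD_CONF="${CLAMD_CONF:-/etc/clamd.d/scan.conf}"
CLAMD_LOG="${CLAMD_LOG:-/var/log/clamd.scan}"

# Returns 0 if the kernel config has fanotify and permission events (both needed).
kernel_has_fanotify() {
    cfg="${1:-/boot/config-$(uname -r)}"
    grep -qx 'CONFIG_FANOTIFY=y' "$cfg" &&
        grep -qx 'CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y' "$cfg"
}

# Returns 0 if clamd.conf enables on-access scanning for a mount and does not
# set OnAccessMaxFileSize to 0 (which the thread shows logged as "-1 bytes").
# An absent OnAccessMaxFileSize keeps clamd's default and is accepted.
conf_onaccess_ok() {
    cfg="$1"
    grep -Eq '^[[:space:]]*ScanOnAccess[[:space:]]+yes' "$cfg" || return 1
    grep -Eq '^[[:space:]]*OnAccessMountPath[[:space:]]+/' "$cfg" || return 1
    size=$(awk '/^[ \t]*OnAccessMaxFileSize[ \t]/ {print $2}' "$cfg")
    [ -z "$size" ] || [ "$size" != "0" ]
}

# Prints how many FOUND lines the clamd log has for a path. clamdscan's
# "path: OK" lines (what Hugo saw) do not count: only a FOUND proves a hit.
log_hits_for() {
    grep -c "$2: .* FOUND" "$1" 2>/dev/null || true
}

# Writes the standard EICAR test file on the protected mount, reads it so
# fanotify reports the access, then prints the number of hits logged for it.
# Run this as a normal user: OnAccessExcludeUID 0 means root's accesses are
# never reported, so a root shell would never produce a hit.
eicar_probe() {
    f="${1:-$HOME/Documents}/eicar.com"
    printf 'X5O!P%%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' >"$f"
    cat "$f" >/dev/null   # the open/read is what on-access scanning sees
    sleep 2               # give clamd time to scan and write the log line
    log_hits_for "$CLAMD_LOG" "$f"
}
```

Typical use on the workstation is `kernel_has_fanotify && conf_onaccess_ok "$CLAMD_CONF" && eicar_probe ~/Documents`; a printed 0 after the preflight passes means clamd never saw the access, which is exactly Hugo's symptom.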