Remi,

This is just a guess in the dark, but I've often encountered issues like that (service doesn't work when started from systemd, yet works when started from the command line) as a result of some SELinux AVC. Do you have SELinux enabled? And if so, does your test yield the desired result if you disable SELinux or make it permissive? Or look through the audit logs for AVCs.
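
One way to do the audit-log check suggested above, as an added example (this is not code from the thread, from ClamAV or from the distribution): it parses audit(8) AVC records in the form ausearch prints them, keeps the denials attributed to comm="clamd", and groups them into the (source type, target type, class, permission) tuples a policy fix would have to cover. The audit lines in the block are constructed for the example, and the SELinux types in them (antivirus_t, admin_home_t) are assumptions, not something read off Remi's system.

```python
"""Pick SELinux AVC denials for clamd out of audit-log text.

Added example for this thread; not ClamAV code and not from either poster.
The sample records are constructed and their SELinux contexts are assumed.
"""
import re
from collections import Counter

# "avc:  denied  { read open } for  pid=... comm="clamd" ... tclass=file"
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample (assumed contexts): two denials for clamd touching a file
# under /root, the matching SYSCALL record (ignored), and an unrelated httpd denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1490860722.101:4411): avc:  denied  { read } for  pid=2213 comm="clamd" name="test" dev="dm-0" ino=1234 scontext=system_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1490860722.101:4411): avc:  denied  { open } for  pid=2213 comm="clamd" path="/root/test" dev="dm-0" ino=1234 scontext=system_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1490860722.101:4411): arch=c000003e syscall=2 success=no exit=-13 comm="clamd"
type=AVC msg=audit(1490860750.330:4420): avc:  denied  { name_connect } for  pid=3001 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""


def parse_avc(text):
    """Return one dict per type=AVC record: verdict, perms list, and key=value fields."""
    records = []
    for line in text.splitlines():
        if not line.startswith("type=AVC "):
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
        for key, val in KV_RE.findall(m.group("fields")):
            rec[key] = val.strip('"')
        records.append(rec)
    return records


def denials_for(text, comm):
    """Denied AVC records whose comm= matches, e.g. 'clamd'."""
    return [r for r in parse_avc(text)
            if r["verdict"] == "denied" and r.get("comm") == comm]


def domain_type(context):
    """'system_u:system_r:antivirus_t:s0' -> 'antivirus_t'."""
    return context.split(":")[2]


def summarize(denials):
    """Count (source type, target type, class, permission) tuples: the shape
    of what a policy module (or a boolean) would have to allow."""
    counts = Counter()
    for r in denials:
        for perm in r["perms"]:
            counts[(domain_type(r["scontext"]), domain_type(r["tcontext"]),
                    r["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    clamd = denials_for(SAMPLE_AUDIT_LOG, "clamd")
    for key, n in sorted(summarize(clamd).items()):
        print("%dx %s -> %s %s:%s" % (n, *key))
    for r in clamd:
        print("denied", r["perms"], "on", r.get("path") or r.get("name"))
```

On the real box the input comes from `ausearch -m AVC -c clamd` or from `type=AVC` lines in /var/log/audit/audit.log; `getenforce` shows the current mode, and the permissive experiment asked for above is `setenforce 0`, re-run the eicar test, then `setenforce 1`. Audit hex-encodes name= and path= values that contain spaces or odd bytes; this parser leaves such values as the hex string rather than decoding them.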


On 03/31/2017 12:26 AM, Remi Bruggeman wrote:
Hey Micky

Thank you so much for your clear reply. However, I do feel you have missed the 
mark.
I have configured ClamAV to execute a script upon virus detection with the 
VirusEvent parameter in the config file.
This script will move the suspected virus into quarantine, chmod it to 400 and 
create a ticket in our ticketing system.

The problem I'm facing is that when clamd is running as a (root) service (its 
'normal' state) it does not seem to be using the on access scan, as I can 
freely manipulate the eicar test file without detection.
However, when I execute clamd as root it does detect eicar, issue a virusevent 
and execute my script.

In my original mail you'll notice I added 2 logtrails.
The first one is when Clamd is running as a service. Imagine that while this log was 
generated, I was creating a lot of eicar files and moving them to various 
places on the system. Sadly there's no output of this since Clamd did not 
detect these actions.

The second one is when clamd has been executed as a root command, exactly the same 
command that's invoked by the service, which also runs as root: "/usr/sbin/clamd -c 
/etc/clamd.d/scan.conf --foreground=yes". But here there's a significant difference. 
The moment I cat, copy or perform any other action on an eicar test file, it's found and 
handled:
Thu Mar 30 10:25:49 2017 -> ScanOnAccess: /root/test: Eicar-Test-Signature(1fa550df41e046eb56eae11d31259de9:73) FOUND
Thu Mar 30 10:35:31 2017 -> ScanOnAccess: /root/cfdf52: Eicar-Test-Signature(1fa550df41e046eb56eae11d31259de9:73) FOUND
This behavior is the expected result of clamd as a service.
The behavior is not consistent between the 2 modes of execution, while I think 
it should be.

Notably, when I remove the OnAccessMountPath parameter from the config file, 
enable DDD and set the OnAccessIncludePath to /root, the clamd service _does_ 
work as expected and the on-access system _does_ notice when I'm playing with 
eicar. However, according to policy, we are required to scan the complete filesystem.


Best Regards,

Remi


-----Original Message-----
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
Mickey Sola
Sent: Thursday, March 30, 2017 6:52 PM
To: ClamAV users ML
Subject: Re: [clamav-users] ClamAV ScanOnAccess not scanning RHEL7

Hi Remi,

Your configuration looks fine, and it seems like you're getting expected
behavior given what the log shows.

I'll explain a bit more what's happening, and why you can freely move
around the eicar testfile.

The important line is here:
Thu Mar 30 09:58:54 2017 -> ScanOnAccess: notifying only for access attempts.

As you know, using OnAccessMountPath disables DDD. It also puts the
OnAccess scanner into what's best described as "notify-only mode".

Under the DDD system, with "protection mode" enabled, the OnAccess thread
will essentially place a lock on any file under its hierarchy if that file
is accessed in any way. With the lock in place, the file will be scanned
for malicious content to determine whether the access attempt should be
allowed.

As you can imagine, inadvertently locking important system files (which
would happen if you were watching the entire filesystem in protection mode)
oftentimes leads to entire system freezes. These freezes are why DDD
prevents users from watching / .

And while OnAccessMountPath does allow you to watch the entirety of / this
comes with the tradeoff of being in notify-only mode (which scans, but does
not lock files or block access attempts) in order to prevent users from
freezing up their system.

The hope with this design was to guide users away from shooting themselves
in the foot with these tools, while still giving them the flexibility to
meet their use case (or still shoot themselves in the foot, if that was the
goal all along).

Longwinded explanation aside, to fix your problem, not knowing your exact
use case, I would suggest pointing DDD towards the parts of the system you
most expect could be an initial attack surface for malware.

Alternatively, you could continue scanning the entire system in notify-only
mode and write an external handler which deals with any threats discovered
and logged by clamd in whatever way best meets your needs.

I hope that helped clarify things a bit. Let me know if you have any
further questions or if you think I've missed the mark in some way.

Cheers,
Mickey
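
Mickey's second suggestion (keep OnAccessMountPath / in notify-only mode and let an external handler act on what clamd logs), as an added example. This is not ClamAV's code and not the VirusEvent script Remi described; it parses the "ScanOnAccess: <path>: <signature> FOUND" lines quoted in the thread, moves the file into a quarantine directory and sets it to mode 0400, the same two actions Remi's script performs. The quarantine directory, the parsing of the optional "(md5:size)" suffix on the signature name, and the rule that skips detections already inside the quarantine directory are my assumptions. The caveat the log's "notifying only" line implies is built in: by the time the line is written the access has already been allowed, so the handler is reactive and may lose the race with a move or delete; it returns None for that file instead of failing.

```python
"""Reactive handler for clamd's notify-only on-access mode.

Added example for this thread; not ClamAV code and not either poster's script.
Parses FOUND lines from clamd.log, quarantines the file, chmods it to 0400.
"""
import os
import re
import shutil
import stat
import tempfile

# "<timestamp> -> ScanOnAccess: <path>: <signature> FOUND"; the signature has no spaces,
# so the greedy path group backtracks to the last ": " before it.
FOUND_RE = re.compile(r'^(?P<ts>.+?) -> ScanOnAccess: (?P<path>.+): (?P<sig>\S+) FOUND$')
# Hash signatures are logged as Name(md5:size); other signatures are a bare name (assumed).
SIG_RE = re.compile(r'^(?P<name>[^(]+)(?:\((?P<md5>[0-9a-fA-F]{32}):(?P<size>\d+)\))?$')

# The ScanOnAccess lines below are the ones quoted in the thread's second log.
SAMPLE_LOG = """\
Thu Mar 30 10:25:39 2017 -> ScanOnAccess: notifying only for access attempts.
Thu Mar 30 10:25:39 2017 -> ScanOnAccess: Protecting '/' and rest of mount.
Thu Mar 30 10:25:49 2017 -> ScanOnAccess: /root/test: Eicar-Test-Signature(1fa550df41e046eb56eae11d31259de9:73) FOUND
Thu Mar 30 10:35:31 2017 -> ScanOnAccess: /root/cfdf52: Eicar-Test-Signature(1fa550df41e046eb56eae11d31259de9:73) FOUND
"""


def is_notify_only(log_text):
    """True when the startup banner says the on-access scanner cannot block access."""
    return "ScanOnAccess: notifying only for access attempts." in log_text


def parse_detections(log_text):
    """Yield a dict per FOUND line: ts, path, signature, and name/md5/size when present."""
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if not m:
            continue
        det = {"ts": m.group("ts"), "path": m.group("path"), "signature": m.group("sig")}
        s = SIG_RE.match(m.group("sig"))
        if s:
            det["name"] = s.group("name")
            det["md5"] = s.group("md5")
            det["size"] = int(s.group("size")) if s.group("size") else None
        yield det


def quarantine(path, qdir):
    """Move path into qdir under a unique name, chmod 0400, return the new path.

    Returns None if the file is already gone (notify-only mode: the access was
    allowed before we ran, so a move/unlink may have won) or if path is a
    symlink (the link is not what clamd scanned, and following it is unsafe).
    """
    os.makedirs(qdir, mode=0o700, exist_ok=True)
    try:
        st = os.lstat(path)                       # lstat: never follow a link
    except FileNotFoundError:
        return None
    if stat.S_ISLNK(st.st_mode):
        return None
    fd, dest = tempfile.mkstemp(prefix=os.path.basename(path) + ".", dir=qdir)
    os.close(fd)                                  # placeholder reserves a unique name
    try:
        shutil.move(path, dest)                   # replaces placeholder; works across filesystems
    except FileNotFoundError:
        os.unlink(dest)
        return None
    os.chmod(dest, 0o400)
    return dest


def handle(log_text, qdir):
    """Quarantine each reported file; return (signature, path, dest_or_None) triples.

    Detections whose path is already inside qdir are skipped, because in mount
    mode clamd keeps watching the quarantine directory and would report the
    moved file again on its next access.
    """
    results = []
    qprefix = os.path.abspath(qdir) + os.sep
    for det in parse_detections(log_text):
        if os.path.abspath(det["path"]).startswith(qprefix):
            continue
        results.append((det["signature"], det["path"], quarantine(det["path"], qdir)))
    return results
```

Feed it the tail of clamd.log (e.g. `tail -F /var/log/clamd.scan` piped into a loop calling handle on each line) and create the ticket from the returned triples. Between lstat and move the path can still be swapped by whoever owns the directory; a fully race-free version would open the parent directory and use the *at() calls, which is beyond this example.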

On Thu, Mar 30, 2017 at 5:40 AM, Remi Bruggeman <
remi.bruggeman....@bayer.com> wrote:

Hello,

I'm trying to configure the ClamAV OnAccessScan, but I'm running into some
trouble. I'm hoping anybody here has run into the same trouble and knows a
solution. As I have read the configuration options on the ClamAV Blog page,
I assume my configuration is correct, but I could of course have overlooked
something. http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html
Should I have forgotten any information required to understand what's
going wrong, feel free to ask for it.

System: RHEL7 3.10.0-514.6.1.el7.x86_64. (Red Hat)
Filesystem: ext4

yum info clamav
Installed Packages
Name        : clamav
Arch        : x86_64
Version     : 0.99.2
Release     : 1.el7
Size        : 2.4 M

Goal: ClamAV's OnAccessScan should recursively scan / and issue a
VirusEvent upon virus detection.
Configuration:
   ScanOnAccess true
   OnAccessMaxFileSize 5M
   OnAccessMountPath /
I realize this disables DDD. However, using DDD it's impossible to scan
the root dir.

Problem: When the clamd service is running the onaccess scan seems to be
doing nothing. I can freely move the eicar test file around, open it and
cat it. No intervention whatsoever.
Workaround: When I run the command that is executed by the service as
root: "/usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes" the
eicar test virus is detected and the VirusEvent is executed.
   ScanOnAccess: /root/cfdf52: Eicar-Test-Signature(1fa550df41e046eb56eae11d31259de9:73) FOUND
Expected result: The onaccess should work when the clamd service is
running and detect malicious code on access.


Additional info:
Clamd.log when the service starts:
Thu Mar 30 09:58:43 2017 -> +++ Started at Thu Mar 30 09:58:43 2017
Thu Mar 30 09:58:43 2017 -> Received 0 file descriptor(s) from systemd.
Thu Mar 30 09:58:43 2017 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Thu Mar 30 09:58:43 2017 -> Running as user root (UID 0, GID 0)
Thu Mar 30 09:58:43 2017 -> Log file size limited to 1048576 bytes.
Thu Mar 30 09:58:43 2017 -> Reading databases from /var/lib/clamav
Thu Mar 30 09:58:43 2017 -> Not loading PUA signatures.
Thu Mar 30 09:58:43 2017 -> Not loading phishing signatures.
Thu Mar 30 09:58:43 2017 -> Bytecode: Security mode set to "TrustSigned".
Thu Mar 30 09:58:43 2017 -> Disabling URL based phishing detection.
Thu Mar 30 09:58:53 2017 -> Loaded 6125132 signatures.
Thu Mar 30 09:58:54 2017 -> LOCAL: Unix socket file /var/run/clamd.scan/clamd.sock
Thu Mar 30 09:58:54 2017 -> LOCAL: Setting connection queue length to 1
Thu Mar 30 09:58:54 2017 -> Limits: Global size limit set to 104857600 bytes.
Thu Mar 30 09:58:54 2017 -> Limits: File size limit set to 26214400 bytes.
Thu Mar 30 09:58:54 2017 -> Limits: Recursion level limit set to 16.
Thu Mar 30 09:58:54 2017 -> Limits: Files limit set to 10000.
Thu Mar 30 09:58:54 2017 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Thu Mar 30 09:58:54 2017 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Thu Mar 30 09:58:54 2017 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Thu Mar 30 09:58:54 2017 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Thu Mar 30 09:58:54 2017 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Thu Mar 30 09:58:54 2017 -> Limits: MaxPartitions limit set to 50.
Thu Mar 30 09:58:54 2017 -> Limits: MaxIconsPE limit set to 100.
Thu Mar 30 09:58:54 2017 -> Limits: MaxRecHWP3 limit set to 16.
Thu Mar 30 09:58:54 2017 -> Limits: PCREMatchLimit limit set to 10000.
Thu Mar 30 09:58:54 2017 -> Limits: PCRERecMatchLimit limit set to 5000.
Thu Mar 30 09:58:54 2017 -> Limits: PCREMaxFileSize limit set to 26214400.
Thu Mar 30 09:58:54 2017 -> Archive support enabled.
Thu Mar 30 09:58:54 2017 -> Algorithmic detection enabled.
Thu Mar 30 09:58:54 2017 -> Portable Executable support enabled.
Thu Mar 30 09:58:54 2017 -> ELF support enabled.
Thu Mar 30 09:58:54 2017 -> Mail files support disabled.
Thu Mar 30 09:58:54 2017 -> OLE2 support enabled.
Thu Mar 30 09:58:54 2017 -> PDF support enabled.
Thu Mar 30 09:58:54 2017 -> SWF support enabled.
Thu Mar 30 09:58:54 2017 -> HTML support enabled.
Thu Mar 30 09:58:54 2017 -> XMLDOCS support enabled.
Thu Mar 30 09:58:54 2017 -> HWP3 support enabled.
Thu Mar 30 09:58:54 2017 -> Heuristic: precedence enabled
Thu Mar 30 09:58:54 2017 -> Self checking every 43200 seconds.
Thu Mar 30 09:58:54 2017 -> ScanOnAccess: notifying only for access attempts.
Thu Mar 30 09:58:54 2017 -> ScanOnAccess: Protecting '/' and rest of mount.
Thu Mar 30 09:58:54 2017 -> ScanOnAccess: Max file size limited to 5242880 bytes

Clamd.log when the command is executed:
Thu Mar 30 10:25:28 2017 -> +++ Started at Thu Mar 30 10:25:28 2017
Thu Mar 30 10:25:28 2017 -> Received 0 file descriptor(s) from systemd.
Thu Mar 30 10:25:28 2017 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Thu Mar 30 10:25:28 2017 -> Running as user root (UID 0, GID 0)
Thu Mar 30 10:25:28 2017 -> Log file size limited to 1048576 bytes.
Thu Mar 30 10:25:28 2017 -> Reading databases from /var/lib/clamav
Thu Mar 30 10:25:28 2017 -> Not loading PUA signatures.
Thu Mar 30 10:25:28 2017 -> Not loading phishing signatures.
Thu Mar 30 10:25:28 2017 -> Bytecode: Security mode set to "TrustSigned".
Thu Mar 30 10:25:28 2017 -> Disabling URL based phishing detection.
Thu Mar 30 10:25:38 2017 -> Loaded 6125132 signatures.
Thu Mar 30 10:25:39 2017 -> LOCAL: Unix socket file /var/run/clamd.scan/clamd.sock
Thu Mar 30 10:25:39 2017 -> LOCAL: Setting connection queue length to 1
Thu Mar 30 10:25:39 2017 -> Limits: Global size limit set to 104857600 bytes.
Thu Mar 30 10:25:39 2017 -> Limits: File size limit set to 26214400 bytes.
Thu Mar 30 10:25:39 2017 -> Limits: Recursion level limit set to 16.
Thu Mar 30 10:25:39 2017 -> Limits: Files limit set to 10000.
Thu Mar 30 10:25:39 2017 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Thu Mar 30 10:25:39 2017 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Thu Mar 30 10:25:39 2017 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Thu Mar 30 10:25:39 2017 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Thu Mar 30 10:25:39 2017 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Thu Mar 30 10:25:39 2017 -> Limits: MaxPartitions limit set to 50.
Thu Mar 30 10:25:39 2017 -> Limits: MaxIconsPE limit set to 100.
Thu Mar 30 10:25:39 2017 -> Limits: MaxRecHWP3 limit set to 16.
Thu Mar 30 10:25:39 2017 -> Limits: PCREMatchLimit limit set to 10000.
Thu Mar 30 10:25:39 2017 -> Limits: PCRERecMatchLimit limit set to 5000.
Thu Mar 30 10:25:39 2017 -> Limits: PCREMaxFileSize limit set to 26214400.
Thu Mar 30 10:25:39 2017 -> Archive support enabled.
Thu Mar 30 10:25:39 2017 -> Algorithmic detection enabled.
Thu Mar 30 10:25:39 2017 -> Portable Executable support enabled.
Thu Mar 30 10:25:39 2017 -> ELF support enabled.
Thu Mar 30 10:25:39 2017 -> Mail files support disabled.
Thu Mar 30 10:25:39 2017 -> OLE2 support enabled.
Thu Mar 30 10:25:39 2017 -> PDF support enabled.
Thu Mar 30 10:25:39 2017 -> SWF support enabled.
Thu Mar 30 10:25:39 2017 -> HTML support enabled.
Thu Mar 30 10:25:39 2017 -> XMLDOCS support enabled.
Thu Mar 30 10:25:39 2017 -> HWP3 support enabled.
Thu Mar 30 10:25:39 2017 -> Heuristic: precedence enabled
Thu Mar 30 10:25:39 2017 -> Self checking every 43200 seconds.
Thu Mar 30 10:25:39 2017 -> ScanOnAccess: notifying only for access attempts.
Thu Mar 30 10:25:39 2017 -> ScanOnAccess: Protecting '/' and rest of mount.
Thu Mar 30 10:25:39 2017 -> ScanOnAccess: Max file size limited to 5242880 bytes
Thu Mar 30 10:25:49 2017 -> ScanOnAccess: /root/test: Eicar-Test-Signature(1fa550df41e046eb56eae11d31259de9:73) FOUND
Thu Mar 30 10:35:31 2017 -> ScanOnAccess: /root/cfdf52: Eicar-Test-Signature(1fa550df41e046eb56eae11d31259de9:73) FOUND

Packages:
yum info clam*
Installed Packages
Name        : clamav
Arch        : x86_64
Version     : 0.99.2
Release     : 1.el7
Size        : 2.4 M
Repo        : installed
 From repo   : clamav_x86_64
Summary     : End-user tools for the Clam Antivirus scanner
URL         : http://www.clamav.net
License     : GPLv2
Description : Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this
            : software is the integration with mail servers (attachment scanning). The
            : package provides a flexible and scalable multi-threaded daemon, a command
            : line scanner, and a tool for automatic updating via Internet. The programs
            : are based on a shared library distributed with the Clam AntiVirus package,
            : which you can use with your own software. The virus database is based on
            : the virus database from OpenAntiVirus, but contains additional signatures
            : (including signatures for popular polymorphic viruses, too) and is KEPT UP
            : TO DATE.

Name        : clamav-data
Arch        : noarch
Version     : 0.99.2
Release     : 1.el7
Size        : 110 M
Repo        : installed
 From repo   : clamav_noarch
Summary     : Virus signature data for the Clam Antivirus scanner
URL         : http://www.clamav.net
License     : GPLv2
Description : This package contains the virus-database needed by clamav. This
            : database should be updated regularly; the 'clamav-update' package
            : ships a corresponding cron-job. This package and the
            : 'clamav-data-empty' package are mutually exclusive.
            :
            : Use -data when you want a working (but perhaps outdated) virus scanner
            : immediately after package installation.
            :
            : Use -data-empty when you are updating the virus database regulary and
            : do not want to download a >5MB sized rpm-package with outdated virus
            : definitions.

Name        : clamav-filesystem
Arch        : noarch
Version     : 0.99.2
Release     : 1.el7
Size        : 0.0
Repo        : installed
 From repo   : clamav_noarch
Summary     : Filesystem structure for clamav
URL         : http://www.clamav.net
License     : GPLv2
Description : This package provides the filesystem structure and contains the
            : user-creation scripts required by clamav.

Name        : clamav-lib
Arch        : x86_64
Version     : 0.99.2
Release     : 1.el7
Size        : 11 M
Repo        : installed
 From repo   : clamav_x86_64
Summary     : Dynamic libraries for the Clam Antivirus scanner
URL         : http://www.clamav.net
License     : GPLv2
Description : This package contains dynamic libraries shared between applications
            : using the Clam Antivirus scanner.

Name        : clamav-scanner
Arch        : noarch
Version     : 0.99.2
Release     : 1.el7
Size        : 22 k
Repo        : installed
 From repo   : clamav_noarch
Summary     : Clamav scanner daemon
URL         : http://www.clamav.net
License     : GPLv2
Description : This package contains a generic system wide clamd service which is
            : e.g. used by the clamav-milter package.

Name        : clamav-scanner-systemd
Arch        : noarch
Version     : 0.99.2
Release     : 1.el7
Size        : 136
Repo        : installed
 From repo   : clamav_noarch
Summary     : Systemd initscripts for clamav scanner daemon
URL         : http://www.clamav.net
License     : GPLv2
Description : The systemd initscripts for clamav-scanner.

Name        : clamav-server
Arch        : x86_64
Version     : 0.99.2
Release     : 1.el7
Size        : 244 k
Repo        : installed
 From repo   : clamav_x86_64
Summary     : Clam Antivirus scanner server
URL         : http://www.clamav.net
License     : GPLv2
Description : ATTENTION: most users do not need this package; the main package has
            : everything (or depends on it) which is needed to scan for virii on
            : workstations.
            :
            : This package contains files which are needed to execute the clamd-daemon.
            : This daemon does not provide a system-wide service. Instead of, an instance
            : of this daemon should be started for each service requiring it.
            :
            : See the README file how this can be done with a minimum of effort.

Name        : clamav-server-systemd
Arch        : noarch
Version     : 0.99.2
Release     : 1.el7
Size        : 235
Repo        : installed
 From repo   : clamav_noarch
Summary     : Systemd initscripts for clamav server
URL         : http://www.clamav.net
License     : GPLv2
Description : Systemd template for the clamav server

Name        : clamav-update
Arch        : x86_64
Version     : 0.99.2
Release     : 1.el7
Size        : 213 k
Repo        : installed
 From repo   : clamav_x86_64
Summary     : Auto-updater for the Clam Antivirus scanner data-files
URL         : http://www.clamav.net
License     : GPLv2
Description : This package contains programs which can be used to update the clamav
            : anti-virus database automatically. It uses the freshclam(1) utility for
            : this task. To activate it, uncomment the entry in /etc/cron.d/clamav-update.

Available Packages
Name        : clamav-devel
Arch        : x86_64
Version     : 0.99.2
Release     : 1.el7
Size        : 39 k
Repo        : clamav_x86_64
Summary     : Header files and libraries for the Clam Antivirus scanner
URL         : http://www.clamav.net
License     : GPLv2
Description : This package contains headerfiles and libraries which are needed to
            : build applications using clamav.

Name        : clamav-scanner-sysvinit
Arch        : noarch
Version     : 0.99.2
Release     : 1.el7
Size        : 20 k
Repo        : clamav_noarch
Summary     : SysV initscripts for clamav scanner daemon
URL         : http://www.clamav.net
License     : GPLv2
Description : The SysV initscripts for clamav-scanner.

Name        : clamav-server-sysvinit
Arch        : noarch
Version     : 0.99.2
Release     : 1.el7
Size        : 21 k
Repo        : clamav_noarch
Summary     : SysV initscripts for clamav server
URL         : http://www.clamav.net
License     : GPLv2
Description : SysV initscripts template for the clamav server

Name        : clamav-unofficial-sigs
Arch        : noarch
Version     : 3.7.2
Release     : 1.el7
Size        : 41 k
Repo        : clamav_noarch
Summary     : Scripts to download unoffical clamav signatures
URL         : http://sourceforge.net/projects/unofficial-sigs/
License     : BSD
Description : This package contains scripts and configuration files
             : that provide the capability to download, test, and
             : update the 3rd-party signature databases provide by
             : Sanesecurity, SecuriteInfo, MalwarePatrol, OITC,
             : INetMsg and ScamNailer.


Best regards,

Remi


________________________________________________________________________
The information contained in this e-mail is for the exclusive use of the
intended recipient(s) and may be confidential, proprietary, and/or
legally privileged.  Inadvertent disclosure of this message does not
constitute a waiver of any privilege.  If you receive this message in
error, please do not directly or indirectly use, print, copy, forward,
or disclose any part of this message.  Please also delete this e-mail
and all copies and notify the sender.  Thank you.
________________________________________________________________________
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
