EdG, I will try to respond to your questions inline, below...
On 7/26/19, 11:30 AM, "clamav-users on behalf of Edouard Guigné" <clamav-users-boun...@lists.clamav.net on behalf of egui...@pasteur-cayenne.fr> wrote:

> Hello again,
>
> I read the docs from the links, but could you please help me to understand what 'on access' scanning will do / can do?

On-access scanning enables clamd to detect when a file has been accessed and automatically scan it. Depending on your settings, it may simply log the alert in your clamd.log file, or it may block access to the file if the scan verdict is not clean (i.e. a signature matched on the file).

In 0.101 and prior versions, `clamd` must be run with root privileges in order for on-access scanning to work. As a heads up, in the next version (v0.102) a separate utility named `clamonacc` will be provided that you run as root which can either pass the file descriptor to clamd, in which case clamd must be able to read the file -- or it can stream the file to clamd, in which case clamd need not have access to the original file. The streaming method is of course slower, so it may not work for every use case.

> I installed clamav on my centos 7 box, but have not yet started the clamav service.
> I have set in /etc/clamd.d/scan.conf:
>
> ScanOnAccess yes
> OnAccessIncludePath /home/usertest
>
> When I start the clamav service: will clamav scan only /home/usertest?

When a file in /home/usertest is accessed, clamd will scan the file. You can also use `clamdscan` to manually scan other files outside of /home/usertest.

> What will happen if clamav detects a virus or malware already present in /home/usertest? Will it quarantine the infected files?

It will write the scan result to your clamd.log file. If you set `OnAccessPrevention yes`, it will prevent you from accessing the file. With the new `clamonacc` tool in the next version (v0.102), you will be able to remove, move, or copy the file as well - much like you can today with `clamdscan`.
In addition, the VirusEvent feature, used to execute a script and notify the user that something was detected, will work again. As I understand it, the VirusEvent feature only works with clamdscan in versions 0.101 and 0.100 and does not presently work for on-access scanning.

> What will happen if the user tries to copy an infected file into his /home/usertest (via samba)? Will it be impossible for him to copy the infected files?

In 0.101.2 the ExtraScanning feature which detects file-move and file-copy events is disabled, due to instability issues. If you enable OnAccessPrevention, the users will be able to copy the infected file from the share to the watched location (/home/usertest), but it should be impossible to read, write, or execute the infected file. For the next version (v0.102), if ExtraScanning and OnAccessPrevention are enabled, the users won't be able to copy the infected file to the watched location.

> I would like to be reassured before starting the clamav service, and avoid any user complaints against me.

As Mark Fortescue suggested, please try it out on a test system to see if you are satisfied with how it works. Do also bear in mind that you will have to update how you configure and run on-access scanning when you upgrade to the next version.

Respectfully,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On 26/07/2019 at 10:30, J.R. via clamav-users wrote:
>> What do you mean by "You could enable 'on access' scanning
>> on the CentOS box" ?
>> Is there a special to start clamav with mode 'on access' ?
>>
>> What is this 'on access' mode ?
> https://www.clamav.net/documents/on-access-scanning
>
> https://www.clamav.net/documents/scanning#on-access-scanning
>
> https://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html
>
> Hope that helps...

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
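The reply above says that in 0.101 an on-access detection is only written to clamd.log and that VirusEvent does not fire for it, so one way to surface those detections is to filter the log for the watched path. This is an added example, not part of the original thread and not ClamAV code; the function names are hypothetical, and the log line shape, sample lines and signature name are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list detections logged by clamd for
# files under the directory given as OnAccessIncludePath.
# Assumed line shape: "[<timestamp> -> ][ScanOnAccess: ]<path>: <signature> FOUND"

# Constructed sample log lines; the signature name is a placeholder.
sample_log() {
    cat <<'EOF'
Fri Jul 26 11:30:01 2019 -> ScanOnAccess: /home/usertest/eicar.com: Constructed.Test.Sig-1 FOUND
Fri Jul 26 11:30:05 2019 -> /home/usertest/docs/report.pdf: OK
Fri Jul 26 11:31:10 2019 -> /home/usertest2/eicar.com: Constructed.Test.Sig-1 FOUND
ScanOnAccess: /home/usertest/share/note: v2.txt: Constructed.Test.Sig-1 FOUND
EOF
}

# onaccess_hits LOGFILE WATCHED_DIR
# Prints "<path><TAB><signature>" for each FOUND line whose path is inside
# WATCHED_DIR. The trailing slash keeps /home/usertest2 from matching.
onaccess_hits() {
    awk -v dir="${2%/}/" '
        / FOUND$/ {
            line = $0
            # Drop a LogTime-style prefix if the line does not start with a path or tag.
            if (line !~ /^(\/|ScanOnAccess: )/) {
                k = index(line, " -> ")
                if (k) line = substr(line, k + 4)
            }
            sub(/^ScanOnAccess: /, "", line)
            sub(/ FOUND$/, "", line)
            # Split at the LAST ": " so paths containing ": " stay intact.
            i = 0
            while ((j = index(substr(line, i + 1), ": ")) > 0) i += j
            if (i == 0) next
            path = substr(line, 1, i - 1)
            sig  = substr(line, i + 2)
            if (index(path, dir) == 1) printf "%s\t%s\n", path, sig
        }' "$1"
}

# Run against a real log when called with arguments: script.sh LOGFILE WATCHED_DIR
if [ $# -ge 2 ]; then
    onaccess_hits "$1" "$2"
fi
```

The output can be piped into whatever notification step is in use, standing in for VirusEvent on versions where it does not run for on-access detections.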