Hi there,

On Wed, 12 Aug 2020, Silver Surfer via clamav-users wrote:

> I have installed current version of ClamAV from repos to Fedora 32.
Please always specify the exact version, because "current" might mean the current version in the repo, or it might mean a different version currently released by ClamAV upstream, and this thread might be being read by somebody two years from now trying to solve a similar problem.

For anything like ClamAV, my preference would usually be to install from upstream rather than use a version which has been packaged and quite likely patched for religious reasons by some distribution's maintainer. It's usually easier to know what's going on, for example, if you know where everything is located in the filesystem, the names of the configuration files, and exactly which libraries are in use.
> I have a problem with permission while using clamdscan/clamscan. For example, in Documents I have eicar test file. ... If I run clamscan, it has a problem with open file.
>
> WARNING: Can't open file /home/asus/Documents/eicar3.txt: Operation not permitted
>
> I think it is because I also use on-access scanning.
If you have on-access scanning enabled this would appear to me to be the expected behaviour, but you did not give us enough information to know exactly what to expect. Please post the relevant configuration, and tell us which user ran the clamscan process in your example. If you think on-access scanning is causing a problem, why not just try disabling it? Does scanning other files behave as you expect?
> In config file I have this line:
> OnAccessExcludeUname clamscan
Is 'clamscan' a user name on your system? You are making us guess.
> However it doesn’t work.
Please explain exactly what "doesn't work" means. We don't know what it is you did that you think didn't work, and we don't know why, when you did it, you think it didn't behave as you expected it to behave.
> But if I replace clamscan by root, clamscan works
Please read the clamd.conf man page, particularly the sections about the 'OnAccessExcludeRootUID' and 'OnAccessExcludeUID' directives. Please also describe what you mean by "clamscan works". That's a bit like saying "it does what I expect" without saying what you expect. What you expect might be not what someone else would expect. It's usually best to copy and paste commands and output directly from the screen to your mail, then we can see what's going on too, instead of having to guess.
> but I can also open malicious files as root, which I would like to have blocked.
You are getting into deep water here. Unless you are very careful with the configuration, if you block root access to files which ClamAV flags as suspicious then a false positive on a perfectly innocuous system file may cause problems which are difficult for you to fix. False positives are an unfortunate fact of life (and, as a consequence of Murphy's Law, they appear at the most inconvenient times).
> If I run clamdscan I get this error
> /home/asus/Documents: lstat() failed: Permission denied. ERROR
You aren't giving enough information. We need to know the UIDs and permissions of the relevant users, files and directories. Do you understand the differences between clamscan and clamdscan?
> I have found several articles or topics in forums, but all of these are very old, and there are settings which don’t exist in the current version.
There is some rubbish in articles and forums. You are right that a lot of it is ridiculously out of date and unmaintained. I have seen articles which claim to explain how ClamAV works which were written by people who evidently don't know the first thing about it. Always look to the upstream documentation at http://www.clamav.net first. It may not be the easiest read, but at least it's (usually) correct. There's a lot to get under your belt. We can't do it for you, and you need a fairly good understanding of both clamav and your system to get the best out of them and to avoid some potentially challenging pitfalls.
> I have also tried these commands, without any results:
> setsebool -P antivirus_can_scan_system 1
> setsebool -P clamd_use_jit 1
I can't help you with SELinux other than to suggest that you disable it globally to see if it removes some of the issues which confuse you. But before doing anything like that please give us more information.
> I don’t know why it doesn’t work. I have the same settings in Ubuntu, and there everything works without problem. Is there any way to fix this problem?
We need more information. For any access we need to know the UID of the process which is attempting the access and the permissions of the entire path to the files and/or directories being accessed. We need to know the UID which is running clamd. Things like SELinux can get in the way of fault-finding so you need to be clear on how you can tell if that's causing problems e.g. by looking at the logs and/or be clear on how to prevent it from causing the problems without causing other (and possibly more serious) problems.

What are the threats to which you think your system may be exposed? Please take a step back and tell us in general terms what you are trying to achieve and why you think it's necessary.

I suspect that as things stand you might pose a greater danger to your system than the threats from which you think you are trying to protect it. What will you do if ClamAV finds something? It's usually much easier to avoid the exposure in the first place than it is to find all the problems after a compromise. You don't just need to think about the system itself, you also need to consider what problems it might cause both for yourself and for everyone else on the Internet.

--
73,
Ged.
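
The check asked for above (the accessing UID against the permissions of the entire path) can be done mechanically. The following is an added example, not part of the original message or of ClamAV: a shell function that walks the directories above a file and reports the first one a given UID/GID cannot search, a common cause of "lstat() failed: Permission denied". The function name and its optional start-directory argument are assumptions of this sketch; it reads mode bits only and does not evaluate supplementary groups, ACLs or SELinux.

```sh
#!/bin/sh
# Added example (not from the thread). Mode bits only: supplementary
# groups, POSIX ACLs and SELinux policy are NOT evaluated.
# Requires GNU stat (coreutils), as shipped on Fedora and Ubuntu.

# first_blocked_component PATH UID GID [START]
#   Walks the directories from START (default /) down to the parent of
#   PATH. Prints the first directory UID/GID cannot search and returns 1;
#   returns 0 if all are searchable, 2 if a directory cannot be stat'ed.
first_blocked_component() {
    local target="$1" uid="$2" gid="$3" dir="${4:-/}"
    local rest info owner group mode bits

    # UID 0 normally bypasses directory search checks (CAP_DAC_OVERRIDE).
    [ "$uid" -eq 0 ] && return 0

    rest="${target#"$dir"}"      # path components below START
    rest="${rest#/}"
    while :; do
        info=$(stat -L -c '%u %g %a' -- "$dir") || return 2
        set -- $info
        owner=$1 group=$2 mode=$((0$3))   # leading 0: parse as octal

        # Exactly one permission class applies: owner, else group, else other.
        if   [ "$uid" -eq "$owner" ]; then bits=6
        elif [ "$gid" -eq "$group" ]; then bits=3
        else bits=0
        fi
        if [ $(( (mode >> bits) & 1 )) -eq 0 ]; then
            printf '%s\n' "$dir"
            return 1
        fi

        # Only the final component (the lstat target itself) is left: done.
        case "$rest" in */*) ;; *) return 0 ;; esac
        dir="${dir%/}/${rest%%/*}"
        rest="${rest#*/}"
    done
}
```

Call it with the file that failed and the numeric UID and primary GID of whichever account runs the scanning process on your system; "namei -l" from util-linux prints the same per-directory ownership and modes for a manual check.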