Hi there,

Sorry if some of this is covering ground unnecessarily, but it's a mailing list of course and others will be reading.
On Thu, 13 May 2021, Hoevenaar, Jeffrey (GE Aviation, US) via clamav-users wrote:
> I created a test file called "jeff1234" with the EICAR test string. The clamonacc seems to find the bad file.
Seems to be working. :) Next, you'll probably want to assess the system's performance with on-access scanning enabled. I know I would.
> The file remains in place until I try to copy or modify it, then it is moved to the quarantine directory. Is that normal behavior?
It depends on the configuration. You can choose to do something to a file when it's found to be suspicious, or you can for example simply alert the user. You seem to have the installation configured to move suspicious files to a quarantine directory. It's up to you how you want to play it, but I'd call that potentially dangerous. In the List archives you will find many mentions of false positives. If a scanner falsely identifies a vital system file as a threat and it's configured to move suspicious files, then the resulting operation might break the system. You will find warnings in the 'man' pages. I recommend that you do some digging into the documentation and maybe search for the experience of others before you do much more. Do you have some sort of assessment of the threats to the system, or is this just an extension of the old adage that "something must be done, and this is something, so we must do it"?
> Is this normal output when clamonacc finds a virus?
>
> traverse_rename: Failed to rename Error:Invalid cross-device link
The function traverse_rename() is in shared/actions.c. You can see that the error 'Invalid cross-device link' itself came from the OS. It just means you tried to do something that the OS doesn't allow.

A Unix-style filesystem can be assembled from a number of different storage devices which can each have more than one 'partition'. Data which is logically stored under a single sub-directory can physically be located on different partitions. It can even (for example network file systems) be on different machines. Moving a file from one place to another within a partition can be a very fast operation which only writes directory information; moving from one partition to another is a copy operation which can take much longer, and, depending on how things are set up, the OS may even forbid it. You can't use e.g. a 'rename' operation to move a file from one partition to another. That's just the way things are with Unix-type systems.

Do you have your home directories on a different partition from that on which you have the /root directory? If I were going to choose where to put any quarantined files I'd probably choose somewhere like a directory under /var rather than somewhere under /root, but I'd want to look into the partitioning and the geography of the scans before making any decisions.

Incidentally it doesn't have to be a virus - just something that's FOUND by the scanner.

--
73, Ged.
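An added example, not ClamAV's shared/actions.c, that shows concretely why rename() cannot do what the quarantine move above asked of it and what the scanner has to do instead when the flagged file and the quarantine directory are on different filesystems. The function names (same_device, copy_then_unlink, quarantine_move, self_test), the /tmp file names and the file contents are my own constructed choices; the contents are harmless text, not the EICAR string.

```c
/* Added example, not ClamAV code. rename(2) never crosses filesystems: it
 * fails with errno EXDEV, which strerror() reports as "Invalid cross-device
 * link". The only way across is copy followed by unlink, which is slower
 * and not atomic. The same_device() check tells you in advance which case
 * a given quarantine directory will hit. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if both paths sit on the same filesystem (same st_dev), 0 if not, -1 on
 * error. Worth running on the scanned tree and the quarantine directory
 * before configuring the scanner to move files: 0 means every hit is a copy. */
int same_device(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return sa.st_dev == sb.st_dev ? 1 : 0;
}

/* Cross-filesystem fallback: copy src into a new dst (mode 0600, so the
 * quarantined file is neither world-readable nor executable), then unlink src.
 * Returns 0 on success, -1 on error; a partially written dst is removed. */
int copy_then_unlink(const char *src, const char *dst)
{
    char buf[65536];
    ssize_t n, off, w;
    int in = open(src, O_RDONLY);
    if (in < 0)
        return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0) { close(in); return -1; }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (off = 0; off < n; off += w) {
            w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { close(in); close(out); unlink(dst); return -1; }
        }
    }
    close(in);
    if (n < 0 || close(out) != 0) { unlink(dst); return -1; }
    return unlink(src);
}

/* Move src to dst: a directory-entry rename within one filesystem; copy plus
 * unlink when rename reports EXDEV. Any other rename error is passed back. */
int quarantine_move(const char *src, const char *dst)
{
    if (rename(src, dst) == 0)
        return 0;
    if (errno != EXDEV) {
        fprintf(stderr, "rename: %s\n", strerror(errno));
        return -1;
    }
    return copy_then_unlink(src, dst);
}

/* Self-check on constructed temp files under /tmp (hypothetical names, harmless
 * contents): the rename path first, then the copy+unlink path explicitly.
 * Returns 0 on success, a negative code naming the failed step. */
int self_test(void)
{
    char src[] = "/tmp/jeffXXXXXX", dst[64], rb[64] = {0};
    const char *payload = "harmless sample contents\n";
    int fd = mkstemp(src);
    if (fd < 0)
        return -1;
    if (write(fd, payload, strlen(payload)) != (ssize_t)strlen(payload)) { close(fd); return -1; }
    close(fd);
    snprintf(dst, sizeof dst, "%s.quarantined", src);
    /* Same filesystem: rename succeeds and nothing is copied. */
    if (quarantine_move(src, dst) != 0)
        return -2;
    if (access(src, F_OK) == 0 || access(dst, F_OK) != 0)
        return -3;
    /* Force the cross-device fallback and confirm the bytes survived. */
    if (copy_then_unlink(dst, src) != 0)
        return -4;
    if (access(dst, F_OK) == 0)
        return -5;
    fd = open(src, O_RDONLY);
    if (fd < 0)
        return -6;
    ssize_t got = read(fd, rb, sizeof rb - 1);
    close(fd);
    unlink(src);
    return (got > 0 && strcmp(rb, payload) == 0) ? 0 : -7;
}

int main(void)
{
    printf("same_device(/tmp,/tmp)=%d self_test=%d\n",
           same_device("/tmp", "/tmp"), self_test());
    return 0;
}
```

Two practical points fall out of this. First, the copy fallback is not atomic and does not preserve the original's ownership, timestamps or extended attributes, so a quarantine directory on the same filesystem as the trees being scanned (which is what same_device() checks, and what Ged's question about /root versus /home is getting at) gives a fast, atomic move while a cross-device one gives a full copy of every flagged file. Second, creating the quarantined copy with O_EXCL and mode 0600 means an existing file is never silently overwritten and the flagged content is not left readable or executable by other users.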