On Tue, Jun 15, 2021 at 7:19 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Tue, 15 Jun 2021, Lee, Raymond via clamav-users wrote:
>
> > ... I don't want this thread to become a debate about whether or not to
> > scan the entire system.  I was just looking for insight into my question
> > about clamd and SELinux.
>
> Sure, with you.  FWIW I don't scan Linux systems.  Primarily I use
> ClamAV to scan mail, and I'm not especially interested in malware.
>
> As far as SELinux is concerned it seems to me that it's most likely
> doing what it's supposed to do.  My personal take on it is that there's
> no reason on Earth to scan a shadow_t type file with ClamAV, and if
> you do let it do that you risk a vulnerability in ClamAV ruining your
> whole holiday.  I don't know why you aren't seeing the log messages
> which you're expecting to see, perhaps it's a permissions issue too.
>
>
I figured it out!  Apparently, there were dontaudit rules that were
preventing the SELinux denials from being logged to audit.log.  I
temporarily disabled the dontaudit rules with 'semodule -DB' and then
re-ran clamdscan with SELinux in Permissive mode.  Then I saw the AVC
denial messages in audit.log and was able to use audit2allow to generate a
local policy to allow clamd to read the files that it was previously unable
to.


> In case it's interesting, here's the detection performance of some
> scanners for the last 40 malicious emails processed by my systems:
>
>   30 fortinet.com
>   28 drweb.com
>   26 gdatasoftware.com
>   26 escanav.com
>   26 bitdefender.com
>   25 avast.com
>   20 sophos.com
>   20 ikarus.at
>   19 eset.com
>    7 f-secure.com
>    5 f-prot.com
>    3 clamav.net
>    0 trendmicro.com
>
> The detection numbers were obtained by manually inspecting attempts to
> send suspicious mail to our servers, and after confirming that the mail
> was malicious, submitting samples to Jotti's malware scan:
>
> https://virusscan.jotti.org/
>
> This was by no means a scientific experiment.  The sample size was
> very small; the malware chose to be in the study, not the other way
> around; some of the 40 samples were almost identical; there may be
> issues with the way in which samples were presented to the scanners
> which skews the comparative results.  But as you can see, even the
> best performer only found three out of four.
>
>
LOL, I guess you get what you pay for.  Maybe I'll install the
clamav-unofficial-sigs package to hopefully get a better detection rate.

Thanks for your insight!

--
Kind Regards,
Ray


> It's food for thought.
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
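The dontaudit/audit2allow procedure Ray describes above, as an added example that is not part of the thread. The script first shows the step practitioners most often skip: summarising the collected AVC denials into "source type, target type, class, permissions" tuples before handing them to audit2allow, so you can see what a generated module would actually grant (and, following Ged's point about shadow_t, choose a clamd.conf ExcludePath instead of widening policy). The audit records embedded in it are constructed; the clamd domain name `antivirus_t`, the module name `clamd_local` and the `/tmp/clamd_avc.log` path are assumptions, not values from the thread.

```sh
#!/bin/sh
# Added example, not code from the thread. It walks the procedure Ray
# describes: temporarily surface dontaudit-suppressed AVC denials, collect
# them, and build a narrow local policy module. The audit records below are
# constructed; the clamd domain "antivirus_t" and module name "clamd_local"
# are assumptions.

# Constructed audit.log excerpt: two AVC denials for clamd touching a
# shadow_t file while SELinux is permissive, plus one SYSCALL record that
# the filter must ignore.
SAMPLE_AUDIT='type=AVC msg=audit(1623800000.123:456): avc:  denied  { read } for  pid=1234 comm="clamd" name="shadow" dev="dm-0" ino=1234567 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1623800000.124:457): avc:  denied  { open } for  pid=1234 comm="clamd" path="/etc/shadow" dev="dm-0" ino=1234567 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1623800000.124:457): arch=c000003e syscall=257 success=yes exit=5 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:antivirus_t:s0'

# summarize_denials: read audit records on stdin and print one line per
# unique "source_type target_type class permissions" tuple. Review this
# before feeding the same records to audit2allow, so you know exactly what
# a generated module would grant.
summarize_denials() {
  grep 'avc:  denied' | awk '{
    src = ""; tgt = ""; cls = ""; perm = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
      if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      if ($i == "{") {                       # permissions look like "{ read open }"
        for (j = i + 1; j <= NF && $j != "}"; j++)
          perm = (perm == "" ? $j : perm "+" $j)
      }
    }
    print src, tgt, cls, perm
  }' | sort -u
}

# run_live_procedure: the actual steps from the thread, for a root shell on
# an SELinux host. Skips itself when the policy tools are not installed.
run_live_procedure() {
  command -v semodule >/dev/null 2>&1 || { echo "semodule not found; nothing to do"; return 0; }
  semodule -DB                   # rebuild policy with dontaudit rules disabled
  setenforce 0                   # permissive: denials are logged, not enforced
  clamdscan "$1"                 # trigger the access you want to diagnose
  ausearch -m avc -ts recent | tee /tmp/clamd_avc.log | summarize_denials
  # Decide here: if the target type is something clamd has no business
  # reading (shadow_t, for example), add an ExcludePath to clamd.conf
  # instead of widening policy. Otherwise generate and inspect the module.
  audit2allow -M clamd_local < /tmp/clamd_avc.log
  cat clamd_local.te             # read the allow rules before installing them
  semodule -i clamd_local.pp
  setenforce 1                   # back to enforcing
  semodule -B                    # restore the dontaudit rules
}

if [ "${1:-}" = "--live" ]; then
  run_live_procedure "$2"
else
  # Offline demonstration on the constructed records.
  printf '%s\n' "$SAMPLE_AUDIT" | summarize_denials
fi
```

Run it with no arguments to see the summary of the constructed records; `--live /path/to/scan` performs the real steps on a host with the SELinux tools installed. Note that `semodule -B` at the end is what re-enables the dontaudit rules; leaving them disabled keeps audit.log noisy indefinitely.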
