Hi!

No worries about sounding complainy.  I'm glad you're reaching out for help.

I recommend always running clamonacc using the --fdpass command line argument, 
provided it is available on your system. Some older systems (RHEL 7, etc.) may 
not be able to use it.  With fd-passing enabled, ClamOnAcc will pass its open 
file descriptor to ClamD so it can scan files that it wouldn't otherwise have 
read access to.  I think this should resolve the concern about scanning files 
like /home/user/eicar-test.txt.

I'm unsure why you're getting:
    133863 ERROR: ClamInotif: could not watch path '/var/www', No such file or directory

Perhaps it is a mount point or something? Anyone else have any insights?


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
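
The fd-passing idea described in the reply above, as an added example (not part of the original email and not ClamAV code): Unix-socket descriptor passing with SCM_RIGHTS, where the receiving process reads a file through a passed descriptor even though the path itself is no longer readable. The names `scanner` and `demo`, the marker bytes and the temporary file are hypothetical and constructed for the illustration.

```python
import array
import os
import socket
import tempfile

MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a signature match

def send_fd(sock, fd):
    # One data byte plus an SCM_RIGHTS control message carrying the descriptor.
    rights = array.array("i", [fd])
    sock.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, rights)])

def recv_fd(sock):
    fds = array.array("i")
    _, ancdata, _, _ = sock.recvmsg(1, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
            return fds[0]
    raise RuntimeError("no descriptor received")

def scanner(sock):
    # Hypothetical daemon side: it never opens a path, only reads the passed fd.
    with os.fdopen(recv_fd(sock), "rb") as f:
        sock.sendall(b"FOUND" if MARKER in f.read() else b"OK")

def demo(content):
    client, daemon = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(content)
    pid = os.fork()
    if pid == 0:  # child plays the daemon; it holds no descriptor for the file
        try:
            scanner(daemon)
        finally:
            os._exit(0)
    daemon.close()
    fd = os.open(tmp.name, os.O_RDONLY)  # permission check happens here, once
    os.chmod(tmp.name, 0)                # path now unreadable to non-root users
    try:
        send_fd(client, fd)
        return client.recv(16).decode()
    finally:
        os.close(fd)
        client.close()
        os.waitpid(pid, 0)
        os.unlink(tmp.name)
if __name__ == "__main__":
    print(demo(b"data " + MARKER), demo(b"clean file"))
```

Access is checked when the descriptor is opened, so the receiver only needs to be able to read from the descriptor it is handed, not to open the path.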
________________________________
From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of dee 
heffemm via clamav-users <clamav-users@lists.clamav.net>
Sent: Thursday, September 9, 2021 7:53 AM
To: clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
Cc: dee heffemm <dhef...@gmail.com>
Subject: [clamav-users] Why does clamonacc says /var/www does not exist (among 
other things)?

I'm trying to configure (ClamAV 0.103.2/26289 on Ubuntu 18.04)  `clamonacc` 
using the instructions here[1]. I got through the steps and tried starting with 
`User clamav` but got a lot of permission errors in the logs when a file was 
chmod'd 0600:

   "/home/user/eicar-test.txt: Can't open file or directory ERROR"

Ok, this makes sense because `clamav` is not UID 0. How is clamonacc supposed 
to scan files with restricted permissions? Many users can set a umask in their 
~/.bashrc to create files with 0600. In multi-user environments, it's typical 
to have /home/$USER set 0700 as well.

I changed to `User root` to see what happened, but then when using #vi on a 
file in /tmp/, it would take a good minute to open and I would get errors like: 
ERROR: ClamCom: TIMEOUT while waiting on socket (recv).  The clamav docs[2] 
seem to state running as 'root' is unnecessary:

   "a system admin need only ensure clamd has the read and access permissions 
necessary to deal with any file descriptors clamonacc may pass along. "

So, I changed back to `User clamav`.

I'd still like to monitor /tmp as it's a favorite place when any kind of 
process needs to write a file so changed `TemporaryDirectory /var/lib/clamav/` 
since it's not monitored by clamonacc and maybe won't create a race condition 
with its own temp files.

These are the other edits I've made to /etc/clamav/clamd.conf. I'd like to 
monitor /var/www since it's a writable place for the apache server (yeah, I 
know, but web apps and webmasters write files and use plugins and this is where 
they manage them, usually from a web console).

ExcludePath ^/proc
ExcludePath ^/sys
ExcludePath ^/run
ExcludePath ^/dev
ExcludePath ^/var/lib/lxcfs/cgroup
OnAccessPrevention yes
OnAccessExcludeUname clamav
OnAccessIncludePath /var/www
OnAccessIncludePath /home
OnAccessIncludePath /tmp

When I reboot however and clamd/clamonacc/freshclam come up, they can't seem to 
find "/var/www" (permissions 0755). Why is this?

 133857 ClamScanQueue: waiting to consume events ...
 133858 ClamInotif: watching '/var/www' (and all sub-directories)
 133859 ClamInotif: watching '/home' (and all sub-directories)
 133860 ClamInotif: watching '/tmp' (and all sub-directories)
 133861 Excluding temp directory: /var/lib/clamav/
 133862 ClamInotif: NVM, didn't actually need to exclude '/var/lib/clamav/'
 133863 ERROR: ClamInotif: could not watch path '/var/www', No such file or directory
 133864 ClamFanotif: attempting to feed consumer queue

Thanks for all your work on clamav! I'm trying not to sound complainy.

[1] https://docs.clamav.net/manual/OnAccess.html
[2] https://blog.clamav.net/2019/09/understanding-and-transitioning-to.html