>> This is what I see from the strace:
>>
>> sendto(3, "zCONTSCAN /etc/gshadow\0", 23, 0, NULL, 0) = 23

>That's interesting. Does the client machine access clamav-central via a local
>proxy? Or more precisely, does the exemplary TCPAddr
>"clamav-central.company.com" resolve to an IP-address that the client machine
>uses on one of its interfaces?

No, it's a direct connection. In both straces I can see a connect with the correct destination address. On another host that has the same version of clamav and the same configuration file I see the zINSTREAM call. The "broken" host is on the same subnet as the central clamav server. The "working" host is on a different subnet.

>>So is it safe to use --stream in this case, despite the documentation warning?

>Well, somehow the central server needs to obtain the file contents for
>scanning.

I wasn't sure if clamdscan was doing something else that I couldn't see with strace that was causing the file to be passed.