LinUser166 via clamav-users wrote:
ClamOnAcc not starting VirusEvent script, though virus is FOUND.
I want Clamav to give me a notification on my desktop, if I download a
file with a virus.
For that purpose I have set up ClamOnAcc to monitor the Download folder
and, on VirusEvent, to start a small script VDetected. For now VDetected just
creates a file (TempTest).
Later, the idea is that it will notify my desktop.
My problem is that VDetected never gets started even though clamonacc
detects a new file in Download, sends the file to clamd for virus-test,
and clamd finds the virus.
I can see that in both the clamav.log and syslog file, after I have
copied the EICAR-virus-test-file to Download.
See the section "New lines in /var/log/clamav/clamav.log" far below.
I have searched on a lot of Ubuntu and Clam forums, but now I am stuck
and out of ideas.
I'm no great expert on ClamAV, but a few ideas of things to check
regarding file/directory permissions:
- Are execute permissions set on the
`/home/meuser/Documents/ClamTest/VDetected.sh` script?
- Does the user that clamd runs as ("clamav"?) have read/execute access
to that script?
- ...and execute permissions to each parent directory? (I'd guess it
probably at least has that, otherwise it probably wouldn't have the
right permissions to see files in `/home/meuser/Downloads/` either)
- ...and write access to the `/home/meuser/Documents/ClamTest/`
directory? It probably doesn't have that access by default, even if it
has read access to users' home directories.
- For a temporary test, it might be worth having the script write the
output file to `/tmp/TempTest.txt`; any user should be able to create a
file under `/tmp/`.
...
New lines with clam in /var/log/syslog
(grep "clam" /var/log/syslog)
Two lines in the last half show that the EICAR-test-file has been FOUND
as I copied it to /home/meuser/Downloads
----------------------------------------------
2025-03-18T23:08:07.235879+01:00 TestVM clamd[863]: Tue Mar 18 23:08:07 2025 -> SelfCheck: Database status OK.
2025-03-18T23:45:14.719125+01:00 TestVM systemd[1]: Configuration file /etc/systemd/system/clamav-daemon.service.d/extend.conf is marked executable. Please remove executable permission bits. Proceeding anyway.
2025-03-18T23:45:14.722057+01:00 TestVM systemd[1]: Configuration file /etc/systemd/system/clamav-daemon.service.d/extend.conf is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
2025-03-18T23:59:48.478784+01:00 TestVM freshclam[1185]: Received signal: wake up
2025-03-18T23:59:48.479344+01:00 TestVM freshclam[1185]: ClamAV update process started at Tue Mar 18 23:59:48 2025
2025-03-18T23:59:48.514566+01:00 TestVM freshclam[1185]: Tue Mar 18 23:59:48 2025 -> daily.cld database is up-to-date (version: 27581, sigs: 2073928, f-level: 90, builder: raynman)
2025-03-18T23:59:48.514653+01:00 TestVM freshclam[1185]: Tue Mar 18 23:59:48 2025 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
2025-03-18T23:59:48.514681+01:00 TestVM freshclam[1185]: Tue Mar 18 23:59:48 2025 -> bytecode.cvd database is up-to-date (version: 335, sigs: 86, f-level: 90, builder: raynman)
2025-03-19T00:05:17.993096+01:00 TestVM clamd[863]: Wed Mar 19 00:05:17 2025 -> /home/meuser/Downloads/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Again, I'm no expert, but the following two lines look suspiciously like
they might indicate that AppArmor is preventing clamd from running the
shell, which it will need to do to run the shell script:
2025-03-19T00:05:17.993322+01:00 TestVM kernel: audit: type=1400 audit(1742339117.991:165): apparmor="DENIED" operation="exec" class="file" profile="/usr/sbin/clamd" name="/usr/bin/dash" pid=5476 comm="clamd" requested_mask="x" denied_mask="x" fsuid=120 ouid=0
2025-03-19T00:05:17.998773+01:00 TestVM kernel: audit: type=1400 audit(1742339117.996:166): apparmor="DENIED" operation="exec" class="file" profile="/usr/sbin/clamd" name="/usr/bin/dash" pid=5477 comm="clamd" requested_mask="x" denied_mask="x" fsuid=120 ouid=0
2025-03-19T00:05:18.001618+01:00 TestVM clamd[863]: Wed Mar 19 00:05:17 2025 -> Client disconnected (FD 10)
2025-03-19T00:05:18.001661+01:00 TestVM clamd[863]: Wed Mar 19 00:05:17 2025 -> /home/meuser/Downloads/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
2025-03-19T00:05:18.001673+01:00 TestVM clamd[863]: Wed Mar 19 00:05:17 2025 -> Client disconnected (FD 10)
This was a terrible lot of log-files showing that nearly everything
works, except that no activity is seen from my script VDetected.
Any help will be appreciated, even just ideas to debug the problem further.
Regards LinUser166
--
Mark.
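An added diagnostic, not from this thread or from the ClamAV project, that walks Mark's permission checklist as the clamd user and pulls AppArmor "DENIED" exec records for the clamd profile out of syslog text. The sample log is constructed from the lines quoted above; the clamd user name `clamav` is an assumption, and the hook/output paths are the ones LinUser166 gave.

```shell
#!/bin/sh
# Added example: diagnose a ClamAV VirusEvent hook that never runs.
# Paths are those from the thread; CLAM_USER=clamav is an assumption.
HOOK="${HOOK:-/home/meuser/Documents/ClamTest/VDetected.sh}"
OUTDIR="${OUTDIR:-/home/meuser/Documents/ClamTest}"
CLAM_USER="${CLAM_USER:-clamav}"

# Constructed sample modelled on the clamd and kernel audit lines quoted above.
SAMPLE_LOG='2025-03-19T00:05:17.993096+01:00 TestVM clamd[863]: Wed Mar 19 00:05:17 2025 -> /home/meuser/Downloads/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
2025-03-19T00:05:17.993322+01:00 TestVM kernel: audit: type=1400 audit(1742339117.991:165): apparmor="DENIED" operation="exec" class="file" profile="/usr/sbin/clamd" name="/usr/bin/dash" pid=5476 comm="clamd" requested_mask="x" denied_mask="x" fsuid=120 ouid=0
2025-03-19T00:05:18.001618+01:00 TestVM clamd[863]: Wed Mar 19 00:05:17 2025 -> Client disconnected (FD 10)'

# Print "operation path denied_mask" for every AppArmor DENIED record whose
# profile is $1 (e.g. /usr/sbin/clamd); syslog text is read from stdin.
apparmor_denials() {
    grep 'apparmor="DENIED"' | grep "profile=\"$1\"" |
    sed -n 's/.*operation="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2 \3/p'
}

# Count clamd detections in the same text, to confirm scanning itself works.
count_found() {
    grep -c 'clamd\[[0-9]*\]:.* FOUND$' || true
}

# Mark's permission checklist, evaluated as $CLAM_USER (needs sudo).
# Prints one line per failing check; silent when everything is in order.
check_hook_perms() {
    as_clam() { sudo -n -u "$CLAM_USER" test "$@" 2>/dev/null; }
    as_clam -r "$HOOK" || echo "$CLAM_USER cannot read $HOOK"
    as_clam -x "$HOOK" || echo "$CLAM_USER cannot execute $HOOK (chmod +x?)"
    d=$(dirname "$HOOK")
    while [ "$d" != "/" ]; do           # every parent needs the x (traverse) bit
        as_clam -x "$d" || echo "$CLAM_USER cannot traverse $d"
        d=$(dirname "$d")
    done
    as_clam -w "$OUTDIR" || echo "$CLAM_USER cannot write to $OUTDIR (try /tmp first)"
}

# Demo: parse the constructed sample, or a real syslog file passed as $1.
if [ -n "${1:-}" ]; then LOG=$(cat "$1"); else LOG=$SAMPLE_LOG; fi
echo "clamd detections: $(printf '%s\n' "$LOG" | count_found)"
echo "AppArmor exec denials for /usr/sbin/clamd (operation path mask):"
printf '%s\n' "$LOG" | apparmor_denials /usr/sbin/clamd
```

A detection count above zero together with an `exec /usr/bin/dash x` denial means the file permissions are not the blocker: clamd found the file but the profile refused to let it start the shell, so `check_hook_perms` will stay silent and the AppArmor profile is where to look next.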