[clamav-users] Private Local Mirror with NFS
Hi,

I want to provide a private local mirror with NFS. On my server, which has access to the internet, I use freshclam to download the updates to a folder which is shared via NFS. On my clients I use

LogSyslog yes
ScriptedUpdates no
DatabaseCustomURL file:///net//clamav/main.cvd
DatabaseCustomURL file:///net//clamav/daily.cvd
DatabaseCustomURL file:///net//clamav/bytecode.cvd
PrivateMirror

in /etc/freshclam.conf. I'm able to download the updates on my clients but I always get errors because of the PrivateMirror line:

freshclam
ClamAV update process started at Thu Apr 26 17:21:53 2018
Downloading main.cvd [100%]
main.cvd updated (version: custom database, sigs: 4566249)
Downloading daily.cvd [100%]
daily.cvd updated (version: custom database, sigs: 1922512)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: custom database, sigs: 75)
Reading CVD header (main.cld): connect_error: getsockopt(SO_ERROR): fd=4 error=111: Connection refused
Can't connect to port 80 of host (IP: )
Reading CVD header (main.cvd): connect_error: getsockopt(SO_ERROR): fd=4 error=111: Connection refused
Can't connect to port 80 of host (IP: )
WARNING: Can't read main.cvd header from (IP: )
Trying again in 5 secs...
ClamAV update process started at Thu Apr 26 17:22:15 2018
Downloading main.cvd [100%]
main.cvd updated (version: custom database, sigs: 4566249)
Downloading daily.cvd [100%]
daily.cvd updated (version: custom database, sigs: 1922512)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: custom database, sigs: 75)
Reading CVD header (main.cld): connect_error: getsockopt(SO_ERROR): fd=4 error=111: Connection refused
Can't connect to port 80 of host (IP: )
Reading CVD header (main.cvd): connect_error: getsockopt(SO_ERROR): fd=4 error=111: Connection refused
Can't connect to port 80 of host (IP: )
WARNING: Can't read main.cvd header from (IP: )
Trying again in 5 secs...
ClamAV update process started at Thu Apr 26 17:22:33 2018
Downloading main.cvd [100%]
main.cvd updated (version: custom database, sigs: 4566249)
Downloading daily.cvd [100%]
daily.cvd updated (version: custom database, sigs: 1922512)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: custom database, sigs: 75)
Reading CVD header (main.cld): connect_error: getsockopt(SO_ERROR): fd=4 error=111: Connection refused
Can't connect to port 80 of host (IP: )
Reading CVD header (main.cvd): connect_error: getsockopt(SO_ERROR): fd=4 error=111: Connection refused
Can't connect to port 80 of host (IP: )
WARNING: Can't read main.cvd header from (IP: )
Giving up on ...
Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.

Is it possible to avoid them? I would actually like to just use DatabaseCustomURL as I don't need the PrivateMirror setting. I know that the PrivateMirror line is just for http, but I have to add it, since freshclam won't start otherwise.

It also seems like on my clients freshclam always downloads the updates no matter whether the files have changed or not. Is there a way to avoid this?

Best regards,
Jens

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
[clamav-users] CompressLocalDatabase does not work
Hi,

I'm trying to set up a private mirror at our site. I plan to download the signatures on a server using freshclam and then provide the signatures with an apache web server for the clients. On the server I set "CompressLocalDatabase yes" in /etc/freshclam.conf to reduce the filesize of the signatures provided by our private mirror to reduce the network load.

When I run freshclam I get the following files:

bytecode.cvd
daily.cvd
main.cvd

but after a couple of days the daily.cvd file is replaced by daily.cld. Why does this happen?

When I copy the signature files to the www folder, I end up with a daily.cld and a daily.cvd file after a couple of days, one of them is outdated. Freshclam on the clients seems to prefer to download the daily.cld file, even if there is a newer daily.cvd file on the web server. I can of course always check the folder and delete the older version, but this seems like treating symptoms instead of fixing the root cause.

Best regards,
Jens
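As an added example (not code from the thread or from ClamAV) covering both the "freshclam always downloads" question in the previous post and the daily.cld versus daily.cvd question in this one: every .cvd and .cld file starts with a 512-byte text header that carries the database version, so a mirror-side script can compare versions before copying or pruning instead of relying on file names. The header layout is assumed from the documented CVD format, and the sample headers are constructed from the version numbers quoted later in this thread.

```python
"""Read ClamAV CVD/CLD headers to decide whether a database really changed.

Added example, not from the mailing-list thread or from ClamAV. It assumes
the documented 512-byte header layout shared by .cvd and .cld files:
  ClamAV-VDB:<build time>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>
"""
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HEADER_LEN = 512
MAGIC = "ClamAV-VDB"


@dataclass(frozen=True)
class DbHeader:
    build_time: str
    version: int
    sigs: int
    flevel: int      # minimum functionality level the engine must have
    builder: str


def build_header(build_time: str, version: int, sigs: int, flevel: int,
                 builder: str, stime: int, md5: str = "X", dsig: str = "X") -> bytes:
    """Construct a sample header (used here only to build test data)."""
    text = f"{MAGIC}:{build_time}:{version}:{sigs}:{flevel}:{md5}:{dsig}:{builder}:{stime}"
    return text.encode("ascii").ljust(HEADER_LEN, b" ")


def parse_header(raw: bytes) -> DbHeader:
    """Parse the first 512 bytes of a .cvd or .cld file."""
    if len(raw) < HEADER_LEN:
        raise ValueError("file too short to hold a ClamAV database header")
    fields = raw[:HEADER_LEN].rstrip(b"\x00 ").decode("ascii", "replace").split(":")
    if fields[0] != MAGIC or len(fields) < 9:
        raise ValueError("not a ClamAV database header")
    return DbHeader(build_time=fields[1], version=int(fields[2]),
                    sigs=int(fields[3]), flevel=int(fields[4]), builder=fields[7])


def pick_newest(headers: Dict[str, bytes]) -> Optional[Tuple[str, DbHeader]]:
    """Given {filename: raw header}, e.g. for daily.cvd and daily.cld, return
    the file with the highest version. On a tie the .cvd wins: it is the
    compressed, signed form, while the .cld is rebuilt locally and unsigned."""
    best = None
    for name, raw in sorted(headers.items(), key=lambda kv: not kv[0].endswith(".cvd")):
        hdr = parse_header(raw)
        if best is None or hdr.version > best[1].version:
            best = (name, hdr)
    return best


def needs_download(local: Optional[DbHeader], mirror: DbHeader) -> bool:
    """A client only needs to fetch when the mirror's version is newer."""
    return local is None or mirror.version > local.version


def read_header(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read(HEADER_LEN)


def stale_files(db_dir: str, base: str = "daily") -> list:
    """Return the .cvd/.cld copies of `base` in db_dir that are older than the
    newest one, i.e. the files that should be removed from the mirror."""
    raws = {}
    for ext in (".cvd", ".cld"):
        path = os.path.join(db_dir, base + ext)
        if os.path.isfile(path):
            raws[base + ext] = read_header(path)
    newest = pick_newest(raws)
    return [n for n in raws if newest and n != newest[0]]


if __name__ == "__main__":
    import sys
    db_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/clamav"
    for name in stale_files(db_dir):
        print(f"{name} is older than the current daily database and can be removed")
```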
[clamav-users] On Access Scanning: Exclude files starting with a "."
Hi,

is it possible to exclude files and folders starting with a "." when using on access scanning? We use the following configuration for on access scanning:

ScanOnAccess yes
OnAccessIncludePath /home/user1
OnAccessIncludePath /home/user2
OnAccessExtraScanning yes

I have tried the following configurations:

ExcludePath ^/home/user1/\.*
ExcludePath ^/home/user1/\..*
ExcludePath ^/home/user1/\.

(and many more that I don't remember) but they did not work. Even ExcludePath .* does not work, so I might be doing something else wrong.

By the way, is it possible to hide the messages

Jul 18 13:32:54 clamd[7249]: ScanOnAccess: Performing additional scanning on file '/home/user1/.test11'

when OnAccessExtraScanning is enabled?

Best regards,
Jens
[clamav-users] ScanOnAccess: ... (null) FOUND
Hi,

we have ScanOnAccess and OnAccessExtraScanning activated. When I open firefox I get a lot of messages written to /var/log/messages every couple of seconds:

Aug 1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/3F5C8E984584F19905AC4995D97962FE97EFFBEB: (null) FOUND
Aug 1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1472223436: (null) FOUND
Aug 1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5A9A7B6DCAF96FA85AB400F1EFB97A4D2BE4289E: (null) FOUND
Aug 1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/715632663: (null) FOUND
Aug 1 12:07:04 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/8F2E3CF4AC8F00C3ACE4C932BEA76F2089A593E1: (null) FOUND
Aug 1 12:07:04 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/277127757: (null) FOUND
Aug 1 12:07:05 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/703A8CB3B4C8311394915B3A285359E7E1AF7520: (null) FOUND
Aug 1 12:07:06 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1628703657: (null) FOUND
Aug 1 12:07:06 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5D7DBEB1898CFD7B33E3406F9CA1B6D3BA12C3B6: (null) FOUND
Aug 1 12:07:06 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1952686252: (null) FOUND
Aug 1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/449677348: (null) FOUND
Aug 1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/829574285: (null) FOUND
Aug 1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/D2BB3C327EF38DDD2FE5E544DBBE084493F1D608: (null) FOUND
Aug 1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/8F2E3CF4AC8F00C3ACE4C932BEA76F2089A593E1: (null) FOUND
Aug 1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/636557989: (null) FOUND
Aug 1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5A9A7B6DCAF96FA85AB400F1EFB97A4D2BE4289E: (null) FOUND
Aug 1 12:07:10 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1707731390: (null) FOUND
Aug 1 12:07:10 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/617693635: (null) FOUND
Aug 1 12:07:11 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5D7DBEB1898CFD7B33E3406F9CA1B6D3BA12C3B6: (null) FOUND
Aug 1 12:07:11 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1367025624: (null) FOUND
Aug 1 12:07:12 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1089051163: (null) FOUND
Aug 1 12:07:13 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/2003921810: (null) FOUND
Aug 1 12:07:15 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/703A8CB3B4C8311394915B3A285359E7E1AF7520: (null) FOUND
Aug 1 12:07:15 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1845070701: (null) FOUND
Aug 1 12:07:16 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/250378345: (null) FOUND
Aug 1 12:07:16 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5D7DBEB1898CFD7B33E3406F9CA1B6D3BA12C3B6: (null) FOUND

I already hide the "ScanOnAccess: Performing additional scanning on file ..." messages by adding

:msg, startswith, "ScanOnAccess: Performing additional scanning on file" stop

to a file in /etc/rsyslog.d/. But the messages mentioned above have exactly the same format as when malware is found, so I would rather not hide them. Apart from the fact that those messages are cluttering /var/log/messages, they also trigger malware alarms on our central syslog server.

What can I do to stop those messages?

Best regards,
Jens
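As an added example (not from the thread or from ClamAV), a small syslog triage that separates a named-signature "FOUND" line from the "(null) FOUND" lines above, so a central syslog server can raise a clamd-health alert for the latter instead of a malware alarm. The sample lines are constructed in the shape quoted above; the category names and the decision to treat a missing signature name as a daemon fault are my own assumptions.

```python
"""Triage clamd ScanOnAccess syslog lines: a '(null) FOUND' line raises a
clamd-health alert instead of a malware alert.

Added example, not from the thread or from ClamAV. It assumes the line
shapes quoted in the thread; the sample lines below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# "Aug  1 12:07:02 hostname1 clamd[4051]: <message>"; the pid may be empty (clamd[])
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"clamd\[(?P<pid>\d*)\]: (?P<msg>.*)$"
)
FOUND_RE = re.compile(r"^ScanOnAccess: (?P<path>.+): (?P<sig>\S+) FOUND$")
EXTRA_RE = re.compile(r"^ScanOnAccess: Performing additional scanning on file '(?P<path>.+)'$")
EXTRA_FAIL_MSG = "ScanOnAccess: Unable to kick off extra scanning."

# Categories (assumed names), from most to least urgent.
MALWARE = "malware"                    # a named signature matched: page the responder
NULL_FOUND = "clamd_null_found"        # '(null) FOUND': no signature name, treat as a clamd fault
EXTRA_FAIL = "clamd_extra_scan_failed"  # OnAccessExtraScanning could not start a worker
EXTRA_NOTICE = "extra_scan_notice"     # debug chatter from OnAccessExtraScanning
OTHER = "other"


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    category: str
    path: Optional[str]
    signature: Optional[str]


def classify(line: str) -> Optional[Event]:
    """Return an Event for a clamd syslog line, or None if it is not one."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
    f = FOUND_RE.match(msg)
    if f:
        sig = f.group("sig")
        return Event(ts, host, NULL_FOUND if sig == "(null)" else MALWARE, f.group("path"), sig)
    e = EXTRA_RE.match(msg)
    if e:
        return Event(ts, host, EXTRA_NOTICE, e.group("path"), None)
    if msg == EXTRA_FAIL_MSG:
        return Event(ts, host, EXTRA_FAIL, None, None)
    return Event(ts, host, OTHER, None, None)


def triage(lines: List[str]) -> dict:
    """Count events per category, list hosts whose clamd looks unhealthy,
    and return only the real detections for the malware alert channel."""
    counts = Counter()
    unhealthy = set()
    hits = []
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        counts[ev.category] += 1
        if ev.category in (NULL_FOUND, EXTRA_FAIL):
            unhealthy.add(ev.host)
        if ev.category == MALWARE:
            hits.append(ev)
    return {"counts": dict(counts), "unhealthy_hosts": sorted(unhealthy), "malware": hits}


# Constructed sample lines in the shape quoted in the thread.
SAMPLE_LINES = [
    "Aug  1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1472223436: (null) FOUND",
    "Aug  1 12:07:04 hostname1 clamd[4051]: ScanOnAccess: Performing additional scanning on file '/home/user1/test2'",
    "Aug  1 12:07:04 hostname1 clamd[4051]: ScanOnAccess: /home/user1/test2: Eicar-Test-Signature FOUND",
    "Aug  9 02:40:39 hostname1 clamd[15866]: ScanOnAccess: Unable to kick off extra scanning.",
    "Aug  9 09:36:47 hostname2 clamd[]: SelfCheck: Database status OK.",
    "Aug  9 09:36:48 hostname2 sshd[123]: Accepted publickey for user1",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
```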
Re: [clamav-users] ScanOnAccess: ... (null) FOUND
> How long has this been going on?

Apparently it has been going on for a couple of days. I did not notice the "ScanOnAccess: ... (null) FOUND" messages, until I hid the "ScanOnAccess: Performing additional scanning on file ..." messages. The first occurrence was on July 23rd 13:00:08 with clamav-0.99.4-1.el7.x86_64:

Jul 23 13:00:08 hostname1 clamd[6539]: ScanOnAccess: /home/user1/.nv/GLCache/ca7c949c26f976e0f53c14399c2ef02e/3a4ed7c703a940c9: (null) FOUND
Jul 23 13:00:08 hostname1 clamd[6539]: ScanOnAccess: /home/user1/.nv/GLCache/ca7c949c26f976e0f53c14399c2ef02e: (null) FOUND

As you can see, those messages do not only appear for the firefox cache. On Jul 26th we updated clamav to clamav-0.100.1-1.el7.x86_64. But the messages still appear.

> What is your database set?

Database information
Database directory: /var/lib/clamav
main.cvd: version 58, sigs: 4566249, built on Wed Jun 7 23:38:10 2017
bytecode.cld: version 326, sigs: 93, built on Thu Jul 26 18:44:35 2018
daily.cld: version 24803, sigs: 2034540, built on Wed Aug 1 18:43:39 2018
Total number of signatures: 6600882

> What version of ClamAV are you using?

Currently clamav-0.100.1-1.el7.x86_64

> Are you using the VirusEvent hook?

No

I noticed something else. There were out of memory messages showing for clamd.

Aug 02 13:07:17 cis4test clamd[4051]: out of memory [4051]
Aug 02 13:17:17 cis4test clamd[4051]: out of memory [4051]

Unfortunately they were not associated with clamd but with journal in rsyslog, that's why I did not notice them at first. At that time the machine had 3GB of free memory and more than 25GB of free swap, so I don't understand why those messages were showing up. They also started to show up on Jul 24th 14:38:08 (after the first "ScanOnAccess: ... (null) FOUND" messages showed up). On July 26th the messages stopped after updating clamav to 0.100.1-1, but then showed up again on Aug 1st 18:56:31.

I just restarted clamav and the "out of memory" messages are no longer showing up and the "ScanOnAccess: ... (null) FOUND" messages are not either.

Summary:
Jul 23 13:00:08 -- first "ScanOnAccess: ... (null) FOUND" message
Jul 24 14:38:08 -- first "out of memory" message
Jul 26 14:44:03 -- update to clamav-0.100.1-1, "ScanOnAccess: ... (null) FOUND" messages and "out of memory" messages stop
Jul 30 09:40:44 -- "ScanOnAccess: ... (null) FOUND" messages reappear
Aug 1 18:56:31 -- "out of memory" messages reappear
Aug 2 13:38:51 -- restart clamd@scan, "ScanOnAccess: ... (null) FOUND" messages and "out of memory" messages stop

I will closely monitor the faulty machine and I will try to reproduce this behavior on a different machine and report back to you with my findings. I attached the output of clamconf.

Best regards,
Jens
Re: [clamav-users] ScanOnAccess: ... (null) FOUND
> Do you have the OnAccessExtraScanning option on by chance?

Yes, OnAccessExtraScanning is turned on.

I was able to reproduce this behavior on a different machine. It uses the same configuration as the first machine (the clamconf output can be found in my previous E-Mail). I rebooted the machine yesterday at 13:45 and left it untouched. I did not even log in. Today I logged in via ssh and the first ScanOnAccess message since the reboot in the journal was:

Aug 09 09:36:47 hostname2 clamd[]: SelfCheck: Database status OK.
Aug 09 09:37:24 hostname2 clamd[]: ScanOnAccess: Performing additional scanning on file '/home/user1/.sh_histdir/hostname2.0'
Aug 09 09:37:24 hostname2 clamd[]: ScanOnAccess: /home/user1/.sh_histdir/hostname2.0: (null) FOUND
Aug 09 09:39:34 hostname2 clamd[]: ScanOnAccess: Performing additional scanning on file '/home/user1/test2'
Aug 09 09:39:34 hostname2 clamd[]: ScanOnAccess: /home/user1/test2: (null) FOUND

On the first machine I restarted clamd@scan yesterday 13:32:05 and ran the following script

#!/bin/ksh
file="testfile.txt"
while true; do
    echo "test123" > $file
    sync
    rm $file
done

after about 13 hours clamd starts to show only the messages: "ScanOnAccess: Unable to kick off extra scanning."

Aug 09 02:40:37 hostname1 clamd[15866]: ScanOnAccess: Performing additional scanning on file '/home/user1/test/testfile.txt'
Aug 09 02:40:38 hostname1 clamd[15866]: ScanOnAccess: Performing additional scanning on file '/home/user1/test/testfile.txt'
Aug 09 02:40:39 hostname1 clamd[15866]: ScanOnAccess: Unable to kick off extra scanning.
Aug 09 02:40:39 hostname1 clamd[15866]: ScanOnAccess: Unable to kick off extra scanning.

Best regards,
Jens
Re: [clamav-users] ScanOnAccess: ... (null) FOUND
Hi Micah,

did you have time to investigate those issues? Should I create bug reports for them or are those issues being tracked already? Do you need any more information from my side?

Kr,
Jens

From: Micah Snyder (micasnyd)
Sent: Thursday, August 9, 2018 2:39 PM
To: ClamAV users ML
Subject: Re: [clamav-users] ScanOnAccess: ... (null) FOUND

I've been running clamd with OnAccess on a box using Firefox and just yesterday saw the (null) FOUND as well. I haven't had a chance to take the file in question and debug with clamscan to reproduce it and figure out what's causing it but I will do so soon.

Regarding your second issue, I believe there is a memory leak with the OnAccessExtraScanning feature because the threads that process the extra scanning work aren't being join()'d. I have a feeling that may be why you're seeing "Unable to kick off extra scanning". We're getting near the end of our development cycle for 0.101 and still have some tough work left, but we'll try to find a solution to the OnAccessExtraScanning thread joining issue if time permits.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
Re: [clamav-users] Using OnAccess scanning with Selinux
Hi Rob,

I'm facing the same issue. It's actually pretty easy to reproduce.

1) start clamd@scan service
2) login via ssh (with any user)
3) Error message shows up and clamd stops working

In my opinion this is a bug and I will create a bug report. Did you find a workaround for this problem?

Best regards,
Jens

-Original Message-
From: Rob Fulton
Sent: Friday, December 14, 2018 4:55 PM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] Using OnAccess scanning with Selinux

Hi,

I'm trying to run clamav with ScanOnAccess on the / mount on a box running selinux. I've enabled antivirus_can_scan_system in selinux but shortly after startup clamav stops scanning reporting the following:

ERROR: ScanOnAccess: Internal error (failed to read data) ... Permission denied

Initially I was getting no AVC events but discovered selinux dontaudit rules, on disabling these and making the antivirus context permissive, I can see a whole load of policy denials around access to /etc/shadow and /var/log/audit/audit.log. I'd like to avoid writing a whole load of custom policies around these individual files, it might be a constant task as the OS gets updated.

Has anybody successfully run ScanOnAccess across the whole file system whilst having selinux enabled? Is there a way to tell clamav to continue after encountering a Permission Denied? Currently it appears clamav stops its scanning and my box eventually grinds to a halt, I guess as the fanotify queue continues to build.

Any other suggestions on how to run the two together?

Regards
Rob
[clamav-users] connect clamscan output to journal with systemd-cat
Hi,

I would like to redirect the output of clamscan to the journal, which should be possible by

/usr/bin/clamscan -r /root/ 2>&1 | /usr/bin/systemd-cat --identifier="clamscan"

or

/usr/bin/systemd-cat --identifier="clamscan" /usr/bin/clamscan -r /root/

While both commands work when executed manually in the terminal, the output is not redirected when executed by a cronjob. If I put the following line into the file /etc/cron.d/clamav

* * * * * root /usr/bin/systemd-cat --identifier="clamscan" /usr/bin/clamscan -r /root/

I can see that the clamscan process is started every minute, but the output is not redirected to the journal. If I put the line

* * * * * root /usr/bin/systemd-cat --identifier="clamscan" ls /root/

into the file /etc/cron.d/clamav, it is executed every minute as well and I can see the output of ls in the journal.

Do you have any idea what could be causing the issue?

Best regards,
Jens
Re: [clamav-users] connect clamscan output to journal with systemd-cat
I probably should have mentioned that this was a minimum non-working example, which would _never_ be used on a production system. I thought that that was pretty obvious... The output is actually stored in a separate log file and not with the syslog. If you knew the complete setup, you would agree with my use of systemd-cat.

Does anybody have any ideas how I can solve my problem?

Best regards,
Jens

-Original Message-
From: Dave Nelson
Sent: Wednesday, April 3, 2019 5:21 PM
To: ClamAV users ML
Subject: Re: [clamav-users] connect clamscan output to journal with systemd-cat

Also, it should be totally unnecessary to scan your filesystem every minute, and will place an unnecessary load on your server. Postfix (or whatever) will run clamav when it needs to. And you can maybe run a full scan on your filesystem once every 24 hours if you feel paranoid. (IMHO.) Postfix will log every detection of an incoming virus, so you can watch that log, too, for a fuller view of what's happening (/var/log/mail.log by default on an Ubuntu system).

Dave

On 2019-04-03 17:48, Dave Nelson via clamav-users wrote:
> You can configure a log specially for clamav, and that should be
> plenty. Also, you can install logwatch and get mail updates once a day
> or more often. You can also install netdata if you want to monitor in
> real time, or simply watch the output of 'tail -f
> /var/log/clamav/clamav.log' it's every server admin's pleasure
> and duty to watch his/her server's logs roll by in a terminal window
> periodically. ;-)
>
> Dave
>
> On 2019-04-03 15:58, SCOTT PACKARD via clamav-users wrote:
>> Logfiles are a place where a sysadmin notices a host running smoothly
>> (lack of anything in logs) or has problems (error messages about the
>> programs show up in the logs).
>>
>> Looks like you are trying to misuse logfiles as a place to put
>> successful/unsuccessful output that's produced by a program.
>>
>> You'll want to create a separate log for your program, foo.log, and
>> write it to /var/log/ directory.
>>
>> Others can comment about scanning a host every minute.
>>
>> Regards,
>> Scott

--
With all best wishes,
Dave
Re: [clamav-users] connect clamscan output to journal with systemd-cat
I need the info in syslog and I would like to avoid writing the output of clamscan to a logfile, as I need to write the output to another logfile as well. Piping the output to logger resulted in the same issue, the output did not show up in syslog.

I found a solution to my problem

* * * * * root /usr/bin/bash -c '/usr/bin/clamscan -r /root/ 2>&1 > >(/usr/bin/systemd-cat --identifier=clamscan)'

It looks like you were right about the missing tty causing the issue. While trying to find a solution I managed to get the following output from clamscan at one point: "Must be connected to a terminal."

Thank you for your input!

Best regards,
Jens

From: Franky Van Liedekerke
Sent: Thursday, April 4, 2019 11:03 AM
To: ClamAV users ML
Subject: Re: [clamav-users] connect clamscan output to journal with systemd-cat

Do you want the info in journald or just in syslog? Because rsyslog can monitor logfiles directly too. Your call to clamscan from cron might refuse to output info (because no tty perhaps), maybe first try to get logs from clamscan via cron directly?

Franky