
#1 2017-11-22 12:00:26

Demignom
Member
Registered: 2014-11-13
Posts: 13

ClamAV On-Access prevention

Hello.

I've installed and configured ClamAV with OnAccessScan according to the Arch wiki. All is working fine. ClamAV detects the test EICAR file and logs it as infected when I'm accessing it.
However, it's not actually preventing the file from being opened. What I'm trying to achieve is to prevent access to infected files, and not only notify about it.

~> cat /proc/config.gz | gunzip | grep FANOTIFY
7475:CONFIG_FANOTIFY=y
7476:CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y

Running:

~> cat /home/dem/Downloads/eicar.com.txt 
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Results in this being logged to /var/log/clamav/clamd.log:

Wed Nov 22 13:50:25 2017 -> ScanOnAccess: /home/dem/Downloads/eicar.com.txt: Eicar-Test-Signature FOUND

But the file is still opened.

Here is clamd.conf file:

LogFile /var/log/clamav/clamd.log
LogTime yes
PidFile /run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /var/lib/clamav/clamd.sock

# Enables on-access scan, requires clamd service running
ScanOnAccess true

# Set the mount point where to recursively perform the scan,
# this could be every path or multiple path (one line for path)
OnAccessMountPath /usr
OnAccessMountPath /home/
OnAccessIncludePath /mnt
OnAccessIncludePath /media
OnAccessExcludePath /var/log/

# Flag fanotify to block any events on monitored files to perform the scan
OnAccessPrevention true

# Perform scans on newly created, moved, or renamed files
OnAccessExtraScanning true

# Check the UID from the event of fanotify
OnAccessExcludeUID 0

# Specify an action to perform when clamav detects a malicious file
# it is possible to specify an inline command too
VirusEvent /etc/clamav/detected.zsh

# WARNING: clamd should run as root
User root

Note that I've tried setting OnAccessPrevention both to true and false with the same result - only logging, but not preventing.

#2 2017-11-24 03:29:04

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,132

Re: ClamAV On-Access prevention

Why do you expect it to prevent anything? Isn't that option just blocking events while the scan is performed? The description doesn't suggest it will prevent the file being opened - just that other processes won't be able to access the file while it is being scanned.

Note: I've never used this option - I'm just going by the file description, wiki and man page.


#3 2017-11-24 13:20:39

Demignom
Member
Registered: 2014-11-13
Posts: 13

Re: ClamAV On-Access prevention

Ok, sounds about right....
So is there any way to actually prevent the file from being opened/executed if ClamAV detects it as malicious?


#4 2018-02-12 09:15:57

davidhcefx
Member
Registered: 2018-02-12
Posts: 1

Re: ClamAV On-Access prevention

Add the line "VirusEvent /path/to/script", and change chmod to 600 or something...
See this page: https://askubuntu.com/questions/591325/ … v-in-14-04


#5 2018-02-12 13:35:29

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: ClamAV On-Access prevention

I would say more like chmod 000; the file could be owned by the same user trying to access it.

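A VirusEvent handler along the lines of posts #4 and #5, added here as an example (it is not code from the thread or from the ClamAV project): clamd runs the command named by VirusEvent with CLAMD_VIRUSEVENT_FILENAME and CLAMD_VIRUSEVENT_VIRUSNAME set in its environment, and this script strips all permission bits from the reported file and moves it into a quarantine directory. The quarantine directory and the event log path are assumptions, and the script needs enough privilege to chmod and move the file (clamd runs as root in the configuration above).

```shell
#!/bin/sh
# Added example VirusEvent handler for clamd (not from the thread or from ClamAV).
# clamd exports CLAMD_VIRUSEVENT_FILENAME and CLAMD_VIRUSEVENT_VIRUSNAME
# to the command configured as "VirusEvent /etc/clamav/detected.sh".
# Assumed locations; override via the environment if needed.
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/lib/clamav/quarantine}"
EVENT_LOG="${EVENT_LOG:-/var/log/clamav/virusevent.log}"

# quarantine_file PATH VIRUSNAME
#   1. chmod 000 the file first (as post #5 suggests), so even the owning
#      user cannot reopen it while the rest of this function runs;
#   2. move it into QUARANTINE_DIR under a unique name;
#   3. append a tab-separated record to EVENT_LOG.
#   Returns 0 on success, 1 if the file is missing or any step fails.
quarantine_file() {
    path=$1
    virus=$2
    [ -f "$path" ] || return 1
    { mkdir -p "$QUARANTINE_DIR" && chmod 700 "$QUARANTINE_DIR"; } || return 1
    chmod 000 "$path" || return 1
    # basename + epoch seconds + pid keeps repeated detections from colliding
    dest="$QUARANTINE_DIR/$(basename "$path").$(date +%s).$$"
    mv -- "$path" "$dest" || return 1
    printf '%s\t%s\t%s\t%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" \
        "$virus" "$path" "$dest" >> "$EVENT_LOG"
    return 0
}

# Act only when clamd invoked us (variable set); sourcing the file just
# defines the function, which makes it easy to test by hand.
if [ -n "$CLAMD_VIRUSEVENT_FILENAME" ]; then
    quarantine_file "$CLAMD_VIRUSEVENT_FILENAME" \
        "${CLAMD_VIRUSEVENT_VIRUSNAME:-unknown}"
fi
```

Because VirusEvent runs after the detection has already been logged, it cannot stop the open that triggered the scan; it closes the window for any later access.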
