
#1 2018-05-28 14:35:28

Kisuke-CZE
Member
Registered: 2017-03-16
Posts: 12

ClamAV OnAccess scanning does not trigger VirusEvent action

Hi,

I just managed to set up an OnAccess virus scanner using ClamAV. It seems to be working fine.
Clamd runs as root. I can see the "virus" was successfully found in the clamav logfile (and in journalctl):

Mon May 28 14:32:19 2018 -> ScanOnAccess: /path/to/eicar_com.zip: Eicar-Test-Signature FOUND

But clamav apparently does not run the VirusEvent action configured in /etc/clamav/clamd.conf:

VirusEvent /etc/clamav/detected.sh

The script works OK if I run it as root. I also tried to map VirusEvent to something simple:

VirusEvent /usr/bin/echo "Found virus: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME" >> /var/log/clamav/infected.log

But it does not work either.
I found a mailing list thread where someone probably has the same problem, but there is no solution there:
http://lists.clamav.net/pipermail/clama … 04156.html

Has anyone got this working properly?


#2 2018-07-30 17:07:54

2-d
Member
Registered: 2015-05-18
Posts: 6

Re: ClamAV OnAccess scanning does not trigger VirusEvent action

Hey,

Were you able to figure anything else out about this?  I am currently having the exact same issue.


#3 2018-07-30 23:21:29

2-d
Member
Registered: 2015-05-18
Posts: 6

Re: ClamAV OnAccess scanning does not trigger VirusEvent action

So I downloaded the source to take a look at what was happening.

This is the function that is called when ScanOnAccess scans a file (clamd/onaccess_fan.c):

static int onas_fan_scanfile(int fan_fd, const char *fname, struct fanotify_event_metadata *fmd, int scan, int extinfo, struct thrarg *tharg)
{
    struct fanotify_response res;
    const char *virname;
    int ret = 0;

    res.fd = fmd->fd;
    res.response = FAN_ALLOW;

    if (scan) {
        if (onas_scan(fname, fmd->fd, &virname, tharg->engine, tharg->options, extinfo) == CL_VIRUS) {
            /* TODO : FIXME? virusaction forks. This could be extraordinarily problematic, lead to deadlocks,
             * or at the very least lead to extreme memory consumption. Leaving disabled for now.*/
            //virusaction(fname, virname, tharg->opts);
            res.response = FAN_DENY;
        }
    }

    if (fmd->mask & FAN_ALL_PERM_EVENTS) {
        ret = write(fan_fd, &res, sizeof(res));
        if (ret == -1)
            logg("!ScanOnAccess: Internal error (can't write to fanotify)\n");
    }

    return ret;
}

The function that fires off the VirusEvent is commented out with a warning:

/* TODO : FIXME? virusaction forks. This could be extraordinarily problematic, lead to deadlocks, 
* or at the very least lead to extreme memory consumption. Leaving disabled for now.*/ 
//virusaction(fname, virname, tharg->opts);

So I uncommented it and compiled it. Afterwards the VirusEvent fires off successfully. However, I don't really recommend doing this given the warning, which I have no clue how to fix. It's best to wait for the developers to fix it in a subsequent release.

I know this isn't the most helpful post, but at least we know what's happening now.

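As an added example that is not from this thread or from ClamAV itself: a log-watching workaround for the disabled virusaction() call. It parses clamd's "ScanOnAccess: ... FOUND" lines (the format quoted in post #1) and invokes a handler with the same CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME variables a VirusEvent would have exported. The handler path and the two extra sample log lines are constructed.

```python
#!/usr/bin/env python3
"""Replay clamd 'ScanOnAccess ... FOUND' log lines into a VirusEvent-style handler.

Constructed workaround, not ClamAV code: the 0.100 on-access path never calls
virusaction(), so a log watcher can run the configured handler itself.
"""
import os
import re
import subprocess
import sys

# Constructed sample: the first line copies the format quoted in the thread; the
# other two are made up to show lines the parser must ignore (no "ScanOnAccess:").
SAMPLE_LOG = """\
Mon May 28 14:32:19 2018 -> ScanOnAccess: /path/to/eicar_com.zip: Eicar-Test-Signature FOUND
Mon May 28 14:32:20 2018 -> SelfCheck: Database status OK.
Mon May 28 14:33:01 2018 -> /srv/upload/sample.txt: Eicar-Test-Signature FOUND
"""

# The path group is greedy so file names containing ': ' still parse;
# a signature name never contains whitespace, so the tail is unambiguous.
ONACCESS_HIT = re.compile(r"^(?P<ts>.+?) -> ScanOnAccess: (?P<path>.+): (?P<virname>\S+) FOUND$")


def parse_onaccess_hit(line):
    """Return {'timestamp', 'filename', 'virusname'} for an on-access hit, else None."""
    m = ONACCESS_HIT.match(line.rstrip("\n"))
    if m is None:
        return None
    return {"timestamp": m["ts"], "filename": m["path"], "virusname": m["virname"]}


def virusevent_env(hit):
    """The same variables clamd exports to a VirusEvent handler."""
    return {"CLAM_VIRUSEVENT_FILENAME": hit["filename"],
            "CLAM_VIRUSEVENT_VIRUSNAME": hit["virusname"]}


def run_virusevent(hit, handler, runner=subprocess.run):
    """Invoke the handler directly (no shell) with the VirusEvent variables in its environment."""
    env = dict(os.environ, **virusevent_env(hit))
    return runner([handler], env=env, check=False)


def replay_log(text, handler, runner=subprocess.run):
    """Run the handler once per on-access hit found in text; return the parsed hits."""
    hits = []
    for line in text.splitlines():
        hit = parse_onaccess_hit(line)
        if hit is not None:
            run_virusevent(hit, handler, runner)
            hits.append(hit)
    return hits


if __name__ == "__main__":
    # Dry run over the sample; pipe `tail -F /var/log/clamav/clamav.log` to stdin for real use.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    dry = lambda argv, **kw: print("would run", argv, "for", kw["env"]["CLAM_VIRUSEVENT_FILENAME"])
    replay_log(source, "/etc/clamav/detected.sh", runner=dry)
```

Because the handler runs from the watcher rather than from inside clamd's fanotify callback, the fork happens outside the scan thread, which is the deadlock concern the commented-out code warns about.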

#4 2018-09-06 10:14:05

pathogenferry
Member
Registered: 2018-09-06
Posts: 1

Re: ClamAV OnAccess scanning does not trigger VirusEvent action

I had this issue, which doesn't affect version 0.99 but does affect 0.100. My solution was to downgrade all clam packages to version 0.99. There is still odd behaviour in version 0.99, though: if you direct VirusEvent to run a script in /usr/local/bin, it will not work, but it does in other locations.


#5 2018-11-04 13:52:31

chimist
Member
Registered: 2018-11-04
Posts: 1

Re: ClamAV OnAccess scanning does not trigger VirusEvent action

Hi, I also have this problem and want to try your solution, but am not sure about one thing.
Is this a correctly uncommented "onaccess_fan.c"?
-------------------------------
    if (scan) {
        if (onas_scan(fname, fmd->fd, &virname, tharg->engine, tharg->options, extinfo) == CL_VIRUS) {
            virusaction(fname, virname, tharg->opts);
            res.response = FAN_DENY;
        }
    }
-----------------------------
Thanks for your work.
