
#1 2019-12-12 15:36:51

Biboozz
Member
Registered: 2016-10-18
Posts: 64

[SOLVED] Clamav keep scanning filesystem again and again

Hi, I just followed the ArchWiki ClamAV OnAccessScan section and my clamav daemon keeps notifying me without any read/write access. And when I access my test file `eicar.txt` I don't get a notification; it looks like clamav is scanning my files every 30 seconds.

$ sudo tail -f /var/log/clamav/clamd.log
Thu Dec 12 16:25:44 2019 -> /var/lib/clamav/MiscreantPunch099-Low.ldb: MiscreantPunch.EvilPDpdEgg.1.UNOFFICIAL FOUND
Thu Dec 12 16:25:44 2019 -> /home/thor/eicar.txt: Eicar-Test-Signature FOUND
Thu Dec 12 16:26:26 2019 -> /var/lib/clamav/MiscreantPunch099-Low.ldb: MiscreantPunch.EvilPDpdEgg.1.UNOFFICIAL FOUND
Thu Dec 12 16:26:27 2019 -> /home/thor/eicar.txt: Eicar-Test-Signature FOUND
Thu Dec 12 16:26:56 2019 -> /var/lib/clamav/MiscreantPunch099-Low.ldb: MiscreantPunch.EvilPDpdEgg.1.UNOFFICIAL FOUND
Thu Dec 12 16:26:57 2019 -> /home/thor/eicar.txt: Eicar-Test-Signature FOUND
Thu Dec 12 16:27:21 2019 -> /var/lib/clamav/MiscreantPunch099-Low.ldb: MiscreantPunch.EvilPDpdEgg.1.UNOFFICIAL FOUND
Thu Dec 12 16:27:22 2019 -> /home/thor/eicar.txt: Eicar-Test-Signature FOUND
Thu Dec 12 16:27:45 2019 -> /var/lib/clamav/MiscreantPunch099-Low.ldb: MiscreantPunch.EvilPDpdEgg.1.UNOFFICIAL FOUND
Thu Dec 12 16:27:46 2019 -> /home/thor/eicar.txt: Eicar-Test-Signature FOUND
Thu Dec 12 16:28:10 2019 -> /var/lib/clamav/MiscreantPunch099-Low.ldb: MiscreantPunch.EvilPDpdEgg.1.UNOFFICIAL FOUND
Thu Dec 12 16:28:10 2019 -> /home/thor/eicar.txt: Eicar-Test-Signature FOUND
Thu Dec 12 16:28:38 2019 -> /var/lib/clamav/MiscreantPunch099-Low.ldb: MiscreantPunch.EvilPDpdEgg.1.UNOFFICIAL FOUND
Thu Dec 12 16:28:39 2019 -> /home/thor/eicar.txt: Eicar-Test-Signature FOUND
Thu Dec 12 16:29:05 2019 -> /var/lib/clamav/MiscreantPunch099-Low.ldb: MiscreantPunch.EvilPDpdEgg.1.UNOFFICIAL FOUND
Thu Dec 12 16:29:05 2019 -> /home/thor/eicar.txt: Eicar-Test-Signature FOUND
Thu Dec 12 16:29:29 2019 -> /var/lib/clamav/MiscreantPunch099-Low.ldb: MiscreantPunch.EvilPDpdEgg.1.UNOFFICIAL FOUND
Thu Dec 12 16:29:30 2019 -> /home/thor/eicar.txt: Eicar-Test-Signature FOUND

My kernel is compiled with the fanotify kernel module

$ zgrep FANOTIFY /proc/config.gz
CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y

Here is my detection script (copied from the ArchWiki; I just modified the notify-send content):

$ cat /etc/clamav/detected.sh
#!/bin/bash
PATH=/usr/bin
alert="Signature detected: $CLAM_VIRUSEVENT_VIRUSNAME in <b>$CLAM_VIRUSEVENT_FILENAME</b>"

# Send the alert to the systemd journal if systemd-cat exists, otherwise to /var/log
if [[ -z $(command -v systemd-cat) ]]; then
        echo "$(date) - $alert" >> /var/log/clamav/detections.log
else
        # This could cause your DE to show a visual alert. Happens in Plasma, but the next visual alert is much nicer.
        echo "$alert" | /usr/bin/systemd-cat -t clamav -p emerg
fi

# Send an alert to all graphical users.
# `who` prints "user tty date time (display)"; join user and last field, e.g. "thor(:0)".
XUSERS=($(who | awk '{print $1$NF}' | sort -u))

# Iterate over every array element ("$XUSERS" alone would only yield the first user).
for XUSER in "${XUSERS[@]}"; do
    # Skip sessions without a "(display)" field (plain tty logins).
    [[ $XUSER == *\(* ]] || continue
    NAME=(${XUSER/(/ })            # "thor(:0)" -> ("thor" ":0)")
    DISPLAY=${NAME[1]/)/}          # ":0)" -> ":0"
    DBUS_ADDRESS=unix:path=/run/user/$(id -u "${NAME[0]}")/bus
    echo "run $NAME - $DISPLAY - $DBUS_ADDRESS -" >> /tmp/testlog   # debug trace
    /usr/bin/sudo -u "${NAME[0]}" DISPLAY="${DISPLAY}" \
                       DBUS_SESSION_BUS_ADDRESS="${DBUS_ADDRESS}" \
                       PATH="${PATH}" \
                       /usr/bin/notify-send -i security-low "Virus signature found" "$alert"
done

And here is my clamd configuration file (shortened):

$ cat /etc/clamav/clamd.conf |  egrep -v "(^#.*|^$)"

LogFile /var/log/clamav/clamd.log
LogTime yes
PidFile /run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /run/clamav/clamd.ctl
User root
ScanOnAccess true
OnAccessMountPath /usr
OnAccessMountPath /home/
OnAccessExcludePath /var/log/
OnAccessPrevention false
OnAccessExtraScanning true
OnAccessExcludeUID 0
OnAccessExcludeUname clamav
VirusEvent /etc/clamav/detected.sh

Edit

It looks like it's not related to OnAccess scanning; with the following config file I still get notified (but way less often) after restarting `clamav-daemon.service`:

Thu Dec 12 16:40:56 2019 -> +++ Started at Thu Dec 12 16:40:56 2019
Thu Dec 12 16:40:56 2019 -> Received 1 file descriptor(s) from systemd.
Thu Dec 12 16:40:56 2019 -> clamd daemon 0.102.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Thu Dec 12 16:40:56 2019 -> Running as user root (UID 0, GID 0)
Thu Dec 12 16:40:56 2019 -> Log file size limited to 1048576 bytes.
Thu Dec 12 16:40:56 2019 -> Reading databases from /var/lib/clamav
Thu Dec 12 16:40:56 2019 -> Not loading PUA signatures.
Thu Dec 12 16:40:56 2019 -> Bytecode: Security mode set to "TrustSigned".
Thu Dec 12 16:41:05 2019 -> Loaded 6805203 signatures.
Thu Dec 12 16:41:06 2019 -> TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd.
Thu Dec 12 16:41:06 2019 -> LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd.
Thu Dec 12 16:41:06 2019 -> Limits: Global time limit set to 120000 milliseconds.
Thu Dec 12 16:41:06 2019 -> Limits: Global size limit set to 104857600 bytes.
Thu Dec 12 16:41:06 2019 -> Limits: File size limit set to 26214400 bytes.
Thu Dec 12 16:41:06 2019 -> Limits: Recursion level limit set to 16.
Thu Dec 12 16:41:06 2019 -> Limits: Files limit set to 10000.
Thu Dec 12 16:41:06 2019 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Thu Dec 12 16:41:06 2019 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Thu Dec 12 16:41:06 2019 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Thu Dec 12 16:41:06 2019 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Thu Dec 12 16:41:06 2019 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Thu Dec 12 16:41:06 2019 -> Limits: MaxPartitions limit set to 50.
Thu Dec 12 16:41:06 2019 -> Limits: MaxIconsPE limit set to 100.
Thu Dec 12 16:41:06 2019 -> Limits: MaxRecHWP3 limit set to 16.
Thu Dec 12 16:41:06 2019 -> Limits: PCREMatchLimit limit set to 100000.
Thu Dec 12 16:41:06 2019 -> Limits: PCRERecMatchLimit limit set to 2000.
Thu Dec 12 16:41:06 2019 -> Limits: PCREMaxFileSize limit set to 26214400.
Thu Dec 12 16:41:06 2019 -> Archive support enabled.
Thu Dec 12 16:41:06 2019 -> AlertExceedsMax heuristic detection disabled.
Thu Dec 12 16:41:06 2019 -> Heuristic alerts enabled.
Thu Dec 12 16:41:06 2019 -> Portable Executable support enabled.
Thu Dec 12 16:41:06 2019 -> ELF support enabled.
Thu Dec 12 16:41:06 2019 -> Mail files support enabled.
Thu Dec 12 16:41:06 2019 -> OLE2 support enabled.
Thu Dec 12 16:41:06 2019 -> PDF support enabled.
Thu Dec 12 16:41:06 2019 -> SWF support enabled.
Thu Dec 12 16:41:06 2019 -> HTML support enabled.
Thu Dec 12 16:41:06 2019 -> XMLDOCS support enabled.
Thu Dec 12 16:41:06 2019 -> HWP3 support enabled.
Thu Dec 12 16:41:06 2019 -> Self checking every 600 seconds.
Thu Dec 12 16:41:17 2019 -> /var/lib/clamav/MiscreantPunch099-Low.ldb: MiscreantPunch.EvilPDpdEgg.1.UNOFFICIAL FOUND
Thu Dec 12 16:41:40 2019 -> /var/lib/clamav/MiscreantPunch099-Low.ldb: MiscreantPunch.EvilPDpdEgg.1.UNOFFICIAL FOUND

$ cat /etc/clamav/clamd.conf |  egrep -v "(^#.*|^$)"

LogFile /var/log/clamav/clamd.log
LogTime yes
PidFile /run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /run/clamav/clamd.ctl
User root
VirusEvent /etc/clamav/detected.sh

Edit 2

I killed the clamonacc process and I don't get notified anymore, but I'm not notified when I access the infected file either.

Solved

Hey, I solved my problem by reading the clamav documentation; the Arch Linux wiki is outdated for `clamav 0.102`. Now OnAccess scanning uses another binary, `clamonacc`, which needs to be started separately from clamav-daemon using

sudo clamonacc

Last edited by Biboozz (2019-12-12 16:12:56)

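The repeating FOUND lines in clamd.log are what gave the problem away. As an added example (not from the original post or the ClamAV project), this filter reads clamd.log lines and reports every path flagged at least MIN_HITS times with an average gap of at most WINDOW seconds, which is what a looping on-access scan or a stray clamonacc looks like; the log lines embedded below are constructed in the same format as the post's log.

```shell
#!/bin/bash
# Constructed sample in clamd.log format (LogTime yes): "<date> -> <path>: <signature> FOUND"
SAMPLE_LOG='Thu Dec 12 16:25:44 2019 -> /var/lib/clamav/MiscreantPunch099-Low.ldb: MiscreantPunch.EvilPDpdEgg.1.UNOFFICIAL FOUND
Thu Dec 12 16:25:44 2019 -> /home/thor/eicar.txt: Eicar-Test-Signature FOUND
Thu Dec 12 16:26:26 2019 -> /var/lib/clamav/MiscreantPunch099-Low.ldb: MiscreantPunch.EvilPDpdEgg.1.UNOFFICIAL FOUND
Thu Dec 12 16:26:27 2019 -> /home/thor/eicar.txt: Eicar-Test-Signature FOUND
Thu Dec 12 16:26:56 2019 -> /var/lib/clamav/MiscreantPunch099-Low.ldb: MiscreantPunch.EvilPDpdEgg.1.UNOFFICIAL FOUND
Thu Dec 12 16:41:06 2019 -> Self checking every 600 seconds.
Thu Dec 12 16:45:00 2019 -> /home/thor/Downloads/sample.bin: Constructed.Test.Sig FOUND'

# Usage: repeat_scans MIN_HITS WINDOW_SECONDS < clamd.log
# Prints "<path> <hits> <average gap in seconds>" for paths re-flagged at a rate
# that looks like a rescan loop rather than a user actually touching the file.
repeat_scans() {
    awk -v min_hits="$1" -v window="$2" '
    / FOUND$/ {
        # $4 is HH:MM:SS; convert to seconds of the day
        split($4, t, ":"); sec = t[1] * 3600 + t[2] * 60 + t[3]
        line = $0
        sub(/^.* -> /, "", line)            # drop "<date> -> "
        sub(/: [^:]* FOUND$/, "", line)     # drop ": <signature> FOUND"
        path = line
        n[path]++
        if (path in last) {
            gap = sec - last[path]
            if (gap < 0) gap += 86400       # log crossed midnight
            gaps[path] += gap
        }
        last[path] = sec
    }
    END {
        for (p in n) {
            if (n[p] < min_hits) continue
            avg = (n[p] > 1) ? gaps[p] / (n[p] - 1) : 0
            if (avg <= window) printf "%s %d %.0f\n", p, n[p], avg
        }
    }'
}

# Stand-alone run: anything re-flagged at least twice, on average within a minute.
printf '%s\n' "$SAMPLE_LOG" | repeat_scans 2 60 | sort
```

Run it against the real log with `repeat_scans 2 60 < /var/log/clamav/clamd.log`; a signature database file under /var/lib/clamav showing up here means the scanner is re-reading its own (unofficial) signatures on every pass.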
