I installed ClamAV and tried to configure its "on access" feature, but I can't get it to work. I did what I was told by https://wiki.archlinux.org/title/ClamAV and here is what happens:
Scanning manually:
$ clamscan eicar.com.txt
Loading: 12s, ETA: 0s [========================>] 8.70M/8.70M sigs
Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
/home/mbork/Downloads/eicar.com.txt: Win.Test.EICAR_HDB-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8699694
Engine version: 1.4.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 15.308 sec (0 m 15 s)
Start Date: 2024:11:14 11:54:10
End Date: 2024:11:14 11:54:25
Scanning with the daemon:
$ clamdscan eicar.com.txt
/home/mbork/Downloads/eicar.com.txt: File path check failure: Permission denied. ERROR
/home/mbork/Downloads/eicar.com.txt: File path check failure: Permission denied. ERROR
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 2
Time: 0.000 sec (0 m 0 s)
Start Date: 2024:11:14 11:55:09
End Date: 2024:11:14 11:55:09
Running `clamdscan` as root (with sudo) doesn't help.
What should I do?
Offline
Was clamav-daemon.service started before you ran clamdscan?
Please post your /etc/clamav/clamd.conf.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
Yes:
$ systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; enabled; preset: disabled)
Active: active (running) since Thu 2024-11-14 11:09:31 CET; 1h 5min ago
Invocation: c60141b3eefd45d39a62ce88cd6f89cf
TriggeredBy: ● clamav-daemon.socket
Docs: man:clamd(8)
man:clamd.conf(5)
https://docs.clamav.net/
Main PID: 156736 (clamd)
Tasks: 4 (limit: 38065)
Memory: 1.4G (peak: 1.4G)
CPU: 4min 4.040s
CGroup: /system.slice/clamav-daemon.service
└─156736 /usr/sbin/clamd --foreground=true
$ grep -v '^#\|^$' /etc/clamav/clamd.conf
LogFile /var/log/clamav/clamd.log
LogTime yes
ExtendedDetectionInfo yes
PidFile /run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /run/clamav/clamd.ctl
LocalSocket /run/clamav/clamd.ctl
MaxDirectoryRecursion 20
VirusEvent /etc/clamav/virus-event.bash
User clamav
OnAccessExtraScanning yes
OnAccessMountPath /
OnAccessExcludeUname clamav
Offline
Does user 'clamav' have access to the files you're trying to scan under normal circumstances (i.e. if you su to that user, can you access the files?)? If no, that's one problem; if yes, then the problem is likely that the systemd service has something like 'ProtectHome=true' implicitly or explicitly set.
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.
Offline
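A diagnostic for the permission half of that answer, added here as an example and not posted by anyone in the thread: it walks a path the way clamd (running as the unprivileged 'clamav' user from the config above) would and reports the first component whose mode bits block a user who is neither owner nor group member, and it prints the systemd sandboxing properties that can hide /home even when the bits are fine. It assumes GNU coreutils (stat -c, readlink -f) as on Arch Linux; the unit and user names are the thread's, and POSIX ACLs and group membership are ignored.

```sh
#!/bin/sh
# Added diagnostic, not from the thread. Finds the first path component that a
# user outside the file's owner and group (e.g. the 'clamav' account clamd runs
# as) cannot traverse or read. Assumes GNU coreutils; ignores ACLs and group
# membership, so a DENY is a strong hint rather than a verdict.

# Prints "DENY <path> (reason)" and returns 1 for the first blocking component,
# or "OK" and returns 0 when every directory on the way is world-searchable
# (o+x) and a final regular file is world-readable (o+r).
first_denied_component() {
    target=$(readlink -f -- "$1") || return 2
    # Build the chain root-first in the positional parameters so that paths
    # containing spaces survive intact.
    set --
    p=$target
    while [ "$p" != "/" ]; do
        set -- "$p" "$@"
        p=$(dirname -- "$p")
    done
    for p in "$@"; do
        mode=$(stat -c %A "$p") || return 2   # e.g. drwxr-x--- or -rw-r--r--
        if [ -d "$p" ]; then
            case $mode in
                d????????[xt]) ;;             # others may search this directory
                *) echo "DENY $p (no o+x)"; return 1 ;;
            esac
        else
            case $mode in
                ???????r??) ;;                # others may read the file
                *) echo "DENY $p (no o+r)"; return 1 ;;
            esac
        fi
    done
    echo OK
}

# Even with permissive modes, systemd sandboxing can hide /home from the daemon;
# these are the unit properties worth checking on the service from the thread.
show_clamd_sandboxing() {
    systemctl show -p User -p ProtectHome -p ProtectSystem clamav-daemon.service
}

# Usage: first_denied_component /home/mbork/Downloads/eicar.com.txt
```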
although I won't say anti-virus is a scam and most bad code is made by them to justify their existence ...
... I question active on-access scanners
reason: some time ago I read a rather complex analysis about how quite a big margin of bad code targets them as a threat vector: it's to avoid the otherwise required user interaction
it was explained that most bad code active scanners are designed for requires the user to do something stupid anyway - like open an infected mail attachment - in that case it doesn't really matter as most bad code can be written in a way that looks normal to an active scanner
rather using the scanner itself as the attack vector and trying to exploit it by some bad decoder lib for archives and media - which grants the added bonus of not being limited to user privileges but the often elevated privileges of the scanner
one scenario was described like this: sending some image or archive via e-mail and abusing a faulty 3rd party lib used by the scanner to decode the attachment - like a jpeg reader or an archive decompressor - by injecting malformed data into the decoder
this way the scanner which is meant to protect the end-user becomes the issue and opens the ability to attack the mail server
sure - the same is true for offline scanning - but again: this usually requires some active user interaction (or some timer or hook or something)
an example of a simple file deleter (done on phone):
import java.io.File;

public class Deleter
{
    public static void main(String... args)
    {
        recursiveDelete(new File("/"));
    }

    // walks the tree depth-first and deletes every regular file it reaches;
    // nothing here is a signature a scanner could match
    private static void recursiveDelete(File dir)
    {
        File[] files=dir.listFiles();
        for(File file : files)
            if(file.isDirectory())
                recursiveDelete(file);
            else
                file.delete();
    }
}
no scanner would ever flag this code although it's the same as: rm -rf /
Last edited by cryptearth (2024-11-14 12:11:44)
Offline
Does user 'clamav' have access to the files you're trying to scan under normal circumstances (i.e. if you su to that user, can you access the files?), if no, that's one problem,
I can't su to clamav (it says "This account is currently not available."), but I copied that file to a world-readable directory (the file is itself world-readable, too), and suddenly `clamdscan` worked, thanks!
I still can't make the "on access" service work, though – obviously, I want ClamAV to scan files in my home directory...
Offline
although I won't say anti-virus is a scam and most bad code is made by them to justify their existence ...
... I question active on-access scanners
I understand, though my main use-case seems legit – detecting known malware in project dependencies.
Offline
WorMzy wrote:
Does user 'clamav' have access to the files you're trying to scan under normal circumstances (i.e. if you su to that user, can you access the files?), if no, that's one problem,
I can't su to clamav (it says "This account is currently not available.")
Probably this will help there: https://wiki.archlinux.org/title/Su#Nologin_users
Offline
Probably this will help there: https://wiki.archlinux.org/title/Su#Nologin_users
Definitely, but this is not the main problem, right?
Offline