
#1 2021-06-16 09:39:38

Ferdinand
Member
From: Norway
Registered: 2020-01-02
Posts: 331

[SOLVED] clamav-clamonacc won't start (easily)

I have the exact same problem as @Hamsterkill in the topic https://bbs.archlinux.org/viewtopic.php?id=260985, but I kind of got it to work, so I'll share what I did in case it can be useful for others - and as there are remaining problems, I also hope for pointers to get it to work better :)

My /usr/lib/systemd/system/clamav-clamonacc.service:

# clamonacc systemd service file primarily the work of ChadDevOps & Aaron Brighton
# See: https://medium.com/@aaronbrighton/installation-configuration-of-clamav-antivirus-on-ubuntu-18-04-a6416bab3b41#a340

[Unit]
Description=ClamAV On-Access Scanner
Documentation=man:clamonacc(8) man:clamd.conf(5) https://www.clamav.net/documents
Requires=clamav-daemon.service
After=clamav-daemon.service syslog.target network.target

[Service]
Type=simple
User=root
ExecStartPre=/bin/bash -c "while [ ! -S /run/clamav/clamd.ctl ]; do sleep 1; done"
ExecStart=/usr/sbin/clamonacc -F --config-file=@APP_CONFIG_DIRECTORY@/clamd.conf --log=/var/log/clamav/clamonacc.log --move=/root/quarantine

[Install]
WantedBy=multi-user.target

My /etc/systemd/system/clamav-clamonacc.service.d/override.conf:

ExecStart=/usr/sbin/clamonacc -F --config-file=/etc/clamav/clamd.conf --log=/var/log/clamav/clamonacc.log --move=/root/quarantine

And the output from systemctl status clamav-clamonacc:

× clamav-clamonacc.service - ClamAV On-Access Scanner
     Loaded: loaded (/usr/lib/systemd/system/clamav-clamonacc.service; enabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/clamav-clamonacc.service.d
             └─override.conf
     Active: failed (Result: exit-code) since Wed 2021-06-16 09:44:44 CEST; 5s ago
       Docs: man:clamonacc(8)
             man:clamd.conf(5)
             https://www.clamav.net/documents
    Process: 2607 ExecStartPre=/bin/bash -c while [ ! -S /run/clamav/clamd.ctl ]; do sleep 1; done (code=exited, status=0/SUCCESS)
    Process: 2608 ExecStart=/usr/sbin/clamonacc -F --config-file=@APP_CONFIG_DIRECTORY@/clamd.conf --log=/var/log/clamav/clamonacc.log --move=/root>
   Main PID: 2608 (code=exited, status=2)
        CPU: 15ms

Jun 16 09:44:44 EliteBook systemd[1]: Starting ClamAV On-Access Scanner...
Jun 16 09:44:44 EliteBook systemd[1]: Started ClamAV On-Access Scanner.
Jun 16 09:44:44 EliteBook clamonacc[2608]: ERROR: Clamonacc: can't parse clamd configuration file @APP_CONFIG_DIRECTORY@/clamd.conf
Jun 16 09:44:44 EliteBook systemd[1]: clamav-clamonacc.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 16 09:44:44 EliteBook systemd[1]: clamav-clamonacc.service: Failed with result 'exit-code'.
Jun 16 09:44:50 EliteBook systemd[1]: /etc/systemd/system/clamav-clamonacc.service.d/override.conf:1: Assignment outside of section. Ignoring.

Now, if I try to edit the /usr/lib/systemd/system/clamav-clamonacc.service directly, and then start the service I get a sensible error from systemctl status:

ERROR: Clamonacc: at least one of OnAccessExcludeUID, OnAccessExcludeUname, or OnAccessExcludeRootUID must be specified ... it is reccomended you exclude the clamd instance UID or uname to prevent infinite event scanning loops

Since clamd runs under root, I add OnAccessExcludeRootUID to clamd.conf.

Now it will start, but only if I edit /usr/lib/systemd/system/clamav-clamonacc.service.
My /etc/systemd/system/clamav-clamonacc.service.d/override.conf is still not accepted:

● clamav-clamonacc.service - ClamAV On-Access Scanner
     Loaded: loaded (/usr/lib/systemd/system/clamav-clamonacc.service; enabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/clamav-clamonacc.service.d
             └─override.conf
     Active: active (running) since Wed 2021-06-16 10:05:26 CEST; 6min ago
       Docs: man:clamonacc(8)
             man:clamd.conf(5)
             https://www.clamav.net/documents
    Process: 3066 ExecStartPre=/bin/bash -c while [ ! -S /run/clamav/clamd.ctl ]; do sleep 1; done (code=exited, status=0/SUCCESS)
   Main PID: 3067 (clamonacc)
      Tasks: 12 (limit: 8797)
     Memory: 2.8M
        CPU: 764ms
     CGroup: /system.slice/clamav-clamonacc.service
             └─3067 /usr/sbin/clamonacc -F --config-file=/etc/clamav/clamd.conf --log=/var/log/clamav/clamonacc.log --move=/root/quarantine

Jun 16 10:05:29 EliteBook systemd[1]: /etc/systemd/system/clamav-clamonacc.service.d/override.conf:1: Assignment outside of section. Ignoring.
Jun 16 10:05:37 EliteBook clamonacc[3067]: ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
Jun 16 10:05:50 EliteBook clamonacc[3067]: ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
Jun 16 10:05:55 EliteBook clamonacc[3067]: ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
Jun 16 10:06:00 EliteBook clamonacc[3067]: ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
Jun 16 10:06:05 EliteBook clamonacc[3067]: ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
Jun 16 10:06:10 EliteBook clamonacc[3067]: ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
Jun 16 10:08:28 EliteBook clamonacc[3067]: /home/username/.mozilla/firefox/un2s0w14.default-release/sessionstore-backups/recovery.jsonlz4.tmp: Access denied. ERROR
Jun 16 10:11:00 EliteBook clamonacc[3067]: /home/username/.mozilla/firefox/un2s0w14.default-release/datareporting/glean/db/data.safe.bin: Can't allocate memory ERROR
Jun 16 10:11:00 EliteBook clamonacc[3067]: ClamMisc: Unexpected issue; Daemon failed to scan: /home/username/.mozilla/firefox/un2s0w14.default-release/datareporting/glean/>

It's working now; if I open the EICAR test-file I get notified (albeit almost a minute delayed), but I have three concerns:

  1. It won't scan files I access as root (because clamd must be run as root)

  2. That override thing doesn't work (I get the "Assignment outside of section"-error), so I guess I'll have to re-edit /usr/lib/systemd/system/clamav-clamonacc.service after the next ClamAV update

  3. I get a lot of errors related to connecting to clamd (and I don't always get a warning about the EICAR-file, so it matters)

For reference, here's my /etc/clamav/clamd.conf stripped of comments and empty lines:

$ grep -v \# /etc/clamav/clamd.conf | awk NF
LogFile /var/log/clamav/clamd.log
LogTime yes
PidFile /run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /run/clamav/clamd.ctl
MaxThreads 20
MaxDirectoryRecursion 25
VirusEvent /etc/clamav/detected.sh
User root
OnAccessMaxFileSize 100M
OnAccessMaxThreads 10
OnAccessMountPath /
OnAccessExtraScanning yes
OnAccessExcludeRootUID yes
OnAccessExcludeUID 0

Last edited by Ferdinand (2021-06-16 11:58:42)


#2 2021-06-16 10:00:46

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,975

Re: [SOLVED] clamav-clamonacc won't start (easily)

Ferdinand wrote:

My /etc/systemd/system/clamav-clamonacc.service.d/override.conf:

ExecStart=/usr/sbin/clamonacc -F --config-file=/etc/clamav/clamd.conf --log=/var/log/clamav/clamonacc.log --move=/root/quarantine

[...]
That override thing doesn't work (I get the "Assignment outside of section"-error), so I guess I'll have to re-edit /usr/lib/systemd/system/clamav-clamonacc.service after the next ClamAV update

If you override a value in a systemd unit, you need to specify which section it's in.

[Service]
ExecStart=/usr/sbin/clamonacc -F --config-file=/etc/clamav/clamd.conf --log=/var/log/clamav/clamonacc.log --move=/root/quarantine

macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }


#3 2021-06-16 10:37:06

Ferdinand
Member
From: Norway
Registered: 2020-01-02
Posts: 331

Re: [SOLVED] clamav-clamonacc won't start (easily)

Thank you, @schard - that removed, and made sense of, the Assignment outside of section-error.

However, adding the section header produces an error "clamav-clamonacc.service: Service has more than one ExecStart= setting, which is only allowed for Type=oneshot services. Refusing."

Commenting out the ExecStart= in /usr/lib/systemd/system/clamav-clamonacc.service fixes that, but still leaves me with that file edited :P


#4 2021-06-16 11:34:19

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,975

Re: [SOLVED] clamav-clamonacc won't start (easily)

Ferdinand wrote:

Thank you, @schard - that removed, and made sense of, the Assignment outside of section-error.

However, adding the section header produces an error "clamav-clamonacc.service: Service has more than one ExecStart= setting, which is only allowed for Type=oneshot services. Refusing."

Commenting out the ExecStart= in /usr/lib/systemd/system/clamav-clamonacc.service fixes that, but still leaves me with that file edited :P

Ah, yes. This shit weird behaviour.

[Service]
ExecStart=
ExecStart=/usr/sbin/clamonacc -F --config-file=/etc/clamav/clamd.conf --log=/var/log/clamav/clamonacc.log --move=/root/quarantine

The empty setting removes all the previous ExecStart settings.


macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }
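
The three override.conf attempts in this thread, run through a simplified model of how unit fragments merge (an added example, not part of the original posts and not systemd's own parser). The function name, the trimmed unit text and the warning wording for the last two checks are assumptions made for illustration.

```python
import re

# Constructed sample: packaged unit from the first post, trimmed (--log/--move dropped).
PACKAGED = """[Unit]
Description=ClamAV On-Access Scanner
[Service]
Type=simple
ExecStart=/usr/sbin/clamonacc -F --config-file=@APP_CONFIG_DIRECTORY@/clamd.conf
"""
FIXED = "/usr/sbin/clamonacc -F --config-file=/etc/clamav/clamd.conf"
DROPINS = {  # the three override.conf variants tried in the thread
    "no section": f"ExecStart={FIXED}\n",
    "section only": f"[Service]\nExecStart={FIXED}\n",
    "reset first": f"[Service]\nExecStart=\nExecStart={FIXED}\n",
}

def effective_execstart(fragments):
    """Simplified model, not systemd's parser: returns (ExecStart list, warnings)."""
    cmds, warnings, svc_type = [], [], "simple"
    for name, text in fragments:
        section = None
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, value = (part.strip() for part in line.partition("="))
            if not sep:
                continue
            if section is None:
                warnings.append(f"{name}:{lineno}: Assignment outside of section. Ignoring.")
            elif section == "Service" and key == "Type":
                svc_type = value
            elif section == "Service" and key == "ExecStart":
                if value:
                    cmds.append(value)
                else:
                    cmds.clear()  # an empty assignment resets the list
    if len(cmds) > 1 and svc_type != "oneshot":
        warnings.append("more than one ExecStart= for a non-oneshot service: refused")
    for cmd in cmds:  # build-time placeholders that were never substituted
        warnings += [f"unexpanded placeholder {p} in ExecStart" for p in re.findall(r"@[A-Z_]+@", cmd)]
    return cmds, warnings

if __name__ == "__main__":
    for label, dropin in DROPINS.items():
        print(label, *effective_execstart([("unit", PACKAGED), ("override.conf", dropin)]), sep="\n  ")
```

Only the "reset first" variant yields a single ExecStart with no warnings; on a live system, `systemctl cat clamav-clamonacc` shows the merged fragments that systemd actually loaded.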


#5 2021-06-16 11:58:18

Ferdinand
Member
From: Norway
Registered: 2020-01-02
Posts: 331

Re: [SOLVED] clamav-clamonacc won't start (easily)

That did it :)
Thanks for helping out!

I guess that pretty much nails it.

On a side note I just got a truckload of (presumably) false positives for my Firefox extensions.
Moving those to /root/quarantine did me no good, so now the ExecStart is /usr/sbin/clamonacc -F --config-file=/etc/clamav/clamd.conf --log=/var/log/clamav/clamonacc.log
and it seems to work well - alerting me but not messing with my files :)
