
#1 2022-06-18 23:37:37

qu@rk
Member
Registered: 2021-07-28
Posts: 55

exclude clamav files and folders

How exactly would I exclude some files and folders from clamav daemon scan? It keeps removing my custom hosts file, and almost all firefox extensions.

Tried:

ExcludePath ^/home/user/.mozilla/
ExcludePath ^/etc/hosts

in /etc/clamav/clamd.conf but doesn't seem to work.

Last edited by qu@rk (2022-06-18 23:38:05)

Offline

#2 2022-06-19 12:56:15

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: exclude clamav files and folders

Not a solution, but have you tried disabling (commenting out) the VirusEvent line in clamd.conf?


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#3 2022-06-20 12:03:04

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: exclude clamav files and folders

I commented it out and it does the same. Have to completely stop the daemon just to be able to put the hosts file back. ublock gets deleted constantly as well.

Offline

#4 2022-06-24 20:29:25

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: exclude clamav files and folders

So then...do I just remove clamav altogether? How can a modified hosts file be a deal-breaker for clamav?

Offline

#5 2022-06-25 08:30:43

Koatao
Member
Registered: 2018-08-30
Posts: 92

Re: exclude clamav files and folders

Hello,
What do the logs from the scans say? Why do those files keep being deleted?
Are you even sure it comes from the scan? Because you also say it is deleted in real time.

Can you provide logs? What is the clamav's conf?

Offline

#6 2022-06-25 21:03:09

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: exclude clamav files and folders

Here's clamd.conf

LogFile /var/log/clamav/clamd.log
LogTime yes
PidFile /run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /run/clamav/clamd.ctl

ExcludePath ^/home/user/.mozilla/
ExcludePath ^/etc/hosts

OnAccessExcludePath /run
OnAccessExcludePath /sys
OnAccessExcludePath ^/home/user/.mozilla/
OnAccessExcludePath ^/etc/hosts
OnAccessMountPath /
OnAccessExcludePath /proc
OnAccessExcludeUID 0

OnAccessPrevention false
OnAccessExtraScanning true
OnAccessExcludeUname clamav
User clamav

and in the log I get only two types of warnings:

 -> /etc/hosts: PhishTank.Phishing.7428060.UNOFFICIAL FOUND
 -> /home/user/.mozilla/firefox/.../uBlock0@raymondhill.net.xpi: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND

It comes from clamd because if I don't stop clamav-daemon I can't copy hosts file back in /etc.

Last edited by qu@rk (2022-06-25 21:03:59)

Offline

#7 2022-06-26 19:33:54

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: exclude clamav files and folders

I edited the clamav-daemon service file and modified it by adding --config-file=/etc/clamav/clamd.conf to the executable.
So far so good, but I'll confirm later.

Offline

#8 2022-06-26 21:51:27

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: exclude clamav files and folders

Nope, they still get removed.
Is the exclude stuff broken or?

Offline

#9 2022-06-26 22:04:46

loqs
Member
Registered: 2014-03-06
Posts: 17,196

Re: exclude clamav files and folders

If you add/uncomment in clamd.conf

# Enable verbose logging.
# Default: no
LogVerbose yes

# Enable debug messages in libclamav.
# Default: no
Debug yes

Then restart the service; clamd should then hopefully document how it parsed the config file and whether it is using the exclude lines.

Offline

#10 2022-06-27 00:17:13

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: exclude clamav files and folders

I get this:

Mon Jun 27 02:14:46 2022 -> +++ Started at Mon Jun 27 02:14:46 2022
Mon Jun 27 02:14:46 2022 -> Received 1 file descriptor(s) from systemd.
Mon Jun 27 02:14:46 2022 -> clamd daemon 0.105.0 (OS: Linux, ARCH: x86_64, CPU: x86_64)
Mon Jun 27 02:14:46 2022 -> Log file size limited to 1048576 bytes.
Mon Jun 27 02:14:46 2022 -> Reading databases from /var/lib/clamav
Mon Jun 27 02:14:46 2022 -> Not loading PUA signatures.
Mon Jun 27 02:14:46 2022 -> Bytecode: Security mode set to "TrustSigned".
Mon Jun 27 02:14:56 2022 -> Loaded 8758395 signatures.
Mon Jun 27 02:14:59 2022 -> TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd.
Mon Jun 27 02:14:59 2022 -> LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd.
Mon Jun 27 02:14:59 2022 -> Limits: Global time limit set to 120000 milliseconds.
Mon Jun 27 02:14:59 2022 -> Limits: Global size limit set to 419430400 bytes.
Mon Jun 27 02:14:59 2022 -> Limits: File size limit set to 104857600 bytes.
Mon Jun 27 02:14:59 2022 -> Limits: Recursion level limit set to 17.
Mon Jun 27 02:14:59 2022 -> Limits: Files limit set to 10000.
Mon Jun 27 02:14:59 2022 -> Limits: Core-dump limit is 18446744073709551615.
Mon Jun 27 02:14:59 2022 -> Limits: MaxEmbeddedPE limit set to 41943040 bytes.
Mon Jun 27 02:14:59 2022 -> Limits: MaxHTMLNormalize limit set to 41943040 bytes.
Mon Jun 27 02:14:59 2022 -> Limits: MaxHTMLNoTags limit set to 8388608 bytes.
Mon Jun 27 02:14:59 2022 -> Limits: MaxScriptNormalize limit set to 20971520 bytes.
Mon Jun 27 02:14:59 2022 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Mon Jun 27 02:14:59 2022 -> Limits: MaxPartitions limit set to 50.
Mon Jun 27 02:14:59 2022 -> Limits: MaxIconsPE limit set to 100.
Mon Jun 27 02:14:59 2022 -> Limits: MaxRecHWP3 limit set to 16.
Mon Jun 27 02:14:59 2022 -> Limits: PCREMatchLimit limit set to 100000.
Mon Jun 27 02:14:59 2022 -> Limits: PCRERecMatchLimit limit set to 2000.
Mon Jun 27 02:14:59 2022 -> Limits: PCREMaxFileSize limit set to 104857600.
Mon Jun 27 02:14:59 2022 -> Archive support enabled.
Mon Jun 27 02:14:59 2022 -> AlertExceedsMax heuristic detection disabled.
Mon Jun 27 02:14:59 2022 -> Heuristic alerts enabled.
Mon Jun 27 02:14:59 2022 -> Portable Executable support enabled.
Mon Jun 27 02:14:59 2022 -> ELF support enabled.
Mon Jun 27 02:14:59 2022 -> Mail files support enabled.
Mon Jun 27 02:14:59 2022 -> OLE2 support enabled.
Mon Jun 27 02:14:59 2022 -> PDF support enabled.
Mon Jun 27 02:14:59 2022 -> SWF support enabled.
Mon Jun 27 02:14:59 2022 -> HTML support enabled.
Mon Jun 27 02:14:59 2022 -> XMLDOCS support enabled.
Mon Jun 27 02:14:59 2022 -> HWP3 support enabled.
Mon Jun 27 02:14:59 2022 -> Self checking every 600 seconds.
Mon Jun 27 02:14:59 2022 -> Listening daemon: PID: 978
Mon Jun 27 02:14:59 2022 -> MaxQueue set to: 100
Mon Jun 27 02:18:12 2022 -> /etc/hosts: PhishTank.Phishing.7428060.UNOFFICIAL FOUND
Mon Jun 27 02:18:20 2022 -> /root/quarantine/hosts.001: PhishTank.Phishing.7428060.UNOFFICIAL FOUND
Mon Jun 27 02:18:24 2022 -> /root/quarantine/hosts.001.003: PhishTank.Phishing.7428060.UNOFFICIAL FOUND
Mon Jun 27 02:18:29 2022 -> /root/quarantine/hosts.001.003.001: PhishTank.Phishing.7428060.UNOFFICIAL FOUND
Mon Jun 27 02:18:51 2022 -> /home/user/.mozilla/firefox/.../extensions/uBlock0@raymondhill.net.xpi: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
Mon Jun 27 02:19:51 2022 -> /root/quarantine/hosts.001.003.001.001: PhishTank.Phishing.7428060.UNOFFICIAL FOUND
Mon Jun 27 02:24:59 2022 -> SelfCheck: Database status OK.
Mon Jun 27 02:34:59 2022 -> SelfCheck: Database status OK.
Mon Jun 27 02:44:59 2022 -> SelfCheck: Database status OK.
Mon Jun 27 02:54:59 2022 -> SelfCheck: Database status OK.
Mon Jun 27 03:04:59 2022 -> SelfCheck: Database status OK.

and a whole lot of this:

Mon Jun 27 03:14:09 2022 -> Client disconnected (FD 9)
Mon Jun 27 03:14:09 2022 -> Client disconnected (FD 9)

Offline

#11 2022-06-27 00:28:28

loqs
Member
Registered: 2014-03-06
Posts: 17,196

Re: exclude clamav files and folders

Was hoping to see debug messages such as from https://github.com/Cisco-Talos/clamav/b … tif.c#L410

Offline

#12 2022-06-27 01:25:52

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: exclude clamav files and folders

I enabled LogSyslog and this is what I have in journalctl:

iun 27 04:17:23 arch clamd[980]: Received 1 file descriptor(s) from systemd.
iun 27 04:17:23 arch clamd[980]: clamd daemon 0.105.0 (OS: Linux, ARCH: x86_64, CPU: x86_64)
iun 27 04:17:23 arch clamd[980]: Log file size limited to 1048576 bytes.
iun 27 04:17:23 arch clamd[980]: Reading databases from /var/lib/clamav
iun 27 04:17:23 arch clamd[980]: Not loading PUA signatures.
iun 27 04:17:23 arch clamd[980]: Bytecode: Security mode set to "TrustSigned".
iun 27 04:17:34 arch clamd[980]: Loaded 8758383 signatures.
iun 27 04:17:36 arch clamd[980]: TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: Global time limit set to 120000 milliseconds.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: Global size limit set to 419430400 bytes.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: File size limit set to 104857600 bytes.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: Recursion level limit set to 17.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: Files limit set to 10000.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: Core-dump limit is 18446744073709551615.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: MaxEmbeddedPE limit set to 41943040 bytes.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: MaxHTMLNormalize limit set to 41943040 bytes.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: MaxHTMLNoTags limit set to 8388608 bytes.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: MaxScriptNormalize limit set to 20971520 bytes.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: MaxPartitions limit set to 50.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: MaxIconsPE limit set to 100.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: MaxRecHWP3 limit set to 16.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: PCREMatchLimit limit set to 100000.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: PCRERecMatchLimit limit set to 2000.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Limits: PCREMaxFileSize limit set to 104857600.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Archive support enabled.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> AlertExceedsMax heuristic detection disabled.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Heuristic alerts enabled.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Portable Executable support enabled.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> ELF support enabled.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Mail files support enabled.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> OLE2 support enabled.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> PDF support enabled.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> SWF support enabled.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> HTML support enabled.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> XMLDOCS support enabled.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> HWP3 support enabled.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Self checking every 600 seconds.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> Listening daemon: PID: 980
iun 27 04:17:36 arch clamd[980]: LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd.
iun 27 04:17:36 arch clamd[980]: Mon Jun 27 04:17:36 2022 -> MaxQueue set to: 100
iun 27 04:17:36 arch clamd[980]: Limits: Global time limit set to 120000 milliseconds.
iun 27 04:17:36 arch clamd[980]: Limits: Global size limit set to 419430400 bytes.
iun 27 04:17:36 arch clamd[980]: Limits: File size limit set to 104857600 bytes.
iun 27 04:17:36 arch clamd[980]: Limits: Recursion level limit set to 17.
iun 27 04:17:36 arch clamd[980]: Limits: Files limit set to 10000.
iun 27 04:17:36 arch clamd[980]: Limits: Core-dump limit is 18446744073709551615.
iun 27 04:17:36 arch clamd[980]: Limits: MaxEmbeddedPE limit set to 41943040 bytes.
iun 27 04:17:36 arch clamd[980]: Limits: MaxHTMLNormalize limit set to 41943040 bytes.
iun 27 04:17:36 arch clamd[980]: Limits: MaxHTMLNoTags limit set to 8388608 bytes.
iun 27 04:17:36 arch clamd[980]: Limits: MaxScriptNormalize limit set to 20971520 bytes.
iun 27 04:17:36 arch clamd[980]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
iun 27 04:17:36 arch clamd[980]: Limits: MaxPartitions limit set to 50.
iun 27 04:17:36 arch clamd[980]: Limits: MaxIconsPE limit set to 100.
iun 27 04:17:36 arch clamd[980]: Limits: MaxRecHWP3 limit set to 16.
iun 27 04:17:36 arch clamd[980]: Limits: PCREMatchLimit limit set to 100000.
iun 27 04:17:36 arch clamd[980]: Limits: PCRERecMatchLimit limit set to 2000.
iun 27 04:17:36 arch clamd[980]: Limits: PCREMaxFileSize limit set to 104857600.
iun 27 04:17:36 arch clamd[980]: Archive support enabled.
iun 27 04:17:36 arch clamd[980]: AlertExceedsMax heuristic detection disabled.
iun 27 04:17:36 arch clamd[980]: Heuristic alerts enabled.
iun 27 04:17:36 arch clamd[980]: Portable Executable support enabled.
iun 27 04:17:36 arch clamd[980]: ELF support enabled.
iun 27 04:17:36 arch clamd[980]: Mail files support enabled.
iun 27 04:17:36 arch clamd[980]: OLE2 support enabled.
iun 27 04:17:36 arch clamd[980]: PDF support enabled.
iun 27 04:17:36 arch clamd[980]: SWF support enabled.
iun 27 04:17:36 arch clamd[980]: HTML support enabled.
iun 27 04:17:36 arch clamd[980]: XMLDOCS support enabled.
iun 27 04:17:36 arch clamd[980]: HWP3 support enabled.
iun 27 04:17:36 arch clamd[980]: Self checking every 600 seconds.
iun 27 04:17:36 arch clamd[980]: Listening daemon: PID: 980
iun 27 04:17:36 arch clamd[980]: MaxQueue set to: 100
iun 27 04:19:28 arch clamd[980]: /etc/hosts: PhishTank.Phishing.7428060.UNOFFICIAL FOUND
iun 27 04:19:28 arch clamd[980]: Mon Jun 27 04:19:28 2022 -> /etc/hosts: PhishTank.Phishing.7428060.UNOFFICIAL FOUND

Offline

#13 2022-06-27 01:31:16

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: exclude clamav files and folders

I did see they added in the wiki that OnAccessScan is still immature so that might be the cause.

Offline

#14 2022-06-27 02:21:19

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: exclude clamav files and folders

The thing is, clamonacc passes the file descriptor to clamd, as clamd is not running as root. So then I suppose there's an issue where clamd doesn't ignore the files if they come from clamonacc? Then I should pass the ignore lists to the clamonacc service with --exclude-list=FILE

edit:

I did find this:

The OnAccessMountPath option uses a different fanotify api configuration which makes it incompatible with OnAccessIncludePath and the DDD System. Therefore, inotify watch-point limitations will not be a concern when using this option. Unfortunately, this also means that the following options cannot be used in conjunction with OnAccessMountPath:

    OnAccessExtraScanning - is built around catching inotify events.
    OnAccessExcludePath - is built upon the DDD System.
    OnAccessPrevention - would lock up the system if / was selected for OnAccessMountPath. If you need OnAccessPrevention, you should use OnAccessIncludePath instead of OnAccessMountPath.

So 

OnAccessMountPath /

is in the wiki. That means that I can't use OnAccessExcludePath to exclude directories.

Last edited by qu@rk (2022-06-27 03:10:37)

Offline
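The wiki passage quoted in the post above lists three options that cannot be combined with OnAccessMountPath. The following checker, an added example that is not part of the thread or of ClamAV itself, parses a clamd.conf, flags those combinations, and also verifies that each ExcludePath value compiles as a regular expression (clamd.conf documents ExcludePath as taking a REGEX; OnAccessExcludePath is deliberately not regex-checked here, since its argument type is an assumption). The sample configuration is the one posted earlier in the thread.

```python
"""Lint a clamd.conf for on-access option combinations that the ClamAV
on-access documentation describes as incompatible. Hypothetical checker,
not part of ClamAV."""
import re

# Options the on-access docs (quoted in the thread) say cannot be used
# together with OnAccessMountPath, with the reason given there.
INCOMPATIBLE_WITH_MOUNT_PATH = {
    "OnAccessExcludePath": "built upon the DDD system, not usable with OnAccessMountPath",
    "OnAccessExtraScanning": "built around inotify events, not usable with OnAccessMountPath",
    "OnAccessPrevention": "would lock up the system if / is the OnAccessMountPath",
}

# Boolean options that only matter when switched on.
BOOLEAN_OPTIONS = {"OnAccessExtraScanning", "OnAccessPrevention"}
TRUE_VALUES = {"yes", "true", "1"}


def parse_clamd_conf(text):
    """Return (option, value) pairs from clamd.conf text.

    Blank lines and '#' comments are skipped. An option may appear several
    times (e.g. repeated OnAccessExcludePath lines), so a list is returned.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((parts[0], value))
    return entries


def lint_on_access(entries):
    """Return warnings for options that the docs say do not work together
    with OnAccessMountPath. Returns [] when OnAccessMountPath is unset."""
    if not any(key == "OnAccessMountPath" for key, _ in entries):
        return []
    warnings = []
    for key, value in entries:
        if key not in INCOMPATIBLE_WITH_MOUNT_PATH:
            continue
        if key in BOOLEAN_OPTIONS and value.lower() not in TRUE_VALUES:
            continue  # explicitly disabled, nothing to flag
        warnings.append(f"{key} {value}: {INCOMPATIBLE_WITH_MOUNT_PATH[key]}")
    return warnings


def lint_exclude_regex(entries):
    """ExcludePath values are regular expressions; report ones that do not
    compile, since a bad pattern silently excludes nothing."""
    bad = []
    for key, value in entries:
        if key == "ExcludePath":
            try:
                re.compile(value)
            except re.error as exc:
                bad.append(f"{key} {value}: invalid regex ({exc})")
    return bad


# Constructed sample: the on-access part of the clamd.conf posted in the thread.
SAMPLE_CONF = """\
ExcludePath ^/home/user/.mozilla/
ExcludePath ^/etc/hosts

OnAccessExcludePath /run
OnAccessExcludePath /sys
OnAccessExcludePath ^/home/user/.mozilla/
OnAccessExcludePath ^/etc/hosts
OnAccessMountPath /
OnAccessExcludePath /proc
OnAccessExcludeUID 0

OnAccessPrevention false
OnAccessExtraScanning true
OnAccessExcludeUname clamav
User clamav
"""

if __name__ == "__main__":
    conf = parse_clamd_conf(SAMPLE_CONF)
    for warning in lint_on_access(conf) + lint_exclude_regex(conf):
        print("WARNING:", warning)
```

Run against the posted configuration it reports every OnAccessExcludePath line plus OnAccessExtraScanning, and stays quiet about OnAccessPrevention because it is set to false; swapping OnAccessMountPath for OnAccessIncludePath, as the later posts do, makes all of those warnings disappear.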

#15 2022-06-27 03:56:33

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: exclude clamav files and folders

Interesting. So I removed

OnAccessMountPath /

and added

OnAccessIncludePath /home/user/Desktop

and now if I copy /etc/hosts to desktop it triggers clamd and clamonacc.
Still some issues, because if I add /etc or other dirs it kinda locks up completely. Gotta see which folders to add and exclude, but this looks promising.

edit:
Also in the wiki config a weird phenomenon appears where infected files get moved to /root/quarantine (a folder which must be manually created for one reason or another, else files don't get moved there), but that folder itself is not excluded, and it starts to detect the file and copy it into the same folder over and over again, once every few seconds.

Last edited by qu@rk (2022-06-27 04:06:56)

Offline
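The loop described in the edit above is visible in the clamd.log posted earlier: the same signature fires first on /etc/hosts and then repeatedly on hosts.001, hosts.001.003 and so on inside /root/quarantine. The following analyzer, an added example rather than anything from the thread or from ClamAV, parses clamd's "path: signature FOUND" lines and reports any signature that is re-detected inside the quarantine directory more than once, which is the tell-tale sign that the quarantine folder itself is being scanned and should be excluded. The sample lines are those from the log in post #10; the quarantine path is the one the poster names.

```python
"""Spot a quarantine feedback loop in clamd log lines: a signature that keeps
being detected on files inside the quarantine directory itself.
Hypothetical analyzer, not part of ClamAV."""
import re
from collections import defaultdict

# clamd's detection line: "<timestamp> -> <absolute path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<ts>.+?) -> (?P<path>/.+?): (?P<sig>\S+) FOUND$")


def parse_found_lines(lines):
    """Return one dict (ts, path, sig) per detection line; other lines
    (SelfCheck, startup banner, client disconnects) are skipped."""
    hits = []
    for line in lines:
        match = FOUND_RE.match(line.strip())
        if match:
            hits.append(match.groupdict())
    return hits


def find_quarantine_loops(hits, quarantine_dir):
    """Group detections by signature and count how many were raised on a
    path inside quarantine_dir. More than one such hit for a signature means
    the quarantined copy is being rescanned and moved again in a loop.

    Returns {signature: {"original": set of non-quarantine paths,
                         "in_quarantine": count}} for looping signatures only.
    """
    prefix = quarantine_dir.rstrip("/") + "/"
    by_sig = defaultdict(lambda: {"original": set(), "in_quarantine": 0})
    for hit in hits:
        entry = by_sig[hit["sig"]]
        if hit["path"].startswith(prefix):
            entry["in_quarantine"] += 1
        else:
            entry["original"].add(hit["path"])
    return {sig: e for sig, e in by_sig.items() if e["in_quarantine"] > 1}


# Constructed sample: detection and status lines from the clamd.log posted
# earlier in this thread (the "..." in the Firefox path is as posted).
SAMPLE_LOG = [
    "Mon Jun 27 02:18:12 2022 -> /etc/hosts: PhishTank.Phishing.7428060.UNOFFICIAL FOUND",
    "Mon Jun 27 02:18:20 2022 -> /root/quarantine/hosts.001: PhishTank.Phishing.7428060.UNOFFICIAL FOUND",
    "Mon Jun 27 02:18:24 2022 -> /root/quarantine/hosts.001.003: PhishTank.Phishing.7428060.UNOFFICIAL FOUND",
    "Mon Jun 27 02:18:29 2022 -> /root/quarantine/hosts.001.003.001: PhishTank.Phishing.7428060.UNOFFICIAL FOUND",
    "Mon Jun 27 02:18:51 2022 -> /home/user/.mozilla/firefox/.../extensions/uBlock0@raymondhill.net.xpi: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND",
    "Mon Jun 27 02:19:51 2022 -> /root/quarantine/hosts.001.003.001.001: PhishTank.Phishing.7428060.UNOFFICIAL FOUND",
    "Mon Jun 27 02:24:59 2022 -> SelfCheck: Database status OK.",
]

QUARANTINE_DIR = "/root/quarantine"  # the directory named in the thread

if __name__ == "__main__":
    loops = find_quarantine_loops(parse_found_lines(SAMPLE_LOG), QUARANTINE_DIR)
    for sig, info in loops.items():
        print(f"{sig}: {info['in_quarantine']} re-detections inside {QUARANTINE_DIR}, "
              f"originally from {sorted(info['original'])}")
```

On the posted log the PhishTank signature is reported with four re-detections traced back to /etc/hosts, while the uBlock detection is not reported because it was only ever seen at its original location. The same check works on journalctl output once the syslog prefix is stripped, since the "path: signature FOUND" tail of each line is unchanged.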

#16 2022-06-27 16:55:14

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: exclude clamav files and folders

Yeah, it's working without OnAccessMountPath: it triggers on access/copy of the infected file, and I can exclude files and dirs (apart from /etc, which locks up when I include it).
The problem is that it's dog slow. Apps take a long time to open and there's high CPU activity from clamd even with only /home/user included. I'm not using OnAccessScan anymore atm.

Last edited by qu@rk (2022-06-27 16:55:40)

Offline
