You are not logged in.

#1 2024-11-14 10:56:34

mbork
Member
Registered: 2019-01-04
Posts: 19

"On access" scanning in ClamAV doesn't work

I installed ClamAV and tried to configure its "on access" feature, but I can't get it to work. I did what I was told by https://wiki.archlinux.org/title/ClamAV and here is what happens:

Scanning manually:

$ clamscan eicar.com.txt 
Loading:    12s, ETA:   0s [========================>]    8.70M/8.70M sigs       
Compiling:   2s, ETA:   0s [========================>]       41/41 tasks 

/home/mbork/Downloads/eicar.com.txt: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8699694
Engine version: 1.4.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 15.308 sec (0 m 15 s)
Start Date: 2024:11:14 11:54:10
End Date:   2024:11:14 11:54:25

Scanning with the daemon:

$ clamdscan eicar.com.txt 
/home/mbork/Downloads/eicar.com.txt: File path check failure: Permission denied. ERROR
/home/mbork/Downloads/eicar.com.txt: File path check failure: Permission denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 2
Time: 0.000 sec (0 m 0 s)
Start Date: 2024:11:14 11:55:09
End Date:   2024:11:14 11:55:09

Running `clamdscan` as root (with sudo) doesn't help.

What should I do?

Offline

#2 2024-11-14 11:11:08

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 12,926

Re: "On access" scanning in ClamAV doesn't work

Was clamav-daemon.service started before you ran clamdscan ?

Please post your /etc/clamav/clamd.conf .


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Offline

#3 2024-11-14 11:16:43

mbork
Member
Registered: 2019-01-04
Posts: 19

Re: "On access" scanning in ClamAV doesn't work

Yes:

$ systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
     Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-11-14 11:09:31 CET; 1h 5min ago
 Invocation: c60141b3eefd45d39a62ce88cd6f89cf
TriggeredBy: ● clamav-daemon.socket
       Docs: man:clamd(8)
             man:clamd.conf(5)
             https://docs.clamav.net/
   Main PID: 156736 (clamd)
      Tasks: 4 (limit: 38065)
     Memory: 1.4G (peak: 1.4G)
        CPU: 4min 4.040s
     CGroup: /system.slice/clamav-daemon.service
             └─156736 /usr/sbin/clamd --foreground=true
$ grep -v '^#\|^$' /etc/clamav/clamd.conf
LogFile /var/log/clamav/clamd.log
LogTime yes
ExtendedDetectionInfo yes
PidFile /run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /run/clamav/clamd.ctl
LocalSocket /run/clamav/clamd.ctl
MaxDirectoryRecursion 20
VirusEvent /etc/clamav/virus-event.bash
User clamav
OnAccessExtraScanning yes
OnAccessMountPath /
OnAccessExcludeUname clamav

Offline

#4 2024-11-14 11:39:15

WorMzy
Administrator
From: Scotland
Registered: 2010-06-16
Posts: 12,399
Website

Re: "On access" scanning in ClamAV doesn't work

Does user 'clamav' have access to the files you're trying to scan under normal circumstances (i.e. if you su to that user, can you access the files?), if no, that's one problem, if yes, then the problem is likely that the systemd service has something like 'ProtectHome=true' implicitly or explicitly set.

https://www.freedesktop.org/software/sy … otectHome=


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

Offline

#5 2024-11-14 11:59:30

cryptearth
Member
Registered: 2024-02-03
Posts: 963

Re: "On access" scanning in ClamAV doesn't work

although I won't say anti-virus are scam and most bad code is made by them to justify thier existence ...
... I question active on-access scanners
reason: some time ago I read a rather complex analysis about how quite a big margin of bad code targets them as a threat vector: it's to avoid the otherwise required user interaction
it was explained that most bad code active scanners are designed for require the user to do something stupid anyway - like open an infected mail attachment - it that case it doesn't really matter as most bad code can be written in a way to looks normal to an active scanner
rather using the scanner itself as the attackvector and try to exploit it by some bad decoder lib for archives and media - which grants the added bonus to not be limited to user privileges but the often elevated privileges of the scanner

one scenario was described like this: sending some image or archive via e-mail and abuse a faulty 3rd party lib used by the scanner to decode the attachment - like a jpeg reader or an archive decompressor by injecting malformed data into the decoder
this way the scanner which is meant to protect the end-user becomes the issue and opens the ability to attack the mail server
sure - the same is true for offline scanning - but again: this usually requires some active user interaction (or some timer or hook or something)

an example for a simple file deleter (done on phone):

public class Deleter
{
    public static void main(String... args)
    {
        recursiveDelete(new File("/"));
    }
    private static void recursiveDelete(File dir)
    {
        File[] files=dir.listFiles();
        for(File file : files)
            if(file.isDirectory())
                recursiveDelete(file);
            else
                file.delete();
    }
}

no scanner would ever flag this code although it's the same as: rm -rf /

Last edited by cryptearth (2024-11-14 12:11:44)

Offline

#6 2024-11-14 12:22:18

mbork
Member
Registered: 2019-01-04
Posts: 19

Re: "On access" scanning in ClamAV doesn't work

WorMzy wrote:

Does user 'clamav' have access to the files you're trying to scan under normal circumstances (i.e. if you su to that user, can you access the files?), if no, that's one problem,

I can't su to clamav (it says "This account is currently not available."), but I copied that file to a world-readable directory (the file is itself world-readable, too), and suddenly `clamdscan` worked, thanks!

I still can't make the "on access" service work, though – obviously, I want ClamAV to scan files in my home directory...

Offline

#7 2024-11-14 12:37:07

mbork
Member
Registered: 2019-01-04
Posts: 19

Re: "On access" scanning in ClamAV doesn't work

cryptearth wrote:

although I won't say anti-virus are scam and most bad code is made by them to justify thier existence ...
... I question active on-access scanners

I understand, though my main use-case seems legit – detecting known malware in project dependencies.

Offline

#8 2024-11-14 12:40:52

WorMzy
Administrator
From: Scotland
Registered: 2010-06-16
Posts: 12,399
Website

Re: "On access" scanning in ClamAV doesn't work

mbork wrote:
WorMzy wrote:

Does user 'clamav' have access to the files you're trying to scan under normal circumstances (i.e. if you su to that user, can you access the files?), if no, that's one problem,

I can't su to clamav (it says "This account is currently not available.")

Probably this will help there: https://wiki.archlinux.org/title/Su#Nologin_users


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

Offline

#9 2024-11-14 12:57:21

mbork
Member
Registered: 2019-01-04
Posts: 19

Re: "On access" scanning in ClamAV doesn't work

WorMzy wrote:

Definitely, but this is not the main problem, right?

Offline

Board footer

Powered by FluxBB