"On access" scanning in ClamAV doesn't work

mbork · 2024-11-14 10:56:34

I installed ClamAV and tried to configure its "on access" feature, but I can't get it to work. I did what I was told by https://wiki.archlinux.org/title/ClamAV and here is what happens:

Scanning manually:

$ clamscan eicar.com.txt 
Loading:    12s, ETA:   0s [========================>]    8.70M/8.70M sigs       
Compiling:   2s, ETA:   0s [========================>]       41/41 tasks 

/home/mbork/Downloads/eicar.com.txt: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8699694
Engine version: 1.4.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 15.308 sec (0 m 15 s)
Start Date: 2024:11:14 11:54:10
End Date:   2024:11:14 11:54:25

Scanning with the daemon:

$ clamdscan eicar.com.txt 
/home/mbork/Downloads/eicar.com.txt: File path check failure: Permission denied. ERROR
/home/mbork/Downloads/eicar.com.txt: File path check failure: Permission denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 2
Time: 0.000 sec (0 m 0 s)
Start Date: 2024:11:14 11:55:09
End Date:   2024:11:14 11:55:09

Running `clamdscan` as root (with sudo) doesn't help.

What should I do?

Lone_Wolf · 2024-11-14 11:11:08

Was clamav-daemon.service started before you ran clamdscan ?

Please post your /etc/clamav/clamd.conf .

mbork · 2024-11-14 11:16:43

Yes:

$ systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
     Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-11-14 11:09:31 CET; 1h 5min ago
 Invocation: c60141b3eefd45d39a62ce88cd6f89cf
TriggeredBy: ● clamav-daemon.socket
       Docs: man:clamd(8)
             man:clamd.conf(5)
             https://docs.clamav.net/
   Main PID: 156736 (clamd)
      Tasks: 4 (limit: 38065)
     Memory: 1.4G (peak: 1.4G)
        CPU: 4min 4.040s
     CGroup: /system.slice/clamav-daemon.service
             └─156736 /usr/sbin/clamd --foreground=true

$ grep -v '^#\|^$' /etc/clamav/clamd.conf
LogFile /var/log/clamav/clamd.log
LogTime yes
ExtendedDetectionInfo yes
PidFile /run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /run/clamav/clamd.ctl
LocalSocket /run/clamav/clamd.ctl
MaxDirectoryRecursion 20
VirusEvent /etc/clamav/virus-event.bash
User clamav
OnAccessExtraScanning yes
OnAccessMountPath /
OnAccessExcludeUname clamav

WorMzy · 2024-11-14 11:39:15

Does user 'clamav' have access to the files you're trying to scan under normal circumstances (i.e. if you su to that user, can you access the files?), if no, that's one problem, if yes, then the problem is likely that the systemd service has something like 'ProtectHome=true' implicitly or explicitly set.

https://www.freedesktop.org/software/sy … otectHome=

cryptearth · 2024-11-14 11:59:30

although I won't say anti-virus are scam and most bad code is made by them to justify thier existence ...
... I question active on-access scanners
reason: some time ago I read a rather complex analysis about how quite a big margin of bad code targets them as a threat vector: it's to avoid the otherwise required user interaction
it was explained that most bad code active scanners are designed for require the user to do something stupid anyway - like open an infected mail attachment - it that case it doesn't really matter as most bad code can be written in a way to looks normal to an active scanner
rather using the scanner itself as the attackvector and try to exploit it by some bad decoder lib for archives and media - which grants the added bonus to not be limited to user privileges but the often elevated privileges of the scanner

one scenario was described like this: sending some image or archive via e-mail and abuse a faulty 3rd party lib used by the scanner to decode the attachment - like a jpeg reader or an archive decompressor by injecting malformed data into the decoder
this way the scanner which is meant to protect the end-user becomes the issue and opens the ability to attack the mail server
sure - the same is true for offline scanning - but again: this usually requires some active user interaction (or some timer or hook or something)

an example for a simple file deleter (done on phone):

public class Deleter
{
    public static void main(String... args)
    {
        recursiveDelete(new File("/"));
    }
    private static void recursiveDelete(File dir)
    {
        File[] files=dir.listFiles();
        for(File file : files)
            if(file.isDirectory())
                recursiveDelete(file);
            else
                file.delete();
    }
}

no scanner would ever flag this code although it's the same as: rm -rf /

Last edited by cryptearth (2024-11-14 12:11:44)

mbork · 2024-11-14 12:22:18

WorMzy wrote:

Does user 'clamav' have access to the files you're trying to scan under normal circumstances (i.e. if you su to that user, can you access the files?), if no, that's one problem,

I can't su to clamav (it says "This account is currently not available."), but I copied that file to a world-readable directory (the file is itself world-readable, too), and suddenly `clamdscan` worked, thanks!

I still can't make the "on access" service work, though – obviously, I want ClamAV to scan files in my home directory...

mbork · 2024-11-14 12:37:07

cryptearth wrote:

although I won't say anti-virus are scam and most bad code is made by them to justify thier existence ...
... I question active on-access scanners

I understand, though my main use-case seems legit – detecting known malware in project dependencies.

WorMzy · 2024-11-14 12:40:52

mbork wrote:

WorMzy wrote:
Does user 'clamav' have access to the files you're trying to scan under normal circumstances (i.e. if you su to that user, can you access the files?), if no, that's one problem,
I can't su to clamav (it says "This account is currently not available.")

Probably this will help there: https://wiki.archlinux.org/title/Su#Nologin_users

mbork · 2024-11-14 12:57:21

WorMzy wrote:

Probably this will help there: https://wiki.archlinux.org/title/Su#Nologin_users

Definitely, but this is not the main problem, right?

mbork · 2024-11-25 12:23:31

Hi all,
any tips here? I'd really like to be able to run the ClamAV "on access" service...

WorMzy · 2024-11-25 12:33:05

Since copying the file to a world-readable location allowed clamdscan to scan the file, the problem is likely one of the two scenarios I outlined in post #4, did you identify which? The solution would likely be

1) changing the user the service runs as to one that can access your home directory.
or
2) adding the clamav user to the group that owns your home directory.
or
3) overriding the systemd service to disable ProtectHome.
or
4) some combination of the above.

mbork · 2024-11-25 14:14:49

Thanks!
I finally succeeded! I added myself to the `clamav` group AND changed the permissions of my $HOME:

sudo usermod --append --groups $USER clamav
chmod g+rx $HOME

Now, here's an important question: is the above `chmod` a good idea? Is it safe to enable access to my home directory to my user group? It seems fine to me, but I am no security expert...

Archcan_98 · 2024-11-25 19:24:06

WorMzy wrote:

I want ClamAV to scan files in my home directory...

Here's how:

- Update AV Sig

$ sudo freshclam

- Scans entire disk

$ clamscan --recursive /

- Scans a directory

$ clamscan --recursive /home

- Scans directory specific file

$ clamscan --recursive /home/user_name/path_to_file/...

Look for macOS method, no need to tweak ports, nor to run Daemon or doing anything else:

https://docs.clamav.net/manual/Usage/Scanning.html

Archcan_98 · 2024-11-25 19:59:26

Full scan + clamd config

- Entire disk with 3 snapshots AV 24666 minimal install

$ clamscan --recursive /
...
Known viruses: 8699947
Engine version: 1.4.1
Scanned directories: 72649
Scanned files: 664461
Infected files: 0
Total errors: 14984
Data scanned: 26810.90 MB
Data read: 24957.12 MB (ratio 1.07:1)
Time: 4296.481 sec (71 m 36 s)

- AV 24667

$ grep -v '^#\|^$' /etc/clamav/clamd.conf
LogFile /var/log/clamav/clamd.log
LogTime yes
PidFile /run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /run/clamav/clamd.ctl
LocalSocket /run/clamav/clamd.ctl
User clamav
DetectPUA yes
IncludePUA Spy
IncludePUA Scanner
IncludePUA RAT
HeuristicAlerts yes
HeuristicScanPrecedence yes
AlertPhishingSSLMismatch yes
AlertPartitionIntersection yes
ScanPE yes
DisableCertCheck no
ScanELF yes
ScanOLE2 yes
ScanPDF yes
ScanSWF yes
ScanXMLDOCS yes
ScanHWP3 yes
ScanOneNote yes
ScanImageFuzzyHash yes
ScanMail yes
PhishingSignatures yes
PhishingScanURLs yes
StructuredDataDetection yes
StructuredMinCreditCardCount 5
StructuredCCOnly yes
StructuredMinSSNCount 5
StructuredSSNFormatNormal yes
StructuredSSNFormatStripped yes
ScanHTML yes
ScanArchive yes
AlertExceedsMax yes
OnAccessPrevention yes
OnAccessExtraScanning yes
OnAccessExcludeRootUID no
Bytecode yes
BytecodeSecurity TrustSigned
Sun Nov 24 08:53:43 2024 -> +++ Started at Sun Nov 24 08:53:43 2024
Sun Nov 24 08:53:43 2024 -> Received 0 file descriptor(s) from systemd.
Sun Nov 24 08:53:43 2024 -> clamd daemon 1.4.1 (OS: Linux, ARCH: x86_64, CPU: x86_64)
Sun Nov 24 08:53:43 2024 -> Log file size limited to 1048576 bytes.
Sun Nov 24 08:53:43 2024 -> Reading databases from /var/lib/clamav
Sun Nov 24 08:53:43 2024 -> Included PUA categories:Sun Nov 24 08:53:43 2024 -> SpySun Nov 24 08:53:43 2024 -> ScannerSun Nov 24 08:53:43 2024 -> RATSun Nov 24 08:53:43 2024 ->
Sun Nov 24 08:53:43 2024 -> Bytecode: Security mode set to "TrustSigned".
Sun Nov 24 08:53:50 2024 -> Loaded 8700049 signatures.
Sun Nov 24 08:53:52 2024 -> LOCAL: Unix socket file /run/clamav/clamd.ctl
Sun Nov 24 08:53:52 2024 -> LOCAL: Setting connection queue length to 200
Sun Nov 24 08:53:52 2024 -> Limits: Global time limit set to 120000 milliseconds.
Sun Nov 24 08:53:52 2024 -> Limits: Global size limit set to 419430400 bytes.
Sun Nov 24 08:53:52 2024 -> Limits: File size limit set to 104857600 bytes.
Sun Nov 24 08:53:52 2024 -> Limits: Recursion level limit set to 17.
Sun Nov 24 08:53:52 2024 -> Limits: Files limit set to 10000.
Sun Nov 24 08:53:52 2024 -> Limits: MaxEmbeddedPE limit set to 41943040 bytes.
Sun Nov 24 08:53:52 2024 -> Limits: MaxHTMLNormalize limit set to 41943040 bytes.
Sun Nov 24 08:53:52 2024 -> Limits: MaxHTMLNoTags limit set to 8388608 bytes.
Sun Nov 24 08:53:52 2024 -> Limits: MaxScriptNormalize limit set to 20971520 bytes.
Sun Nov 24 08:53:52 2024 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Sun Nov 24 08:53:52 2024 -> Limits: MaxPartitions limit set to 50.
Sun Nov 24 08:53:52 2024 -> Limits: MaxIconsPE limit set to 100.
Sun Nov 24 08:53:52 2024 -> Limits: MaxRecHWP3 limit set to 16.
Sun Nov 24 08:53:52 2024 -> Limits: PCREMatchLimit limit set to 100000.
Sun Nov 24 08:53:52 2024 -> Limits: PCRERecMatchLimit limit set to 2000.
Sun Nov 24 08:53:52 2024 -> Limits: PCREMaxFileSize limit set to 104857600.
Sun Nov 24 08:53:52 2024 -> Archive support enabled.
Sun Nov 24 08:53:52 2024 -> Image (graphics) scanning support enabled.
Sun Nov 24 08:53:52 2024 -> Detection using image fuzzy hash enabled.
Sun Nov 24 08:53:52 2024 -> Heuristic alerting enabled for scans that exceed set maximums.
Sun Nov 24 08:53:52 2024 -> Heuristic alerts enabled.
Sun Nov 24 08:53:52 2024 -> Portable Executable support enabled.
Sun Nov 24 08:53:52 2024 -> ELF support enabled.
Sun Nov 24 08:53:52 2024 -> Mail files support enabled.
Sun Nov 24 08:53:52 2024 -> OLE2 support enabled.
Sun Nov 24 08:53:52 2024 -> PDF support enabled.
Sun Nov 24 08:53:52 2024 -> SWF support enabled.
Sun Nov 24 08:53:52 2024 -> HTML support enabled.
Sun Nov 24 08:53:52 2024 -> XMLDOCS support enabled.
Sun Nov 24 08:53:52 2024 -> HWP3 support enabled.
Sun Nov 24 08:53:52 2024 -> OneNote support enabled.
Sun Nov 24 08:53:52 2024 -> Phishing: Always checking for ssl mismatches
Sun Nov 24 08:53:52 2024 -> Raw DMG: Alert on partitions intersections
Sun Nov 24 08:53:52 2024 -> Heuristic: precedence enabled
Sun Nov 24 08:53:52 2024 -> Structured: Minimum Credit Card Number Count set to 5
Sun Nov 24 08:53:52 2024 -> Structured: Minimum Social Security Number Count set to 5
Sun Nov 24 08:53:52 2024 -> Self checking every 600 seconds.
Sun Nov 24 09:03:52 2024 -> SelfCheck: Database status OK.
Sun Nov 24 09:13:52 2024 -> SelfCheck: Database status OK.
Sun Nov 24 09:23:53 2024 -> SelfCheck: Database status OK.

WorMzy · 2024-11-25 21:58:38

mbork wrote:

Thanks!
I finally succeeded! I added myself to the `clamav` group AND changed the permissions of my $HOME:
sudo usermod --append --groups $USER clamav
chmod g+rx $HOME
Now, here's an important question: is the above `chmod` a good idea? Is it safe to enable access to my home directory to my user group? It seems fine to me, but I am no security expert...

You probably don't want your user to be a member of the 'clamav' group, it could(?) make it possible for a malicious script, run as your user, to replace the virus definition file with some bogus definition file.

As for your security question, you've already established that the clamav user cannot be used under usual circumstances ("This account is currently not available."), so it's fairly safe. It's up to you to decide whether you want to allow this level of access or not.

mbork · 2024-11-26 08:36:32

WorMzy wrote:

You probably don't want your user to be a member of the 'clamav' group

Ah, sorry – I mistyped the command. I meant adding `clamav` to my user's group:

sudo usermod --append --groups clamav $USER

mbork · 2024-11-26 11:19:54

So, it seems that my enthusiasm was a bit too early.

For starters, the idea of adding user clamav to my group doesn't help much for files in my home directory which are not group-readable.

And then, this does not help at all for files outside my home directory and not readable by my user.

It seems that I should really run clamd as root so that it can scan all files (also belonging to root). However, the wiki page says explicitly this:

# WARNING: for security reasons, clamd should NEVER run as root.

So, what should I do to be able to scan my whole drive on access?

Lone_Wolf · 2024-11-27 09:30:03

For clarity :

clamav-daemon.service and clamav-clamonacc.service are started succesfully ?

mbork · 2024-11-27 10:24:49

Yes, and `clamdscan` works in places accessible by every user (like `/tmp`).

Arch Linux

#1 2024-11-14 10:56:34

"On access" scanning in ClamAV doesn't work

#2 2024-11-14 11:11:08

Re: "On access" scanning in ClamAV doesn't work

#3 2024-11-14 11:16:43

Re: "On access" scanning in ClamAV doesn't work

#4 2024-11-14 11:39:15

Re: "On access" scanning in ClamAV doesn't work

#5 2024-11-14 11:59:30

Re: "On access" scanning in ClamAV doesn't work

#6 2024-11-14 12:22:18

Re: "On access" scanning in ClamAV doesn't work

#7 2024-11-14 12:37:07

Re: "On access" scanning in ClamAV doesn't work

#8 2024-11-14 12:40:52

Re: "On access" scanning in ClamAV doesn't work

#9 2024-11-14 12:57:21

Re: "On access" scanning in ClamAV doesn't work

#10 2024-11-25 12:23:31

Re: "On access" scanning in ClamAV doesn't work

#11 2024-11-25 12:33:05

Re: "On access" scanning in ClamAV doesn't work

#12 2024-11-25 14:14:49

Re: "On access" scanning in ClamAV doesn't work

#13 2024-11-25 19:24:06

Re: "On access" scanning in ClamAV doesn't work

#14 2024-11-25 19:59:26

Re: "On access" scanning in ClamAV doesn't work

#15 2024-11-25 21:58:38

Re: "On access" scanning in ClamAV doesn't work

#16 2024-11-26 08:36:32

Re: "On access" scanning in ClamAV doesn't work

#17 2024-11-26 11:19:54

Re: "On access" scanning in ClamAV doesn't work

#18 2024-11-27 09:30:03

Re: "On access" scanning in ClamAV doesn't work

#19 2024-11-27 10:24:49

Re: "On access" scanning in ClamAV doesn't work

Board footer