clamav on-access scan in 14.04

Asked by Hartwig Kolbe on 2015-03-03

I have asked the same question in askubuntu, but did not get any reply. Maybe too specific.

I am trying to use clamav for on-access virus scanning of my home directory and all mounted drives. I found some rather old (2005) instructions in http://ubuntuforums.org/showthread.php?t=52385, and adjusted them.

Since dazuko was replaced by fanotify, the parameters in clamd.conf are slightly different. Here are my relevant clamd.conf entries:
ScanOnAccess true
# ClamukoScanOnOpen true
# ClamukoScanOnExec true
OnAccessIncludePath /home
OnAccessIncludePath /mnt
OnAccessIncludePath /media
VirusEvent /opt/clamdazer %v &

If I restart clamd (by "sudo invoke-rc.d clamav-daemon restart"), the log has the following:
ERROR: ScanOnAccess: fanotify_init failed: Operation not permitted
ScanOnAccess: clamd must be started by root

I tried to change the "User clamav" line in clamd.conf to "User root", but then the start of clamd will fail with "ERROR: initgroups() failed".

I found some bug reports which may be relevant here: Ubuntu Bug #1404762 and possibly Debian bug 749027 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749027).
Unfortunately, I did not succeed using the solutions described there.
Presently, it seems, on-access scanning does not work at all.

How to get this to work?

Question information

Language: English
Status: Answered
For: Ubuntu clamav
Assignee: No assignee
Last query: 2015-04-09
Last reply: 2015-04-09
Launchpad Janitor (janitor) said : #1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Hartwig Kolbe (kolbeb) said : #2

Nobody can answer?
Can you point me to an alternative, instead?
From: Launchpad Janitor
Sent: Wednesday, March 18, 2015 4:22 PM
Subject: Re: [Question #263109]: clamav on-access scan in 14.04

Your question #263109 on clamav in Ubuntu changed:
https://answers.launchpad.net/ubuntu/+source/clamav/+question/263109

    Status: Open => Expired


Hartwig Kolbe (kolbeb) said : #4

My /etc/apparmor.d/usr.sbin.clamd looks slightly different.
So, I added "capability setgid," in that file, and installed apparmor-utils to run aa-complain clamd, as advised in https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1404762/comments/2.

My actual usr.sbin.clamd:

# vim:syntax=apparmor
# Author: Jamie Strandboge
# Last Modified: Sun Aug 3 09:39:03 2008

#include <tunables/global>

/usr/sbin/clamd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # LP: #433764:
  capability dac_override,

  # needed, when using systemd
  capability setgid,

  @{PROC}/filesystems r,
  owner @{PROC}/[0-9]*/status r,

  /etc/clamav/clamd.conf r,

  /usr/sbin/clamd mr,

  /tmp/ rw,
  /tmp/** krw,

  /var/lib/clamav/ r,
  /var/lib/clamav/** krw,
  /var/log/clamav/* krw,

  /{,var/}run/clamav/clamd.ctl w,
  /{,var/}run/clamav/clamd.pid w,

  /var/spool/clamsmtp/* r,

  /var/spool/qpsmtpd/* r,

  /var/spool/p3scan/children/** r,

  /var/spool/havp/** r,

  # For amavisd-new integration
  /var/lib/amavis/tmp/** r,

  # For mimedefang integration
  /var/spool/MIMEDefang/mdefang-*/Work/ r,
  /var/spool/MIMEDefang/mdefang-*/Work/** r,

  # For use with exim
  /var/spool/exim4/** r,

  # Allow home dir to be scanned
  @{HOME}/ r,
  @{HOME}/** r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.clamd>
}

On restart the log still has
ERROR: ScanOnAccess: fanotify_init failed: Operation not permitted
ScanOnAccess: clamd must be started by root

Manfred Hampl (m-hampl) said : #5

If you try adding " capability setuid," as well, reload apparmor and restart the clamav daemon, do you still have the same error message?

Hartwig Kolbe (kolbeb) said : #6

With these changes in /etc/clamav/clamd.conf:
# User clamav
User root

restarting clamd does not have error messages anymore, clamav.log:
  ScanOnAccess: Protecting directory '/home'
  ScanOnAccess: Protecting directory '/mnt'
  ScanOnAccess: Protecting directory '/media'
  ScanOnAccess: Max file size limited to 5242880 bytes

But, I can copy an Eicar file without problems (scanning that file on-demand finds a virus).
I expected an error message (clamdazer).

Manfred Hampl (m-hampl) said : #7

Anything in /var/log/audit/audit.log or the clamav.log?

What options with respect to logging and virus alerts have you set in your clamd.conf?

Hartwig Kolbe (kolbeb) said : #8

I do not have /var/log/audit/audit.log, but there are some messages in syslog related to clamav:
- type=1400 audit(1426762240.564:80): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/etc/ld.so.preload" pid=2713 comm="clamd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
- type=1400 audit(1426762240.716:81): apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=2713 comm="clamd" capability=6 capname="setgid"
- type=1400 audit(1426762241.212:82): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ld.so.preload" pid=2826 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=119 ouid=0

The line in clamd.conf which should activate a virus message:
VirusEvent /opt/clamdazer %v &

At a restart I found that on-access was not started; restarting clamd failed with "ERROR: initgroups() failed".
However, if I turn aa complaints on (sudo aa-complain clamd), restarting clamd goes without problems, on-access starts according to clamav.log.

Any way to do that automatically?

Hartwig Kolbe (kolbeb) said : #9

Another try:
- in clamd.conf
  # User clamav
  User root
- in usr.sbin.clamd
   capability setuid,
reload apparmor (sudo invoke-rc.d apparmor reload)
aa-enforce clamd (sudo aa-enforce clamd)
restart clamd (sudo invoke-rc.d clamav-daemon restart) leads to
  ERROR: Failed to change socket ownership to group clamav
  Closing the main socket.

The only way to get something running seems to be with aa-complain clamd.
However, this should produce some messages in /var/log/audit/audit.log, which I do not have.
Also, aa-complain clamd needs to be done at every start-up.
This will run clamd, with on-access enabled.
But, I still have no indication that it finds viruses (Eicar file can be opened).

Manfred Hampl (m-hampl) said : #10

Sorry, I do not know.
Maybe you better try asking at a clamav forum.

Hartwig Kolbe (kolbeb) said : #11

Thank you for your efforts. I was under the impression that this would be the right place to ask.
Can you point me to a better place?

Launchpad Janitor (janitor) said : #12

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Hartwig Kolbe (kolbeb) said : #13

During my attempts to solve the problem I found I had a file "usr.sbin(Kopie).clamd" in /etc/apparmor.d; this file was a backup of the original, and got used by apparmor (went into the cache folder). After removing this backup copy, and adding "capability setgid," in usr.sbin.clamd, clamd started at reboot without error.

So, it was the backup file in /etc/apparmor.d which caused the trouble.
Still to find out how to let clamav on-access find an Eicar file.

Hartwig Kolbe (kolbeb) said : #14

Now, that on-access scan seems to be working, I tried some cases:

1. No detections when I copied some Eicar files around in subfolders of /home/hartwig. However, I got a detection when I placed an Eicar file directly into that folder (mentioned in /var/log/clamav/clamav.log). It looks like only the folder named in the OnAccessIncludePath parameter is scanned, not its subfolders.
Any way to include subfolders?

2. The following, found in an old post from 2005, was supposed to give me an error message at detection:
    - in clamd.conf: VirusEvent /opt/clamdazer %v &
    - /opt/clamdazer:
      #!/bin/bash
      # Clamdazer script by Gabor Igloi (2005) GPL
      # $1 is the virus name clamd substitutes for %v in VirusEvent.
      # The $'...' strings below need bash; /bin/sh (dash) does not expand them.
      # The last clamd log line is expected to look like
      # "<prefix>: /path/to/file: <signature> FOUND"; extract the file path from it.
      v=$(tail -n 1 /var/log/clamav/clamav.log)
      v=${v#*: }     # drop the prefix up to the first ": "
      v=${v%:*}      # drop ": <signature> FOUND", leaving the path
      f=${v##*/}     # file name without the directory
      zenity --title ClamDazer --warning --text '"'"$f"$'" CONTAINS A VIRUS!\n[ '"$1"$' ]\nWould you like to delete it?'
      if [ $? -eq 0 ]; then
          rm -- "$v"
          zenity --title ClamDazer --info --text '"'"$f"$'"\nRemoved successfully!'
      fi

Unfortunately, no such message comes up.

Seth Arnold (seth-arnold) said : #15

It's possible that clamav isn't properly using the fanotify API; note the FAN_MARK_ADD line here: http://sources.debian.net/src/clamav/0.98.6%2Bdfsg-1/clamd/fan.c/?hl=133#L133 -- it's using FAN_ACCESS | FAN_EVENT_ON_CHILD to tell fanotify which events to be notified to, but the FAN_EVENT_ON_CHILD description includes:

       FAN_EVENT_ON_CHILD
              Events for the immediate children of marked directories shall
              be created. The flag has no effect when marking mounts. Note
              that events are not generated for children of the
              subdirectories of marked directories. To monitor complete
              directory trees it is necessary to mark the relevant mount.

I suspect this was never tested beyond one level of directories.
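
The one-level limit Seth describes can be seen directly in the fanotify calls. The following is an added example, not clamd's fan.c: it marks either a single directory with FAN_ACCESS | FAN_EVENT_ON_CHILD, as fan.c does, or the whole mount with FAN_MARK_MOUNT, which is what the fanotify(7) text above requires to cover subdirectories. The function names are mine, and fanotify_init() needs CAP_SYS_ADMIN, the same requirement behind the question's first error.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* fan.c marks one directory with FAN_EVENT_ON_CHILD (one level only); a mount mark
 * (FAN_MARK_MOUNT) covers the whole tree and ignores that flag, as fanotify(7) says. */
unsigned int mark_flags(int whole_mount) {
    return FAN_MARK_ADD | (whole_mount ? FAN_MARK_MOUNT : 0);
}
uint64_t event_mask(int whole_mount) {
    return whole_mount ? FAN_ACCESS : (FAN_ACCESS | FAN_EVENT_ON_CHILD);
}

/* fanotify fd, or -1 with errno set (EPERM without CAP_SYS_ADMIN: the question's first error). */
int fanotify_watch(const char *path, int whole_mount) {
    int fd = fanotify_init(FAN_CLASS_NOTIF, O_RDONLY);
    if (fd < 0) return -1;
    if (fanotify_mark(fd, mark_flags(whole_mount), event_mask(whole_mount),
                      AT_FDCWD, path) < 0) {
        int saved = errno; close(fd); errno = saved; return -1;
    }
    return fd;
}

/* Path of the file behind an event, read from /proc/self/fd; length or -1. */
ssize_t event_path(const struct fanotify_event_metadata *ev, char *buf, size_t len) {
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", ev->fd);
    ssize_t n = readlink(link, buf, len - 1);
    if (n >= 0) buf[n] = '\0';
    return n;
}

int main(int argc, char **argv) {   /* ./fanwatch /home, as root: whole-mount watch */
    char buf[4096], path[4096];
    int fd = fanotify_watch(argc > 1 ? argv[1] : "/home", 1);
    if (fd < 0) { perror("fanotify"); return 1; }
    for (ssize_t n; (n = read(fd, buf, sizeof buf)) > 0; )
        for (struct fanotify_event_metadata *ev = (void *)buf; FAN_EVENT_OK(ev, n);
             ev = FAN_EVENT_NEXT(ev, n)) {
            if (ev->fd >= 0 && event_path(ev, path, sizeof path) > 0)
                printf("access: %s\n", path);   /* a scanner would read the file here */
            if (ev->fd >= 0) close(ev->fd);
        }
    return 0;
}
```

Run as root and touch a file several levels below the given path: with the mount mark it is reported, whereas a directory mark with FAN_EVENT_ON_CHILD only reports files directly inside the marked directory.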

Hartwig Kolbe (kolbeb) said : #16

That would be an explanation. But, it does not solve the problem.
I have problems accepting that, with such a big effort to introduce on-access scanning for clamav, a glitch like that would go unnoticed, effectively making on-access scanning pointless.

tntteam (tntteam-5) said : #17

Hello

Wow, can't say more. I've been trying for 1 hour to make that on-access scan work, as it is extremely basic and essential for any antivirus software, but no recursion just nullifies the daemon. It's useless if it can't scan subfolders!!

Can you help with this problem?
