clamav on-access scan in 14.04

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Nobody can answer?
Can you point me to an alternative, instead?
      From: Launchpad Janitor <email address hidden>
 To: <email address hidden>
 Sent: Wednesday, March 18, 2015 4:22 PM
 Subject: Re: [Question #263109]: clamav on-access scan in 14.04

Your question #263109 on clamav in Ubuntu changed:
https://answers.launchpad.net/ubuntu/+source/clamav/+question/263109

    Status: Open => Expired

Launchpad Janitor expired the question:
This question was expired because it remained in the 'Open' state
without activity for the last 15 days.

--
If you're still having this problem, you can reopen your question either
by replying to this email or by going to the following page and
entering more information about your problem:
https://answers.launchpad.net/ubuntu/+source/clamav/+question/263109

You received this question notification because you asked the question.

based on https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1404762/comments/2

What are the contents of

/etc/apparmor.d/usr.sbin.clamd

(remark: contents of a Debian version http://apt-browse.org/browse/debian/wheezy/main/i386/clamav-daemon/0.98.5%2Bdfsg-0%2Bdeb7u2/file/etc/apparmor.d/usr.sbin.clamd )

My /etc/apparmor.d/usr.sbin.clamd looks slightly different.
So, I added in that file "capability setgid," and installed apparmor-utils to run aa-complain clamd, as advisewd in https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1404762/comments/2.

My actual usr.sbin.clamd:

# vim:syntax=apparmor
# Author: Jamie Strandboge <email address hidden>
# Last Modified: Sun Aug 3 09:39:03 2008

#include <tunables/global>

/usr/sbin/clamd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # LP: #433764:
  capability dac_override,

  # needed, when using systemd
  capability setgid,

  @{PROC}/filesystems r,
  owner @{PROC}/[0-9]*/status r,

  /etc/clamav/clamd.conf r,

  /usr/sbin/clamd mr,

  /tmp/ rw,
  /tmp/** krw,

  /var/lib/clamav/ r,
  /var/lib/clamav/** krw,
  /var/log/clamav/* krw,

  /{,var/}run/clamav/clamd.ctl w,
  /{,var/}run/clamav/clamd.pid w,

  /var/spool/clamsmtp/* r,

  /var/spool/qpsmtpd/* r,

  /var/spool/p3scan/children/** r,

  /var/spool/havp/** r,

  # For amavisd-new integration
  /var/lib/amavis/tmp/** r,

  # For mimedefang integration
  /var/spool/MIMEDefang/mdefang-*/Work/ r,
  /var/spool/MIMEDefang/mdefang-*/Work/** r,

  # For use with exim
  /var/spool/exim4/** r,

  # Allow home dir to be scanned
  @{HOME}/ r,
  @{HOME}/** r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.clamd>
}

On restart the log still has
ERROR: ScanOnAccess: fanotify_init failed: Operation not permitted
ScanOnAccess: clamd must be started by root

If you try adding " capability setuid," as well, reload apparmor and restart clamav demon, do you still have the same error message?

with changes in /etc/clamav/clamd.conf:
# User clamav
User root

restarting clamd does not have error messages anymore, clamav.log:
  ScanOnAccess: Protecting directory '/home'
  ScanOnAccess: Protecting directory '/mnt'
  ScanOnAccess: Protecting directory '/media'
  ScanOnAccess: Max file size limited to 5242880 bytes

But, I can copy an Eicar file without problems (scanning that file on-demand finds a virus).
I have expected an error message (clamdazer).

Anything in /var/log/audit/audit.log or the clamav.log

What options with respect to log and virus alert have you set in your clamd.conf ?

I do not have /var/log/audit/audit.log, but there are some messages in syslog related to clamav:
- type=1400 audit(1426762240.564:80): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/etc/ld.so.preload" pid=2713 comm="clamd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
- type=1400 audit(1426762240.716:81): apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=2713 comm="clamd" capability=6 capname="setgid"
- type=1400 audit(1426762241.212:82): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ld.so.preload" pid=2826 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=119 ouid=0

The line in clamd.conf which should activate a virus message:
VirusEvent /opt/clamdazer %v &

I found at a restart, that on-access was not started, restarting clamd failed with "ERROR: initgroups() failed"
However, if I turn aa complaints on (sudo aa-complain clamd), restarting clamd goes without problems, on-access starts according to clamav.log.

Any way to do that automatically?

another try:
- in clamd.conf
  # User clamav
  User root
- in usr.sbin.clamd
   capability setuid
reload apparmor (sudo invoke-rc.d apparmor reload)
aa-enforce clamd (sudo aa-enforce clamd)
restart clamd (sudo invoke-rc.d clamav-daemon restart) leads to
  ERROR: Failed to change socket ownership to group clamav
  Closing the main socket.

The only way to get something running seems to be with aa-complain clamd.
However, this should produce some messages in /var/log/audit/audit.log, which I do not have.
Also, aa-complain clamd needs to be done at every start-up.
This will run clamd, with on-access enabled.
But, I still have no indication that it finds viruses (Eicar file can be opened).

Sorry, I do not know.
Maybe you better try asking at a clamav forum.

Thank you for your efforts. I was under the impression that this would be the right place to ask.
Can you point me to a better place?

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

During my attempts to solve the problem I found I had a file "usr.sbin(Kopie).clamd" in /etc/apparmor.d; this file was a backup of the original, and got used by apparmor (went into the cache folder). After removing this backup copy, and adding "capability setgid," in usr.sbin.clamd, clamd startet at reboot without error.

So, it was the backup file in /etc/apparmor.d which caused the trouble.
Still to find out how to let clamav on-access find an Eicar file.

Now, that on-access scan seems to be working, I tried some cases:

1. No detections when I copied some Eicar files around in subfolders of /home/hartwig. However, I got a detection when I placed an Eicar file directly into that folder (mentioned in /var/log/clamav/clamav.log). It looks like that only the folder mentioned in the OnAccessIncludePath parameter is scanned, but no subfolders.
Any way to include subfolders?

2. The following found in an old post from 2005 was supposed to give me an error message at detection:
    - in clamd.conf: VirusEvent /opt/clamdazer %v &
    - /opt/clamdazer:
      #!/bin/sh
      #Clamdazer script by Gabor Igloi (2005) GPL
      v=`tail -n 1 /var/log/clamav/clamav.log`
      v=${v#*: }
      v=${v%:*}
      f=${v##*/}
      zenity --title ClamDazer --warning --text '"'"$f"$'" CONTAINS A VIRUS!\n[ '"$1"$' ]\nWould you like to delete it?'
      if [ $? -eq 0 ]; then
    rm $v
    zenity --title ClamDazer --info --text '"'"$f"$'"\nRemoved successfully!'
      fi

Unfortunately, no such message comes up.

It's possible that clamav isn't properly using the fanotify API; note the FAN_MARK_ADD line here: http://sources.debian.net/src/clamav/0.98.6%2Bdfsg-1/clamd/fan.c/?hl=133#L133 -- it's using FAN_ACCESS | FAN_EVENT_ON_CHILD to tell fanotify which events to be notified to, but the FAN_EVENT_ON_CHILD description includes:

       FAN_EVENT_ON_CHILD
              Events for the immediate children of marked directories shall
              be created. The flag has no effect when marking mounts. Note
              that events are not generated for children of the
              subdirectories of marked directories. To monitor complete
              directory trees it is necessary to mark the relevant mount.

I suspect this was never tested beyond one level of directories.

That would be an explanation. But, it does not solve the problem.
I have problems to accept that with such a big effort to introduce on-access scanning for clamav, a glitch like that would go unnoticed, effectively making on-access scanning pointless.

Hello

Wow, can't say more. I ve been trying for 1 hour to make that onaccess scan work, as it is an extremly basic and essential for any antivirus software, but no recursion just nullify the daemon. It's useless if it can't scan subfolders !!