Bugzilla – Bug 12152
VirusEvent is not executed with OnAccess scan
Last modified: 2020-08-27 18:44:37 EDT
When OnAccess scan finds virus, VirusEvent is not executed but ScanOnAccess is logged in clamd.log. clamconf -n Checking configuration files in /etc/clamav Config file: clamd.conf ----------------------- LogFile = "/var/log/clamav/clamd.log" LogTime = "yes" PidFile = "/run/clamav/clamd.pid" TemporaryDirectory = "/tmp" LocalSocket = "/run/clamav/clamd.ctl" VirusEvent = "/etc/clamav/detected.sh" User = "root" ScanOnAccess = "yes" OnAccessIncludePath = "/home/taiki/Downloads" OnAccessMaxFileSize = "104857600" OnAccessExtraScanning = "yes" Config file: freshclam.conf --------------------------- PidFile = "/run/clamav/freshclam.pid" UpdateLogFile = "/var/log/clamav/freshclam.log" DatabaseMirror = "database.clamav.net", "database.clamav.net" SafeBrowsing = "yes" Config file: clamav-milter.conf ------------------------------- LogFile = "/var/log/clamav/clamav-milter.log" LogTime = "yes" PidFile = "/run/clamav/clamav-milter.pid" TemporaryDirectory = "/tmp" User = "clamav" Software settings ----------------- Version: 0.100.0 Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR Database information -------------------- Database directory: /var/lib/clamav [3rd Party] bofhland_phishing_URL.ndb: 20 sigs [3rd Party] rfxn.hdb: 12602 sigs daily.cld: version 24712, sigs: 2000714, built on Sun Jul 1 13:40:19 2018 safebrowsing.cvd: version 47568, sigs: 2968478, built on Sun Jul 1 13:52:58 2018 [3rd Party] spamimg.hdb: 158 sigs main.cvd: version 58, sigs: 4566249, built on Thu Jun 8 06:38:10 2017 [3rd Party] winnow_extended_malware.hdb: 245 sigs [3rd Party] Sanesecurity_spam.yara: 46 sigs [3rd Party] scam.ndb: 12485 sigs [3rd Party] spamattach.hdb: 14 sigs [3rd Party] bofhland_malware_URL.ndb: 2 sigs [3rd Party] porcupine.hsb: 289 sigs [3rd Party] blurl.ndb: 44382 sigs [3rd Party] porcupine.ndb: 3169 sigs [3rd Party] winnow_bad_cw.hdb: 1 sig [3rd Party] winnow_malware.hdb: 293 sigs [3rd Party] foxhole_generic.cdb: 211 sigs [3rd Party] bofhland_malware_attach.hdb: 1835 sigs [3rd Party] junk.ndb: 56757 sigs [3rd Party] winnow_malware_links.ndb: 4623 sigs [3rd Party] winnow_malware.yara: 169 sigs [3rd Party] winnow.attachments.hdb: 5894 sigs [3rd Party] malwarehash.hsb: 771 sigs [3rd Party] bofhland_cracked_URL.ndb: 18 sigs [3rd Party] Sanesecurity_sigtest.yara: 54 sigs [3rd Party] phish.ndb: 27394 sigs [3rd Party] hackingteam.hsb: 435 sigs [3rd Party] rogue.hdb: 4482 sigs [3rd Party] jurlbl.ndb: 13014 sigs [3rd Party] sanesecurity.ftm: 170 sigs [3rd Party] phishtank.ndb: 33551 sigs [3rd Party] rfxn.ndb: 2028 sigs bytecode.cld: version 322, sigs: 90, built on Fri Jun 22 23:08:32 2018 [3rd Party] foxhole_filename.cdb: 1613 sigs Total number of signatures: 9762256 Platform information -------------------- uname: Linux 4.17.2-1-ARCH #1 SMP PREEMPT Sat Jun 16 11:08:59 UTC 2018 x86_64 OS: linux-gnu, ARCH: x86_64, CPU: x86_64 zlib version: 1.2.11 (1.2.11), compile flags: a9 platform id: 0x0a215b5b0800000000080101 Build information ----------------- GNU C: 8.1.1 20180531 (8.1.1) CPPFLAGS: -D_FORTIFY_SOURCE=2 CFLAGS: -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 CXXFLAGS: -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt LDFLAGS: -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now Configure: '--prefix=/usr' '--sbindir=/usr/bin' '--sysconfdir=/etc/clamav' '--with-dbdir=/var/lib/clamav' '--with-user=clamav' '--with-group=clamav' '--disable-rpath' '--disable-clamav' '--disable-llvm' '--enable-zlib-vcheck' '--enable-milter' '--enable-clamdtop' 'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt' 'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' sizeof(void*) = 8 Engine flevel: 91, dconf: 91
clamd.log: Sun Jul 1 18:04:01 2018 -> +++ Started at Sun Jul 1 18:04:01 2018 Sun Jul 1 18:04:01 2018 -> Received 1 file descriptor(s) from systemd. Sun Jul 1 18:04:01 2018 -> clamd daemon 0.100.0 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64) Sun Jul 1 18:04:01 2018 -> Running as user root (UID 0, GID 0) Sun Jul 1 18:04:01 2018 -> Log file size limited to 1048576 bytes. Sun Jul 1 18:04:01 2018 -> Reading databases from /var/lib/clamav Sun Jul 1 18:04:01 2018 -> Not loading PUA signatures. Sun Jul 1 18:04:01 2018 -> Bytecode: Security mode set to "TrustSigned". Sun Jul 1 18:04:14 2018 -> Loaded 9755629 signatures. Sun Jul 1 18:04:14 2018 -> TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd. Sun Jul 1 18:04:14 2018 -> LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd. Sun Jul 1 18:04:14 2018 -> Limits: Global size limit set to 104857600 bytes. Sun Jul 1 18:04:14 2018 -> Limits: File size limit set to 26214400 bytes. Sun Jul 1 18:04:14 2018 -> Limits: Recursion level limit set to 16. Sun Jul 1 18:04:14 2018 -> Limits: Files limit set to 10000. Sun Jul 1 18:04:14 2018 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes. Sun Jul 1 18:04:14 2018 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes. Sun Jul 1 18:04:14 2018 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes. Sun Jul 1 18:04:14 2018 -> Limits: MaxScriptNormalize limit set to 5242880 bytes. Sun Jul 1 18:04:14 2018 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes. Sun Jul 1 18:04:14 2018 -> Limits: MaxPartitions limit set to 50. Sun Jul 1 18:04:14 2018 -> Limits: MaxIconsPE limit set to 100. Sun Jul 1 18:04:14 2018 -> Limits: MaxRecHWP3 limit set to 16. Sun Jul 1 18:04:14 2018 -> Limits: PCREMatchLimit limit set to 100000. Sun Jul 1 18:04:14 2018 -> Limits: PCRERecMatchLimit limit set to 5000. Sun Jul 1 18:04:14 2018 -> Limits: PCREMaxFileSize limit set to 26214400. Sun Jul 1 18:04:14 2018 -> Archive support enabled. Sun Jul 1 18:04:14 2018 -> BlockMax heuristic detection disabled. Sun Jul 1 18:04:14 2018 -> Algorithmic detection enabled. Sun Jul 1 18:04:14 2018 -> Portable Executable support enabled. Sun Jul 1 18:04:14 2018 -> ELF support enabled. Sun Jul 1 18:04:14 2018 -> Mail files support enabled. Sun Jul 1 18:04:14 2018 -> OLE2 support enabled. Sun Jul 1 18:04:14 2018 -> PDF support enabled. Sun Jul 1 18:04:14 2018 -> SWF support enabled. Sun Jul 1 18:04:14 2018 -> HTML support enabled. Sun Jul 1 18:04:14 2018 -> XMLDOCS support enabled. Sun Jul 1 18:04:14 2018 -> HWP3 support enabled. Sun Jul 1 18:04:14 2018 -> Self checking every 600 seconds. Sun Jul 1 18:04:14 2018 -> ScanOnAccess: notifying only for access attempts. Sun Jul 1 18:04:14 2018 -> ScanOnAccess: Max file size limited to 104857600 bytes Sun Jul 1 18:04:14 2018 -> ScanOnAccess: Protecting directory '/home/taiki/Downloads' (and all sub-directories) Sun Jul 1 18:04:14 2018 -> ScanOnAccess: Extra scanning and notifications enabled. Sun Jul 1 18:04:20 2018 -> ScanOnAccess: /home/taiki/Downloads/eicar.com.txt: Eicar-Test-Signature FOUND Sun Jul 1 18:04:21 2018 -> ScanOnAccess: /home/taiki/Downloads/eicar.com.txt: Eicar-Test-Signature FOUND Sun Jul 1 18:04:21 2018 -> ScanOnAccess: /home/taiki/Downloads/eicar.com.txt: Eicar-Test-Signature FOUND
This is currently done on purpose because the virusevent function forks the calling process. That has the potential to get extremely messy extremely quickly since onaccess runs in a separate thread from the main clamd process. I imagine if it were enabled you'd see massive memory leaks, resource contention issues, and other unforeseen problems on your system(s). We'll look into enabling it in the future if we can find an elegant way to minimize some of the drawbacks.
Thanks for your reply. I hope that it will be fixed in the future.
*** Bug 12171 has been marked as a duplicate of this bug. ***
Hi I am facing the same issue - but then, how can I instruct clamd to destroy the file when it discovers it using the onaccess handler?
(In reply to bibikitrinke from comment #5) > Hi > > I am facing the same issue - but then, how can I instruct clamd to destroy > the file when it discovers it using the onaccess handler? I highly recommend against automatically deleting files that any AV alerts on. False positives are not uncommon, and in particularly bad occurrences it may remove critical components of installed software or system files. With VirusEvent disabled for onaccess, your best options may be to either use the OnAccessPrevention option to block access to the file, and log the event, or to monitor the log with a script and move the file to a "quarantine" directory so you can investigate the file before you delete it. I welcome suggestions from others on the topic.
yeah that's what I ended up doing (real time parsing of the log) For those interested: #!/bin/sh tail -fn0 /var/log/clamav/clamav.log | \ while read line ; do echo "$line" | grep -oP "ScanOnAccess: \K(.*)(?=:(.*) FOUND)" if [ $? = 0 ] then virusfile=$(echo "$line" | grep -oP "ScanOnAccess: \K(.*)(?=:(.*) FOUND)" | grep -oP "(.*)(?=:(.*))") if [ -n "$virusfile" ] then echo "Found and quarantined virus file: $virusfile" >> /var/log/clamav/clamav-cleaner.log mv $virusfile /path/to/quarantine/ fi fi done
I also have just run into this. I use to have this working fine and I had no issues. I will have to implement the suggest work around and have a cron job monitor the log file but are there any plan's to re-implement this? Our security policy dictates that we have real-time AV scanning on all systems so running a scheduled scan of the logfile to alert isn't really inline with this, it's not technically real-time.
We're presently investigating migrating the on-access scanning feature out of clamd into a separate tool that interacts with clamd, the same way that clamav-milter and clamdscan work. Ensuring that VirusEvent works when using the new On-Access scanning tool will be a part of that task. The primary reason we're taking this approach is to eliminate the need to run clamd with root privileges. Work is still in the experimental/research phase and the completed feature is targeted for the 0.102 version.
The workaround presented in comment 7 *is* a realtime solution, which should fit your needs nicely. I will note that once set up, Prevention gets you blocking at the kernel level tied into detection, which is about as good as it gets when it comes to stopping malicious files from doing their thing. Prevention doesn't stop you from moving the file to quarantine via a cronjob at a later time. And it's far and away the fastest acting solution of the three--working as close to realtime as it's possible to get.
It looks like we neglected to close this ticket after 0.102 was released with the separate clamonacc on-access scanning clamd client. VirusEvent when using clamonacc should work. I would note that the VirusEvent is run by clamd, not by clamonacc, so whatever your event command is needs to be able to be run by clamd for it to work. To be honest, I'm not sure why the VirusEvent isn't run by clamdscan, clamonacc, or clamav-milter instead, but that's how the original design was. Anyways, I'm closing this ticket as it is now possible to use VirusEvent with on-access scanning.