[clamav-users] ScanOnAccess issue when clamd launched from systemd
Mikko Caldara
2016-05-05 15:47:17 UTC
Hi Mickey,

I tried disabling SELinux and will report back later on that issue.

I understand OnAccess cannot prevent access or write attempts
if OnAccessMountPath is enabled: not a problem for us, will disable OnAccessPrevention.

So I changed my config to:

ScanOnAccess yes
OnAccessMountPath /
OnAccessExcludeUID 0

But still, whenever I access (cat/vim) a fake virus, clamd goes into a crazy infinite loop, trying to access /tmp/clamav-RANDOM_UUID.tmp/nocomment.html which from what I understand is created by clamav itself.

The CPU usage is perfectly fine until an infected file is found: then it goes into the loop and I need to kill it.
According to a previous reply, "OnAccessExcludeUID 0" should fix this behaviour, but it doesn't in my case.

Thanks
Mikko

________________________________________
From: clamav-users [clamav-users-***@lists.clamav.net] on behalf of Mickey Sola [***@sourcefire.com]
Sent: 05 May 2016 16:27
To: ClamAV users ML
Subject: Re: [clamav-users] ScanOnAccess issue when clamd launched from systemd

Mikko,

I know you didn't find anything in audit.log, but is your primary issue
resolved when you set SELinux to Permissive? Looking at the code, and the
debug output, so far everything points to this being an issue with
permissions.

Regarding your secondary problems:

As documented, OnAccess scanning will not prevent access or write attempts
if OnAccessMountPath is enabled. This is to prevent users from accidentally
locking up their systems via a fanotify-induced deadlock.

The CPU resource utilization when watching the entire filesystem is
expected, due to the constant system-wide access events which must be
queued and processed individually. Unfortunately, delaying or throttling
event handling in this case would quickly overflow the fanotify event
queue. You might consider being more selective with your watchpoints to
reduce unwanted noise and free up CPU cycles.

- Mickey
ScanOnAccess yes
OnAccessMountPath /
OnAccessExcludeUID 0
OnAccessPrevention yes
the user is root.
I guess there's a bug then?
________________________________________
Sent: 05 May 2016 11:07
Subject: Re: [clamav-users] ScanOnAccess issue when clamd launched from systemd
Not sure if it's related, but when I launch clamd *without* systemd and
- clamd does not prevent access, despite having the option enabled
Win.Trojan.cve_2011_2657-1(30e2f8e333f1624bb5ab66bed16eb110:274398) FOUND
Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
Looks like it is also scanning temporary files created during
the scanning. Could you set OnAccessExcludeUID to the clamd user id?
--
Virgo Pärna
_______________________________________________
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
This communication and any attachments contain information which is
confidential and may be subject to legal privilege. It is for intended
recipients only. If you are not the intended recipient you must not copy,
distribute, publish, rely on or otherwise use it without our consent. Some
of our communications may contain confidential information which it could
be a criminal offence for you to disclose or use without authority. If you
immediately and delete the email from your computer. Further information on
the classification and handling of FCA information can be found on the FCA
website (http://www.fca.org.uk/site-info/legal/fca-classified-information
).
The FCA (or, if this email originates from the PSR, the FCA on behalf of
the PSR/the PSR) reserves the right to monitor all email communications for
compliance with legal, regulatory and professional standards.
This email is not intended to nor should it be taken to create any legal
relations or contractual relationships. This email has originated from the
Financial Conduct Authority (FCA), or the Payment Systems Regulator (PSR).
The Financial Conduct Authority (FCA) is registered as a limited company
in England and Wales No. 1920623. Registered office: 25 The North
Colonnade, Canary Wharf, London E14 5HS, United Kingdom
The Payment Systems Regulator (PSR) is registered as a limited company in
England and Wales No. 8970864. Registered office: 25 The North Colonnade,
Canary Wharf, London E14 5HS, United Kingdom
Switchboard 020 7066 1000
Web Site http://www.fca.org.uk (FCA); http://www.psr.org.uk (PSR)
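An added configuration check (not ClamAV's code, nor anything the list posters wrote) that applies the two points raised in the thread to a clamd.conf: prevention is ignored in OnAccessMountPath mode, and the clamd account's own UID should be in OnAccessExcludeUID so clamd does not re-scan the temporary files it creates while scanning. It assumes clamd switches to the account named by the `User` directive at start-up (so a unit launched as root may still run as a different UID), and the config fragment and the UID map are constructed for the example.

```python
"""Check clamd.conf on-access settings for the misconfigurations discussed above."""
import pwd

# Constructed clamd.conf fragment mirroring the settings posted in the thread,
# with a 'User' directive that a packaged clamd.conf commonly carries.
SAMPLE_CONF = """\
# constructed sample, not a real deployment
User clamav
ScanOnAccess yes
OnAccessMountPath /
OnAccessExcludeUID 0
OnAccessPrevention yes
"""

def parse_clamd_conf(text):
    """Return {directive: [values...]}; repeated directives accumulate."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key, []).append(value.strip())
    return conf

def system_uid(name):
    """Default resolver: look the account up in the local passwd database."""
    return pwd.getpwnam(name).pw_uid

def check_on_access(conf, resolve_uid=system_uid):
    """List on-access findings for a parsed clamd.conf (empty list = nothing to flag)."""
    findings = []
    if conf.get("ScanOnAccess", ["no"])[-1].lower() not in ("yes", "true"):
        return findings
    if "OnAccessMountPath" in conf and \
       conf.get("OnAccessPrevention", ["no"])[-1].lower() in ("yes", "true"):
        findings.append("OnAccessPrevention has no effect with OnAccessMountPath")
    # Assumption: clamd runs as the 'User' account, so that UID (not the
    # launcher's) is the one creating temp files under /tmp during a scan.
    user = conf.get("User", ["root"])[-1]
    uid = resolve_uid(user)
    excluded = {int(v) for v in conf.get("OnAccessExcludeUID", [])}
    if uid not in excluded:
        findings.append(f"clamd runs as '{user}' (uid {uid}) but OnAccessExcludeUID "
                        f"lists {sorted(excluded) or 'nothing'}; its own temp files get scanned")
    return findings

if __name__ == "__main__":
    fake_ids = {"root": 0, "clamav": 989}   # constructed, avoids needing a clamav account
    for finding in check_on_access(parse_clamd_conf(SAMPLE_CONF), fake_ids.__getitem__):
        print("WARNING:", finding)
```

Run it against a real `/etc/clamd.conf` with the default resolver to see which of the two conditions applies to a given host.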
Mikko Caldara
2016-05-06 09:07:54 UTC
Permalink
Disabling SELinux actually gets rid of the error. Unfortunately, this is not viable for us.

How do I go about debugging this further? No blocking/denied messages appear in the logs...
Has anyone got ScanOnAccess working with SELinux enabled?

Thanks

Mikko
