Discussion:
[clamav-users] USB key scan on access
john doe
2016-06-28 10:15:16 UTC
I'm trying to achieve the following: auto mount USB key and detect if a
user uploads or downloads a virus from it.
An additional feature I can live without: access prevention upon virus
detection.

The "OnAccessIncludePath" option in the clamd configuration file seems the way
to go. The best solution we could come up with is:
- auto-mounting key in /run/media/$USER/$KEY using udisks2
- use homemade script (based on inotifywait) to watch the /run/media for
new mounted media
- when so, add mount path to "OnAccessIncludePath" and restart clamd
service

This solution has MANY caveats, namely:
- clamd takes some time (around 10s) to start. During that time the user
can {up,down}load viruses.
- requires some kind of supervision, if either the homemade script or the
clamd service crashes, the solution does not work.
- can't specify mount options with udisks2

I've stumbled upon the clamfs project which seems promising. Any advice on
it?

Do you guys have a better way of achieving my goal?

I haven't dived into the clamd source code, but from the documentation I could
not find a way to feed the DDD (Dynamic Directory Determination) module a new
path on the fly.

Thank you for your time!
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
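A minimal sketch of the watcher approach described in the post above, added here as an example; it is not the poster's script and not part of ClamAV. The config path, service name, per-user watch directory and all function names are assumptions, and the path check is an addition: the volume label is chosen by whoever formatted the key and ends up in clamd.conf.

```shell
#!/bin/sh
# Added example (not the poster's script). Assumed, site-specific settings:
LC_ALL=C; export LC_ALL
CLAMD_CONF="${CLAMD_CONF:-/etc/clamav/clamd.conf}"
CLAMD_SERVICE="${CLAMD_SERVICE:-clamd}"
MEDIA_ROOT="${MEDIA_ROOT:-/run/media}"

# Accept only MEDIA_ROOT/<user>/<label> made of conservative characters.
# A label with a newline, space or ".." must never reach the config file.
valid_mount_path() {
    case "$1" in "$MEDIA_ROOT"/*/*) ;; *) return 1 ;; esac
    case "${1#"$MEDIA_ROOT"/}" in
        /*|*/|*//*|*/*/*|*..*|*[!A-Za-z0-9_./-]*) return 1 ;;
    esac
}

# add_onaccess_path CONF PATH
# Appends the directive once. Returns 0 if CONF changed, 1 if the path was
# refused or is already listed (so the caller can skip the restart).
add_onaccess_path() {
    valid_mount_path "$2" || return 1
    grep -qxF "OnAccessIncludePath $2" "$1" && return 1
    printf 'OnAccessIncludePath %s\n' "$2" >> "$1"
}

# watch_media USER
# udisks2 creates MEDIA_ROOT/USER/KEY and then mounts on it; wait briefly for
# the mount before touching the configuration.
watch_media() {
    inotifywait -m -e create --format '%w%f' "$MEDIA_ROOT/$1" |
    while IFS= read -r dir; do
        if ! valid_mount_path "$dir"; then
            logger -t usb-onaccess "refused a new entry under $MEDIA_ROOT/$1"
            continue
        fi
        tries=0
        until mountpoint -q "$dir" || [ "$tries" -ge 5 ]; do
            sleep 1; tries=$((tries + 1))
        done
        mountpoint -q "$dir" || continue
        # The caveat from the post still applies: files on the key are not
        # scanned on access until clamd has finished restarting.
        add_onaccess_path "$CLAMD_CONF" "$dir" && systemctl restart "$CLAMD_SERVICE"
    done
}

if [ "${1:-}" = "--watch" ]; then
    watch_media "${2:?usage: $0 --watch USER}"
fi
```

Run as `--watch USER` under a supervisor, since the post notes that a crash of the watcher silently disables the protection.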
Che
2016-06-28 23:39:44 UTC
Post by john doe
I'm trying to achieve the following: auto mount USB key and detect if a
user uploads or downloads a virus from it.
An additional feature I can live without: access prevention upon virus
detection.
The "OnAccessIncludePath" option in clamd configuration file seems the way
- auto-mounting key in /run/media/$USER/$KEY using udisks2
- use homemade script (based on inotifywait) to watch the /run/media for
new mounted media
- when so, add mount path to "OnAccessIncludePath" and restart clamd
service
- clamd takes some time (around 10s) to start. During that time the user
can {up,down}load viruses.
- requires some kind of supervision, if either the homemade script or the
clamd service crashes, the solution does not work.
- can't specify mount options with udisks2
I've stumbled upon the clamfs project which seems promising. Any advice on
it?
Do you guys have a better way of achieving my goal?
Wouldn't running these as a systemd service -- with an explicit 'path'
service written for mounting USB devices and then clamAV scanning them,
etc. -- do what you want?
Post by john doe
I haven't dived into the clamd source code, but from the documentation I could
not find a way to feed the DDD (Dynamic Directory Determination) module a new
path on the fly.
Thank you for your time!
Che
2016-06-28 23:43:49 UTC
On Tue, Jun 28, 2016 at 6:15 AM, john doe <***@gmail.com> wrote:
Post by john doe
I've stumbled upon the clamfs project which seems promising. Any advice on
it?
Do you guys have a better way of achieving my goal?
https://www.freedesktop.org/software/systemd/man/systemd.mount.html

https://www.freedesktop.org/software/systemd/man/systemd.automount.html

etc.
maiki
2016-06-30 05:45:48 UTC
Thank you for your answer. But in that case, I'll have to scan the
entire key. As it could take some time, I prefer the on-access approach.
In addition, this does not detect when a virus is copied to the key after
the initial scan.
Vladislav Kurz
2016-06-30 07:11:37 UTC
Post by maiki
Thank you for your answer. But in that case, I'll have to scan the
entire key. As it could take some time, I prefer the on-access approach.
In addition, this does not detect when a virus is copied to the key after
the initial scan.
In that case I would recommend clamfs; it is not perfect, but simple.
The main problem is that it will still allow direct (unscanned) access
to the original filesystem, so you have to be careful.
--
Regards
Vladislav Kurz
