Discussion:
[clamav-users] OnAccessScan doesn't prevent Access
vamp898
2018-11-08 09:25:39 UTC
Hi there,

I am running a kernel 4.19.1 system with fanotify enabled

CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y

and I enabled OnAccessScan in clamd

OnAccessMountPath /var/www/localhost/htdocs/nextcloud/data
OnAccessMaxFileSize 50M
OnAccessPrevention yes

But it does not block the access :(

cat /var/www/localhost/htdocs/nextcloud/data/administrator/files/eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

This is what the logs look like when I do this

Thu Nov 8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
Thu Nov 8 10:13:51 2018 -> ScanOnAccess: Protecting '/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
Thu Nov 8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
Thu Nov 8 10:15:09 2018 -> ScanOnAccess: /var/www/localhost/htdocs/nextcloud-14.0.3/data/administrator/files/eicar.com: Eicar-Test-Signature FOUND

Any help highly appreciated =)
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Andreas Schulze
2018-11-08 09:39:22 UTC
Post by vamp898
This is what the logs look like when I do this
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Protecting '/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
Thu Nov  8 10:15:09 2018 -> ScanOnAccess: /var/www/localhost/htdocs/nextcloud-14.0.3/data/administrator/files/eicar.com: Eicar-Test-Signature FOUND
Any help highly appreciated =)
looks like a bug: https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155

the second condition should not be negated, in my opinion.
--
A. Schulze
DATEV eG
vamp898
2018-11-08 10:37:12 UTC
Post by Andreas Schulze
Post by vamp898
This is what the logs look like when I do this
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Protecting
'/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
Eicar-Test-Signature FOUND
Any help highly appreciated =)
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155
the second condition should not be negated, in my opinion.
Dear Mr. Schulze,

thank you for your email.

Eeeyup, looks like a bug to me too. Maybe someone had one too many beers
writing that part of the code :P

Am I supposed to open the bug report, or would/could you do that? (I don't
have an account or anything.)

If not, please feel free to tell me and I will register myself there.



Best Regards

Former Avira Employee who exclusively supported DATEV back then when
they had Webgate :P
vamp898
2018-11-08 10:54:38 UTC
Post by vamp898
Post by Andreas Schulze
Post by vamp898
This is what the logs look like when I do this
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Protecting
'/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
Eicar-Test-Signature FOUND
Any help highly appreciated =)
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155
the second condition should not be negated, in my opinion.
Dear Mr. Schulze,
thank you for your email.
Eeeyup, looks like a bug to me too. Maybe someone had one too many
beers writing that part of the code :P
Am I supposed to open the bug report, or would/could you do that? (I
don't have an account or anything.)
If not, please feel free to tell me and I will register myself there.
Best Regards
Former Avira Employee who exclusively supported DATEV back then when
they had Webgate :P
For reference, I also tested the following

OnAccessMaxFileSize 50M
OnAccessIncludePath /var/www/localhost/htdocs/nextcloud/data
OnAccessDisableDDD yes
OnAccessPrevention yes

And the log looks different

Thu Nov 8 11:52:27 2018 -> ScanOnAccess: preventing access attempts on malicious files.
Thu Nov 8 11:52:27 2018 -> ScanOnAccess: Protecting directory '/var/www/localhost/htdocs/nextcloud/data'
Thu Nov 8 11:52:27 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes

but there is still full access to this file, and it no longer gets detected
at all.
vamp898
2018-11-08 11:08:52 UTC
Post by vamp898
Post by vamp898
Post by Andreas Schulze
Post by vamp898
This is what the logs look like when I do this
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Protecting
'/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
Eicar-Test-Signature FOUND
Any help highly appreciated =)
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155
the second condition should not be negated, in my opinion.
Dear Mr. Schulze,
thank you for your email.
Eeeyup, looks like a bug to me too. Maybe someone had one too many
beers writing that part of the code :P
Am I supposed to open the bug report, or would/could you do that? (I
don't have an account or anything.)
If not, please feel free to tell me and I will register myself there.
Best Regards
Former Avira Employee who exclusively supported DATEV back then when
they had Webgate :P
For reference, I also tested the following
OnAccessMaxFileSize 50M
OnAccessIncludePath /var/www/localhost/htdocs/nextcloud/data
OnAccessDisableDDD yes
OnAccessPrevention yes
And the log looks different
Thu Nov 8 11:52:27 2018 -> ScanOnAccess: preventing access attempts
on malicious files.
Thu Nov 8 11:52:27 2018 -> ScanOnAccess: Protecting directory
'/var/www/localhost/htdocs/nextcloud/data'
Thu Nov 8 11:52:27 2018 -> ScanOnAccess: Max file size limited to
52428800 bytes
but there is still full access to this file, and it no longer gets detected
at all.
Of course, because
Post by vamp898
OnAccessDisableDDD yes
has to be no.

So that "if" looks intentional; it looks like it really is supposed to
deactivate the blocking if OnAccessMountPath is used (it also says so in
the comment of the config file).

At least I now managed to get this far

Thu Nov 8 11:55:53 2018 -> ScanOnAccess: preventing access attempts on malicious files.
Thu Nov 8 11:55:53 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
Thu Nov 8 11:55:53 2018 -> ScanOnAccess: Protecting directory '/var/www/localhost/htdocs/nextcloud/data' (and all sub-directories)
Thu Nov 8 11:55:53 2018 -> ERROR: ScanOnAccess: Could not watch path '/var/www/localhost/htdocs/nextcloud/data', No space left on device

After adjusting the current limits of inotify
fs.inotify.max_queued_events
fs.inotify.max_user_instances
fs.inotify.max_user_watches
user.max_inotify_instances
user.max_inotify_watches

this was also solved. So OnAccessScan WORKSFORME now =)
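The "No space left on device" error in the post above is what inotify_add_watch returns (ENOSPC) once the per-user watch budget is used up, which is why raising the sysctls listed there fixed it. The following shell script is an added example of my own, not ClamAV project code: it counts the directories clamd's DDD system has to watch under an OnAccessIncludePath (the path itself plus every sub-directory), compares that number with fs.inotify.max_user_watches read from /proc, and prints the inotify sysctls named above. The function names, the 8192 fallback used when /proc is not readable, and the "double the count" suggestion are my assumptions.

```shell
#!/bin/sh
# Added example (not from the ClamAV project): check whether the inotify
# watch budget covers a tree that clamd's OnAccessIncludePath (with DDD
# enabled) watches recursively, and print the sysctls to raise if not.

# Directories clamd's DDD system needs to watch: the path itself plus
# every sub-directory below it.
count_watch_dirs() {
    find "$1" -type d 2>/dev/null | wc -l | tr -d ' '
}

# Read a sysctl from /proc/sys; fall back to the given default when it
# is not readable (e.g. on a non-Linux host). Assumed default: 8192.
read_sysctl() {
    if [ -r "/proc/sys/$1" ]; then cat "/proc/sys/$1"; else echo "$2"; fi
}

# Exit 0 when max_user_watches covers the tree, 1 when it does not.
# The optional second argument overrides the limit (for testing).
watches_fit() {
    need=$(count_watch_dirs "$1")
    limit=${2:-$(read_sysctl fs/inotify/max_user_watches 8192)}
    [ "$need" -le "$limit" ]
}

main() {
    path=$1
    need=$(count_watch_dirs "$path")
    echo "directories under $path: $need"
    # The five limits the post above adjusted.
    for key in fs/inotify/max_queued_events fs/inotify/max_user_instances \
               fs/inotify/max_user_watches user/max_inotify_instances \
               user/max_inotify_watches; do
        echo "$(echo "$key" | tr / .) = $(read_sysctl "$key" '?')"
    done
    if watches_fit "$path"; then
        echo "OK: fs.inotify.max_user_watches covers the tree"
    else
        echo "FAIL: clamd will hit ENOSPC (No space left on device); raise the limit, e.g."
        echo "  sysctl -w fs.inotify.max_user_watches=$((need * 2))"
    fi
}

# Usage: sh inotify-budget.sh /var/www/localhost/htdocs/nextcloud/data
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as the same user clamd runs as, since user.max_inotify_watches is a per-user limit; the count is a lower bound, because clamd also needs watches for directories created later under the include path.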
Micah Snyder (micasnyd)
2018-11-08 16:12:13 UTC
The negation is intentional, though perhaps it should print a warning.

From the documentation here: https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/docs/UserManual/Usage.md#On-access-Scanning

Watch your entire filesystem only using the clamd.conf OnAccessMountPath option. While this will disable on-access prevention, it will avoid potential system lockups caused by fanotify’s blocking functionality.

To use OnAccessPrevention, you'll need to use OnAccessIncludePath instead of OnAccessMountPath.

Regards,
Micah



On Nov 8, 2018, at 4:39 AM, Andreas Schulze <***@datev.de> wrote:

Am 08.11.18 um 10:25 schrieb vamp898:
This is how the logs looks like when i do this

Thu Nov 8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
Thu Nov 8 10:13:51 2018 -> ScanOnAccess: Protecting '/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
Thu Nov 8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 bytes
Thu Nov 8 10:15:09 2018 -> ScanOnAccess: /var/www/localhost/htdocs/nextcloud-14.0.3/data/administrator/files/eicar.com: Eicar-Test-Signature FOUND

Any help highly appriciated =)

looks like a bug: https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155

the second condition should not be negated for my feeling.
--
A. Schulze
DATEV eG
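The rule Micah states above (OnAccessPrevention only takes effect together with OnAccessIncludePath; OnAccessMountPath is notify-only, and clamd says so only in its "notifying only for access attempts" log line) is easy to check before restarting the daemon. The script below is an added example of my own, not ClamAV code: conf_get reads an option from clamd.conf and onaccess_mode classifies the resulting on-access behaviour. The two embedded configs are constructed from the thread, the first being the original non-blocking one and the second the corrected one with OnAccessIncludePath and OnAccessDisableDDD no. It assumes ScanOnAccess yes is the option that enables the feature in this clamd version.

```shell
#!/bin/sh
# Added example (not ClamAV project code): classify what a clamd.conf
# OnAccess section will actually do, following the rule from the thread:
# OnAccessMountPath => notification only, even with OnAccessPrevention yes;
# OnAccessIncludePath + OnAccessPrevention yes => access is blocked.

# Print the value of a clamd.conf option (last occurrence wins), or
# nothing if it is unset. Comment lines start with '#' and never match.
conf_get() {
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

# Print one of: off, notify-only, prevent, unconfigured.
onaccess_mode() {
    conf=$1
    [ "$(conf_get "$conf" ScanOnAccess)" = yes ] || { echo off; return; }
    mount=$(conf_get "$conf" OnAccessMountPath)
    include=$(conf_get "$conf" OnAccessIncludePath)
    prevent=$(conf_get "$conf" OnAccessPrevention)
    if [ -n "$mount" ]; then
        # Any mount path disables prevention for the whole on-access setup.
        echo notify-only
    elif [ -n "$include" ] && [ "$prevent" = yes ]; then
        echo prevent
    elif [ -n "$include" ]; then
        echo notify-only
    else
        echo unconfigured
    fi
}

# Constructed sample: the thread's first config (does not block access).
sample_mountpath_conf() {
    cat <<'EOF'
ScanOnAccess yes
OnAccessMountPath /var/www/localhost/htdocs/nextcloud/data
OnAccessMaxFileSize 50M
OnAccessPrevention yes
EOF
}

# Constructed sample: the corrected config (blocks access, DDD enabled so
# sub-directories are watched too).
sample_includepath_conf() {
    cat <<'EOF'
ScanOnAccess yes
OnAccessIncludePath /var/www/localhost/htdocs/nextcloud/data
OnAccessMaxFileSize 50M
OnAccessPrevention yes
OnAccessDisableDDD no
EOF
}

# Usage: sh onaccess-mode.sh /etc/clamav/clamd.conf
if [ "$#" -gt 0 ]; then onaccess_mode "$1"; fi
```

With no argument the script only defines the functions; pass a clamd.conf path to classify it. A result of notify-only with OnAccessPrevention yes is the misconfiguration from the first post: detections are logged ("Eicar-Test-Signature FOUND") but cat still returns the file.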