Discussion:
vscan-clamav
jens s
2013-05-16 07:40:08 UTC
Dear

I'm a trainee and 1 of my tasks is to research antivirus software programs to be used on all linux production servers.

What I don't understand quite yet is if clamav is scanning real time, I
presume it is because it has a daemon. Please correct me if I'm wrong.

I'm also researching samba-vscan, I've downloaded the package and copied
it to the samba folder. I added the following rules to the samba share:

vfs objects = vscan-clamav
vscan-clamav: config-file = /etc/samba/samba-vscan/clamav/vscan-clamav.conf

And edited the samba-vscan file to my liking. If this is done, will clamav scan the shared filesystem as well?

Friendly Regards

Jens Snyers
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Matus UHLAR - fantomas
2013-05-16 09:35:09 UTC
On 16.05.13 09:40, jens s wrote:
>I'm a trainee and 1 of my tasks is to research antivirus software programs
> to be used on all linux production servers.
>
>What I don't understand quite yet is if clamav is scanning real time, I
>presume it is because it has a daemon. Please correct me if I'm wrong.

ClamAV is running as a daemon mostly because loading the database into memory is
a CPU-expensive operation, while the daemon can do it only once (per update), which
saves the cycles.

Clamav is scanning what(ever) you ask it to scan, but it does not care
itself about what that is.

You can feed the files/filenames to clamav to scan from external programs
like mail servers, FTP servers ... (samba?).
There is also a clamuko extension which requires dazukofs that can feed
files to clamav on access.

>I'm also researching samba-vscan, I've downloaded the package and copied
> it to the samba folder I added following rules to the samba share :
>
>vfs objects = vscan-clamav
>vscan-clamav: config-file = /etc/samba/samba-vscan/clamav/vscan-clamav.conf
>
>And edited the samba-vscan file to my likings. If this is done will clamav
> scan the shared filesystem as well?

apparently - haven't tried.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
jens s
2013-05-16 12:06:48 UTC
Dear

If I do understand you I'll have to make a cronjob with clamscan command in it which will scan my whole system specifying the folders I want it to scan.

Because I've been looking into the clamd.conf file but there is no option to specify the folders it has to scan.

Thanks for your time and answers!

Friendly Regards
Jens Snyers

Rob Sterenborg (lists)
2013-05-16 13:36:20 UTC
On 16-05-13 14:06, jens s wrote:
> Dear
>
> If I do understand you I'll have to make a cronjob with clamscan
> command in it which will scan my whole system specifying the folders
> I want it to scan.

That would be clamdscan (notice the d in between) instead.

- Clamscan is the standalone command line scanner which loads the
database every time it is called.

- Clamdscan just tells clamd to scan something and what to scan. Check
'man clamscan' and 'man clamdscan' for differences between the two.
(Of course clamdscan will only work if clamd is started.)

> Because I've been looking into the clamd.conf file but there is no
> option to specify the folders it has to scan.

Which is why clamdscan is used, instead of clamscan.


--
Rob

c***@itmanx.com
2013-05-16 13:54:22 UTC
Hi,

Can you please remove me from your mailing list.

Happy AVing :)

Christian
Giles Coochey
2013-05-16 14:12:43 UTC
List-Unsubscribe: <http://lists.clamav.net/cgi-bin/mailman/options/clamav-users>,
<mailto:clamav-users-***@lists.clamav.net?subject=unsubscribe>



On 16/05/2013 14:54, ***@itmanx.com wrote:
> Hi,
>
> Can you please remove me from your mailing list.
>
> Happy AVing :)
>
> Christian

--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
***@coochey.net
Greg Folkert
2013-05-16 14:37:41 UTC
On Thu, 2013-05-16 at 15:12 +0100, Giles Coochey wrote:
> On 16/05/2013 14:54, ***@itmanx.com wrote:
> > Hi,
> >
> > Can you please remove me from your mailing list.
> >
> > Happy AVing :)
> >
> > Christian
>
> List-Unsubscribe:
> <http://lists.clamav.net/cgi-bin/mailman/options/clamav-users>
> <mailto:clamav-users-***@lists.clamav.net?subject=unsubscribe>
>

I was going to post that, but I figured it would be easier to just put
his e-mail address in the form to unsubscribe and pressed "send me a
confirmation"

So, all he has to do is properly respond back to the e-mail. Meh.
--
greg folkert - systems administration and support
web: donor.com
email: ***@donor.com
phone: 877-751-3300 x416
direct: 616-328-6449 (direct dial and fax)
"The privilege of a lifetime is being who you are."
-- Joseph Campbell

Joel Esler
2013-05-16 14:42:14 UTC
On May 16, 2013, at 10:37 AM, Greg Folkert <***@donor.com> wrote:
> On Thu, 2013-05-16 at 15:12 +0100, Giles Coochey wrote:
>> On 16/05/2013 14:54, ***@itmanx.com wrote:
>>> Hi,
>>>
>>> Can you please remove me from your mailing list.
>>>
>>> Happy AVing :)
>>>
>>> Christian
>>
>> List-Unsubscribe:
>> <http://lists.clamav.net/cgi-bin/mailman/options/clamav-users>
>> <mailto:clamav-users-***@lists.clamav.net?subject=unsubscribe>
>>
>
> I was going to post that, but I figured it would be easier to just put
> his e-mail address in the form to unsubscribe and pressed "send me a
> confirmation"
>
> So, all he has to do is properly respond back to the e-mail. Meh.

Which he did. He's gone now.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
Jerry
2013-05-16 14:24:39 UTC
On Thu, 16 May 2013 14:54:22 +0100
***@itmanx.com articulated:

> Hi,
>
> Can you please remove me from your mailing list.

Per the email headers:

List-Id: ClamAV users ML <clamav-users.lists.clamav.net>

List-Unsubscribe: <http://lists.clamav.net/cgi-bin/mailman/options/clamav-users>,
<mailto:clamav-users-***@lists.clamav.net?subject=unsubscribe>

List-Post: <mailto:clamav-***@lists.clamav.net>

List-Help: <mailto:clamav-users-***@lists.clamav.net?subject=help>

List-Subscribe: <http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users>,
<mailto:clamav-users-***@lists.clamav.net?subject=subscribe>

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________
The first marriage is the triumph of imagination over intelligence,
and the second the triumph of hope over experience.
Matus UHLAR - fantomas
2013-05-16 15:10:32 UTC
On 16.05.13 14:54, ***@itmanx.com wrote:
>Can you please remove me from your mailing list.

the list asks for confirmation when you are subscribing, and it provides the
way to unsubscribe. You should save these confirmation requests to avoid
asking people on the list to do something they can not do.

--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
Matus UHLAR - fantomas
2013-05-16 15:08:38 UTC
On 16.05.13 14:06, jens s wrote:
>If I do understand you I'll have to make a cronjob with clamscan command in
> it which will scan my whole system specifying the folders I want it to
> scan.

If you want to scan files/folders periodically, yes, you have to do it
through a cron job.

As I have told before, there are ways to tell clamd which files are to be
scanned, e.g. proftpd and samba plugins to scan files after they are put
onto filesystem.

Of course, on-access scanning can be useful too, it can catch malware not
detected (known) at the time it's put on the filesystem.

>Because I've been looking into the clamd.conf file but there is no option
> to specify the folders it has to scan.

Because clamd only scans files you ask(tell) it to, so you need something
that tells clamd to scan. Either plugins mentioned or something like
clamdscan (note the 'd', clamscan scans by itself, loads the virus DB to
memory which takes extra time).

--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
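
Added example, not part of any message in this thread: a cron wrapper for the clamdscan approach Rob and Matus describe, which keeps clamdscan's exit status so that a scan error (for example clamd not running) is never logged as a clean result. The directories, log path, script path and schedule are assumptions.

```sh
#!/bin/sh
# Added example: cron wrapper that asks an already-running clamd to scan.
# SCAN_DIRS and LOG are assumed placeholders, not values from the thread.
SCAN_DIRS="${SCAN_DIRS:-/srv/samba /home}"
LOG="${LOG:-/var/log/clamav/cron-scan.log}"

# Hand the paths to clamd via clamdscan (no database load per run).
#   --fdpass      pass open descriptors so clamd can read files its user cannot
#   --multiscan   let clamd scan the tree with several threads
#   --infected --no-summary   print only the "<file>: <signature> FOUND" lines
scan_paths() {
    clamdscan --fdpass --multiscan --infected --no-summary "$@"
}

# Map clamdscan's exit status to a verdict: 0 clean, 1 malware found,
# anything else (2) is an error such as clamd not running.
report() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "INFECTED" ;;
        *) echo "SCAN-ERROR" ;;
    esac
}

# Scan, print a timestamped verdict plus clamdscan's output, and return
# clamdscan's status so cron mail or monitoring can tell 1 from 2.
run_scan() {
    found=$(scan_paths "$@" 2>&1) && status=0 || status=$?
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(report "$status")"
    [ -z "$found" ] || printf '%s\n' "$found"
    return "$status"
}

# Hypothetical crontab entry:
#   30 2 * * * /usr/local/sbin/clamd-cron-scan.sh --run
if [ "${1:-}" = "--run" ]; then
    # SCAN_DIRS is split on whitespace on purpose (one argument per directory).
    # shellcheck disable=SC2086
    run_scan $SCAN_DIRS >>"$LOG" 2>&1
fi
```
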
G.W. Haywood
2013-05-17 11:05:14 UTC
Hi there,

On Thu, 16 May 2013, jens s wrote:

> I'm a trainee and 1 of my tasks is to research antivirus software programs
> to be used on all linux production servers.

Welcome to the treadmill. :)

If this is to protect the "linux production servers" themselves then
you might want to consider whether you're regularly going to scan the
servers for well over a million threats which don't actually exist on
Linux servers because they only affect Windows boxes.

Also look into 'inotify' and similar utilities.

--

73,
Ged.