Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

VirusEvent does not trigger #1062

Open spiarh opened 1 year ago

spiarh commented 1 year ago

Describe the bug

Hi *, I've been scratching my head for a few hours trying to make VirusEvent work, without success: it seems the command is never executed even though a file is actually detected. I haven't seen anything helpful in the logs.

I've also tried to run as root with the same results.

How to reproduce the problem

Config:

# clamconf -n
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
LogTime = "yes"
LogVerbose = "yes"
ExtendedDetectionInfo = "yes"
TemporaryDirectory = "/tmp"
LocalSocket = "/var/run/clamav/clamd.ctl"
ExcludePath = "/root/quarantine"
SelfCheck = "1800"
VirusEvent = "/usr/bin/touch /tmp/TOTO"
Foreground = "yes"
Debug = "yes"
User = "clamav"
MaxFileSize = "104857600"
OnAccessIncludePath = "/home/vagrant/Documents", "/home/vagrant/Downloads"
OnAccessExcludeRootUID = "yes"
OnAccessExcludeUname = "clamav"
OnAccessPrevention = "yes"
OnAccessMaxThreads = "7"

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
Checks = "24"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.9
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON 

Database information
--------------------
Database directory: /var/lib/clamav
daily.cld: version 27066, sigs: 2044052, built on Thu Oct 19 09:45:47 2023
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
bytecode.cvd: version 334, sigs: 91, built on Wed Feb 22 22:33:21 2023
Total number of signatures: 8691570

Platform information
--------------------
uname: Linux 6.2.0-34-generic #34~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 13:12:03 UTC 2 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
Full OS version: Ubuntu 22.04.3 LTS
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a21818108000000000b0400

Build information
-----------------
GNU C: 11.4.0 (11.4.0)
CPPFLAGS: -Wdate-time -D_FORTIFY_SOURCE=2
CFLAGS: -g -O2 -ffile-prefix-map=/build/clamav-N4N4RG/clamav-0.103.9+dfsg=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -g -O2 -ffile-prefix-map=/build/clamav-N4N4RG/clamav-0.103.9+dfsg=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64
LDFLAGS: -Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-N4N4RG/clamav-0.103.9+dfsg=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-N4N4RG/clamav-0.103.9+dfsg=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--with-dbdir=/var/lib/clamav' '--sysconfdir=/etc/clamav' '--disable-clamav' '--disable-unrar' '--enable-milter' '--enable-dns-fix' '--with-libjson' '--with-system-libmspack' '--with-libcurl=/usr' '--with-gnu-ld' '--with-systemdsystemunitdir=/lib/systemd/system' 'build_alias=x86_64-linux-gnu' 'OBJCFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-N4N4RG/clamav-0.103.9+dfsg=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security'
sizeof(void*) = 8
Engine flevel: 129, dconf: 129

When scanning with clamdscan, the eicar file is correctly detected but the VirusEvent /usr/bin/touch /tmp/TOTO is never triggered. I originally tried with a script that has the right permission 0755 and the script was also not executed.

$ clamdscan -v  --fdpass eicar.com
/home/vagrant/eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.004 sec (0 m 0 s)
Start Date: 2023:10:19 19:39:27
End Date:   2023:10:19 19:39:27

This is the output in the logs.

vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $Received POLLIN|POLLHUP on fd 3
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $Got new connection, FD 8
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $Received POLLIN|POLLHUP on fd 4
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $fds_poll_recv: timeout after 30 seconds
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $Received POLLIN|POLLHUP on fd 8
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $got command FILDES (7, 11), argument:
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $RECVTH: mode -> MODE_WAITANCILL
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $Moved partial command: 8
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $fds_poll_recv: timeout after 30 seconds
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $Received POLLIN|POLLHUP on fd 8
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $Receveived a file descriptor: 9
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $mode -> MODE_COMMAND
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $got command FILDES (7, 11), argument:
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $RECVTH: FILDES command complete
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $mode -> MODE_WAITREPLY
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $Breaking command loop, mode is no longer MODE_COMMAND
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $Consumed entire command
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $Number of file descriptors polled: 1 fds
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $fds_poll_recv: timeout after 1800 seconds
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $THRMGR: queue (single) crossed low threshold -> signaling
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $THRMGR: queue (bulk) crossed low threshold -> signaling
vm-test clamd[9114]: LibClamAV debug: cli_get_filepath_from_filedesc: File path for fd [9] is: /home/vagrant/eicar.com
vm-test clamd[9114]: LibClamAV debug: Recognized ASCII text
vm-test clamd[9114]: LibClamAV debug: cache_check: 44d88612fea8a8f36de82e1278abb02f is negative
vm-test clamd[9114]: LibClamAV debug: matcher_run: performing regex matching on full map: 0+68(68) >= 68
vm-test clamd[9114]: LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1  # Name: eicar.com, Type: CL_TYPE_TEXT_ASCII
vm-test clamd[9114]: LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
vm-test clamd[9114]: LibClamAV debug: Win.Test.EICAR_HDB-1 found
vm-test clamd[9114]: LibClamAV debug: cli_magic_scan_desc: returning 1  at line 4725
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> /home/vagrant/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $Closed fd 9
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $Finished scanthread
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $Scanthread: connection shut down (FD 8)
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $THRMGR: queue (single) crossed low threshold -> signaling
vm-test clamd[9114]: Thu Oct 19 19:39:27 2023 -> $THRMGR: queue (bulk) crossed low threshold -> signaling

Any idea where I should look? Thanks!

squalou commented 1 year ago

Hi, I came to the same result 2 hours ago and was about to open an issue here.

I found this since:

https://gist.github.com/johnfedoruk/19820540dc096380784c8cf0b7ef333b

with an interesting part

No matter what I did, I could not get the clamd.conf VirusEvent directive to work.

Reading the source, it becomes clear that the issue is with line 83 of the code as of version v0.100 (and removed completely in the latest stable versions)

/* TODO : FIXME? virusaction forks. This could be extraordinarily problematic, lead to deadlocks,
* or at the very least lead to extreme memory consumption. Leaving disabled for now.*/
//virusaction(fname, virname, tharg->opts);

It would be great if we could have an official statement about this.

I'm thinking about a dirty workaround: monitoring the log file.

Consider this script: /etc/clamav/clamonacc-log-notifier.sh (make it chmod +x)

#!/bin/bash
# Read clamonacc log lines on stdin; for every "<path>: <signature> FOUND"
# line, export the variables clamd would set for VirusEvent and run the handler.
while IFS= read -r LINE; do
    if [[ $LINE == *"FOUND"* ]]; then
        # the path is everything before the last ": ", the signature follows it
        export CLAM_VIRUSEVENT_FILENAME="${LINE%: *}"
        SIG="${LINE##*: }"
        export CLAM_VIRUSEVENT_VIRUSNAME="${SIG% FOUND}"
        /etc/clamav/virus-event.bash
    fi
done

and create a small service somehow that runs this

then this script: /etc/clamav/clamonacc-log-monitor.sh (make it chmod +x)

#!/bin/bash
tail -F -n 0  /var/log/clamav/clamonacc.log | /etc/clamav/clamonacc-log-notifier.sh

-F takes care of log rotation; -n 0 avoids spam from history.

Now a service file /etc/systemd/system/clamav-clamonacc-notifier.service

[Unit]
Description=ClamAV On-Access Notifier
Requires=clamav-clamonacc.service
After=clamav-daemon.service syslog.target network.target

[Service]
Type=simple
User=root
ExecStart=/etc/clamav/clamonacc-log-monitor.sh
Restart=always

[Install]
WantedBy=multi-user.target

then

systemctl daemon-reload
systemctl enable clamav-clamonacc-notifier.service
systemctl start clamav-clamonacc-notifier.service

and for reference

/etc/clamav/virus-event.bash

#!/bin/bash
PATH=/usr/bin
ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"
# Send an alert to all graphical users.
for ADDRESS in /run/user/*; do
    USERID=${ADDRESS#/run/user/}
    /usr/bin/sudo -u "#$USERID" DBUS_SESSION_BUS_ADDRESS="unix:path=$ADDRESS/bus" PATH=${PATH} \
        /usr/bin/notify-send -i dialog-warning "Virus found!" "$ALERT"
done

Seems to work.

Not nice but works.

On the other hand I discovered /etc/clamav/virusevent.d so I wonder if something's cooking in the future, official guidance would be great.
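As an added example (not code from this thread or from the ClamAV project), here is a parser for the "FOUND" lines that clamd and clamonacc write, covering both shapes shown in this thread: the plain clamonacc line and the clamd line decorated by LogTime and ExtendedDetectionInfo. It exports the same CLAM_VIRUSEVENT_* variables clamd sets for a VirusEvent handler, so a log-tailing workaround hands the handler the same values; the function names and the service entry point are assumptions, and the handler and log paths are taken from the workaround above.

```shell
#!/bin/bash
# Added example, not code from the issue or from ClamAV. Parses the "FOUND"
# lines that clamd / clamonacc write, in the two shapes seen in this thread:
#   /home/micah/tmp/eicar.com.txt: Eicar-Signature FOUND
#   Thu Oct 19 19:39:27 2023 -> /home/vagrant/eicar.com: Win.Test.EICAR_HDB-1(44d8...:68) FOUND
# and exports the same two variables clamd sets for a VirusEvent handler.

# parse_found_line LINE
# On a detection line, sets and exports CLAM_VIRUSEVENT_FILENAME and
# CLAM_VIRUSEVENT_VIRUSNAME and returns 0; on any other line returns 1.
parse_found_line() {
    line=$1
    case "$line" in
        *" FOUND") ;;
        *) return 1 ;;
    esac
    rest=${line% FOUND}
    # drop the "<timestamp> -> " prefix clamd writes when LogTime is on
    case "$rest" in
        *" -> "*) rest=${rest#* -> } ;;
    esac
    # the signature follows the LAST ": ", so paths containing ": " still work
    CLAM_VIRUSEVENT_FILENAME=${rest%: *}
    CLAM_VIRUSEVENT_VIRUSNAME=${rest##*: }
    # ExtendedDetectionInfo appends "(md5:size)" to the signature name
    CLAM_VIRUSEVENT_VIRUSNAME=${CLAM_VIRUSEVENT_VIRUSNAME%%\(*}
    export CLAM_VIRUSEVENT_FILENAME CLAM_VIRUSEVENT_VIRUSNAME
    return 0
}

# notify_from_log HANDLER
# Reads log lines on stdin and runs HANDLER once per detection line, with
# the CLAM_VIRUSEVENT_* variables exported as clamd would do for VirusEvent.
notify_from_log() {
    handler=$1
    while IFS= read -r line; do
        parse_found_line "$line" || continue
        "$handler"
    done
}

# Service entry point (assumed invocation): follow the log across rotations,
# starting from its end so old detections are not replayed. Example:
#   clam-log-notify.sh /var/log/clamav/clamonacc.log /etc/clamav/virus-event.bash
if [ "$#" -eq 2 ]; then
    tail -F -n 0 "$1" | notify_from_log "$2"
fi
```

Compared with the cut-based script above, the path is split at the last ": " and the timestamp and hash decorations are stripped, so the handler sees the same values a real VirusEvent would.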

spiarh commented 1 year ago

I wonder how I missed that, I was using this gist for my testing :sweat_smile:

I'll go down this road as well, but by looking at the logs in the systemd journal. I'll share back my solution.

micahsnyder commented 1 year ago

VirusEvent absolutely should work on non-Windows platforms.

Reading the source, it becomes clear that the issue is with line 83 of the code as of version v0.100 (and removed completely in the latest stable versions)

/* TODO : FIXME? virusaction forks. This could be extraordinarily problematic, lead to deadlocks,
* or at the very least lead to extreme memory consumption. Leaving disabled for now.*/
//virusaction(fname, virname, tharg->opts);

It would be great if we could have an official statement about this.

In ClamAV 0.101 and prior, the on-access scanner features were a part of ClamD. If my memory is correct, this is the reason for the statement about virusaction being problematic. In ClamAV 0.102 we migrated the on-access feature out into the separate clamonacc program to get away from those and other bugs, and so that people never have to run clamd as root (which is a terrible idea since clamd processes untrusted user input with C code).

So this remark about //virusaction has to do with on-access features not supporting the VirusEvent back in the day. It should work with clamd today.

Tangent: By the way you may often still start clamd as root, but have it set up to drop privileges on startup and run as a "clamav" service account (low privilege user account).

To confirm that it works, I just did this test using the touch test you attempted.

❯ clamconf -n
Checking configuration files in /usr/local/etc

Config file: clamd.conf
-----------------------
LogFile = "/tmp/clamd.log"
LogClean = "yes"
DatabaseDirectory = "/var/lib/clamav"
LocalSocket = "/tmp/clamd.sock"
VirusEvent = "/usr/bin/touch /tmp/hello.txt"
User = "clamav"
OnAccessIncludePath = "/home/micah/tmpe", "/home/micah/tmp"
OnAccessExcludeUname = "clamav"
OnAccessPrevention = "yes"

freshclam.conf not found

clamav-milter.conf not found
...

I started clamd like this in another tab, with -F so I could easily see the log:

❯ clamd -F
Limits: Global time limit set to 120000 milliseconds.
Limits: Global size limit set to 419430400 bytes.
Limits: File size limit set to 104857600 bytes.
Limits: Recursion level limit set to 17.
Limits: Files limit set to 10000.
Limits: MaxEmbeddedPE limit set to 41943040 bytes.
Limits: MaxHTMLNormalize limit set to 41943040 bytes.
Limits: MaxHTMLNoTags limit set to 8388608 bytes.
Limits: MaxScriptNormalize limit set to 20971520 bytes.
Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Limits: MaxPartitions limit set to 50.
Limits: MaxIconsPE limit set to 100.
Limits: MaxRecHWP3 limit set to 16.
Limits: PCREMatchLimit limit set to 100000.
Limits: PCRERecMatchLimit limit set to 2000.
Limits: PCREMaxFileSize limit set to 104857600.
Archive support enabled.
AlertExceedsMax heuristic detection disabled.
Heuristic alerts enabled.
Portable Executable support enabled.
ELF support enabled.
Mail files support enabled.
OLE2 support enabled.
PDF support enabled.
SWF support enabled.
HTML support enabled.
XMLDOCS support enabled.
HWP3 support enabled.
Self checking every 600 seconds.

Then in another window I ran this:

❯ ls /tmp/hello*
fish: No matches for wildcard '/tmp/hello*'. See `help expand`.
ls /tmp/hello*
   ^

~
❯ clamdscan ~/eicar.com.txt
/home/micah/eicar.com.txt: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.016 sec (0 m 0 s)
Start Date: 2023:10:20 11:57:01
End Date:   2023:10:20 11:57:01

~
❯ ls /tmp/hello*
/tmp/hello.txt

So that worked.

I wonder if on your system each user has a private /tmp directory. If so, that may explain why you're not seeing the file created by clamd.

squalou commented 1 year ago

Hi, thank you for the explanation, and I confirm: using clamscan -> VirusEvent is triggered just fine in my case.

The issue is with clamonacc only, which is problematic for something running in the background.

micahsnyder commented 1 year ago

VirusEvent is a clamd feature. It should not matter if you're using clamonacc or clamdscan.

To demonstrate, I started clamd and clamonacc with the same configuration as above, except that I started them both as root. Note that clamonacc runs as root, and clamd is dropping to run as the "clamav" user. My configuration has clamonacc ignore activity performed by the "clamav" user so that we don't get into an infinite loop.

Here's clamd starting up:

root@DESKTOP-N3L21K2 /h/micah# clamd -F
Limits: Global time limit set to 120000 milliseconds.
Limits: Global size limit set to 419430400 bytes.
Limits: File size limit set to 104857600 bytes.
Limits: Recursion level limit set to 17.
Limits: Files limit set to 10000.
Limits: MaxEmbeddedPE limit set to 41943040 bytes.
Limits: MaxHTMLNormalize limit set to 41943040 bytes.
Limits: MaxHTMLNoTags limit set to 8388608 bytes.
Limits: MaxScriptNormalize limit set to 20971520 bytes.
Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Limits: MaxPartitions limit set to 50.
Limits: MaxIconsPE limit set to 100.
Limits: MaxRecHWP3 limit set to 16.
Limits: PCREMatchLimit limit set to 100000.
Limits: PCRERecMatchLimit limit set to 2000.
Limits: PCREMaxFileSize limit set to 104857600.
Archive support enabled.
AlertExceedsMax heuristic detection disabled.
Heuristic alerts enabled.
Portable Executable support enabled.
ELF support enabled.
Mail files support enabled.
OLE2 support enabled.
PDF support enabled.
SWF support enabled.
HTML support enabled.
XMLDOCS support enabled.
HWP3 support enabled.
Self checking every 600 seconds.

Here's clamonacc starting up:

root@DESKTOP-N3L21K2 /h/micah# clamonacc -F --verbose

ClamClient: client setup for continuous scanning
Clamonacc: daemon is local
ClamFanotif: kernel-level blocking feature enabled ... preventing malicious files access attempts
ClamFanotif: max file size limited to 5242880 bytes
ClamScanQueue: initializing event queue consumer ... (5) threads in thread pool
Clamonacc: beginning event loops
ClamFanotif: starting fanotify event loop with process id (19599) ...
ClamInotif: starting inotify event loop ...
ClamScanQueue: waiting to consume events ...
ClamInotif: dynamically determining directory hierarchy...
ClamInotif: watching '/home/micah/tmp' (and all sub-directories)
Excluding temp directory: /tmp
ClamInotif: NVM, didn't actually need to exclude '/tmp'

Here I check if the file exists:

❯ ls -la /tmp/hello*
fish: No matches for wildcard '/tmp/hello*'. See `help expand`.
ls -la /tmp/hello*

Then I touch an eicar.com.txt file situated in the /home/micah/tmp directory that I'm monitoring with clamonacc:

❯ touch tmp/eicar.com.txt

clamonacc reports:

ClamWorker: performing scanning on file '/home/micah/tmp/eicar.com.txt'
ClamFanotif: /home/micah/tmp/eicar.com.txt skipped (excluded UID)
ClamFanotif: /home/micah/tmp/eicar.com.txt skipped (excluded UID)
/home/micah/tmp/eicar.com.txt: Eicar-Signature FOUND

and clamd reports:

/home/micah/tmp/eicar.com.txt: Eicar-Signature FOUND

I check in /tmp and find:

❯ ls -la /tmp/hello*
-rw-r--r-- 1 clamav clamav 0 Oct 20 13:44 /tmp/hello.txt

So it worked.

spiarh commented 1 year ago

No success on my side: the file is correctly detected, either with clamdscan or clamonacc, but the script or touch is never executed.

If you try to exec a script that is not executable, for example, would the logs show an error message with something like "permission denied"?

squalou commented 1 year ago

No success on my side either. I did try with a script that does not try to create a file but uses libnotify: worked fine from clamscan, not from clamonacc. Could be

micahsnyder commented 1 year ago

If you try to exec a script that is not executable, for example, would the logs show an error message with something like "permission denied"?

It really should. But no, it doesn't. I don't know why not.

alchemist18 commented 9 months ago

Hi, I am using ClamAV 0.103.11 on Ubuntu 20.04 and found that VirusEvent is correctly triggered both with clamdscan and clamonacc. Here is the clamconf -n output.

$ clamconf -n
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
PreludeAnalyzerName = "ClamAV"
LogFile = "/var/log/clamav/clamd.log"
LogTime = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
LocalSocket = "/usr/local/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
MaxConnectionQueueLength = "15"
MaxThreads = "12"
ReadTimeout = "180"
SendBufTimeout = "200"
SelfCheck = "3600"
VirusEvent = "/etc/clamav/virusevent.d/virusevent.bash"
User = "clamav"
BytecodeTimeout = "60000"
MaxScanTime = "120000"
MaxRecursion = "16"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
OnAccessIncludePath = "/home/paoloberti"
OnAccessExcludePath = "/home/paoloberti/.local", "/home/paoloberti/snap", "/home/paoloberti/.cache", "/home/paoloberti/.config"
OnAccessExcludeUname = "clamav"
OnAccessPrevention = "yes"

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
Checks = "24"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"
ConnectTimeout = "30000"
ReceiveTimeout = "300"

Config file: clamav-milter.conf
-------------------------------
LogFile = "/var/log/clamav/clamav-milter.log"
LogTime = "yes"
LogRotate = "yes"
PidFile = "/var/run/clamav/clamav-milter.pid"
TemporaryDirectory = "/tmp"
User = "clamav"
ClamdSocket = "unix:/var/run/clamav/clamd.ctl"
MilterSocket = "/var/run/clamav/clamav-milter.ctl"
MilterSocketGroup = "clamav"
MilterSocketMode = "666"
AddHeader = "Replace"
LogInfected = "Off"
LogClean = "Off"

Software settings
-----------------
Version: 0.103.11
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR 

Database information
--------------------
Database directory: /var/lib/clamav
[3rd Party] winnow_malware_links.ndb: 133 sigs
[3rd Party] doppelstern.hdb: 1 sig 
[3rd Party] bofhland_malware_attach.hdb: 1836 sigs
daily.cld: version 27190, sigs: 2053641, built on Mon Feb 19 12:24:27 2024
[3rd Party] rogue.hdb: 5886 sigs
[3rd Party] bofhland_phishing_URL.ndb: 72 sigs
[3rd Party] jurlbl.ndb: 24064 sigs
[3rd Party] bofhland_malware_URL.ndb: 4 sigs
[3rd Party] scam.ndb: 12925 sigs
[3rd Party] winnow_malware.hdb: 1 sig 
[3rd Party] sanesecurity.ftm: 185 sigs
[3rd Party] phish.ndb: 29953 sigs
main.cld: version 62, sigs: 6647427, built on Thu Sep 16 15:32:42 2021
[3rd Party] phishtank.ndb: 1 sig 
[3rd Party] spamimg.hdb: 222 sigs
bytecode.cld: version 334, sigs: 91, built on Thu Feb 23 00:33:21 2023
[3rd Party] winnow_extended_malware.hdb: 1 sig 
[3rd Party] sigwhitelist.ign2: 16 sigs
[3rd Party] porcupine.ndb: 2772 sigs
[3rd Party] blurl.ndb: 1948 sigs
[3rd Party] crdfam.clamav.hdb: 1 sig 
[3rd Party] spamattach.hdb: 14 sigs
[3rd Party] bofhland_cracked_URL.ndb: 40 sigs
[3rd Party] winnow_bad_cw.hdb: 1 sig 
[3rd Party] junk.ndb: 56515 sigs
[3rd Party] winnow.attachments.hdb: 1 sig 
Total number of signatures: 8837751

Platform information
--------------------
uname: Linux 5.4.0-171-generic #189-Ubuntu SMP Fri Jan 5 14:23:02 UTC 2024 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
Full OS version: Ubuntu 20.04.6 LTS
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a2184840800000000090400

Build information
-----------------
GNU C: 9.4.0 (9.4.0)
CPPFLAGS: -Wdate-time -D_FORTIFY_SOURCE=2
CFLAGS: -g -O2 -fdebug-prefix-map=/build/clamav-29UvHP/clamav-0.103.11+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -g -O2 -fdebug-prefix-map=/build/clamav-29UvHP/clamav-0.103.11+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64
LDFLAGS: -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-29UvHP/clamav-0.103.11+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-29UvHP/clamav-0.103.11+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--with-dbdir=/var/lib/clamav' '--sysconfdir=/etc/clamav' '--disable-clamav' '--disable-unrar' '--enable-milter' '--enable-dns-fix' '--with-libjson' '--with-system-libmspack' '--with-libcurl=/usr' '--with-gnu-ld' '--with-systemdsystemunitdir=/lib/systemd/system' 'build_alias=x86_64-linux-gnu' 'OBJCFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-29UvHP/clamav-0.103.11+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security'
sizeof(void*) = 8
Engine flevel: 132, dconf: 132

To test I used this "virusevent.bash":

#!/bin/bash
/bin/touch /home/paoloberti/touchme.txt
ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"
/usr/bin/sudo -u paoloberti DISPLAY=:0 $DBUS_SESSION_BUS_ADDRESS /usr/bin/notify-send -i dialog-warning "Virus found!" "$ALERT"

The touch command worked correctly. But the notification did not come. In /var/log/syslog I found the reason:

Feb 19 20:33:16 hp clamd[17715]: Mon Feb 19 20:33:16 2024 -> ~/home/paoloberti/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Feb 19 20:33:16 hp clamd[20840]: sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper

It looks like the trouble is executing the sudo command as user "clamav". Up to now I have not been able to solve the issue.

alchemist18 commented 8 months ago

A solution to run the sudo command as the "clamav" user: modify sudoers with visudo

$ sudo visudo

Add the line:

clamav your_host_name=(your_user) NOPASSWD:/usr/bin/notify-send

Please note that this approach is still considered risky, as any bug or vulnerability in the script (notify-send) could potentially allow users to modify the script and gain full access to the operating system. For this reason I thought it better to remove the write privileges from notify-send for all users...

micahsnyder commented 8 months ago

The purpose of the "clamav" service user account is so that clamd does not have permissions to do things like sudo. If someone manages to hack clamd, they would gain full control of your system. Considering that clamd is made to scan malware, and is written in C which, while fast, is not a memory safe language, the risk is significant.

I strongly caution against giving permission to the clamav user to use sudo. I don't have any specific recommendations for how to set up notifications that do not require sudo, however. Perhaps someone else can help.

alchemist18 commented 8 months ago

Thanks for the tip!


Schnoogemetzger commented 6 months ago

Hi,

I also have the problem with version 1.0.5. I tested it in exactly the same way as @micahsnyder did: Terminal A as root:

$ id
uid=0(root) gid=0(root) groups=0(root)

$ clamd -F
Wed Apr 24 08:31:00 2024 -> Limits: Global time limit set to 120000 milliseconds.
Wed Apr 24 08:31:00 2024 -> Limits: Global size limit set to 104857600 bytes.
Wed Apr 24 08:31:00 2024 -> Limits: File size limit set to 26214400 bytes.
Wed Apr 24 08:31:00 2024 -> Limits: Recursion level limit set to 16.
Wed Apr 24 08:31:00 2024 -> Limits: Files limit set to 10000.
Wed Apr 24 08:31:00 2024 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Wed Apr 24 08:31:00 2024 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Wed Apr 24 08:31:00 2024 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Wed Apr 24 08:31:00 2024 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Wed Apr 24 08:31:00 2024 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Wed Apr 24 08:31:00 2024 -> Limits: MaxPartitions limit set to 50.
Wed Apr 24 08:31:00 2024 -> Limits: MaxIconsPE limit set to 100.
Wed Apr 24 08:31:00 2024 -> Limits: MaxRecHWP3 limit set to 16.
Wed Apr 24 08:31:00 2024 -> Limits: PCREMatchLimit limit set to 10000.
Wed Apr 24 08:31:00 2024 -> Limits: PCRERecMatchLimit limit set to 5000.
Wed Apr 24 08:31:00 2024 -> Limits: PCREMaxFileSize limit set to 26214400.
Wed Apr 24 08:31:00 2024 -> Archive support enabled.
Wed Apr 24 08:31:00 2024 -> AlertExceedsMax heuristic detection disabled.
Wed Apr 24 08:31:00 2024 -> Heuristic alerts enabled.
Wed Apr 24 08:31:00 2024 -> Portable Executable support enabled.
Wed Apr 24 08:31:00 2024 -> ELF support enabled.
Wed Apr 24 08:31:00 2024 -> Mail files support enabled.
Wed Apr 24 08:31:00 2024 -> OLE2 support enabled.
Wed Apr 24 08:31:00 2024 -> PDF support enabled.
Wed Apr 24 08:31:00 2024 -> SWF support enabled.
Wed Apr 24 08:31:00 2024 -> HTML support enabled.
Wed Apr 24 08:31:00 2024 -> XMLDOCS support enabled.
Wed Apr 24 08:31:00 2024 -> HWP3 support enabled.
Wed Apr 24 08:31:00 2024 -> Self checking every 3600 seconds.
Wed Apr 24 08:31:59 2024 -> /tmp/eicar.com.txt: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND

Terminal B as root:

$ id
uid=0(root) gid=0(root) groups=0(root)

$ clamd --version
ClamAV 1.0.5/27254/Tue Apr 23 10:23:39 2024

$ clamconf -n | grep VirusEvent
VirusEvent = "/usr/bin/touch /root/clamhello"

$ ls -alh /root/clam*
ls: cannot access '/root/clam*': No such file or directory

$ clamdscan /tmp/eicar.com.txt 
/tmp/eicar.com.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.004 sec (0 m 0 s)
Start Date: 2024:04:24 08:31:59
End Date:   2024:04:24 08:31:59

$ ls -alh /root/clam*
ls: cannot access '/root/clam*': No such file or directory

It's not working for me. Any chance to analyze this further (debugging)?

Schnoogemetzger commented 6 months ago

Update on this: I just installed the latest release (clamav-1.3.1.linux.x86_64.deb) and it works now. So I guess this is a bug in 1.0.5 and, to be precise, I'm talking about the 1.0.5 version from Debian Testing: https://packages.debian.org/trixie/clamav

hinricht commented 1 month ago

I'm using clamav 1.3.1-1 on Manjaro and also can't get VirusEvent to work with clamonacc.