Describe the bug
I have adopted the /etc/clamd.conf file as mentioned below. When I access the EICAR.txt file with cat or vi, it neither stops the command nor writes any log that something was FOUND to syslog or to the LogFile /ABC/tmp/clamav/clamav.log. I am not sure if the configuration is correct for enabling the OnAccessScan. Can anyone please help here? What am I missing?
```
# Logging
LogFileUnlock yes
LogTime yes
LogVerbose yes
ExtendedDetectionInfo yes
Debug yes
LeaveTemporaryFiles yes
LogFile /ABC/tmp/clamav/clamav.log
LogSyslog yes
LogFacility LOG_LOCAL6

# clamd socket
PidFile /var/lib/clamav/clamd.pid
LocalSocket /var/lib/clamav/clamd-socket

# User for chroot
User vscan

# Activate ScanOnAccess
ScanOnAccess True

# Set the mount point to be scanned. The mount point specified, or the mount point
# containing the specified directory will be watched. If any directories are specified,
# this option will preempt the DDD system. This will notify only. It can be used multiple times.
# (On-access scan only)
# Default: disabled
OnAccessIncludePath /ABCsys
OnAccessIncludePath /ABC
OnAccessIncludePath /

# Set to Yes to deny access to infected files
OnAccessPrevention True

# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files.
# This option can be used multiple times (one per line).
# Default: disabled
OnAccessExcludeUID 0
```
How to reproduce the problem
The above configuration can be used to reproduce this issue.
```
Checking configuration files in /etc

Config file: clamd.conf
LogFile = "/ABC/tmp/clamav/clamav.log"
LogFileUnlock = "yes"
LogTime = "yes"
LogSyslog = "yes"
LogVerbose = "yes"
ExtendedDetectionInfo = "yes"
PidFile = "/var/lib/clamav/clamd.pid"
LocalSocket = "/var/lib/clamav/clamd-socket"
Debug = "yes"
LeaveTemporaryFiles = "yes"
User = "vscan"
OnAccessIncludePath = "/ABCsys", "/ABC", "/"
OnAccessExcludeUID disabled
OnAccessPrevention = "yes"
ScanOnAccess is DEPRECATED

Config file: freshclam.conf
LogSyslog = "yes"
PidFile = "/var/lib/clamav/freshclam.pid"
DatabaseMirror = "database.clamav.net"
OnUpdateExecute = "chmod 0644 /var/lib/clamav/*.cvd"

Config file: clamav-milter.conf
LogSyslog = "yes"
LogFacility = "LOG_MAIL"
PidFile = "/run/clamav/clamav-milter.pid"
User = "vscan"
ClamdSocket = "unix:/run/clamav/clamd-socket"
MilterSocket = "/run/clamav/clamav-milter-socket"

Software settings
Version: 0.103.8
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE ICONV RAR

Database information
Database directory: /var/lib/clamav
daily.cvd: version 26930, sigs: 2036603, built on Tue Jun 6 09:25:07 2023
bytecode.cvd: version 333, sigs: 92, built on Mon Mar 8 16:21:51 2021
main.cvd: version 61, sigs: 6607162, built on Thu Jul 15 04:39:10 2021
Total number of signatures: 8643857

Platform information
uname: Linux 4.12.14-122.127-default #1 SMP Sat Jul 9 14:12:26 UTC 2022 (0f9878e) x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a2181810800000000040805

Build information
GNU C: 4.8.5 (4.8.5)
CPPFLAGS:
CFLAGS: -fmessage-length=0 -grecord-gcc-switches -fstack-protector -O2 -Wall -D_FORTIFY_SOURCE=2 -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -fstack-protector -DFP_64BIT -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -fmessage-length=0 -grecord-gcc-switches -fstack-protector -O2 -Wall -D_FORTIFY_SOURCE=2 -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -fstack-protector
LDFLAGS:
Configure: '--prefix=/usr' '--libdir=/usr/lib64' '--mandir=/usr/share/man' '--sysconfdir=/etc' '--disable-clamav' '--disable-static' '--with-dbdir=/var/lib/clamav' '--with-user=vscan' '--with-group=vscan' '--enable-milter' '--enable-check' '--enable-clamdtop' '--disable-timestamps' '--disable-yara' 'CXXFLAGS=-fmessage-length=0 -grecord-gcc-switches -fstack-protector -O2 -Wall -D_FORTIFY_SOURCE=2 -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -fstack-protector' 'CFLAGS=-fmessage-length=0 -grecord-gcc-switches -fstack-protector -O2 -Wall -D_FORTIFY_SOURCE=2 -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -fstack-protector -DFP_64BIT' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience
sizeof(void*) = 8
Engine flevel: 129, dconf: 129
```
Attachments
If applicable, add screenshots to help explain your problem.
If the issue is reproducible only when scanning a specific file, attach it to the ticket.
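A small linter for the on-access directives in the clamd.conf posted above, added here as an example (it is neither the issue author's nor the ClamAV project's code). The messages restate ClamAV's documented behaviour (on-access scanning moved from clamd to the separate clamonacc daemon in 0.102, OnAccessExcludeUID exempts the listed UIDs from scanning); the severity labels and finding codes are my own.

```python
# Added example, not from the issue or ClamAV: lint the on-access options of a clamd.conf.
CLAMD_CONF = """\
LogFile /ABC/tmp/clamav/clamav.log
LogSyslog yes
User vscan
ScanOnAccess True
OnAccessIncludePath /ABCsys
OnAccessIncludePath /ABC
OnAccessIncludePath /
OnAccessPrevention True
OnAccessExcludeUID 0
"""

def parse_clamd_conf(text):
    """Map each directive to the list of values given for it (repeatable options keep all)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, _, value = line.partition(" ")
        opts.setdefault(key, []).append(value.strip())
    return opts

def lint_onaccess(opts):
    """Return (severity, code, message) findings for the on-access part of a clamd.conf."""
    findings = []
    if "ScanOnAccess" in opts:
        findings.append(("error", "scanonaccess-deprecated",
                         "clamd ignores ScanOnAccess since 0.102: on-access scanning lives in the "
                         "separate clamonacc daemon, which must be started (as root) with this config"))
    if "0" in opts.get("OnAccessExcludeUID", []):
        findings.append(("warning", "root-excluded",
                         "OnAccessExcludeUID 0 exempts root: opening the test file as root never "
                         "triggers a scan, so test as an unprivileged user"))
    scan_user = opts.get("User", [None])[-1]
    if scan_user and scan_user not in opts.get("OnAccessExcludeUname", []):
        findings.append(("warning", "scanner-not-excluded",
                         f"no OnAccessExcludeUname {scan_user}: the sample clamd.conf exempts the clamd "
                         "user so clamd's own reads during a scan do not trigger more events"))
    if "/" in opts.get("OnAccessIncludePath", []):
        findings.append(("info", "root-path-included",
                         "OnAccessIncludePath / makes inotify watch every directory on the system; "
                         "scope it to the trees that need protection"))
    return findings

if __name__ == "__main__":
    for sev, code, msg in lint_onaccess(parse_clamd_conf(CLAMD_CONF)):
        print(f"[{sev}] {code}: {msg}")
```

Run it against the real file with `python3 lint.py` after replacing CLAMD_CONF with `open("/etc/clamd.conf").read()`; an empty result means none of these four conditions applies.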