Dear all,
I tried ScanOnAccess with CentOS 7's fanotify.
The clamd scanner daemon was running, with no error logs:
////////////////////////////////////////////
# systemctl status clamd@scan
clamd@scan.service - clamd scanner (scan) daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@.service; static)
Active: active (running) since 木 2015-06-18 13:06:26 JST; 2min 34s ago
Main PID: 6378 (clamd)
CGroup: /system.slice/system-clamd.slice/clamd@scan.service
└─6378 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --nofork=yes
6月 18 13:06:49 localhost.localdomain clamd[6378]: SWF support enabled.
6月 18 13:06:49 localhost.localdomain clamd[6378]: HTML support enabled.
6月 18 13:06:49 localhost.localdomain clamd[6378]: Self checking every 600 seconds.
6月 18 13:06:49 localhost.localdomain clamd[6378]: ScanOnAccess: Protecting directory '/'
6月 18 13:06:49 localhost.localdomain clamd[6378]: ScanOnAccess: Protecting directory '/boot'
6月 18 13:06:49 localhost.localdomain clamd[6378]: ScanOnAccess: Protecting directory '/root'
6月 18 13:06:49 localhost.localdomain clamd[6378]: ScanOnAccess: Protecting directory '/home/clamav'
6月 18 13:06:49 localhost.localdomain clamd[6378]: ScanOnAccess: Protecting directory '/tmp'
6月 18 13:06:49 localhost.localdomain clamd[6378]: ScanOnAccess: Protecting directory '/var/tmp'
6月 18 13:06:49 localhost.localdomain clamd[6378]: ScanOnAccess: Max file size limited to 5242880 bytes
////////////////////////////////////////////
I put eicar.com in /tmp and tried scanning.
////////////////////////////////////////////
# ls -lt /tmp/eicar.com
-rw-r--r-- 1 root root 68 9月 5 2006 /tmp/eicar.com
////////////////////////////////////////////
But clamdscan did not find eicar.
////////////////////////////////////////////
# clamdscan -c /etc/clamd.d/scan.conf
/tmp: OK
----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.007 sec (0 m 0 s)
////////////////////////////////////////////
So, clamscan found the same eicar.
////////////////////////////////////////////
# clamscan
/tmp/ks-script-5NZh_H: OK
/tmp/storage.log: Empty file
/tmp/program.log: Empty file
/tmp/packaging.log: Empty file
/tmp/tmpE4xhLc: Empty file
/tmp/eicar.com: Eicar-Test-Signature FOUND
/tmp/.X0-lock: OK
/tmp/.X10-lock: OK
----------- SCAN SUMMARY -----------
Known viruses: 3845554
Engine version: 0.98.7
Scanned directories: 1
Scanned files: 4
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 30.388 sec (0 m 30 s)
////////////////////////////////////////////
What is wrong?
[Environment]
# cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)
# uname -r
3.10.0-123.el7.x86_64
(SELinux was disabled)
# getenforce
Disabled
(from epel repo:
yum --enablerepo=epel install clamav clamav-server clamav-scanner clamav-milter
yum --enablerepo=epel install https://bitbucket.org/dave_theunsub/cla ... noarch.rpm)
# rpm -aq | grep clam
clamav-data-0.98.7-1.el7.noarch
clamav-update-0.98.7-1.el7.x86_64
clamav-0.98.7-1.el7.x86_64
clamav-server-0.98.7-1.el7.x86_64
clamav-scanner-0.98.7-1.el7.noarch
clamav-filesystem-0.98.7-1.el7.noarch
clamav-server-sysvinit-0.98.7-1.el7.noarch
clamav-scanner-sysvinit-0.98.7-1.el7.noarch
clamav-milter-0.98.7-1.el7.x86_64
clamav-server-systemd-0.98.7-1.el7.noarch
clamav-milter-sysvinit-0.98.7-1.el7.noarch
clamav-lib-0.98.7-1.el7.x86_64
clamtk-5.18-1.el7.noarch
(And I attached "cat /etc/clamd.d/scan.conf": cat_scan.conf.zip)
thanks,
omnix-mm
ClamAV clamdscan wasn't found eicar, but clamscan was found
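The post above compares a clamdscan run that reports "/tmp: OK" in a few milliseconds with a clamscan run that flags the same EICAR file. As an added example (not code from the post or from ClamAV), the parser below reads the output format both tools share and flags exactly that kind of disagreement; the sample outputs are constructed from the lines quoted above, not the poster's full transcripts.

```python
import re
from dataclasses import dataclass, field

# Constructed sample output, trimmed from the two runs quoted in the post.
CLAMDSCAN_OUTPUT = """\
/tmp: OK
----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.007 sec (0 m 0 s)
"""
CLAMSCAN_OUTPUT = """\
/tmp/storage.log: Empty file
/tmp/eicar.com: Eicar-Test-Signature FOUND
/tmp/.X0-lock: OK
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 30.388 sec (0 m 30 s)
"""

# Per-file verdict lines: "<path>: OK", "<path>: Empty file", "<path>: <sig> FOUND"
FILE_LINE = re.compile(r"^(?P<path>.+?): (?:OK|Empty file|(?P<sig>.+) FOUND)$")
SUMMARY_LINE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")

@dataclass
class ScanReport:
    found: dict = field(default_factory=dict)  # path -> signature name
    scanned: set = field(default_factory=set)  # every path that got a verdict
    infected: int = 0                          # "Infected files:" from the summary
    seconds: float = 0.0                       # "Time:" from the summary

def parse_scan_output(text):
    """Parse clamscan/clamdscan stdout into a ScanReport."""
    report, in_summary = ScanReport(), False
    for line in text.splitlines():
        if line.startswith("-----------"):      # "----------- SCAN SUMMARY -----------"
            in_summary = True
        elif in_summary:
            m = SUMMARY_LINE.match(line)
            if m and m.group("key") == "Infected files":
                report.infected = int(m.group("value"))
            elif m and m.group("key") == "Time":
                report.seconds = float(m.group("value").split()[0])
        elif (m := FILE_LINE.match(line)):
            report.scanned.add(m.group("path"))
            if m.group("sig"):
                report.found[m.group("path")] = m.group("sig")
    return report

def compare_runs(daemon, local):
    """Findings that indicate clamd is not actually scanning what clamscan sees."""
    findings = [f"clamd missed {p} ({local.found[p]}) that clamscan flagged"
                for p in sorted(set(local.found) - set(daemon.found))]
    if daemon.infected != local.infected:
        findings.append(f"summary mismatch: clamd {daemon.infected} vs clamscan {local.infected}")
    if daemon.scanned and daemon.scanned.isdisjoint(local.scanned):
        findings.append("clamd gave a verdict for the directory only, not for its files")
    return findings
```

Run both scanners over the same directory, feed their outputs to `parse_scan_output`, and treat any non-empty result from `compare_runs` as a daemon that needs attention before on-access protection is trusted.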
Re: ClamAV clamdscan wasn't found eicar, but clamscan was fo
I tried another environment, [Environment(2)].
So, clamdscan was able to find eicar!!
////////////////////////////////////////////
[root@062915f0d9f5 tmp]# clamdscan -c /etc/clamd.d/scan.conf
/tmp/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.012 sec (0 m 0 s)
[root@062915f0d9f5 tmp]#
////////////////////////////////////////////
The "systemctl status clamd" result this time:
////////////////////////////////////////////
# systemctl status clamd.scan
clamd.scan.service - SYSV: The clamd server running for scan
Loaded: loaded (/etc/rc.d/init.d/clamd.scan)
Active: active (running) since Sat 2015-06-20 14:01:27 UTC; 11s ago
Process: 788 ExecStop=/etc/rc.d/init.d/clamd.scan stop (code=exited, status=0/SUCCESS)
Process: 795 ExecStart=/etc/rc.d/init.d/clamd.scan start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/clamd.scan.service
└─797 clamd.scan -c /etc/clamd.d/scan.conf --pid /var/run/clamd.scan/clamd.pid
Jun 20 14:01:26 062915f0d9f5 clamd[797]: Mail files support enabled.
Jun 20 14:01:26 062915f0d9f5 clamd[797]: OLE2 support enabled.
Jun 20 14:01:26 062915f0d9f5 clamd[797]: PDF support enabled.
Jun 20 14:01:26 062915f0d9f5 clamd[797]: SWF support enabled.
Jun 20 14:01:26 062915f0d9f5 clamd[797]: HTML support enabled.
Jun 20 14:01:26 062915f0d9f5 clamd[797]: Self checking every 600 seconds.
Jun 20 14:01:26 062915f0d9f5 clamd[797]: ScanOnAccess: Protecting directory '/tmp'
Jun 20 14:01:26 062915f0d9f5 clamd[797]: ScanOnAccess: Max file size limited to 5242880 bytes
Jun 20 14:01:27 062915f0d9f5 clamd.scan[795]: [ OK ]
Jun 20 14:01:27 062915f0d9f5 systemd[1]: Started SYSV: The clamd server running for scan.
////////////////////////////////////////////
I can see the difference between the two.
* Service name difference, from "clamd@scan" to "clamd.scan".
("clamd@scan" was not found.)
* New logging message of "clamd.scan[PID]: [ OK ]"
Next step, I will reinstall or upgrade CentOS on the 1st test environment.
[Environment(2)]
# uname -r
3.16.0-41-generic
# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
(CentOS is on Docker, Host is Ubuntu 14.10)
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.10
DISTRIB_CODENAME=utopic
DISTRIB_DESCRIPTION="Ubuntu 14.10"
$ uname -r
3.16.0-41-generic
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
062915f0d9f5 centos:centos7 "/sbin/init" 36 minutes ago Up 36 minutes 0.0.0.0:80->80/tcp centos
$ docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
centos centos7 7322fbe74aa5 44 hours ago 172.2 MB
jpetazzo/nsenter latest 5b5e2a9ac1ed 4 weeks ago 368.2 MB
thanks,
Re: ClamAV clamdscan wasn't found eicar, but clamscan was fo
Thank you, all.
I did it!
I just changed from "clamd@scan" to "clamd.scan" lol
(Please mark this post as solved.)
# uname -r
3.10.0-123.el7.x86_64
# cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)
////////////////////////////////////////////
# ls -lth /usr/lib/systemd/system/clamd@.service
-rw-r--r-- 1 root root 231 4月 30 03:38 /usr/lib/systemd/system/clamd@.service
# ls -lth /etc/rc.d/init.d/clamd.scan
-rwxr-xr-x 1 root root 138 4月 30 03:46 /etc/rc.d/init.d/clamd.scan
////////////////////////////////////////////
--> Oh, different permissions on "clamd@.service" and "clamd.scan".
////////////////////////////////////////////
# systemctl stop clamd@scan
# systemctl start clamd.scan
# systemctl status clamd.scan
clamd.scan.service - SYSV: The clamd server running for scan
Loaded: loaded (/etc/rc.d/init.d/clamd.scan)
Active: active (running) since 月 2015-06-22 18:55:27 JST; 42s ago
Process: 3110 ExecStart=/etc/rc.d/init.d/clamd.scan start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/clamd.scan.service
└─3121 clamd.scan -c /etc/clamd.d/scan.conf --pid /var/run/clamd.scan/clamd.pid
6月 22 18:54:58 localhost.localdomain clamd[3121]: Self checking every 600 seconds.
6月 22 18:54:58 localhost.localdomain clamd[3121]: ScanOnAccess: Protecting directory '/'
6月 22 18:54:58 localhost.localdomain clamd[3121]: ScanOnAccess: Protecting directory '/boot'
6月 22 18:54:58 localhost.localdomain clamd[3121]: ScanOnAccess: Protecting directory '/root'
6月 22 18:54:58 localhost.localdomain clamd[3121]: ScanOnAccess: Protecting directory '/home/clamav'
6月 22 18:54:58 localhost.localdomain clamd[3121]: ScanOnAccess: Protecting directory '/tmp'
6月 22 18:54:58 localhost.localdomain clamd[3121]: ScanOnAccess: Protecting directory '/var/tmp'
6月 22 18:54:58 localhost.localdomain clamd[3121]: ScanOnAccess: Max file size limited to 5242880 bytes
6月 22 18:55:27 localhost.localdomain clamd.scan[3110]: Starting clamd.scan: [ OK ]
6月 22 18:55:27 localhost.localdomain systemd[1]: Started SYSV: The clamd server running for scan.
////////////////////////////////////////////
--> I can see "Starting clamd.scan: [ OK ]".
////////////////////////////////////////////
# ls -lth eicar.com
-rw-r--r-- 1 root root 68 9月 5 2006 eicar.com
# clamdscan -c /etc/clamd.d/scan.conf
/tmp/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 27.225 sec (0 m 27 s)
////////////////////////////////////////////
By the way, what is the difference between "clamd@.service" and "clamd.scan"?
(I posted the same question to the clamav-users ML.)
http://lists.clamav.net/pipermail/clama ... 01618.html