11-08-2018, 05:34 PM
HowTo install clamav with on-access scan.
The last stable version of Clamav, clamav-0.100.2, comes with a disactivated on-access scan capability.
The only on-access ability is to block the execution of a known virus and send a message to the clamav.log.
After an installation of clamav-daemon this can be done for example by inserting the following in the clamd.conf file:
--------------------------------------------------
User root
ScanOnAccess True
OnAccessIncludePath /"a_path_of_your_choise"
OnAccessPrevention true
--------------------------------------------------
The feature "VirusEvent" of clamd.conf that would permit to trigger an executable script that could delete a virus,
move it to a quarantine or send a message to the screen or to a log file, is not working.
The reason is found in the file "onaccess_fan.c" of the source (clamav-0.100.2.tar.gz).
(see https://bbs.archlinux.org/viewtopic.php?id=237489)
After extracting the source and opening "onaccess_fan.c" with an editor you can find at the line 81:
if (scan) {
if (onas_scan(fname, fmd->fd, &virname, tharg->engine, tharg->options, extinfo) == CL_VIRUS) {
/* TODO : FIXME? virusaction forks. This could be extraordinarily problematic, lead to deadlocks,
* or at the very least lead to extreme memory consumption. Leaving disabled for now.*/
//virusaction(fname, virname, tharg->opts);
res.response = FAN_DENY;
}
"virusaction" is commented out with two slashes // [ //virusaction(fname, virname, tharg->opts); ]
As the developer advises removing the two slashes can be problematic.
Taking a risk, I uncommented it and installed clamav on a Linux Lite 2.8 distribution based on Ubuntu 14.04 trusty, using a 3.19.0-80-generic kernel and it worked for me well as like with others (see link above).
It can now move viruses to a quarantine, delete them, send a message all ON-ACCESS.
Probably in the future the bug will be fixed but when and still for free? Who can be sure.
So for those interested and accept the risk, I offer a brief step by step installation guide, without taking any responsibility if any smoke arises from your machine.
1) Uninstall completely clamav and clamav-daemon if it was previously installed.
on my debian distribution:
dpkg purge clamav clamav-daemon (I prefer using the Synaptic Package Manager because it is more detailed)
2) Download the source.
https://www.clamav.net/downloads/product...0.2.tar.gz
3) Unpack it in a directory of your choise.
$ tar -xvf clamav-0.100.2.tar.gz
4) Download and install the following 3 packages if they are missing: check libxml2-dev libssl-dev (I did it through Synaptic)
5) Uncomment the "onaccess_fan.c" file.
- Enter the clamav-0.100.2 directory.
- Open the file clamd/onaccess_fan.c with an editor. (I use vim: $vim clamd/onaccess_fan.c)
- Remove the two slashes (//) in the line "//virusaction(fname, virname, tharg->opts);"
so it becomes: "virusaction(fname, virname, tharg->opts);"
- Save and exit the editor.
6) Install clamav from the source.
(see https://www.clamav.net/documents/installing-clamav)
I did the following:
- Enter the clamav-0.100.2 directory with the line command.
- Change to root (sudo su) and execute the following:
- ./configure
- ./make
- ./make check
- ./make install
7) Configure clamd. I give the following example (see the clamd.conf manual).
- Open the clamd.conf file with an editor and put or change the following features:
User root
ScanOnAccess true
OnAccessIncludePath /path_to_directory_to_protect
OnAccessExcludeUID 0
OnAccessPrevention true
OnAccessExtraScanning false
VirusEvent /opt/clamav-utils/clamd-response
- save and exit
8) Write the clamd-response script.
In this example it will give a virus notification to a log file, move the virus to a quarantine and a notification appears on the screen.
- make a directory /opt/clamav-utils/
- write with an editor the following in a file named "clamd-response" in the directory /opt/clamav-utils/ and save it.
----------------------------------
#!/bin/sh
echo "$(date) - $CLAM_VIRUSEVENT_VIRUSNAME > $CLAM_VIRUSEVENT_FILENAME" >> /var/log/clamav/infected.log
mv $CLAM_VIRUSEVENT_FILENAME /opt/clamav-utils/clamd_quarantine/
sudo -u MyUserName DISPLAY=:0.0 notify-send "Virus Found $CLAM_VIRUSEVENT_VIRUSNAME" "$CLAM_VIRUSEVENT_FILENAME has been moved to quarantine"
----------------------------------
ATTENTION: "MyUserName" must be changed to your user name!
9) make an empty file /var/log/clamav/infected.log
10) start the clamd daemon: # clamd start.
It is done!
But there is still a bug. The OnAccessScan does not scan the sub-directories.
The feature "OnAccessExtraScanning", even if set "true" doesn't work.
The following message appears in the clamav.log:
----------------------------------
ScanOnAccess: OnAccessExtraScanning was requested, but has been disabled due to a known issue with thread resource cleanup.
The OnAccessExtraScanning feature will be re-enabled in a future release when the issue is resolved.
For details, see: https://bugzilla.clamav.net/show_bug.cgi?id=12048
----------------------------------
So we hope it will soon be resolved.
The last stable version of Clamav, clamav-0.100.2, comes with a disactivated on-access scan capability.
The only on-access ability is to block the execution of a known virus and send a message to the clamav.log.
After an installation of clamav-daemon this can be done for example by inserting the following in the clamd.conf file:
--------------------------------------------------
User root
ScanOnAccess True
OnAccessIncludePath /"a_path_of_your_choise"
OnAccessPrevention true
--------------------------------------------------
The feature "VirusEvent" of clamd.conf that would permit to trigger an executable script that could delete a virus,
move it to a quarantine or send a message to the screen or to a log file, is not working.
The reason is found in the file "onaccess_fan.c" of the source (clamav-0.100.2.tar.gz).
(see https://bbs.archlinux.org/viewtopic.php?id=237489)
After extracting the source and opening "onaccess_fan.c" with an editor you can find at the line 81:
if (scan) {
if (onas_scan(fname, fmd->fd, &virname, tharg->engine, tharg->options, extinfo) == CL_VIRUS) {
/* TODO : FIXME? virusaction forks. This could be extraordinarily problematic, lead to deadlocks,
* or at the very least lead to extreme memory consumption. Leaving disabled for now.*/
//virusaction(fname, virname, tharg->opts);
res.response = FAN_DENY;
}
"virusaction" is commented out with two slashes // [ //virusaction(fname, virname, tharg->opts); ]
As the developer advises removing the two slashes can be problematic.
Taking a risk, I uncommented it and installed clamav on a Linux Lite 2.8 distribution based on Ubuntu 14.04 trusty, using a 3.19.0-80-generic kernel and it worked for me well as like with others (see link above).
It can now move viruses to a quarantine, delete them, send a message all ON-ACCESS.
Probably in the future the bug will be fixed but when and still for free? Who can be sure.
So for those interested and accept the risk, I offer a brief step by step installation guide, without taking any responsibility if any smoke arises from your machine.
1) Uninstall completely clamav and clamav-daemon if it was previously installed.
on my debian distribution:
dpkg purge clamav clamav-daemon (I prefer using the Synaptic Package Manager because it is more detailed)
2) Download the source.
https://www.clamav.net/downloads/product...0.2.tar.gz
3) Unpack it in a directory of your choise.
$ tar -xvf clamav-0.100.2.tar.gz
4) Download and install the following 3 packages if they are missing: check libxml2-dev libssl-dev (I did it through Synaptic)
5) Uncomment the "onaccess_fan.c" file.
- Enter the clamav-0.100.2 directory.
- Open the file clamd/onaccess_fan.c with an editor. (I use vim: $vim clamd/onaccess_fan.c)
- Remove the two slashes (//) in the line "//virusaction(fname, virname, tharg->opts);"
so it becomes: "virusaction(fname, virname, tharg->opts);"
- Save and exit the editor.
6) Install clamav from the source.
(see https://www.clamav.net/documents/installing-clamav)
I did the following:
- Enter the clamav-0.100.2 directory with the line command.
- Change to root (sudo su) and execute the following:
- ./configure
- ./make
- ./make check
- ./make install
7) Configure clamd. I give the following example (see the clamd.conf manual).
- Open the clamd.conf file with an editor and put or change the following features:
User root
ScanOnAccess true
OnAccessIncludePath /path_to_directory_to_protect
OnAccessExcludeUID 0
OnAccessPrevention true
OnAccessExtraScanning false
VirusEvent /opt/clamav-utils/clamd-response
- save and exit
8) Write the clamd-response script.
In this example it will give a virus notification to a log file, move the virus to a quarantine and a notification appears on the screen.
- make a directory /opt/clamav-utils/
- write with an editor the following in a file named "clamd-response" in the directory /opt/clamav-utils/ and save it.
----------------------------------
#!/bin/sh
echo "$(date) - $CLAM_VIRUSEVENT_VIRUSNAME > $CLAM_VIRUSEVENT_FILENAME" >> /var/log/clamav/infected.log
mv $CLAM_VIRUSEVENT_FILENAME /opt/clamav-utils/clamd_quarantine/
sudo -u MyUserName DISPLAY=:0.0 notify-send "Virus Found $CLAM_VIRUSEVENT_VIRUSNAME" "$CLAM_VIRUSEVENT_FILENAME has been moved to quarantine"
----------------------------------
ATTENTION: "MyUserName" must be changed to your user name!
9) make an empty file /var/log/clamav/infected.log
10) start the clamd daemon: # clamd start.
It is done!
But there is still a bug. The OnAccessScan does not scan the sub-directories.
The feature "OnAccessExtraScanning", even if set "true" doesn't work.
The following message appears in the clamav.log:
----------------------------------
ScanOnAccess: OnAccessExtraScanning was requested, but has been disabled due to a known issue with thread resource cleanup.
The OnAccessExtraScanning feature will be re-enabled in a future release when the issue is resolved.
For details, see: https://bugzilla.clamav.net/show_bug.cgi?id=12048
----------------------------------
So we hope it will soon be resolved.