WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: On Access Virus Protection ?  (Read 39016 times)

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14851
Re: On Access Virus Protection ?
« Reply #45 on: December 25, 2011, 02:46:52 AM »
I've seen that "make install" issues the "ldconfig" command with some source packages, but not with others. Perhaps you compiled the source in a different order this time?

Note that once you make extensions out of the source this will be taken care of automatically.

Offline remus

  • Sr. Member
  • ****
  • Posts: 371
Re: On Access Virus Protection ?
« Reply #46 on: December 27, 2011, 07:14:56 AM »
ClamFS requires the clamav daemon (clamd) to be running in order to do its job.

Each time I start clamfs I get the following error message.
Code: [Select]
21:00:57 (clamav.cxx:61) error: cannot connect to clamd
21:00:57 (clamfs.cxx:1064) cannot start without running clamd, make sure it works

So I check what was running with
Code: [Select]
psAnd clamd was no longer running...

I start clamd with the following command
Code: [Select]
clamdheres outputs from the clamd.log file when I run clamd
Code: [Select]
Tue Dec 27 20:29:43 2011 -> +++ Started at Tue Dec 27 20:29:43 2011
Tue Dec 27 20:29:43 2011 -> clamd daemon 0.97.2 (OS: linux-gnu, ARCH: i386, CPU: i686)
Tue Dec 27 20:29:43 2011 -> Log file size limited to 2097152 bytes.
Tue Dec 27 20:29:43 2011 -> Reading databases from /usr/local/share/clamav
Tue Dec 27 20:29:43 2011 -> Not loading PUA signatures.
Tue Dec 27 20:29:43 2011 -> Bytecode: Security mode set to "TrustSigned".
Tue Dec 27 20:29:55 2011 -> Loaded 1006584 signatures.
Tue Dec 27 20:29:58 2011 -> LOCAL: Removing stale socket file /tmp/clamd.socket
Tue Dec 27 20:29:58 2011 -> LOCAL: Unix socket file /tmp/clamd.socket
Tue Dec 27 20:29:58 2011 -> LOCAL: Setting connection queue length to 200
Tue Dec 27 20:29:58 2011 -> Limits: Global size limit set to 104857600 bytes.
Tue Dec 27 20:29:58 2011 -> Limits: File size limit set to 26214400 bytes.
Tue Dec 27 20:29:58 2011 -> Limits: Recursion level limit set to 16.
Tue Dec 27 20:29:58 2011 -> Limits: Files limit set to 10000.
Tue Dec 27 20:29:58 2011 -> Limits: Core-dump limit is 0.
Tue Dec 27 20:29:58 2011 -> Archive support enabled.
Tue Dec 27 20:29:58 2011 -> Algorithmic detection enabled.
Tue Dec 27 20:29:58 2011 -> Portable Executable support enabled.
Tue Dec 27 20:29:58 2011 -> ELF support enabled.
Tue Dec 27 20:29:58 2011 -> Mail files support enabled.
Tue Dec 27 20:29:58 2011 -> OLE2 support enabled.
Tue Dec 27 20:29:58 2011 -> PDF support enabled.
Tue Dec 27 20:29:58 2011 -> HTML support enabled.
Tue Dec 27 20:29:58 2011 -> Self checking every 600 seconds.
Tue Dec 27 20:29:58 2011 -> Listening daemon: PID: 2999
Tue Dec 27 20:29:58 2011 -> MaxQueue set to: 100

As I learn't how to setup clamd.conf file I did get some errors here and there about file permissions, which I've sorted out.

I've attached the clamd.conf file.
Live long and prosper.

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11704
Re: On Access Virus Protection ?
« Reply #47 on: December 27, 2011, 09:01:06 AM »
Hi remus
After starting  clamfs, check the output of dmesg to see if  clamd  logged any entries there. Also
look for a  clamd.log  file and see what that says.

Offline remus

  • Sr. Member
  • ****
  • Posts: 371
Re: On Access Virus Protection ?
« Reply #48 on: December 28, 2011, 01:17:27 AM »
Hi Rich,

Code: [Select]
watch "dmesg | tail -20"Gave me an opportunity to observe dmesg as I tested.
The first time I tried it, I got a warning or error message in dmesg putty window stating a low or out of memory problem of some type. Sorry I did not copy and paste from putty :(

So I shutdown my virtual machine, and changed its allocated memory from 256mb to 512mb of ram.
Rebooted, and now once clamd is run it is stable, and does not disappear from view with the top command.

However, I changed allocated ram back to 256mb to see if the problem was reproducable, and it was not... Perhaps this is a problem of VM Workstation.

Anyway, clamfs now starts, however it does NOT detect the eicar test file.
I've tried
:
Code: [Select]
file eicar.com:
Code: [Select]
cat eicar.comAnd no warning is issued.

NO messages are getting to dmesg now.
I've added boot code syslog and I get a bit of info in /var/log/messages when running
 
Code: [Select]
clamfs clamfs.xml
Code: [Select]
Dec 28 15:09:51 (none) user.info clamfs: logs goes to syslog
Dec 28 15:09:51 (none) user.info clamfs: extension ACL size is 47 entries
Dec 28 15:09:51 (none) user.info clamfs: deleting cache
Dec 28 15:09:51 (none) user.info clamfs: --- begin of statistics ---
Dec 28 15:09:51 (none) user.info clamfs: Early cache hit: 0
Dec 28 15:09:51 (none) user.info clamfs: Early cache miss: 0
Dec 28 15:09:51 (none) user.info clamfs: Late cache hit: 0
Dec 28 15:09:51 (none) user.info clamfs: Late cache miss: 0
Dec 28 15:09:51 (none) user.info clamfs: Whitelist hit: 0
Dec 28 15:09:51 (none) user.info clamfs: Blacklist hit: 0
Dec 28 15:09:51 (none) user.info clamfs: Files bigger than maximal-size: 0
Dec 28 15:09:51 (none) user.info clamfs: open() function called 0 times (allowed: 0, denied: 0)
Dec 28 15:09:51 (none) user.info clamfs: Scan failed 0 times
Dec 28 15:09:51 (none) user.info clamfs: --- end of statistics ---
Dec 28 15:09:51 (none) user.info clamfs: deleting stats
Dec 28 15:09:51 (none) user.info clamfs: deleting extensions ACL
Dec 28 15:09:51 (none) user.info clamfs: closing logging targets
Dec 28 15:09:51 (none) user.warn clamfs: exiting
Dec 28 15:10:51 (none) user.info clamfs: logs goes to syslog
Dec 28 15:10:51 (none) user.info clamfs: extension ACL size is 47 entries
Dec 28 15:10:51 (none) user.info clamfs: deleting cache
Dec 28 15:10:51 (none) user.info clamfs: --- begin of statistics ---
Dec 28 15:10:51 (none) user.info clamfs: Early cache hit: 0
Dec 28 15:10:51 (none) user.info clamfs: Early cache miss: 0
Dec 28 15:10:51 (none) user.info clamfs: Late cache hit: 0
Dec 28 15:10:51 (none) user.info clamfs: Late cache miss: 0
Dec 28 15:10:51 (none) user.info clamfs: Whitelist hit: 0
Dec 28 15:10:51 (none) user.info clamfs: Blacklist hit: 0
Dec 28 15:10:51 (none) user.info clamfs: Files bigger than maximal-size: 0
Dec 28 15:10:51 (none) user.info clamfs: open() function called 0 times (allowed: 0, denied: 0)
Dec 28 15:10:51 (none) user.info clamfs: Scan failed 0 times
Dec 28 15:10:51 (none) user.info clamfs: --- end of statistics ---
Dec 28 15:10:51 (none) user.info clamfs: deleting stats
Dec 28 15:10:51 (none) user.info clamfs: deleting extensions ACL
Dec 28 15:10:51 (none) user.info clamfs: closing logging targets
Dec 28 15:10:51 (none) user.warn clamfs: exiting


I can't seem to find out how to stop / restart the clamd so I have to reboot each time I try something new and re install clamfs, i've created a sh script for it, to save my hands, but its taking ages.
« Last Edit: December 28, 2011, 02:06:54 AM by remus »
Live long and prosper.

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14851
Re: On Access Virus Protection ?
« Reply #49 on: December 28, 2011, 01:37:56 AM »
I can't seem to find out how to stop / restart the clamd so I have to reboot each time I try something new and re install clamfs, i've created a sh script for it, to save my hands, but its taking ages.

If you started clamd from a terminal window, then <ctrl-c> should stop it.

If you started clamd from elsewhere, the you can use "ps aux | grep clamd" to find its process ID (pid) and then use "kill pid" to stop it.

Eventually, (if clamd does not install its own init.d script), you could write a /usr/local/etc/init.d/clamd modeled along the lines of those in existing extensions to start/stop/restart clamd

Offline remus

  • Sr. Member
  • ****
  • Posts: 371
Re: On Access Virus Protection ?
« Reply #50 on: December 28, 2011, 02:30:39 AM »
Documentation http://www.clamav.net/doc/latest/html/node28.html says the clamd supports a shutdown comand, I've tried.
Code: [Select]
shutdown clamdand
Code: [Select]
clamd shutdown
No luck so far.

I tried
Code: [Select]
sudo kill 2270
And that shut it down.

Thanks Juanito.
Live long and prosper.

Offline remus

  • Sr. Member
  • ****
  • Posts: 371
Re: On Access Virus Protection ?
« Reply #51 on: December 28, 2011, 07:25:07 AM »
Progress made.

Running clamd as tc is ok if:
- make sure tc.staff owns the folder(s) that contains the following files (log file, socket file, pid file)

ClamFS gives bugger all useful error messages, nothing useful turned up in /var/log/messages or /bin/dmesg or the clamd.log file. Heres what got it working
- Run it as root
Code: [Select]
sudo clamfs path.to.clamfs.xml- clamfs.xml needs values for variables to be encased in quotes , example: variable="yes" or variable="no"

If everything is ok there will be a clamfs entry visible if you run the top command, and it stays there until you kill the clamfs pid

Current Status.
Once clamd/clamfs are running, the mounted clamfs folder will not allow the eicar test file to be copied to it from the linux command line.

However I can still copy the eicar test virus to a samba share that is mounted as a clamfs folder.
Live long and prosper.

Offline remus

  • Sr. Member
  • ****
  • Posts: 371
Re: On Access Virus Protection ?
« Reply #52 on: December 28, 2011, 11:42:28 PM »
setfacl error

I am trying acl modification to the clamfs root folder based on a howto I found here: http://blog.burghardt.pl/2007/11/wine-with-on-access-clamav-scanning/

Heres the command I'm trying
Code: [Select]
$  setfacl -R -b -d -m user:clamav:rx /home/tc/public/Produces the following error
Code: [Select]
setfacl: /home/tc/public/: Operation not supported
suggestions welcome
Live long and prosper.

Offline remus

  • Sr. Member
  • ****
  • Posts: 371
Re: On Access Virus Protection ?
« Reply #53 on: December 29, 2011, 12:10:11 AM »
Bit of googling gave me the hint to add acl to the appropriate fstab line, heres the website link
http://www.linuxquestions.org/questions/mandriva-30/setfacl-test-operation-not-supported-266804/

I can't see a /home line in my fstab file, so I'm guessing some guru stuff is going on.

Heres my current fstab file
Code: [Select]
# /etc/fstab
proc            /proc        proc    defaults          0       0
sysfs           /sys         sysfs   defaults          0       0
devpts          /dev/pts     devpts  defaults          0       0
tmpfs           /dev/shm     tmpfs   defaults          0       0
/dev/zram0  swap         swap    defaults,noauto   0       0
/dev/fd0        /mnt/fd0        auto     noauto,users,exec    0 0 # Added by TC
/dev/sda1       /mnt/sda1       ext3     noauto,users,exec,relatime 0 0 # Added by TC
/dev/sdb1       /mnt/sdb1       vfat     noauto,users,exec,umask=000 0 0 # Added by TC
/dev/sr0        /mnt/sr0        auto     noauto,users,exec    0 0 # Added by TC

suggestions welcome
Live long and prosper.

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11704
Re: On Access Virus Protection ?
« Reply #54 on: December 29, 2011, 02:52:50 AM »
Hi remus
Quote
However I can still copy the eicar test virus to a samba share that is mounted as a clamfs folder.
I would try to get this resolved before complicating the situation with ACL. If I understand it correctly
(and I'm not sure that I do) what you want to do is something like this:
Code: [Select]
sudo mkdir /mnt/share1
mount /mnt/sda1
I'm assuming  sda1  is the hard drive you are looking to share.
In clamfs.xml   root="/mnt/sda1"   mountpoint="/mnt/share1"
root is what you are trying to protect.  mountpoint is where clamfs mounts its virtual file system.
Code: [Select]
sudo clamfs path.to.clamfs.xmlIn smb.conf
Code: [Select]
[Public]
path = /mnt/share1
Start Samba:
Code: [Select]
sudo /usr/local/etc/init.d/samba startAny client that connects to the server will use the share called Public. Locally you would access it
through /mnt/share1. You can only protect one path in the xml file. If you want to protect more paths,
create another xml file with a different name and start a second copy of clamfs using that xml file.
Hope this helps.

Offline remus

  • Sr. Member
  • ****
  • Posts: 371
Re: On Access Virus Protection ?
« Reply #55 on: December 29, 2011, 03:48:35 AM »
I made a bit of progress with it.

Its seems to be about finding the right combination of permissions.

The following ownership and permissions get the system working almost perfect.

An explanation.
there is a clamav user and a clamav group, for clamav software.

there is a johns user of the office group, this user and group is for samba access.

Code: [Select]
sudo chown -R clamav.office root.folder
Code: [Select]
sudo chmod -R 775 root.folder
Code: [Select]
sudo chown -R johns.office mount.point
Code: [Select]
sudo chmod -R 775 mount.point
This permissions configuration gives the following results.

Copying the eicar.com test file to a samba share from windows allows the file to be copied :(
Trying to copy the file again and overwriting the original fails :)

Its almost perfect, I'd like to have a crack with acl settings if I can get the info for the fstab file.
Live long and prosper.

Offline remus

  • Sr. Member
  • ****
  • Posts: 371
Re: On Access Virus Protection ?
« Reply #56 on: December 29, 2011, 11:31:39 PM »
The howto on the following web page is written by the developer of clamfs
http://blog.burghardt.pl/2007/11/wine-with-on-access-clamav-scanning/

In his howto he says
Quote
Set permissions

ClamAV is run as user clamav. Normal user should not be members of this group. Unfortunately ugo+/-rwx is not enough to set permissions to give access to you and clamav user. To accomplish this we will use POSIX ACLs. If you are not familiar with them read article POSIX Access Control Lists on Linux.

Set default ACL for directories (files created in those directories will inherit ACL):

$ setfacl -R -b -d -m user:clamav:rx .wine/root
Now set all files and directories to be readable by clamav:

$ setfacl -R -m user:clamav:rx .wine/root

I've seen references to acl and clamfs on other websites.
I've had no luck with the setfacl command in tinycore linux.

I've added /etc/fstab to my /opt/.filetool.lst file
And then added ,acl to every line in the current fstab file, with no positive result.

I also found this method.
Code: [Select]
sudo /sbin/tune2fs -o +acl /dev/sda1While doing this gives no errors, I still got the "operation not supported" error

I've checked that acl AND acl-dev are installed onboot.
Live long and prosper.

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11704
Re: On Access Virus Protection ?
« Reply #57 on: December 30, 2011, 01:40:08 AM »
Hi remus
This may or may not be causing a problem:
Code: [Select]
tc@box:~$ grep _ACL /usr/src/linux/.config
# CONFIG_JFS_POSIX_ACL is not set
CONFIG_FS_POSIX_ACL=y
# CONFIG_XFS_POSIX_ACL is not set
# CONFIG_TMPFS_POSIX_ACL is not set
# CONFIG_NFS_V3_ACL is not set
# CONFIG_NFSD_V3_ACL is not set
It's the TMPFS one I'm referring to. Running  stat  shows the following:
Code: [Select]
tc@box:~$ stat -f /mnt/sda1/
  File: "/mnt/sda1/"
    ID: 80100000000 Namelen: 260     Type: msdos
Block size: 4096       Fundamental block size: 4096
Blocks: Total: 988944     Free: 743344     Available: 743344
Inodes: Total: 0          Free: 0
tc@box:~$ stat -f /mnt/bb/
  File: "/mnt/bb/"
    ID: 0        Namelen: 4096    Type: cifs
Block size: 4096       Fundamental block size: 4096
Blocks: Total: 73219671   Free: 72545403   Available: 72545403
Inodes: Total: 286208     Free: 250876
tc@box:~$ stat -f /mnt/
  File: "/mnt/"
    ID: 0        Namelen: 255     Type: tmpfs
Block size: 4096       Fundamental block size: 4096
Blocks: Total: 115841     Free: 100664     Available: 100664
Inodes: Total: 64356      Free: 39256
Although sda1 and bb are listed as msdos and cifs, they are located in /mnt which is listed as tmpfs,
as are most directories in Tinycore. Whether this is relevant, I don't know. Maybe one of the smarter
forum members can shed some light.


Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 11050
Re: On Access Virus Protection ?
« Reply #58 on: December 30, 2011, 02:56:09 AM »
Yes, we have ACLs disabled for all fs since so few need them (you're the first in all of TC's life so far).

The only barriers that can stop you are the ones you create yourself.

Offline remus

  • Sr. Member
  • ****
  • Posts: 371
Re: On Access Virus Protection ?
« Reply #59 on: December 30, 2011, 05:34:17 AM »
Is it possible for me to enable ACLs ?
Live long and prosper.