Koozali.org: home of the SME Server

Virus scanning beyond symlinks...

Jontu Kontar
Virus scanning beyond symlinks...
« on: December 17, 2008, 06:47:37 PM »
Info:

1 Hard Drive:  Contains everything except iBays and User files.
2 Hard Drives (Raid 0):  Contains the iBay and User files.  (soft linked to their normal location).

In its default configuration, /usr/bin/clamscan ignores all symlinks and thus ignores all the files that need to be scanned.  It appears that there is an option "FollowDirectorySymlinks" and "FollowFileSymlinks" that can be added to /etc/clamd.conf.  Altering that is counter-productive, in that the server scan ignores it and it interferes with the virus scanning of e-mail.  Editing /sbin/e-smith/smeserver-clamscan to add an option to follow the symlinks doesn't seem to be possible because no such switch exists for /usr/bin/clamscan.  Creating a custom configuration also doesn't seem to be possible.

So that leaves me with the possibility of adding or changing the location where /usr/bin/clamscan is directed to check.  Looking at /sbin/e-smith/smeserver-clamscan it appears that a database is selected and then the file systems are populated by querying for "clamav" and "FilesystemScanFilesystems" (which returns /home/e-smith/files).

In the end, I'm looking for a way to scan beyond the symlink that will be preserved if the system is updated or upgraded.  I'm left with two possibilities: edit /sbin/e-smith/smeserver-clamscan to add the additional file system or edit the database that returns the file system.  Which would be the better way to go?  In the case of the database, how do you edit that?

CharlieBrady
Re: Virus scanning beyond symlinks...
« Reply #1 on: December 17, 2008, 10:38:01 PM »
Don't use symlinks. Mount your extra drive/file system at /home/e-smith/files.

christian
Re: Virus scanning beyond symlinks...
« Reply #2 on: December 19, 2008, 01:28:21 AM »
While for Jontu I think Charlie's answer is the best, I'm looking at being more selective about which directories go onto my other disks. So I was planning to symlink only selected portions of my hierarchy.

The obvious question beyond finding a solution to this is... are there any other gotchas?

If it gets too whacky then I will likely admit defeat and simply mount the spare drive in place of my most dominant ibay.

Now for clam, I think one way is to start searching from "/" and then exclude a tonne of directories as it doesn't appear clam can take multiple file systems as an argument with the prop "FilesystemScanFilesystems".

The docs (http://wiki.contribs.org/SME_Server:Documentation:FAQ#Virus_Scanning) say you can and the code appears to allow it, but I think clam itself won't take it.

Another way may be to create your own version of "smeserver-clamscan" to run on another hierarchy driven by cron.
SME since 2003

Jontu Kontar
Re: Virus scanning beyond symlinks...
« Reply #3 on: December 19, 2008, 04:36:42 PM »
Quote from: CharlieBrady
Don't use symlinks. Mount your extra drive/file system at /home/e-smith/files.

I will keep that in mind if I need to do this again.  As it stands now, that isn't a practical possibility.  Unless you know a way to mount a specific folder on a given device?

Quote from: christian
The docs (http://wiki.contribs.org/SME_Server:Documentation:FAQ#Virus_Scanning) say you can and the code appears to allow it, but I think clam itself won't take it.

Thanks for the link.  It might work if the comma isn't returned with the values (as per the link).  Clam takes space delimited directories as paths along which to scan.  Which brings up the question as to whether the comma is required when inputting the information?

Quote from: christian
Another way may be to create your own version of "smeserver-clamscan" to run on another hierarchy driven by cron.

I could do that, but I know that certain files are replaced when the system is updated.  I wouldn't want my change to disappear when that happens.

christian
Re: Virus scanning beyond symlinks...
« Reply #4 on: December 19, 2008, 05:11:29 PM »
Quote from: Jontu Kontar
I could do that, but I know that certain files are replaced when the system is updated.  I wouldn't want my change to disappear when that happens.
I agree with your concern and wasn't suggesting to replace smeserver-clamscan but to create your own script based on it to run driven by cron for the additional drive only.

However, if in fact the FilesystemScanFilesystems variable can work then that should be used. Can you confirm this? I've seen noise in the forums about it not working (supported by my own read of the clamscan man page); but you believe clamscan can so perhaps it is more about correcting usage method. If you can confirm, I'll ensure the FAQ is updated accordingly.

Once we determine this, I can also update the AddExtraDisk How-to to point to this as an additional optional step.

« Last Edit: December 19, 2008, 05:14:16 PM by christian »

Jontu Kontar
Re: Virus scanning beyond symlinks...
« Reply #5 on: December 19, 2008, 07:16:06 PM »
Quote from: christian
However, if in fact the FilesystemScanFilesystems variable can work then that should be used. Can you confirm this? I've seen noise in the forums about it not working (supported by my own read of the clamscan man page); but you believe clamscan can so perhaps it is more about correcting usage method. If you can confirm, I'll ensure the FAQ is updated accordingly.

Changing that property according to the above linked template doesn't work.  That property returns exactly what you type into it (comma and all).

WARNING: Can't access file /home/e-smith/files,/user_files

Changing it to the following seems to work.

config setprop clamav FilesystemScanFilesystems "/home/e-smith/files /user_files"

Well, normally the script is done well within 60 seconds of startup.  However with the update, it is continuing to run.  The results of ps auxc | grep clamscan reveal the following snippets which seem accurate (or at the least they were expected).

sh -c nice /usr/bin/clamscan  --recursive --infected --stdout --log /var/log/clamd/clamscan.log --exclude=/proc --exclude=/sys --exclude=/usr/share --exclude=/var --exclude=/var/spool/clamav/quarantine --move=/var/spool/clamav/quarantine /home/e-smith/files /user_files 2> /var/log/clamd/smeserver-clamscan.log

/usr/bin/clamscan --recursive --infected --stdout --log /var/log/clamd/clamscan.log --exclude=/proc --exclude=/sys --exclude=/usr/share --exclude=/var --exclude=/var/spool/clamav/quarantine --move=/var/spool/clamav/quarantine /home/e-smith/files /user_files


/usr/sbin/lsof -c clamscan reveals the following (which is new but expected behavior):

clamscan 27639 root   16r   REG  253,2 13190862 96944676 /user_files/ibays/it_software/files/Utility/Windows/Patch Management/ctupdate4/5.0/client/wsus/wsusscn2.cab
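
As an added example (not code from SME Server or from anyone in this thread), a POSIX shell script that reproduces how the two db properties become clamscan arguments and flags the mistakes that come up here: comma-joined or relative entries in FilesystemScanFilesystems, and symlinked directories that clamscan skips. The directory layout it builds under a temp dir is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of SME Server: sanity-check the clamav db properties
# before relying on the nightly scan. Assumes the layout seen in the thread:
# FilesystemScanFilesystems is space-separated (one clamscan path argument each),
# FilesystemScanExclude is comma-separated (one --exclude= each).

# "a,b" -> "--exclude=a --exclude=b", mirroring the ps output in the thread.
exclude_args() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's|^|--exclude=|' | tr '\n' ' ' | sed 's/ $//'
}

# Reconstruct (a shortened form of) the command smeserver-clamscan would run.
# $1 = FilesystemScanFilesystems value, $2 = FilesystemScanExclude value.
build_clamscan_cmd() {
  echo "/usr/bin/clamscan --recursive --infected --stdout $(exclude_args "$2") $1"
}

# Check every scan path: it must be absolute (a relative "mnt/tracy" yields
# "Can't access file"), must exist, and must not itself be a symlink, because
# clamscan does not follow symlinks by default and would skip it silently.
# Prints each problem; returns 1 if any path is unusable.
check_scan_paths() {
  rc=0
  for p in $1; do
    case "$p" in
      /*) ;;
      *) echo "relative path, clamscan will report Can't access file: $p"; rc=1; continue ;;
    esac
    if [ -L "$p" ]; then
      echo "symlink, would not be scanned: $p"; rc=1
    elif [ ! -d "$p" ]; then
      echo "not a directory (a comma-joined list looks like this): $p"; rc=1
    fi
  done
  return $rc
}

# Demo on a constructed layout: files/ibays is a symlink to a second disk,
# as in the original poster's setup.
demo() {
  t=$(mktemp -d)
  mkdir -p "$t/files" "$t/disk2/ibays"
  ln -s "$t/disk2/ibays" "$t/files/ibays"
  build_clamscan_cmd "$t/files $t/disk2" "/proc,/sys,/usr/share,/var"
  check_scan_paths "$t/files $t/disk2" && echo "ok: both real directories"
  check_scan_paths "$t/files/ibays" || echo "rejected: symlinked ibays"
  check_scan_paths "$t/files mnt/tracy" || echo "rejected: relative path"
  rm -rf "$t"
}
demo
```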

Jontu Kontar
Re: Virus scanning beyond symlinks...
« Reply #6 on: December 19, 2008, 11:32:15 PM »
That works! 

----------- SCAN SUMMARY -----------
Known viruses: 915381
Engine version: 0.94.1
Scanned directories: 5223
Scanned files: 108622
Infected files: 0
Data scanned: 64423.45 MB
Time: 14488.970 sec (241 m 28 s)

christian
Re: Virus scanning beyond symlinks...
« Reply #7 on: December 20, 2008, 01:07:46 AM »
Quote from: Jontu Kontar
That works!

Thanks for confirming. I've updated the FAQ and will make reference in AddExtraHardDisk.

Christian

tviles
Re: Virus scanning beyond symlinks...
« Reply #8 on: January 02, 2009, 10:25:03 PM »
Which command shows what clamav is going to scan?

christian
Re: Virus scanning beyond symlinks...
« Reply #9 on: January 02, 2009, 10:45:49 PM »
Quote from: tviles
Which command shows what clamav is going to scan?

The opposite to the "config setprop" identified in Jontu's comment above.
Code:
config getprop clamav FilesystemScanFilesystems
And note the excluded directories:
Code:
config getprop clamav FilesystemScanExclude
To see all attributes:
Code:
config show clamav
note "config" is short for "db configuration"; either will work.

EDIT: See also http://wiki.contribs.org/DB_Variables_Configuration#Clam_AntiVirus_.28clamav.29 which is part of the wiki page: http://wiki.contribs.org/DB_Variables_Configuration
« Last Edit: January 02, 2009, 10:49:59 PM by christian »

tviles
Re: Virus scanning beyond symlinks...
« Reply #10 on: January 03, 2009, 12:44:18 AM »
Thank you.

tviles
Re: Virus scanning beyond symlinks...
« Reply #11 on: January 03, 2009, 10:59:20 AM »
I got this back this morning after using this.

config setprop clamav FilesystemScanFilesystems "/home/e-smith/files mnt/tracy"

I guess I will try.

config setprop clamav FilesystemScanFilesystems "/home/e-smith/files /mnt/tracy"

Then I do signal-event clamav-update
Question which command makes it do an immediate scan?


WARNING: Can't access file mnt/tracy

----------- SCAN SUMMARY -----------
Known viruses: 922370
Engine version: 0.94.2
Scanned directories: 670
Scanned files: 14334
Infected files: 0
Data scanned: 1285.98 MB
Time: 956.398 sec (15 m 56 s)
« Last Edit: January 03, 2009, 11:11:55 AM by tviles »

christian
Re: Virus scanning beyond symlinks...
« Reply #12 on: January 03, 2009, 04:27:45 PM »
Quote from: tviles
Question which command makes it do an immediate scan?

Did you try:
Code:
/sbin/e-smith/smeserver-clamscan
Jontu makes note of this in his first comment in this thread. I believe that will work.


tviles
Re: Virus scanning beyond symlinks...
« Reply #13 on: January 04, 2009, 11:14:59 AM »
Quote from: christian
Did you try:
Code:
/sbin/e-smith/smeserver-clamscan
Jontu makes note of this in his first comment in this thread. I believe that will work.

I tried that, but it is not advisable on a slow VPN connection. I timed out.
I did get this back this morning.


----------- SCAN SUMMARY -----------
Known viruses: 922398
Engine version: 0.94.2
Scanned directories: 1372
Scanned files: 26513
Infected files: 0
Data scanned: 8648.59 MB
Time: 6246.497 sec (104 m 6 s)

This is telling me it is not scanning the mnt/tracy which has about 40 gb of users files on it.

config getprop clamav FilesystemScanFilesystems is showing

[root@shpdserver ~]# config getprop clamav FilesystemScanFilesystems
/home/e-smith/files /mnt/tracy

I have also tried it as /home/e-smith/files mnt/tracy with the same results. I'm not understanding something.

[root@shpdserver ~]# config getprop clamav FilesystemScanExclude
/proc,/sys,/usr/share,/var

[root@shpdserver ~]# config show clamav
clamav=service
    /opt,=mnt/tracy
    ArchiveBlockEncrypted=no
    ArchiveBlockMax=no
    ArchiveMaxCompressionRatio=300
    Checks=24
    DNSDatabaseInfo=current.cvd.clamav.net
    DatabaseMirror=db.local.clamav.net
    Debug=no
    DetectBrokenExecutables=no
    FilesystemScan=daily
    FilesystemScanExclude=/proc,/sys,/usr/share,/var
    FilesystemScanFilesystems=/home/e-smith/files /mnt/tracy
    FilesystemScanReportTo=admin
    Foreground=yes
    HTTPProxyPassword=
    HTTPProxyPort=
    HTTPProxyServer=
    HTTPProxyUsername=
    IdleTimeout=60
    LeaveTemporaryFiles=no
    LogClean=no
    LogFileUnlock=yes
    LogTime=no
    LogVerbose=yes
    MaxAttempts=6
    MaxConnectionQueueLength=30
    MaxDirectoryRecursion=20
    MaxFileSize=15M
    MaxFiles=1500
    MaxRecursion=8
    MaxThreads=20
    Quarantine=enabled
    QuarantineDirectory=/var/spool/clamav/quarantine
    ReadTimeout=300
    ScanArchive=yes
    ScanHTML=yes
    ScanMail=yes
    ScanOLE2=yes
    ScanPE=yes
    ScanRAR=no
    SelfCheck=1800
    ShowProxySettings=no
    ShowUpdateSettings=no
    SignaturesUpdated=unknown
    UpdateNonOfficeHrs=disabled
    UpdateOfficeHrs=disabled
    UpdateWeekend=disabled
    status=enabled
[root@shpdserver ~]#
David Harper
Re: Virus scanning beyond symlinks...
« Reply #14 on: January 04, 2009, 11:48:18 AM »
Code:
FilesystemScanExclude=/proc,/sys,/usr/share,/var
FilesystemScanFilesystems=/home/e-smith/files /mnt/tracy

I note that there are commas (",") between the ScanExclude values. Perhaps you need commas between the ScanFilesystems values as well.

i.e.

Code:
db configuration setprop clamav FilesystemScanFilesystems "/home/e-smith/files,/mnt/tracy"