Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: piran on October 05, 2006, 12:30:31 AM
-
How may I suppress ClamAV's checking of a particular ibay?
For instance would one of the templates
/etc/e-smith/templates/etc/clamd.conf/
achieve this suppression or must I use a new specific template?
[postedit] Summary http://forums.contribs.org/index.php?topic=34047.msg146180#msg146180
-
Hi,
Clamav scan is led by some configuration options, have a look at this:
[root@sme94 ~]# /sbin/e-smith/db configuration getprop clamav FilesystemScanExclude
/proc,/sys,/usr/share,/var
so you can add any other paths:
[root@sme94 ~]# db configuration setprop clamav FilesystemScanExclude \
/proc,/sys,/usr/share,/var, \
/home/e-smith/files/ibays/iso, \
/home/e-smith/files/ibays/archive
for instance will prevent these ibays from being scanned
G.
-
My thanks, otherwise it takes more than 5 days work from one CPU...;~)
-
Is there someway this can be used to exclude every users junkmail folder ?
-
Not solved after all;~/
Just missed the midnight check so I implemented a ClamAV run manually.
[root@teri /]# clamscan -r /home --quiet
ClamAV was still running in the morning (should take about 10mins?).
[root@teri /]# db configuration getprop clamav FilesystemScanExclude
/proc,/sys,/usr/share,/var,/mnt,/home/e-smith/files/ibays
As suppressing the checking of ibays apparently didn't work, I cannot guarantee
that suppressing the checking of /mnt is working either (messes up backups).
Is the manual implementation of ClamAV different from what runs normally?
In case this is needed...
[root@teri /]# config show clamav
clamav=service
ArchiveBlockEncrypted=no
ArchiveBlockMax=no
ArchiveMaxCompressionRatio=300
ArchiveMaxFileSize=15M
ArchiveMaxFiles=1500
ArchiveMaxRecursion=8
Checks=24
DNSDatabaseInfo=current.cvd.clamav.net
DatabaseMirror=db.local.clamav.net
Debug=no
DetectBrokenExecutables=no
FilesystemScan=daily
FilesystemScanExclude=/proc,/sys,/usr/share,/var,/mnt,/home/e-smith/files/ibays
FilesystemScanFilesystems=/
FilesystemScanReportTo=admin
Foreground=yes
HTTPProxyPassword=
HTTPProxyPort=
HTTPProxyServer=
HTTPProxyUsername=
IdleTimeout=60
LeaveTemporaryFiles=no
LogClean=no
LogFileUnlock=yes
LogTime=no
LogVerbose=yes
MaxAttempts=6
MaxConnectionQueueLength=30
MaxDirectoryRecursion=20
MaxThreads=20
Quarantine=disabled
QuarantineDirectory=/var/spool/clamav/quarantine
ReadTimeout=300
ScanArchive=yes
ScanHTML=yes
ScanMail=yes
ScanOLE2=yes
ScanPE=yes
ScanRAR=no
SelfCheck=1800
ShowProxySettings=no
ShowUpdateSettings=no
SignaturesUpdated=unknown
UpdateNonOfficeHrs=disabled
UpdateOfficeHrs=disabled
UpdateWeekend=disabled
status=enabled
[root@teri /]#
-
Did you expand the template after changing the database?
/sbin/e-smith/expand-template /etc/clamd.conf
The contents of /etc/clamd.conf will give you a better idea of what clamd will be doing than the db values.
[root@tiger ~]# more /etc/clamd.conf
#------------------------------------------------------------
# !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://wiki.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
#ArchiveBlockEncrypted
#ArchiveBlockMax
ArchiveMaxCompressionRatio 300
ArchiveMaxFileSize 15M
ArchiveMaxFiles 1500
ArchiveMaxRecursion 8
DatabaseDirectory /var/clamav
#Debug
#DetectBrokenExecutables
FixStaleSocket
Foreground
IdleTimeout 60
#LeaveTemporaryFiles
LocalSocket /var/clamav/clamd.socket
#LogClean
LogFile /dev/stderr
LogFileMaxSize 0
LogFileUnlock
#LogTime
LogVerbose
MaxConnectionQueueLength 30
MaxDirectoryRecursion 20
MaxThreads 20
ReadTimeout 300
ScanArchive
ScanHTML
#ScanMail
ScanOLE2
ScanPE
#ScanRAR
SelfCheck 1800
# Close the connection if this limit is exceeded.
StreamMaxLength 25M
#TCPAddr 127.0.0.1
#TCPSocket 3310
TemporaryDirectory /var/tmp
User clamav
AllowSupplementaryGroups
[root@tiger ~]#
-
No, I ran this afterwards...
signal-event clamav-update
...but it was really only a guess,
I thought this command was the 'new expand'.
Will try over again.
-
I cannot see any suppress directory information in
/etc/clamd.conf
whether this is before or after running either
signal-event clamav-update
/sbin/e-smith/expand-template /etc/clamd.conf
The db get command shows my suppress directory information:
[root@teri etc]# db configuration getprop clamav FilesystemScanExclude
/proc,/sys,/usr/share,/var,/mnt,/home/e-smith/files/ibays
[root@teri etc]#
Unfortunately ClamAV doesn't take a blind bit of notice, running
clamscan -r /home
and viewing the checking live I see ClamAV running through the ibays;~/
-
Hi,
Clamav scan is led by some configuration options, have a look at this:
[root@sme94 ~]# /sbin/e-smith/db configuration getprop clamav FilesystemScanExclude
/proc,/sys,/usr/share,/var
so you can add any other paths:
[root@sme94 ~]# db configuration setprop clamav FilesystemScanExclude \
/proc,/sys,/usr/share,/var, \
/home/e-smith/files/ibays/iso, \
/home/e-smith/files/ibays/archive
for instance will prevent these ibays from being scanned
G.
Which template fragment uses the property FilesystemScanExclude?
-
well, William,
:oops:
Which template fragment uses the property FilesystemScanExclude?
:oops:
You are definitely right
It does not look like it corresponds to anything. But why is it in the db config parameters :?:
From clamd.conf I retrieve the "ClamukoExcludePath" directive which should be the correct one.
@piran,
could you check the below commands and advise?
# mkdir -p /etc/e-smith/templates-custom/etc/clamd.conf
# cat > /etc/e-smith/templates/etc/clamd.conf/ClamukoExcludePath
{
# Set the exclude paths. All subdirectories are also excluded.
"ClamukoExcludePath /home/e-smith/files/ibays";
}
^D ## this is a Control-D keystroke
# /sbin/e-smith/expand-template /etc/clamd.conf
# /sbin/e-smith/signal-event clamav-update
(check after pasting that you have no control characters in the file ...)
G.
-
double post
-
Scratching head;~)
Followed instructions (I think).
There is nothing in the mkdir file area.
But the contents of /etc/e-smith/templates/etc/clamd.conf/ClamukoExcludePath
consist only of...
{
# Set the exclude paths. All subdirectories are also excluded.
"ClamukoExcludePath /home/e-smith/files/ibays";
}
...and nothing else.
Template expanded.
Signal evented.
Manual run of ClamAV still goes through the ibays.
-
From clamd.conf I retrieve the "ClamukoExcludePath" directive which should be the correct one.
@piran,
could you check the below commands and advise?
# mkdir -p /etc/e-smith/templates-custom/etc/clamd.conf
# cat > /etc/e-smith/templates/etc/clamd.conf/ClamukoExcludePath
{
# Set the exclude paths. All subdirectories are also excluded.
"ClamukoExcludePath /home/e-smith/files/ibays";
}
^D ## this is a Control-D keystroke
# /sbin/e-smith/expand-template /etc/clamd.conf
# /sbin/e-smith/signal-event clamav-update
(check after pasting that you have no control characters in the file ...)
G.
Clamuko.. Hmm. Appears to be some sort of 'on access' scanning... not a scheduled file system scan.
I could be wrong.
-
[root@teri etc]# config show clamav
clamav=service
ArchiveBlockEncrypted=no
ArchiveBlockMax=no
ArchiveMaxCompressionRatio=300
ArchiveMaxFileSize=15M
ArchiveMaxFiles=1500
ArchiveMaxRecursion=8
Checks=24
DNSDatabaseInfo=current.cvd.clamav.net
DatabaseMirror=db.local.clamav.net
Debug=no
DetectBrokenExecutables=no
FilesystemScan=daily
FilesystemScanExclude=/proc,/sys,/usr/share,/var,/mnt,/home/e-smith/files/ibays
FilesystemScanFilesystems=/
FilesystemScanReportTo=admin
Foreground=yes
HTTPProxyPassword=
HTTPProxyPort=
HTTPProxyServer=
HTTPProxyUsername=
IdleTimeout=60
LeaveTemporaryFiles=no
LogClean=no
LogFileUnlock=yes
LogTime=no
LogVerbose=yes
MaxAttempts=6
MaxConnectionQueueLength=30
MaxDirectoryRecursion=20
MaxThreads=20
Quarantine=disabled
QuarantineDirectory=/var/spool/clamav/quarantine
ReadTimeout=300
ScanArchive=yes
ScanHTML=yes
ScanMail=yes
ScanOLE2=yes
ScanPE=yes
ScanRAR=no
SelfCheck=1800
ShowProxySettings=no
ShowUpdateSettings=no
SignaturesUpdated=unknown
UpdateNonOfficeHrs=disabled
UpdateOfficeHrs=disabled
UpdateWeekend=disabled
status=enabled
[root@teri etc]# pico clamd.conf
[root@teri etc]#
#------------------------------------------------------------
# !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://wiki.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
#ArchiveBlockEncrypted
#ArchiveBlockMax
ArchiveMaxCompressionRatio 300
ArchiveMaxFileSize 15M
ArchiveMaxFiles 1500
ArchiveMaxRecursion 8
ClamukoExcludePath /home/e-smith/files/ibays
DatabaseDirectory /var/clamav
#Debug
#DetectBrokenExecutables
FixStaleSocket
Foreground
IdleTimeout 60
#LeaveTemporaryFiles
LocalSocket /var/clamav/clamd.socket
#LogClean
LogFile /dev/stderr
LogFileMaxSize 0
LogFileUnlock
#LogTime
LogVerbose
MaxConnectionQueueLength 30
MaxDirectoryRecursion 20
MaxThreads 20
ReadTimeout 300
ScanArchive
ScanHTML
ScanMail
ScanOLE2
ScanPE
#ScanRAR
SelfCheck 1800
# Close the connection if this limit is exceeded.
StreamMaxLength 25M
#TCPAddr 127.0.0.1
#TCPSocket 3310
TemporaryDirectory /var/tmp
User clamav
AllowSupplementaryGroups
-
The two reporting areas seem different.
i.e. one comments out scans of RAR (#ScanRAR)
the other ScanRAR=no
but last night I saw some warning text about
RAR checking (something about levels or versions).
Config areas not matched or synchronised?
-
Look in /sbin/e-smith/smeserver-clamscan
Is there a difference between
my @exclude = split /,/, ($db->get_prop("clamav", "FilesystemScanExclude") ||
"/proc,/sys,/usr/share/doc");
and
my @exclude = split /,/, ($db->get_prop("clamav", "FilesystemScanExclude") || "/proc,/sys,/usr/share/doc");
-
#!/usr/bin/perl -w
#----------------------------------------------------------------------
# Clam Antivirus virus scanner filesystem scanning.
#
# copyright (C) 2004 Shad L. Lords <slords@mail.com>
# Copyright (C) 2005 Gordon Rowell <gordonr@gormand.com.au>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License or more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#----------------------------------------------------------------------
use strict;
use esmith::ConfigDB;
my $db = esmith::ConfigDB->open_ro or die "Couldn't open ConfigDB";
my $filesystems = $db->get_prop("clamav", "FilesystemScanFilesystems") || '/';
my $MailReport = $db->get_prop("clamav", "FilesystemScanReportTo") || 'admin';
my $clamscan_opts = " --recursive --infected --stdout" .
" --log /var/log/clamd/clamscan.log";
my $quarantine_dir = $db->get_prop("clamav", "QuarantineDirectory") ||
"/var/spool/clamav/quarantine";
my @exclude = split /,/, ($db->get_prop("clamav", "FilesystemScanExclude") ||
"/proc,/sys,/usr/share/doc");
push @exclude, $quarantine_dir;
$clamscan_opts .= " --exclude $_" for (@exclude);
$clamscan_opts .= " --move=$quarantine_dir"
if ($db->get_prop("clamav", "Quarantine") || "disabled") eq "enabled";
open CLAMSCAN, "-|", "nice /usr/bin/clamscan $clamscan_opts $filesystems 2>\&1";
my @report = <CLAMSCAN>;
close CLAMSCAN;
my $hostname = $db->get_value("SystemName") . "." .
$db->get_value("DomainName");
my $date = localtime;
open MAIL, "| /bin/mail " .
"-s \"[$hostname] Clam Antivirus Scan Results - $date\" $MailReport";
print MAIL @report;
close MAIL;
-
I could be wrong.
I only found two places where exclude paths are set for clamav:
this clamuko one
and the command line one:
clamscan -r /home/e-smith/files/users --exclude /home/e-smith/files/ibays
G.
-
Tried the command line option.
I saw ibay addresses appearing very briefly with : Excluded at the end.
That manually invoked test run finished in realtime (as opposed to 5 days).
[root@teri /]# clamscan -r /home --exclude /home/e-smith/files/ibays
----------- SCAN SUMMARY -----------
Known viruses: 71520
Engine version: 0.88.4
Scanned directories: 16020
Scanned files: 2032
Infected files: 0
Data scanned: 30.62 MB
Time: 77.804 sec (1 m 17 s)
[root@teri /]#
How to fix the automatic run at midnight...
-
I could be wrong.
I only found two places where exclude paths are set for clamav:
this clamuko one
and the command line one:
clamscan -r /home/e-smith/files/users --exclude /home/e-smith/files/ibays
G.
I think the command line one is the one that gets used.
Open two console terminals. In one run htop and in the other run /sbin/e-smith/smeserver-clamscan.
Clamscan should now be at the top of the list and you can see what command line parameters were used.
-
Not solved after all;~/
Just missed the midnight check so I implemented a ClamAV run manually.
[root@teri /]# clamscan -r /home --quiet
Is the manual implementation of ClamAV different from what runs normally?
Yes.
Try
/sbin/e-smith/smeserver-clamscan
-
The htop panel merely reflected whichever command line I used,
or do you mean for me to watch at midnight?
-
Will,
Is there a difference between
my @exclude = split /,/, ($db->get_prop("clamav", "FilesystemScanExclude") ||
"/proc,/sys,/usr/share/doc");
and
my @exclude = split /,/, ($db->get_prop("clamav", "FilesystemScanExclude") || "/proc,/sys,/usr/share/doc");
No
-
Will,
Is there a difference between
my @exclude = split /,/, ($db->get_prop("clamav", "FilesystemScanExclude") ||
"/proc,/sys,/usr/share/doc");
and
my @exclude = split /,/, ($db->get_prop("clamav", "FilesystemScanExclude") || "/proc,/sys,/usr/share/doc");
No
That's funny. :D
-
@will Missed reading your earlier post...
[root@teri /]# /sbin/e-smith/smeserver-clamscan
...rather than just looking at the contents tried invoking it.
Had to horizontally scroll htop to read the whole line.
VERY LONG (too long?) and shows all the --excludes separately.
Is this the problem because the very last one looks truncated?
(might be htop or my PuTTY settings)
-
The htop panel merely reflected whichever command line I used,
or do you mean for me to watch at midnight?
Use
/sbin/e-smith/smeserver-clamscan
by itself and htop will show your --excludes as per the database.
-
Piran,
Not solved after all;~/
[root@teri /]# clamscan -r /home --quiet
Is the manual implementation of ClamAV different from what runs normally?
Yes,
the sme clamscan is finally issuing the following command:
nice /usr/bin/clamscan --recursive --infected --stdout \
--log /var/log/clamd/clamscan.log --exclude /proc \
--exclude /sys --exclude /usr/share --exclude /var \
--exclude /var/spool/clamav/quarantine \
--exclude /home/e-smith/files/ibays \
/
(with the extra exclusion from the db setprop we talked about)
G.
PS so my first post was the correct solution, no?
-
Piran,
Not solved after all;~/
[root@teri /]# clamscan -r /home --quiet
Is the manual implementation of ClamAV different from what runs normally?
Yes,
the sme clamscan is finally issuing the following command:
nice /usr/bin/clamscan --recursive --infected --stdout \
--log /var/log/clamd/clamscan.log --exclude /proc \
--exclude /sys --exclude /usr/share --exclude /var \
--exclude /var/spool/clamav/quarantine \
--exclude /home/e-smith/files/ibays \
/
(with the extra exclusion from the db setprop we talked about)
G.
PS so my first post was the correct solution, no?
Yes.
Piran's use of clamscan sent me on a goose chase.. :oops:
edit: Plus I only grep'ed /etc for the db property.
-
/sbin/e-smith/smeserver-clamscan
...is that a good simulation of what occurs at midnight automatically?
-
From man clamscan,
--exclude=PATT, --exclude-dir=PATT
Don't scan file/directory names containing PATT. It may be used multiple times.
Is there a difference between --exclude=PATT and --exclude-dir=PATT ?
Interesting..
http://www.webservertalk.com/archive389-2006-2-1386908.html
-
Summary:
[show the configuration of ClamAV]
# config show clamav
[query EXCLUSION areas for ClamAV]
# db configuration getprop clamav FilesystemScanExclude
[set the default EXCLUSION areas for ClamAV]
# db configuration setprop clamav FilesystemScanExclude /proc,/sys,/usr/share,/var
[set my own EXCLUSION areas for ClamAV]
[mounted network shares used in backups]
[very large ibay-mounted h/w RAID arrays]
# db configuration setprop clamav FilesystemScanExclude \
/proc,/sys,/usr/share,/var,/mnt,/home/e-smith/files/ibays/storage
[set the command line? EXCLUSION areas for ClamAV]
# mkdir -p /etc/e-smith/templates-custom/etc/clamd.conf
# cat > /etc/e-smith/templates/etc/clamd.conf/ClamukoExcludePath
{
# Set the exclude paths. All subdirectories are also excluded.
"ClamukoExcludePath /home/e-smith/files/ibays/storage";
}
### use the key combo of Control-D to exit from the concatenation
# /sbin/e-smith/expand-template /etc/clamd.conf
# /sbin/e-smith/signal-event clamav-update
[command line simulation of the midnight ClamAV run]
[with those pre-set smeserver EXCLUSION areas]
# /sbin/e-smith/smeserver-clamscan
[command line raw use of ClamAV]
[does *NOT* use those pre-set smeserver EXCLUSION areas]
[--quiet switch avoids scrolling screenfuls of reports]
# clamscan -r /home
with thanks to Gaston94 and william_syd
-
Piran,
Does the above work for you ?
Don't do it on a production SME.
As an experiment, at the command line try..
clamscan -r / \
--exclude-dir=proc \
--exclude-dir=sys \
--exclude-dir=share \
--exclude-dir=var \
--exclude-dir=quarantine \
--exclude-dir=mnt \
--exclude-dir=ibays
Then try
clamscan -r / \
--exclude /proc \
--exclude /sys \
--exclude /usr/share \
--exclude /var \
--exclude /var/spool/clamav/quarantine \
--exclude /mnt \
--exclude /home/e-smith/files/ibays
-
Tomorrow... it's after 02:15hrs local;~)
Our works successfully configured the AV scan around disturbing
concurrent backups (i.e. didn't attempt to scan /mnt/) and avoided
trying to scan the main h/w RAID (which takes it over 5 days).
AV scan report now back to 'normal':
LibClamAV Error: cli_untar: only standard TAR files are currently supported
LibClamAV Warning: Multipart MIME message contains no boundaries
----------- SCAN SUMMARY -----------
Known viruses: 71526
Engine version: 0.88.4
Scanned directories: 25314
Scanned files: 105851
Infected files: 0
Data scanned: 5951.30 MB
Time: 2058.589 sec (34 m 18 s)
Must now allow the backups to re-build.
Will try your experiment tomorrow.
-
Tomorrow... it's after 02:15hrs local;~)
Our works successfully configured the AV scan around disturbing
concurrent backups (i.e. didn't attempt to scan /mnt/) and avoided
trying to scan the main h/w RAID (which takes it over 5 days).
AV scan report now back to 'normal':
LibClamAV Error: cli_untar: only standard TAR files are currently supported
LibClamAV Warning: Multipart MIME message contains no boundaries
----------- SCAN SUMMARY -----------
Known viruses: 71526
Engine version: 0.88.4
Scanned directories: 25314
Scanned files: 105851
Infected files: 0
Data scanned: 5951.30 MB
Time: 2058.589 sec (34 m 18 s)
Must now allow the backups to re-build.
Will try your experiment tomorrow.
Ok.
How did you configure it? How did you run clamav?
It's in the bug tracker anyway..
http://bugs.contribs.org/show_bug.cgi?id=1671
-
There is a Bug raised already about some of these issues.
http://bugs.contribs.org/show_bug.cgi?id=1889
and other comments...
http://forums.contribs.org/index.php?topic=33160.0
-
Piran,
Does the above work for you ?
Don't do it on a production SME.
As an experiment, at the command line try..
clamscan -r / \
--exclude-dir=proc \
--exclude-dir=sys \
--exclude-dir=share \
--exclude-dir=var \
--exclude-dir=quarantine \
--exclude-dir=mnt \
--exclude-dir=ibays
Then try
clamscan -r / \
--exclude /proc \
--exclude /sys \
--exclude /usr/share \
--exclude /var \
--exclude /var/spool/clamav/quarantine \
--exclude /mnt \
--exclude /home/e-smith/files/ibays
It's the production box.
-
Yeah.. it locked up my machine at home.
For a time trial, try
clamscan -r --exclude-dir=/home /home
and
clamscan -r --exclude=/home /home
-
[root@teri smeserver-dar2]# clamscan -r --exclude-dir=/home /home
/home: Excluded
----------- SCAN SUMMARY -----------
Known viruses: 71845
Engine version: 0.88.4
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 1.355 sec (0 m 1 s)
[root@teri smeserver-dar2]#
[root@teri smeserver-dar2]# clamscan -r --exclude=/home /home
(...log snipped...)
----------- SCAN SUMMARY -----------
Known viruses: 71845
Engine version: 0.88.4
Scanned directories: 16089
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 65.680 sec (1 m 5 s)
[root@teri smeserver-dar2]#
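The two runs above show the difference in practice: with --exclude-dir the scan stops at /home and reports 0 directories, with --exclude it still walks all 16089 directories and only skips the files inside them, which is where the extra minute goes. As an added example (the editor's Python, not clamscan's code), a small model of that behaviour over a constructed tree shaped after the thread's paths. It also computes the counts for the database-style exclusion list used earlier in the thread under both switches. The matching rule (path contains the pattern; --exclude tested against each file, --exclude-dir tested against a directory before descending) is an assumption about clamscan 0.88 taken from the man page wording and the counts in the post; SAMPLE_TREE and simulate_scan are names invented for the example.

```python
# Added example, not clamscan's code: a small model of how clamscan applies
# --exclude and --exclude-dir while walking a tree, written to explain the
# two timings above. Assumptions: --exclude is tested against each regular
# file's path and never stops traversal; --exclude-dir is tested against a
# directory's path before it is entered and prunes the whole subtree; both
# treat PATT as "path contains PATT" (the man page wording). The tree is
# constructed for the example.
from typing import Any, Dict, Iterable, List, Tuple

# A directory is a dict, a file is None. Shaped after the thread's paths.
SAMPLE_TREE: Dict[str, Any] = {
    "home": {
        "e-smith": {
            "files": {
                "ibays": {"storage": {"big1.iso": None, "big2.iso": None}},
                "users": {"alice": {"mail.txt": None}, "bob": {"notes.txt": None}},
            },
        },
    },
    "mnt": {"backup": {"full.dar": None}},
}


def _node_at(tree: Dict[str, Any], path: str) -> Any:
    """Look up the directory dict for an absolute path ('/' is the tree itself)."""
    node: Any = tree
    for part in path.strip("/").split("/"):
        if part:
            node = node[part]
    return node


def simulate_scan(tree: Dict[str, Any], root: str,
                  exclude: Iterable[str] = (),
                  exclude_dir: Iterable[str] = ()) -> Tuple[int, int, List[str]]:
    """Return (directories traversed, files scanned, paths reported Excluded)."""
    exclude, exclude_dir = list(exclude), list(exclude_dir)
    dirs = files = 0
    excluded: List[str] = []

    def walk(path: str, node: Dict[str, Any]) -> None:
        nonlocal dirs, files
        # --exclude-dir: decided before descending, so nothing below is touched.
        if any(p in path for p in exclude_dir):
            excluded.append(path)
            return
        dirs += 1
        for name, child in node.items():
            child_path = path.rstrip("/") + "/" + name
            if isinstance(child, dict):
                walk(child_path, child)
            elif any(p in child_path for p in exclude):
                # --exclude: the file is skipped, but we still had to walk here.
                excluded.append(child_path)
            else:
                files += 1

    walk(root, _node_at(tree, root))
    return dirs, files, excluded


if __name__ == "__main__":
    # Mirrors the two commands in the post above, then the db-style list.
    print("--exclude-dir=/home /home ->", simulate_scan(SAMPLE_TREE, "/home", exclude_dir=["/home"])[:2])
    print("--exclude=/home /home     ->", simulate_scan(SAMPLE_TREE, "/home", exclude=["/home"])[:2])
    db_list = ["/home/e-smith/files/ibays", "/mnt"]
    print("--exclude     (db list)   ->", simulate_scan(SAMPLE_TREE, "/", exclude=db_list)[:2])
    print("--exclude-dir (db list)   ->", simulate_scan(SAMPLE_TREE, "/", exclude_dir=db_list)[:2])
```

Under this model --exclude with a directory path gives the right answer (no files under it are scanned) but the wrong cost (every directory under it is still opened and listed), which is exactly the "16089 directories, 0 files" result; --exclude-dir on the same path is what keeps a huge ibay or a mounted backup share off the traversal altogether.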
-
wow, just over a minute's difference.
BTW, /proc is never scanned by clamscan.
I'll leave it in the bug tracker and see what the developers say.
Thanks.