Hello Hanspeter!

We chatted about this as a team a bit after you left a question on the topic in 
IRC.  It would absolutely make sense to filter out clamd events using the clamd 
pid, if the `PidFile` is enabled, and/or by using the clamd user name, if the 
`User` option is enabled.  I created an internal task to investigate it, but 
it's not planned on our roadmap.  

You raise a good point Re: https://bugzilla.clamav.net/show_bug.cgi?id=12595 
and the use of `--pid` vs the clamd.conf `PidFile`. Come to think of it, 
freshclam may use the clamd.conf `PidFile` option as well, if you set 
`NotifyClamd /path/to/clamd.conf`.  These may both be good reasons to keep the 
`PidFile` config option.  I'll make a note of that in the Bugzilla ticket.

In an ideal world, ClamAV would be _less_ configurable and would "just work" 
more than it does.  If I had my way, the location of the PID file would be 
hardcoded into the programs, and the PID file would be always-enabled so that 
clamonacc could depend on it.  Realistically though, such a change would 
certainly upset a few people.  I'll discuss it with the team a bit more.  I 
don't have a good answer for you this very moment. 

If you're interested in adding the ability to filter clamd events by `PidFile` 
and/or by `User`, a pull-request submitted to 
https://github.com/Cisco-Talos/clamav-devel would be welcomed.  Additional 
information in the documentation advocating for and explaining the use of the 
clamd PidFile and/or User options would also be good: 
https://github.com/Cisco-Talos/clamav-faq/blob/master/manual/UserManual/OnAccess.md
 

Best regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
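As an added illustration of the PID-based filter discussed above (this is not clamonacc's or clamd's own code), the snippet below parses a clamd-style PidFile and drops an on-access event whose originating pid is clamd's own or clamonacc's own. The function names and the PidFile path are hypothetical; the PidFile contents used in the comments are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Parse the text of a PidFile: one positive decimal number, optionally
 * followed by a newline.  Anything else yields 0 ("no usable pid"), so a
 * corrupt file disables the filter instead of silently excluding pid 0/1. */
static pid_t parse_pid_text(const char *buf)
{
    char *end;
    long v = strtol(buf, &end, 10);
    if (end == buf || v <= 0 || v > 4194304)          /* Linux pid_max upper bound */
        return 0;
    if (*end != '\0' && *end != '\n')                 /* reject "4242 trailing junk" */
        return 0;
    return (pid_t)v;
}

/* Read the pid from a PidFile such as /run/clamd.scan/clamd.pid (hypothetical
 * path).  A missing or unreadable file returns 0: filtering is simply off. */
static pid_t read_pidfile(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    char buf[32] = {0};
    char *ok = fgets(buf, sizeof buf, f);
    fclose(f);
    return ok ? parse_pid_text(buf) : 0;
}

/* Decide whether an on-access event should be ignored.  Events caused by
 * clamonacc itself or by the clamd process we hand files to are skipped, so
 * the scanner never feeds its own file accesses back into the scan queue. */
static bool should_skip_event(pid_t event_pid, pid_t clamd_pid)
{
    if (event_pid == getpid())
        return true;
    return clamd_pid > 0 && event_pid == clamd_pid;
}
```

The same decision could be keyed on the `User` option instead by comparing the event's uid with the uid clamd runs as; the structure would be identical.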



> -----Original Message-----
> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of
> Hanspeter Gosteli
> Sent: Friday, December 4, 2020 4:53 AM
> To: clamav-devel@lists.clamav.net
> Subject: [Clamav-devel] Preliminary Feature Question (clamonacc clamd-pid-
> filtering)
> 
> Dear Clamav Developers
> Is anyone working on a feature for clamonacc to filter out clamd's pid, so they
> don't scan themselves? This feature would allow us to run both
> clamd/clamonacc as root without the need for
> OnAccessExcludeRootUID/UID/Uname.
> 
> Other AM like McAfee and Trend-DS operate as root while also scanning root
> events. My customer and I stand at the conclusion that we require root
> execution while scanning other root-process events, so as to achieve feature parity
> with commercial AM. Our deployment would be in the few 1000s of RHEL7+8
> under PCI-DSS.
> 
> I was thinking about having clamonacc watch the clamd.pid file - but then
> discovered https://bugzilla.clamav.net/show_bug.cgi?id=12595 which
> discusses removal of PID-Path from config.
> 
> Please let me know if you already see blockers or issue "go for it" to this idea.
> Unless I accomplish this myself, we might be able to raise a bounty.
> My background is System Engineering and I am inclined to contributing to
> open source. Just FYI, this is my current playground, simply installing the EPEL
> packaged RPMs into a virtual machine: https://gitlab.com/goshansp/clamav
> 
> 
> Question Summary:
> - Is it feasible to implement clamd-pid-filtering in clamonacc or am I missing
>   something?
> - What is needed to bump clamav v1.0?
> - Are there any videocalls / irc sessions scheduled? (I live in UTC and would be
>   eager to listen into current discussions)
> 
> I am looking forward to your answer.
> 
> Best regards and much appreciation for clamav, Hanspeter
> --
> hanspeter.gost...@gmail.com
> +41794010780
> _______________________________________________
> 
> clamav-devel mailing list
> clamav-devel@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-devel
> 
> Please submit your patches to our Github: https://github.com/Cisco-
> Talos/clamav-devel/pulls
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml