That's it!! When I disabled clamuko, the scan results indicated an infected file was found (which it was not doing) and the file was moved to the quarantine directory.
Now, that said, where does that leave me as far as clamuko? We rely on that for on-access scanning. I assume, now that I'm seeing this, that when clamscan attempts to scan the file clamuko won't allow it. Therefore the file is not deemed infected, and not moved. Are we left in a position where if we want to use clamuko we'll just have to manually address each infected file as it is discovered, rather than expecting it to be moved to a quarantine area? Where does this leave us with our nightly full scans of the file system? It would seem that our nightly scans will only result in notifications that a file can't be opened if it discovers an infected file. Will we need to rely on reviewing the clamd.log file to see if an infected file is found?

Thank you for pointing me in the right direction, and for any additional input (from anyone).

----- Original Message ----
From: Thorolf <[EMAIL PROTECTED]>
To: ClamAV users ML <clamav-users@lists.clamav.net>
Sent: Wednesday, October 17, 2007 9:08:54 AM
Subject: Re: [Clamav-users] eicar Identified But Not Moved

Hey,

I don't know if clamuko should deny access to this file.
If you are running Clamuko then disable it please ;-) or show us
ls -al /home/justlgn/test/eicar.com

/rl

Sean McGlynn wrote:
> The following is what appears in the trace that I believe is relevant (it is
> all that appears relevant to eicar)
>
> lstat64("/home/justlgn/test/eicar.com", {st_mode=S_IFREG|0644, st_size=69, ...}) = 0
> stat64("/home/justlgn/test/eicar.com", {st_mode=S_IFREG|0644, st_size=69, ...}) = 0
> stat64("/home/justlgn/test/eicar.com", {st_mode=S_IFREG|0644, st_size=69, ...}) = 0
> geteuid32() = 0
> open("/home/justlgn/test/eicar.com", O_RDONLY) = -1 EPERM (Operation not permitted)
> write(3, "WARNING: Can\'t open file /home/j"..., 54) = 54
> write(2, "WARNING: Can\'t open file /home/j"..., 54) = 54

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html