On 7/6/2010 3:07 PM, Russ Tyndall wrote:
On Jul 6, 2010, at 3:12 PM, Török Edwin wrote:
Interesting, I made my VirusEvent line look like this in clamd.conf:
VirusEvent /bin/cp /Library/mytestfile.txt /Library/mytestfile2.txt
Does the 'clamav' user have the right to create files in /Library?
Note that even if you run clamd as root, with a 'User clamav' directive in
clamd.conf it will drop privileges.
Try copying a file to /tmp, or even simpler just 'touch /tmp/foo'.
The "run as another user" directive in my clamd.conf file looks like this:
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
#User clamav
So, I am interpreting this to mean that clamd will retain its privileges (i.e.,
run as root). Is that a correct interpretation?
In Activity Monitor, the User "owning" clamd is described as root.
Sounds as if clamd is running as root.
I have tried both of these commands on the VirusEvent line:
VirusEvent /bin/cp /tmp/mytestfile.txt /tmp/mytestfile2.txt
and
VirusEvent touch /tmp/mytestfile.txt
Unfortunately, it does not seem that either event fires, even though the scan
does find EICAR.
I just tried VirusEvent touch /tmp/foo and verified that it works.
What is the most sensible way to verify that clamd is looking at the correct
config file? This is the one that I am updating:
/usr/local/ClamXav/etc/clamd.conf
clamconf
find / -name clamd.conf -ls
Make sure you restart clamd after editing clamd.conf.
-- Noel Jones
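
Added example, not part of the thread and not ClamAV project code: it lists which directives in a clamd.conf are active, treating '#'-prefixed lines such as '#User clamav' as comments. The function names and the sample config are constructed here for illustration.

```shell
#!/bin/sh
# Assumption: directive names are matched exactly as spelled in the file.

# Print the value(s) of an uncommented directive ($2) in a config file ($1).
active_directive() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                  # skip commented-out lines
        $1 == key {                          # exact name match only
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")  # drop the directive name
            sub(/[ \t]+$/, "")               # trim trailing whitespace
            print
        }' "$1"
}

# Summarize the two settings discussed in the thread for config file $1.
summarize_conf() {
    f=$1
    user=$(active_directive "$f" User)
    event=$(active_directive "$f" VirusEvent)
    if [ -n "$user" ]; then
        echo "user: drops privileges to $user"
    else
        echo "user: no active User directive (keeps the starting user)"
    fi
    if [ -n "$event" ]; then
        echo "virusevent: $event"
    else
        echo "virusevent: none active"
    fi
}

# Constructed sample config, built from lines quoted in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
#User clamav
#VirusEvent /bin/cp /tmp/mytestfile.txt /tmp/mytestfile2.txt
VirusEvent touch /tmp/foo
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
summarize_conf "$conf"
rm -f "$conf"
```

Pointing summarize_conf at each path printed by the find command above shows which copy of clamd.conf actually carries the VirusEvent edit.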