We have been doing some testing with ClamAV for use in our Linux environment. Compliance requirements are driving our need for On-Access Scanning, and we'd prefer to use ClamAV due to its level of maturity and community support. Everything seems to be working except for clamonacc. It appears to be having issues talking with clamd using an out-of-the-box configuration, though clamdscan works fine. Others seem to be having similar issues recently: https://forum.openmediavault.org/index.php?thread/31574-clamav-connection-timeout-error/
Any insight as to whether this is actually a bug or user error is greatly appreciated. Let me know if you need any additional information or if I should try adjusting environment/settings. Below is an excerpt from a currently security-locked (by default) bug report I submitted in Bugzilla:

Steps to Reproduce
--------------------------

With AppArmor:

sudo -i
apt-get install clamav-daemon
systemctl enable clamav-daemon
printf "ScanArchive true\nDetectPUA true\nOnAccessPrevention true\nOnAccessExcludeUname clamav\nOnAccessIncludePath /opt" >> /etc/clamav/clamd.conf
sed -i 's/LogVerbose false/LogVerbose true/g' /etc/clamav/clamd.conf
systemctl start clamav-daemon
clamonacc --verbose --log=/var/log/clamav/clamonacc.log --fdpass
mkdir /opt/testfolder
chown ubuntu /opt/testfolder
su ubuntu
cd /opt/testfolder
wget http://www.eicar.org/download/eicar.com
echo "test" > testfile.com
clamdscan --fdpass --verbose .

Without AppArmor:

sudo -i
systemctl stop apparmor
systemctl disable apparmor
sed -i 's/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX="apparmor=0 security=\\"\\""/' /etc/default/grub
update-grub
apt-get remove apparmor
reboot
(rerun the commands from the "With AppArmor" section above)

Actual Results
-------------------

The wget and echo commands above result in a multi-second pause/delay and eventually complete successfully. Logs show the following:

/var/log/clamav/clamav.log:
...
Thu May 21 18:12:50 2020 -> Client disconnected (FD 9)
Thu May 21 18:13:50 2020 -> Client disconnected (FD 9)

/var/log/clamav/clamonacc.log:
...
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file '/opt/testfolder/eicar.com'
ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
ClamClient: connection could not be established ... return code 12
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file '/opt/testfolder/testfile.com'
ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
ClamClient: connection could not be established ... return code 12

$ clamdscan --fdpass --verbose .
/opt/testfolder/./eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 10.013 sec (0 m 10 s)
Start Date: 2020:05:21 19:33:13
End Date: 2020:05:21 19:33:23

Expected Results
-----------------------

Minimal I/O latency writing the file testfile.com and blocking access to writing eicar.com.

Build Date & Hardware
-------------------------------

Hardware: AWS EC2
Instance Type: t3.medium
AMI: ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20200408 (ami-085925f297f89fce1)
OS/Kernel: Ubuntu 18.04.4 LTS / 4.15.0-1065-aws
ClamAV Versions Tested:
0.102.3+dfsg-0ubuntu0.18.04.1
0.102.2+dfsg-0ubuntu0.18.04.1
ClamAV 0.103.0-devel-20200521/25819/Thu May 21 12:20:55 2020

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
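Added example, not part of the original post and not ClamAV project code: a Python check that correlates the clamonacc.log lines quoted in the report to list files whose on-access scan never reached clamd, which is the condition that let eicar.com be written. The sample log is constructed from the excerpt above (the ok.txt entry is invented), and the code assumes a single worker's lines appear adjacent in the log.

```python
import re

# Constructed sample in the format of the clamonacc.log excerpt in the post.
# The last entry (ok.txt) is invented to show a scan with no failure logged.
SAMPLE_LOG = """\
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file '/opt/testfolder/eicar.com'
ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
ClamClient: connection could not be established ... return code 12
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file '/opt/testfolder/testfile.com'
ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
ClamClient: connection could not be established ... return code 12
ClamFanotif: attempting to feed consumer queue
ClamWorker: performing scanning on file '/opt/testfolder/ok.txt'
"""

SCAN_RE = re.compile(r"ClamWorker: performing scanning on file '(?P<path>.*)'\s*$")
TIMEOUT_RE = re.compile(r"ERROR: ClamCom: TIMEOUT while waiting on socket \((?P<op>\w+)\)")
FAIL_RE = re.compile(
    r"ClamClient: connection could not be established \.\.\. return code (?P<rc>\d+)"
)


def unscanned_files(lines):
    """Return [(path, reason, return_code)] for scans that never reached clamd."""
    failures = []
    current = None  # file the worker most recently started scanning
    reason = None   # socket error seen since that scan started, if any
    for line in lines:
        m = SCAN_RE.search(line)
        if m:
            current, reason = m.group("path"), None
            continue
        m = TIMEOUT_RE.search(line)
        if m and current:
            reason = "timeout (%s)" % m.group("op")
            continue
        m = FAIL_RE.search(line)
        if m and current:
            failures.append((current, reason or "connection failed", int(m.group("rc"))))
            current = reason = None
    return failures


if __name__ == "__main__":
    for path, why, rc in unscanned_files(SAMPLE_LOG.splitlines()):
        print("NOT SCANNED: %s [%s, return code %d]" % (path, why, rc))
```

Run against the live log, a non-empty result means on-access scanning is not actually checking files, which matters when the deployment exists to satisfy a compliance requirement.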