Hello,

Hope this clarifies it more. I use the following curl version:

[erirhe1d@gglvboft001 tmp]$ curl -V
curl 7.68.0-DEV (x86_64-unknown-linux-gnu) libcurl/7.68.0-DEV OpenSSL/1.0.2k-fips zlib/1.2.7 libssh2/1.8.0
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTPS-proxy Largefile libz NTLM NTLM_WB SSL UnixSockets

My /etc/clamd.d/scan.conf (comments stripped):

LogFile /var/log/clamav/clamd.scan.log
LogFileMaxSize 2M
LogTime yes
LogSyslog yes
LogRotate yes
ExtendedDetectionInfo yes
PidFile /var/run/clamd.scan/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 660
FixStaleSocket yes
ExcludePath ^/proc/
ExcludePath ^/sys/
User clamscan
AlertBrokenExecutables yes
AlertEncrypted yes
AlertEncryptedArchive yes
AlertEncryptedDoc yes
ScanELF yes
ScanHTML yes
OnAccessIncludePath /bin
OnAccessIncludePath /sbin
OnAccessIncludePath /boot
OnAccessIncludePath /data
OnAccessIncludePath /etc
OnAccessIncludePath /lib
OnAccessIncludePath /lib64
OnAccessIncludePath /srv
OnAccessIncludePath /tmp
OnAccessIncludePath /usr
OnAccessIncludePath /var
OnAccessExcludePath /proc
OnAccessExcludePath /sys
OnAccessExtraScanning yes
OnAccessExcludeRootUID yes
OnAccessExcludeUID 994
OnAccessExcludeUname clamav
OnAccessExcludeUname clamscan
Bytecode yes

File: /var/log/messages

Jul 7 09:52:14 gglvboft001 systemd: Starting clamd scanner (scan) daemon...
Jul 7 09:52:14 gglvboft001 clamd[13246]: Received 0 file descriptor(s) from systemd.
Jul 7 09:52:14 gglvboft001 clamd[13246]: clamd daemon 0.102.3 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jul 7 09:52:14 gglvboft001 clamd[13246]: Running as user clamscan (UID 994, GID 988)
Jul 7 09:52:14 gglvboft001 clamd[13246]: Log file size limited to 2097152 bytes.
Jul 7 09:52:14 gglvboft001 clamd[13246]: Reading databases from /var/lib/clamav
Jul 7 09:52:14 gglvboft001 clamd[13246]: Not loading PUA signatures.
Jul 7 09:52:14 gglvboft001 clamd[13246]: Bytecode: Security mode set to "TrustSigned".
Jul 7 09:52:26 gglvboft001 clamd[13246]: Loaded 7752884 signatures.
Jul 7 09:52:28 gglvboft001 clamd[13246]: LOCAL: Unix socket file /var/run/clamd.scan/clamd.sock
Jul 7 09:52:28 gglvboft001 clamd[13246]: LOCAL: Setting connection queue length to 200
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: Global time limit set to 120000 milliseconds.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: Global size limit set to 104857600 bytes.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: File size limit set to 26214400 bytes.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: Recursion level limit set to 16.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: Files limit set to 10000.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxScriptNormalize limit set to 5242880 bytes.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxPartitions limit set to 50.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxIconsPE limit set to 100.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: MaxRecHWP3 limit set to 16.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: PCREMatchLimit limit set to 100000.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: PCRERecMatchLimit limit set to 2000.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Limits: PCREMaxFileSize limit set to 26214400.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Archive support enabled.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Alerting of encrypted archives _and_ documents enabled.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Alerting of encrypted archives _and_ documents enabled.
Jul 7 09:52:28 gglvboft001 clamd[13259]: Alerting of encrypted documents enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: AlertExceedsMax heuristic detection disabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: Heuristic alerts enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: Portable Executable support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: ELF support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: Alerting on broken executables enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: Mail files support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: OLE2 support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: PDF support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: SWF support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: HTML support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: XMLDOCS support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: HWP3 support enabled.
Jul 7 09:52:29 gglvboft001 clamd[13259]: Self checking every 600 seconds.
Jul 7 09:52:31 gglvboft001 systemd: Started clamd scanner (scan) daemon.
Jul 7 09:52:41 gglvboft001 systemd: Started Clam AntiVirus userspace daemon for OnAccess Scanning.
Jul 7 09:52:41 gglvboft001 clamonacc: ClamInotif: watching '/bin' (and all sub-directories)
Jul 7 09:52:41 gglvboft001 clamonacc: ClamInotif: watching '/sbin' (and all sub-directories)
Jul 7 09:52:41 gglvboft001 clamonacc: ClamInotif: watching '/boot' (and all sub-directories)
Jul 7 09:52:41 gglvboft001 clamonacc: ClamInotif: watching '/data' (and all sub-directories)
Jul 7 09:52:42 gglvboft001 clamonacc: ClamInotif: watching '/etc' (and all sub-directories)
Jul 7 09:52:42 gglvboft001 clamonacc: ClamInotif: watching '/lib' (and all sub-directories)
Jul 7 09:52:42 gglvboft001 clamonacc: ClamInotif: watching '/lib64' (and all sub-directories)
Jul 7 09:52:42 gglvboft001 clamonacc: ClamInotif: watching '/srv' (and all sub-directories)
Jul 7 09:52:42 gglvboft001 clamonacc: ClamInotif: watching '/tmp' (and all sub-directories)
Jul 7 09:52:43 gglvboft001 clamonacc: ClamInotif: watching '/usr' (and all sub-directories)
Jul 7 09:52:43 gglvboft001 clamonacc: ClamInotif: watching '/var' (and all sub-directories)
Jul 7 09:55:27 gglvboft001 su: (to root) erirhe1d on pts/0

My test:

[erirhe1d@gglvboft001 tmp]$ date
Tue Jul 7 09:54:39 CEST 2020
[erirhe1d@gglvboft001 tmp]$ ls -lia eicar.com
118 -rw-r--r--. 1 erirhe1d erirhe1d 68 Jul 3 09:42 eicar.com
[erirhe1d@gglvboft001 tmp]$ cp eicar.com eicar1.com
[erirhe1d@gglvboft001 tmp]$ cat eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*[erirhe1d@gglvboft001 tmp]$
[erirhe1d@gglvboft001 tmp]$ more eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
[erirhe1d@gglvboft001 tmp]$
[erirhe1d@gglvboft001 tmp]$ date
Tue Jul 7 09:55:20 CEST 2020
[erirhe1d@gglvboft001 tmp]$

No warning in /var/log/messages ?????

Now commented out "OnAccessIncludePath" and set "OnAccessMountPath" in /etc/clamd.d/scan.conf. Restarted clamd@scan and clamonacc.

OnAccessMountPath /boot
OnAccessMountPath /
OnAccessMountPath /srv
OnAccessMountPath /var
OnAccessMountPath /tmp
OnAccessMountPath /data
OnAccessMountPath /var/log/audit

/var/log/messages:

Jul 7 10:02:06 gglvboft001 systemd: Starting clamd scanner (scan) daemon...
Jul 7 10:02:06 gglvboft001 clamd[13861]: Received 0 file descriptor(s) from systemd.
Jul 7 10:02:06 gglvboft001 clamd[13861]: clamd daemon 0.102.3 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jul 7 10:02:06 gglvboft001 clamd[13861]: Running as user clamscan (UID 994, GID 988)
Jul 7 10:02:06 gglvboft001 clamd[13861]: Log file size limited to 2097152 bytes.
Jul 7 10:02:06 gglvboft001 clamd[13861]: Reading databases from /var/lib/clamav
Jul 7 10:02:06 gglvboft001 clamd[13861]: Not loading PUA signatures.
Jul 7 10:02:06 gglvboft001 clamd[13861]: Bytecode: Security mode set to "TrustSigned".
Jul 7 10:02:18 gglvboft001 clamd[13861]: Loaded 7752884 signatures.
Jul 7 10:02:21 gglvboft001 clamd[13861]: LOCAL: Unix socket file /var/run/clamd.scan/clamd.sock
Jul 7 10:02:21 gglvboft001 clamd[13861]: LOCAL: Setting connection queue length to 200
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: Global time limit set to 120000 milliseconds.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: Global size limit set to 104857600 bytes.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: File size limit set to 26214400 bytes.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: Recursion level limit set to 16.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: Files limit set to 10000.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxScriptNormalize limit set to 5242880 bytes.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxPartitions limit set to 50.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxIconsPE limit set to 100.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: MaxRecHWP3 limit set to 16.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: PCREMatchLimit limit set to 100000.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: PCRERecMatchLimit limit set to 2000.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Limits: PCREMaxFileSize limit set to 26214400.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Archive support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Alerting of encrypted archives _and_ documents enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Alerting of encrypted archives _and_ documents enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Alerting of encrypted documents enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: AlertExceedsMax heuristic detection disabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Heuristic alerts enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Portable Executable support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: ELF support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Alerting on broken executables enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Mail files support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: OLE2 support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: PDF support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: SWF support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: HTML support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: XMLDOCS support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: HWP3 support enabled.
Jul 7 10:02:21 gglvboft001 clamd[13874]: Self checking every 600 seconds.
Jul 7 10:02:23 gglvboft001 systemd: Started clamd scanner (scan) daemon.
Jul 7 10:02:33 gglvboft001 systemd: Started Clam AntiVirus userspace daemon for OnAccess Scanning.
Jul 7 10:02:59 gglvboft001 clamd[13874]: lstat() failed on: /var/spool/postfix/maildrop/DF960218984
Jul 7 10:02:59 gglvboft001 clamd[13874]: lstat() failed on: /var/spool/postfix/incoming/E5C134E
Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13774 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13943 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13943 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13943 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13943 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13943 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13943 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:00 gglvboft001 clamd[13874]: lstat() failed on: /var/spool/postfix/maildrop/DF960218984
Jul 7 10:03:25 gglvboft001 clamd[13874]: /tmp/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Jul 7 10:03:25 gglvboft001 clamonacc: /tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND
Jul 7 10:03:25 gglvboft001 clamd[13874]: /tmp/eicar2.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Jul 7 10:03:25 gglvboft001 clamonacc: /tmp/eicar2.com: Win.Test.EICAR_HDB-1 FOUND
Jul 7 10:03:41 gglvboft001 su: (to root) erirhe1d on pts/0
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13990 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13992 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13992 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/13998 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14003 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway
Jul 7 10:03:41 gglvboft001 clamonacc: ClamMisc: $/proc/14006 vanished before UIDs could be excluded; scanning anyway

My test:

[erirhe1d@gglvboft001 tmp]$ date
Tue Jul 7 10:03:15 CEST 2020
[erirhe1d@gglvboft001 tmp]$ cp eicar.com eicar2.com
[erirhe1d@gglvboft001 tmp]$ date
Tue Jul 7 10:03:36 CEST 2020

My disks:

[root@gglvboft001 ~]# lsblk
NAME                   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                      8:0    0   20G  0 disk
├─sda1                   8:1    0  512M  0 part /boot
└─sda2                   8:2    0 19.5G  0 part
  ├─system-lv--root    253:0    0    8G  0 lvm  /
  ├─system-lv--swap    253:1    0    2G  0 lvm  [SWAP]
  ├─system-lv--srv     253:4    0    2G  0 lvm  /srv
  ├─system-lv--var     253:5    0    4G  0 lvm  /var
  └─system-lv--tmp     253:6    0    2G  0 lvm  /tmp
sdb                      8:16   0  100G  0 disk
└─sdb1                   8:17   0  100G  0 part
  ├─datavg-lv--data    253:2    0    4G  0 lvm  /data
  └─datavg-lv--audit   253:3    0    1G  0 lvm  /var/log/audit
[erirhe1d@gglvboft001 tmp]$

Kind regards,

Eric van Rheenen
Linux administration
Raadhuisplein 10, 9751AN Haren
E-Mail: eric.van.rhee...@groningen.nl
ericvan.rhee...@ts.fujitsu.com
Phone: +31 (0)6 1640 2686
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
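
Added example, not part of the original message: a Python check that automates the test described above, searching syslog for clamd/clamonacc FOUND lines for the copied test file inside the window given by the two `date` calls. The log samples are constructed, modelled on the lines quoted in the message; the function names and the 30-second slack are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog samples modelled on the two runs quoted in the message
# (timestamps, paths and signature name follow the lines shown there).
RUN_INCLUDEPATH = """\
Jul  7 09:52:42 gglvboft001 clamonacc: ClamInotif: watching '/tmp' (and all sub-directories)
Jul  7 09:55:27 gglvboft001 su: (to root) erirhe1d on pts/0
"""
RUN_MOUNTPATH = """\
Jul  7 10:02:59 gglvboft001 clamonacc: ClamMisc: $/proc/13943 vanished before UIDs could be excluded; scanning anyway
Jul  7 10:03:25 gglvboft001 clamd[13874]: /tmp/eicar2.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Jul  7 10:03:25 gglvboft001 clamonacc: /tmp/eicar2.com: Win.Test.EICAR_HDB-1 FOUND
"""

# "<timestamp> <host> clamd[pid]|clamonacc: <path>: <signature>[(hash:size)] FOUND"
FOUND_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"(?P<prog>clamd|clamonacc)(?:\[\d+\])?:\s+"
    r"(?P<path>/.*?):\s+(?P<sig>\S+?)(?:\(.*\))?\s+FOUND$"
)


def detections(log_text, year):
    """Return (time, program, path, signature) for every FOUND line."""
    found = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            # Classic syslog timestamps carry no year, so the caller supplies it.
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            found.append((when, m["prog"], m["path"], m["sig"]))
    return found


def check_access_test(log_text, path, start, end, slack=30):
    """Report which daemons logged `path` between start and end (+ slack seconds)."""
    deadline = end + timedelta(seconds=slack)
    hits = {prog for when, prog, p, _ in detections(log_text, start.year)
            if p == path and start <= when <= deadline}
    return {"clamd": "clamd" in hits, "clamonacc": "clamonacc" in hits}


if __name__ == "__main__":
    # First run (OnAccessIncludePath), then second run (OnAccessMountPath).
    print(check_access_test(RUN_INCLUDEPATH, "/tmp/eicar1.com",
                            datetime(2020, 7, 7, 9, 54, 39), datetime(2020, 7, 7, 9, 55, 20)))
    print(check_access_test(RUN_MOUNTPATH, "/tmp/eicar2.com",
                            datetime(2020, 7, 7, 10, 3, 15), datetime(2020, 7, 7, 10, 3, 36)))
```

A result with both values False for a watched path means neither daemon logged a verdict for that file in the window, which is the condition the first run in the message shows.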