Ubuntu 24.04 and whatever version of ClamAV got installed by apt today. I'll confirm the exact version when I get back into work tomorrow.

On Wed, 12 Nov 2025, 21:30 Newcomer01 via clamav-users, <[email protected]> wrote:

> Which Ubuntu Version is running and which ClamAV Version?
>
> From: Tom Jordan Via Clamav-Users <[email protected]>
> To: Newcomer01 <[email protected]>
> CC: Tom Jordan <[email protected]>
> Sent: Tuesday, November 12, 2025 at 21:46 (09:46 PM) +0100
> Subject: [clamav-users] clamonacc detects file and says scanning of file has started but then nothing happens
>
> Hi,
>
> So I couldn't get the clamonacc scanner running on the host VM to detect
> files in the Docker container by watching the overlay file system where the
> Docker filesystems are mounted on the host. It seems like that is not
> possible with clam tools, so I am trying a different configuration now (a
> helpful suggestion from Andrew Aitchison). I have clamonacc running in the
> Docker container (clamonacc --move=/infected --foreground --log=/tmp/clamonacc.log --verbose),
> and clamd server running in the host VM (clamd --foreground --debug), with
> communication between the two via a TCP port/IP address configured in
> clamd.conf, which container and host each have a copy of same.
>
> Now the clamonacc running in the container can ping the clamd:
>
> tpj@tpj-VirtualBox: clamonacc --ping 10
> PONG
>
> which suggests the TCP address/port configuration is correct between the
> two. Also, when I shell into the clamonacc container and access an
> eincar.txt test malware file that I installed when building the container,
> the clamonacc detects me touching the file and indicates scanning has
> begun, as seen from its log output:
>
> ClamFanotif: attempting to feed consumer queue
> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
>
> But then nothing else happens, there is no notification about eincar.txt
> being a malware file and it is not moved to the quarantine folder. There is
> nothing further in the clamonacc log and nothing appears in the clamd log
> indicating that scanning has taken place at that end. The logging is not
> particularly verbose and I can't see how to get any further information out
> about what has happened.
>
> If I just create an innocuous file such as
>
> echo "hello" > test.txt
>
> in the same directory /home/ubuntu/clam_test/clam_test_sub_dir/, I see the
> following log messages from clamonacc:
>
> ClamFanotif: attempting to feed consumer queue
> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/test.txt'
>
> but test.txt is a benign file, this just shows that clamonacc sees all
> files on the watched path.
>
> Why is this not working? It feels like I'm nearly there but it doesn't
> work. Is there anything else I can do to get more information out?
>
> I'm using the following in clamd.conf:
>
> OnAccessIncludePath /home/ubuntu
> OnAccessExcludeUname clamav
> #OnAccessPrevention yes
>
> and here is the complete log output from clamonacc:
>
> root@7b58bc699d7b:/# clamonacc --move=/infected --foreground --log=/tmp/clamonacc.log --verbose
> --------------------------------------
> ClamClient: client setup to scan via streaming
> Clamonacc: daemon is remote
> ClamFanotif: kernel-level blocking feature disabled ...
> ClamFanotif: max file size limited to 5242880 bytes
> ClamScanQueue: initializing event queue consumer ... (5) threads in thread pool
> Clamonacc: beginning event loops
> ClamFanotif: starting fanotify event loop with process id (67) ...
> ClamInotif: starting inotify event loop ...
> ClamInotif: dynamically determining directory hierarchy...
> ClamInotif: watching '/home/ubuntu' (and all sub-directories)
> Excluding temp directory: /tmp
> ClamScanQueue: waiting to consume events ...
> ClamInotif: NVM, didn't actually need to exclude '/tmp'
> ClamFanotif: attempting to feed consumer queue
> ClamFanotif: attempting to feed consumer queue
> ClamMisc: $/proc/76 vanished before UIDs could be excluded; scanning anyway
> ClamFanotif: attempting to feed consumer queue
> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt.copy'
> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
>
> and from clamd:
>
> tpj@ubuntu_box:/# clamd --foreground --debug
> Limits: Global time limit set to 120000 milliseconds.
> Limits: Global size limit set to 419430400 bytes.
> Limits: File size limit set to 104857600 bytes.
> Limits: Recursion level limit set to 17.
> Limits: Files limit set to 10000.
> Limits: Core-dump limit is 18446744073709551615.
> Limits: MaxEmbeddedPE limit set to 41943040 bytes.
> Limits: MaxHTMLNormalize limit set to 41943040 bytes.
> Limits: MaxHTMLNoTags limit set to 8388608 bytes.
> Limits: MaxScriptNormalize limit set to 20971520 bytes.
> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
> Limits: MaxPartitions limit set to 50.
> Limits: MaxIconsPE limit set to 100.
> Limits: MaxRecHWP3 limit set to 16.
> Limits: PCREMatchLimit limit set to 100000.
> Limits: PCRERecMatchLimit limit set to 2000.
> Limits: PCREMaxFileSize limit set to 104857600.
> Archive support enabled.
> Image (graphics) scanning support enabled.
> Detection using image fuzzy hash enabled.
> AlertExceedsMax heuristic detection disabled.
> Heuristic alerts enabled.
> Portable Executable support enabled.
> ELF support enabled.
> Mail files support enabled.
> OLE2 support enabled.
> PDF support enabled.
> SWF support enabled.
> HTML support enabled.
> XMLDOCS support enabled.
> HWP3 support enabled.
> OneNote support enabled.
> Self checking every 600 seconds.
> Listening daemon: PID: 14
> MaxQueue set to: 100
> SelfCheck: Database status OK.
> SelfCheck: Database status OK.
> SelfCheck: Database status OK.
>
> Any help as always much appreciated.
>
> Thomas
>
> _______________________________________________
>
> Manage your clamav-users mailing list subscription / unsubscribe: https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide: https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
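
Added example, not part of the thread and not ClamAV project code: a small Python client for clamd's INSTREAM command, the streaming mode the clamonacc log above reports ("client setup to scan via streaming"), so the host clamd can be asked for a scan verdict over the same TCP socket without clamonacc in the path. The host, port, chunk size, sample bytes and function names are assumptions made for this example.

```python
import socket
import struct
import sys

CHUNK = 2048  # assumed chunk size; a chunk must not exceed clamd's StreamMaxLength
SAMPLE = b"constructed sample bytes, not malware\n" * 100  # constructed input

def instream_frames(data, chunk=CHUNK):
    """Frame data for zINSTREAM: <4-byte big-endian length><chunk>..., then a zero length."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out.append(struct.pack("!I", len(part)) + part)
    out.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(out)

def parse_reply(raw):
    """Map clamd's NUL-terminated reply to (status, detail)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if not text:
        return ("NO_REPLY", None)  # connection closed without a verdict
    if text.endswith(" FOUND"):
        return ("FOUND", text[len("stream: "):-len(" FOUND")])
    if text.endswith(" OK"):
        return ("OK", None)
    return ("ERROR", text)  # e.g. "INSTREAM size limit exceeded. ERROR"

def exchange(sock, data):
    """Send one INSTREAM scan on a connected socket and read the reply."""
    sock.sendall(instream_frames(data))
    buf = b""
    while not buf.endswith(b"\0"):
        part = sock.recv(4096)  # raises socket.timeout if clamd stays silent
        if not part:
            break
        buf += part
    return parse_reply(buf)

def scan_via_clamd(host, port, data, timeout=10.0):
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return exchange(sock, data)

if __name__ == "__main__":
    # Usage: python3 probe.py <clamd host> <TCPSocket port> [file]
    host, port = sys.argv[1], int(sys.argv[2])
    data = open(sys.argv[3], "rb").read() if len(sys.argv) > 3 else SAMPLE
    print(scan_via_clamd(host, port, data))
```

A socket timeout or NO_REPLY from this probe means clamd itself returned no verdict for a streamed scan, independent of anything clamonacc does.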
