Hi,

That makes sense. Thanks.

Thomas.

On Fri, 14 Nov 2025, 20:40 clamav.mbourne--- via clamav-users, <[email protected]> wrote:
> That sounds like shell variable substitution, where a dollar followed by
> the name of a variable is replaced with the value of that variable (or
> nothing if a value hasn't been set). If you use single quotes instead
> of double quotes around the eicar test string, that will probably
> suppress substitutions.
>
> Mark.
>
>
> THOMAS JORDAN via clamav-users wrote:
> > FWIW, it seems that what happened was the Docker build process stripped
> > out some characters from the eicar string (not shown in here but hard
> > coded in the Dockerfile and represented by eincar_test_string) when
> > executing the instruction
> >
> > RUN echo "eincar_test_string" > /home/Ubuntu/clam_test/clam_test_subdir/eincar.txt
> >
> > in the Dockerfile I used to build the image for running clamonacc.
> >
> > Not sure why that is.
> >
> > On Thu, 13 Nov 2025, 15:31 THOMAS JORDAN, <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> >     Operator error. I had managed somehow to drop a dollar sign from the
> >     middle of the eicar string I was writing to a file in the clamonacc
> >     Docker build. I went back and compared the md5sum against the one
> >     I'd originally copied from the web (my eyesight is not what it once
> >     was). Now both the clamonacc and clamd logs report that eicar
> >     signature was found and the file is moved to quarantine directory.
> >     So it looks like it is working fine after all. Thanks all for your
> >     help and apologies for being a biff in this instance.
> >
> > On Thu, 13 Nov 2025, 15:19 Newcomer01 via clamav-users,
> > <[email protected] <mailto:[email protected]>> wrote:
> >
> >     Okay, please check https://docs.clamav.net/manual/Usage/Scanning.html
> >
> >     From: Thomas Jordan <mailto:[email protected]>
> >     To: Newcomer01 <mailto:[email protected]>
> >     Sent: Wednesday, November 13, 2025 at 15:25 (03:25 PM) +0100
> >     Subject: Re: [clamav-users] clamonacc detects file and says scanning of file has started but then nothing happens
> >
> >> I have now downloaded and installed the latest 1.5.1 deb
> >> package and still get exactly the same result.
> >> Is there nothing I can look at to see where it is getting
> >> stuck? Any configuration option that I might be unaware of?
> >> The log output is just not helpful.
> >>
> >> On Thu, 13 Nov 2025, 13:05 Newcomer01 via clamav-users,
> >> <[email protected] <mailto:[email protected]>> wrote:
> >>
> >>     With classical I mean the non-LTS version
> >>
> >>     From: Thomas Jordan <mailto:[email protected]>
> >>     To: Newcomer01 <mailto:[email protected]>
> >>     Sent: Wednesday, November 13, 2025 at 13:23 (01:23 PM) +0100
> >>     Subject: Re: [clamav-users] clamonacc detects file and says scanning of file has started but then nothing happens
> >>
> >>> clamd --version - ClamAV 1.4.3/27818/Mon Nov 10 10:44:43 2025
> >>>
> >>> Ubuntu version (cat /etc/release) - VERSION="24.04.3 LTS (Noble Numbat)"
> >>>
> >>> What do you mean by 'classical' 24.04?
> >>>
> >>> On Thu, 13 Nov 2025, 02:57 Newcomer01 via clamav-users,
> >>> <[email protected] <mailto:[email protected]>> wrote:
> >>>
> >>>     On Ubuntu 24.04 LTS it should be 1.4.3, on classical 24.04 maybe a newer one
> >>>
> >>>     From: Thomas Jordan <mailto:[email protected]>
> >>>     To: Newcomer01 <mailto:[email protected]>
> >>>     Sent: Wednesday, November 13, 2025 at 00:08 (12:08 AM) +0100
> >>>     Subject: Re: [clamav-users] clamonacc detects file and says scanning of file has started but then nothing happens
> >>>
> >>>> Ubuntu 24.04 and whatever version of ClamAV got
> >>>> installed by apt today, I'll confirm exact version
> >>>> when I get back into work tomorrow.
> >>>>
> >>>> On Wed, 12 Nov 2025, 21:30 Newcomer01 via clamav-users,
> >>>> <[email protected] <mailto:[email protected]>> wrote:
> >>>>
> >>>>     Which Ubuntu version is running and which ClamAV version?
> >>>>
> >>>>     From: Tom Jordan Via Clamav-Users <mailto:[email protected]>
> >>>>     To: Newcomer01 <mailto:[email protected]>
> >>>>     CC: Tom Jordan <mailto:[email protected]>
> >>>>     Sent: Tuesday, November 12, 2025 at 21:46 (09:46 PM) +0100
> >>>>     Subject: [clamav-users] clamonacc detects file and says scanning of file has started but then nothing happens
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> So I couldn't get the clamonacc scanner running
> >>>>> on the host VM to detect files in the Docker
> >>>>> container by watching the overlay file system
> >>>>> where the Docker filesystems are mounted on the
> >>>>> host. It seems like that is not possible with
> >>>>> clam tools, so I am trying a different
> >>>>> configuration now (a helpful suggestion from
> >>>>> Andrew Aitchison).
> >>>>> I have clamonacc running in the Docker container
> >>>>> (clamonacc --move=/infected --foreground --log=/tmp/clamonacc.log --verbose),
> >>>>> and clamd server running in the host VM
> >>>>> (clamd --foreground --debug), with communication
> >>>>> between the two via a TCP port/IP address
> >>>>> configured in clamd.conf, which container and
> >>>>> host each have a copy of same.
> >>>>>
> >>>>> Now the clamonacc running in the container can
> >>>>> ping the clamd:
> >>>>>
> >>>>> tpj@tpj-VirtualBox: clamonacc --ping 10
> >>>>>
> >>>>> PONG
> >>>>>
> >>>>> which suggests the TCP address/port
> >>>>> configuration is correct between the two. Also,
> >>>>> when I shell into the clamonacc container and
> >>>>> access an eincar.txt test malware file that I
> >>>>> installed when building the container, the
> >>>>> clamonacc detects me touching the file and
> >>>>> indicates scanning has begun, as seen from its
> >>>>> log output:
> >>>>>
> >>>>> ClamFanotif: attempting to feed consumer queue
> >>>>> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
> >>>>>
> >>>>> But then nothing else happens, there is no
> >>>>> notification about eincar.txt being a malware
> >>>>> file and it is not moved to the quarantine
> >>>>> folder. There is nothing further in the
> >>>>> clamonacc log and nothing appears in the clamd
> >>>>> log indicating that scanning has taken place at
> >>>>> that end. The logging is not particularly
> >>>>> verbose and I can't see how to get any further
> >>>>> information out about what has happened.
> >>>>>
> >>>>> If I just create an innocuous file such as
> >>>>>
> >>>>> echo "hello" > test.txt
> >>>>>
> >>>>> in the same directory
> >>>>> /home/ubuntu/clam_test/clam_test_sub_dir/, I
> >>>>> see the following log messages from clamonacc:
> >>>>>
> >>>>> ClamFanotif: attempting to feed consumer queue
> >>>>> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/test.txt'
> >>>>>
> >>>>> but test.txt is a benign file, this just shows
> >>>>> that clamonacc sees all files on the watched path.
> >>>>>
> >>>>> Why is this not working? It feels like I'm
> >>>>> nearly there but it doesn't work. Is there
> >>>>> anything else I can do to get more information out?
> >>>>>
> >>>>> I'm using the following in clamd.conf:
> >>>>>
> >>>>> OnAccessIncludePath /home/ubuntu
> >>>>> OnAccessExcludeUname clamav
> >>>>> #OnAccessPrevention yes
> >>>>>
> >>>>> and here is the complete log output from clamonacc:
> >>>>>
> >>>>> root@7b58bc699d7b:/# clamonacc --move=/infected --foreground --log=/tmp/clamonacc.log --verbose
> >>>>> --------------------------------------
> >>>>> ClamClient: client setup to scan via streaming
> >>>>> Clamonacc: daemon is remote
> >>>>> ClamFanotif: kernel-level blocking feature disabled ...
> >>>>> ClamFanotif: max file size limited to 5242880 bytes
> >>>>> ClamScanQueue: initializing event queue consumer ... (5) threads in thread pool
> >>>>> Clamonacc: beginning event loops
> >>>>> ClamFanotif: starting fanotify event loop with process id (67) ...
> >>>>> ClamInotif: starting inotify event loop ...
> >>>>> ClamInotif: dynamically determining directory hierarchy...
> >>>>> ClamInotif: watching '/home/ubuntu' (and all sub-directories)
> >>>>> Excluding temp directory: /tmp
> >>>>> ClamScanQueue: waiting to consume events ...
> >>>>> ClamInotif: NVM, didn't actually need to exclude '/tmp'
> >>>>> ClamFanotif: attempting to feed consumer queue
> >>>>> ClamFanotif: attempting to feed consumer queue
> >>>>> ClamMisc: $/proc/76 vanished before UIDs could be excluded; scanning anyway
> >>>>> ClamFanotif: attempting to feed consumer queue
> >>>>> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt.copy'
> >>>>> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
> >>>>> ClamWorker: performing scanning on file '/home/ubuntu/clam_test/clam_test_sub_dir/eincar.txt'
> >>>>>
> >>>>> and from clamd:
> >>>>>
> >>>>> tpj@ubuntu_box:/# clamd --foreground --debug
> >>>>> Limits: Global time limit set to 120000 milliseconds.
> >>>>> Limits: Global size limit set to 419430400 bytes.
> >>>>> Limits: File size limit set to 104857600 bytes.
> >>>>> Limits: Recursion level limit set to 17.
> >>>>> Limits: Files limit set to 10000.
> >>>>> Limits: Core-dump limit is 18446744073709551615.
> >>>>> Limits: MaxEmbeddedPE limit set to 41943040 bytes.
> >>>>> Limits: MaxHTMLNormalize limit set to 41943040 bytes.
> >>>>> Limits: MaxHTMLNoTags limit set to 8388608 bytes.
> >>>>> Limits: MaxScriptNormalize limit set to 20971520 bytes.
> >>>>> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
> >>>>> Limits: MaxPartitions limit set to 50.
> >>>>> Limits: MaxIconsPE limit set to 100.
> >>>>> Limits: MaxRecHWP3 limit set to 16.
> >>>>> Limits: PCREMatchLimit limit set to 100000.
> >>>>> Limits: PCRERecMatchLimit limit set to 2000.
> >>>>> Limits: PCREMaxFileSize limit set to 104857600.
> >>>>> Archive support enabled.
> >>>>> Image (graphics) scanning support enabled.
> >>>>> Detection using image fuzzy hash enabled.
> >>>>> AlertExceedsMax heuristic detection disabled.
> >>>>> Heuristic alerts enabled.
> >>>>> Portable Executable support enabled.
> >>>>> ELF support enabled.
> >>>>> Mail files support enabled.
> >>>>> OLE2 support enabled.
> >>>>> PDF support enabled.
> >>>>> SWF support enabled.
> >>>>> HTML support enabled.
> >>>>> XMLDOCS support enabled.
> >>>>> HWP3 support enabled.
> >>>>> OneNote support enabled.
> >>>>> Self checking every 600 seconds.
> >>>>> Listening daemon: PID: 14
> >>>>> MaxQueue set to: 100
> >>>>> SelfCheck: Database status OK.
> >>>>> SelfCheck: Database status OK.
> >>>>> SelfCheck: Database status OK.
> >>>>>
> >>>>> Any help as always much appreciated.
> >>>>>
> >>>>> Thomas
> >>>>>
> >>>>> _______________________________________________
> >>>>>
> >>>>> Manage your clamav-users mailing list subscription / unsubscribe:
> >>>>> https://lists.clamav.net/mailman/listinfo/clamav-users
> >>>>>
> >>>>> Help us build a comprehensive ClamAV guide:
> >>>>> https://github.com/Cisco-Talos/clamav-documentation
> >>>>>
> >>>>> https://docs.clamav.net/#mailing-lists-and-chat
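Added example, not part of the thread and not ClamAV project code: the quoting behaviour Mark describes, reproduced in a POSIX shell, together with the checksum comparison Thomas used to spot the damage. The string is a constructed stand-in that contains `$` (not the real EICAR string), and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed stand-in for a test string that contains '$'; NOT the real EICAR string.
# Single quotes keep every character literal.
expected='PREFIX}$SAMPLE-TEST-FILE!$H+H*'

# Double quotes, as in  RUN echo "..." > file : the shell expands $SAMPLE and $H
# before the command runs. Both are unset, so they vanish from the output.
write_double() {
    unset SAMPLE H
    printf '%s' "PREFIX}$SAMPLE-TEST-FILE!$H+H*" > "$1"
}

# Single quotes, as in  RUN printf '%s' '...' > file : nothing is expanded.
write_single() {
    printf '%s' 'PREFIX}$SAMPLE-TEST-FILE!$H+H*' > "$1"
}

# Succeeds only if the file's checksum matches that of the expected string.
intact() {
    [ "$(cksum < "$1")" = "$(printf '%s' "$expected" | cksum)" ]
}

# Number of '$' characters that survived in the file.
count_dollars() {
    echo $(( $(tr -cd '$' < "$1" | wc -c) ))
}

# Write the string both ways and report which file still matches.
demo() {
    dir=$(mktemp -d)
    write_double "$dir/double.txt"
    write_single "$dir/single.txt"
    for q in double single; do
        f="$dir/$q.txt"
        if intact "$f"; then state=intact; else state=MANGLED; fi
        echo "$q quotes: $state, $(count_dollars "$f") dollar sign(s): $(cat "$f")"
    done
    rm -rf "$dir"
}
demo
```

Running the same checksum check as a build step right after the file is written makes the image build fail instead of shipping a test file that no scanner will ever flag.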
