Re: [clamav-users] USB key scan on access

2016-06-29 Thread maiki
Thank you for your answer. But in that case, I'll have to scan the
entire key. As it could take some time, I prefer the on access approach.
In addition this does not detect when a virus is copied to the key after
the initial scan.

On 29/06/16 01:39, Che wrote:
> On Tue, Jun 28, 2016 at 6:15 AM, john doe wrote:
> 
>> I'm trying to achieve the following: auto mount USB key and detect if a
>> user uploads or downloads a virus from it.
>> An additional feature I can live without: access prevention upon virus
>> detection.
>>
>> The "OnAccessIncludePath" option in clamd configuration file seems the way
>> to go. The best solution we could come up with is:
>>   - auto-mounting key in /run/media/$USER/$KEY using udisks2
>>   - use homemade script (based on inotifywait) to watch the /run/media for
>> new mounted media
>>   - when so, add mount path to "OnAccessIncludePath" and restart clamd
>> service
>>
>> This solution has MANY caveats, namely:
>>  - clamd takes some time (around 10s) to start. During that time the user
>> can {up,down}load viruses.
>>  - requires some kind of supervision; if either the homemade script or the
>> clamd service crashes, the solution does not work.
>>  - can't specify mount options with udisks2
>>
>> I've stumbled upon the clamfs project which seems promising. Any advice on
>> it?
>>
>> Do you guys have a better way of achieving my goal?
>>
> 
> 
> Wouldn't running these as a systemd service -- with an explicit 'path'
> service written for mounting USB devices and then ClamAV scanning them,
> etc. -- do what you want?
>>
>> I haven't dived into the clamd source code, but from the documentation I could
>> not find a way to feed the DDD (Dynamic Directory Determination) module a new
>> path on the fly.
>>
>> Thank you for your time!
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
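A watcher script along the lines of the one john doe describes, as an added example that is not from the thread: it watches /run/media for newly created mount directories, appends each one to OnAccessIncludePath in clamd.conf (skipping paths already present) and restarts clamd. The config path, the service name clamav-daemon and the inotifywait invocation are assumptions; the functions that edit and count the config lines can be exercised on a scratch file.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed locations: clamd.conf at
# $CLAMD_CONF, udisks2 mount root at $MEDIA_ROOT, clamd unit "clamav-daemon".
CLAMD_CONF="${CLAMD_CONF:-/etc/clamav/clamd.conf}"
MEDIA_ROOT="${MEDIA_ROOT:-/run/media}"

# Append "OnAccessIncludePath <dir>" to config file $1 for directory $2.
# Returns 0 when a line was added, 1 when an identical line already exists
# (so a repeated mount of the same key does not trigger a useless restart).
add_include_path() {
    conf="$1"; dir="$2"
    if grep -qxF "OnAccessIncludePath $dir" "$conf"; then
        return 1
    fi
    printf 'OnAccessIncludePath %s\n' "$dir" >> "$conf"
    return 0
}

# Number of OnAccessIncludePath lines in config file $1 (0 when none).
count_include_paths() {
    grep -c '^OnAccessIncludePath ' "$1" || true
}

# Watch the media root for new mount directories. Each new one is added to
# the config and clamd is restarted so on-access scanning covers the key.
# The restart window is exactly the gap the original poster describes:
# files copied while clamd is coming back up are not seen by it.
watch_mounts() {
    inotifywait -m -r -e create --format '%w%f' "$MEDIA_ROOT" |
    while IFS= read -r newdir; do
        [ -d "$newdir" ] || continue
        if add_include_path "$CLAMD_CONF" "$newdir"; then
            systemctl restart clamav-daemon
        fi
    done
}

# Start the watcher only when explicitly requested (WATCH_MOUNTS=1), so the
# file can also be sourced just for its functions.
if [ "${WATCH_MOUNTS:-0}" = 1 ]; then
    watch_mounts
fi
```

Run as root with WATCH_MOUNTS=1 to start watching; it needs inotify-tools installed and a clamd built with on-access support.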


[clamav-users] Frequent PUA.Win.Trojan.EmbeddedPDF-1 false positives

2016-06-29 Thread Alex
Hi,

It appears lately there are quite a few PUA.Win.Trojan.EmbeddedPDF-1
false positives. Scanning these messages manually shortly after
they're quarantined doesn't find the same virus sig. In fact, many
times it doesn't specifically include a PDF, but instead a docx file.

I was just wondering if there's something I should know about this
particular signature?

Should I be able to scan a quarantined message in its entirety to
determine if it has a virus? Or do I need to split out the individual
doc/pdf components before scanning? I've done both, but was just
curious if it was necessary to save the individual attachments before
scanning.

I can't easily send a sample, but I'd appreciate any help you may have to offer.

Thanks,
Alex