
Possibility to configure another clamd instance

Open ghost opened this issue 9 years ago • 5 comments

Hello together,

I ran into a problem yesterday while configuring maldet for our server. We are running clamd as mail scanner under the clamav user for security reasons. As I still wanted to use the clamd daemon because of better performance and memory consumption, I set up a second instance running as root. Unfortunately maldet is always using the first clamav instance running as user clamav and therefore has no access to some files.

When I use the command clamdscan directly with the parameter --config-file= the correct instance is being used. It would be great if that parameter could be configured via the config file so that another instance is used.

I think it might also be an advantage to use the parameter --fdpass, as then only the file descriptor is passed instead of the whole file. That reduces the overhead.

ghost avatar Nov 08 '15 08:11 ghost

I second this as I am encountering the exact same situation.

ovizii avatar Nov 25 '15 09:11 ovizii

I've also encountered this problem.

mlwdofc avatar Dec 18 '15 19:12 mlwdofc

Please try this: https://github.com/rfxn/linux-malware-detect/issues/50#issuecomment-178242592

nanonettr avatar Feb 01 '16 23:02 nanonettr

Tried that but it doesn't make any difference. The clamav user still has no access to the files if you pass them via file descriptor. But it gave me a hint where to start.

Did that with v1.5. So for future versions the line numbers may differ!

  1. add a new line to conf.maldet:

    scan_clamdscan_options="--fdpass --config-file=/etc/clamav/clamd-maldet.conf"

Now you can pass any options to clamdscan. The file clamd-maldet.conf is the config for a second clamd instance running as root. There is still the Ubuntu default one running as clamav for my mail stuff. So now clamd can really access all files maldet passes to it.

  2. modify internals/functions:

    line 959: clamopts="$scan_clamdscan_options"

    line 1305: clamopts="$scan_clamdscan_options"

That works at least for me. Maybe someone can convert this into a proper pull request, as my knowledge of that is practically non-existent. ;-)

ghost avatar Feb 02 '16 21:02 ghost

Running on CentOS 7, EPEL installs clamd as clamd.scan, running as user clamscan:

    clamscan  5603  0.0  3.0 531176 365628 ?       Ssl  19:31   0:00 clamd.scan -c /etc/clamd.d/scan.conf --pid /var/run/clamd.scan/clamd.pid
    root      6948  0.9  0.0   6480   860 pts/0    SN   19:38   0:01 /usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/inotify.paths.6850 --exclude (^/var/tmp/mysql.sock$|^/tmp/mysql.sock$|^/var/cache/buagent/md0.cache.data$|^/var/tmp/#sql_.*\.MYD$|^/tmp/#sql_.*\.MYD$|^/var/tmp/clamav-.*) --timefmt %d %b %H:%M:%S --format %w%f %e %T -m -e create,move,modify

Even with changing the reference on Line #726 and Line #1308:

    if [ "$scan_clamscan" == "1" ]; then
        isclamd=`pidof -x clamd.scan 2> /dev/null`
        isclamd_root=`pgrep -x -u clamscan clamd 2> /dev/null`

I get the error "warning clamd service not running; force-set monitor mode file scanning to every 120s".

Anyone have a proper suggestion how this should work?

magicdude4eva avatar Jul 05 '16 18:07 magicdude4eva
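A small shell example, added here and not code from maldet or from anyone in this thread, that ties together the two technical points above: ghost's scan_clamdscan_options line pointing clamdscan at a root-owned clamd, and the user/config check magicdude4eva's comment is about (maldet's pidof/pgrep lookup failing when the only clamd runs as an unprivileged user). It parses ps-style output to list every clamd instance with its owning user and config file, then builds the option string for the root-owned instance and fails when there is none. The ps lines, PIDs and resource figures are constructed sample data (the paths follow the thread); the function names are my own.

```shell
#!/bin/sh
# Added example, not code from maldet or from this thread.
# Finds running clamd instances in ps-style output, reports the user and config
# file of each, and builds the scan_clamdscan_options value for the instance
# that runs as root (the one that can read every file maldet hands it).

# Constructed sample of `ps aux` output for the example: one clamd.scan running
# as user clamscan (the EPEL default) and a second clamd running as root. PIDs
# and resource figures are made up; the config paths follow the thread.
SAMPLE_PS='clamscan  5603  0.0  3.0 531176 365628 ?      Ssl  19:31   0:00 clamd.scan -c /etc/clamd.d/scan.conf --pid /var/run/clamd.scan/clamd.pid
root      7001  0.1  2.9 520000 360000 ?      Ssl  19:40   0:00 clamd --config-file=/etc/clamav/clamd-maldet.conf
root      6948  0.9  0.0   6480    860 pts/0  SN   19:38   0:01 /usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/inotify.paths.6850 -m -e create,move,modify'

# list_clamd_instances: read ps output on stdin and print "USER CONFIG" for every
# clamd or clamd.scan process. Field 11 of `ps aux` is the command; the fields
# after it are its arguments. CONFIG is "(default)" when neither -c nor
# --config-file was given on the command line.
list_clamd_instances() {
    awk '
        $11 ~ /(^|\/)clamd(\.scan)?$/ {
            conf = "(default)"
            for (i = 12; i <= NF; i++) {
                if ($i == "-c" || $i == "--config-file") { conf = $(i + 1); break }
                if ($i ~ /^--config-file=/) { conf = substr($i, 15); break }
            }
            print $1, conf
        }'
}

# clamd_config_for_user USER [PS_TEXT]: print the config file of the clamd
# instance owned by USER and return 0; return 1 if no such instance exists.
# PS_TEXT defaults to the constructed sample; pass "$(ps aux)" on a live box.
clamd_config_for_user() {
    printf '%s\n' "${2:-$SAMPLE_PS}" | list_clamd_instances |
        awk -v u="$1" '$1 == u { print $2; found = 1 } END { exit !found }'
}

# build_clamdscan_options [PS_TEXT]: produce the scan_clamdscan_options value
# from the thread, pointing clamdscan at the root-owned clamd via --config-file
# and handing over file descriptors with --fdpass. Fails when no clamd runs as
# root, which is the condition behind maldet's "clamd service not running"
# warning in the comment above.
build_clamdscan_options() {
    conf=$(clamd_config_for_user root "${1:-$SAMPLE_PS}") || return 1
    printf '%s\n' "--fdpass --config-file=$conf"
}

# Stand-alone run on the sample data.
printf 'clamd instances found (user config):\n'
printf '%s\n' "$SAMPLE_PS" | list_clamd_instances
printf 'scan_clamdscan_options="%s"\n' "$(build_clamdscan_options)"
```

On a real host, `clamd_config_for_user root "$(ps aux)"` is the check to run before editing conf.maldet: if it prints nothing, there is no root-owned clamd for clamdscan to talk to, and maldet will fall back to the periodic-scan warning regardless of which process name the pidof/pgrep lines look for.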