mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Wed Oct 24, 2007 7:10 pm Post subject: [HOWTO] real-time clamav support with dazuko/clamuko
- Updated 8/7/08 -
Added a script on page 2 of this thread that replaces clamav's VirusEvent. This can be used to quarantine viruses or do whatever else you need with them.
Link to post with script:
https://forums.gentoo.org/viewtopic-p-5176148.html#5176148
Script also added to main howto... look below in this post.
- Howto updated 4/14/08 -
You may have noticed that the old dazuko ebuild doesn't work on newer kernels, and the new dazuko ebuild is hard masked. If you take a look at bugzilla you will see that it is hard masked because it depends on redirfs, and it can cause filesystem corruption (very bad!).
https://bugs.gentoo.org/show_bug.cgi?id=207537
Instead I recommend using the new dazuko kernel patch. It is very easy to get set up and works with kernels 2.6.23/24. Another advantage is that, by being in the kernel itself, it doesn't depend on any other modules (e.g. security and capabilities).
Here's the dazuko developers post about the new kernel patch:
http://lists.gnu.org/archive/html/dazuko-devel/2008-03/msg00014.html
How to use -- tested with gentoo-sources-2.6.24-r4 and dazuko kernel patch 2.3.5-pre1:
1: Download new dazuko kernel patch:
http://www.dazuko.org/files/patch-linux26-dazuko-2.3.5-pre1.tar.gz
2: Patch kernel (directions from their README):
Code: | # cd /linux/src/dir/linux-a.b.c.d
# zcat /proc/config.gz > .config
# patch -p1 < patch-linux26-dazuko-2.3.5-pre1.diff
# make menuconfig
(select Dazuko in the Security section and exit, saving changes)
# make
# make modules_install
# make install
# reboot |
P.S. - If you use genkernel, either apply the patch as above and rerun genkernel --menuconfig, or copy the gentoo-sources ebuild to an overlay, and add the dazuko patch to the genpatches-2.6.x-x.extras.tar.bz2 tarball, re-digest the ebuild, and re-emerge the gentoo-sources.
You can now skip ahead to step three in the original howto below. Also, in step 6 you can ignore the modprobe stuff, since dazuko must be built into the kernel (not as a module).
- Original howto -- October 2007 -
This process isn't all that hard, but I did have a few stumbling blocks when trying to configure real-time support for clamav. I will outline the basic process here. I haven't done all that much testing yet, so as I find out more information/hiccups I'll post it here, if relevant.
I have tested this with gentoo-sources-2.6.22-r2, dazuko-2.3.4, and clamav-0.91.2.
1. Ensure you have security module support enabled in your kernel:
Kernel options:
SECURITY =y
SECURITY_CAPABILITIES=m (this must be built as a module!)
Code: | Security options --->
[*] Enable different security models
<M> Default Linux Capabilities
|
Install and reboot into your new kernel if necessary.
2. Install dazuko
Code: | emerge sys-fs/dazuko |
This may need to be added to your package.keywords, as it was ~x86 masked for me.
3. Emerge clamav
do I really need to write anything here?
4. Enable Clamuko support in your /etc/clamd.conf
Uncomment the lines as I did in the below section of the config file. You can change things to what works for you.
Code: | ##
## Clamuko settings
## WARNING: This is experimental software. It is very likely it will hang
## up your system!!!
##
# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
# Default: no
ClamukoScanOnAccess yes
# Set access mask for Clamuko.
# Default: no
ClamukoScanOnOpen yes
ClamukoScanOnClose yes
ClamukoScanOnExec yes
# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a separate line.
# Default: disabled
ClamukoIncludePath /home
|
5. Add appropriate udev rule for clamav access to dazuko
create the file: /etc/udev/rules.d/dazuko.rules
and add this line to it:
Code: | KERNEL=="dazuko", NAME="%k", GROUP="clamav", MODE="0660" |
6. Modprobe in dazuko and start clamav
Code: | modprobe dazuko
modprobe capability
/etc/init.d/clamd start |
Everything should be set now. You can verify this in your clamav logfile:
Code: | Wed Oct 24 14:50:35 2007 -> +++ Started at Wed Oct 24 14:50:35 2007
Wed Oct 24 14:50:35 2007 -> clamd daemon 0.91.2 (OS: linux-gnu, ARCH: i386, CPU: i686)
Wed Oct 24 14:50:35 2007 -> Running as user clamav (UID 104, GID 412)
Wed Oct 24 14:50:35 2007 -> Log file size limited to 1048576 bytes.
Wed Oct 24 14:50:35 2007 -> Reading databases from /var/lib/clamav
Wed Oct 24 14:50:35 2007 -> Not loading PUA signatures.
Wed Oct 24 14:50:38 2007 -> Loaded 161172 signatures.
Wed Oct 24 14:50:38 2007 -> Unix socket file /var/run/clamav/clamd.sock
Wed Oct 24 14:50:38 2007 -> Setting connection queue length to 15
Wed Oct 24 14:50:38 2007 -> Archive: Archived file size limit set to 10485760 bytes.
Wed Oct 24 14:50:38 2007 -> Archive: Recursion level limit set to 8.
Wed Oct 24 14:50:38 2007 -> Archive: Files limit set to 1000.
Wed Oct 24 14:50:38 2007 -> Archive: Compression ratio limit set to 250.
Wed Oct 24 14:50:38 2007 -> Archive support enabled.
Wed Oct 24 14:50:38 2007 -> Algorithmic detection enabled.
Wed Oct 24 14:50:38 2007 -> Portable Executable support enabled.
Wed Oct 24 14:50:38 2007 -> ELF support enabled.
Wed Oct 24 14:50:38 2007 -> Mail files support enabled.
Wed Oct 24 14:50:38 2007 -> Mail: Recursion level limit set to 64.
Wed Oct 24 14:50:38 2007 -> OLE2 support enabled.
Wed Oct 24 14:50:38 2007 -> PDF support disabled.
Wed Oct 24 14:50:38 2007 -> HTML support enabled.
Wed Oct 24 14:50:38 2007 -> Self checking every 1800 seconds.
Wed Oct 24 14:50:38 2007 -> Clamuko: Correctly registered with Dazuko.
Wed Oct 24 14:50:38 2007 -> Clamuko: Scan-on-open mode activated.
Wed Oct 24 14:50:38 2007 -> Clamuko: Scan-on-close mode activated.
Wed Oct 24 14:50:38 2007 -> Clamuko: Scan-on-exec mode activated.
Wed Oct 24 14:50:38 2007 -> Clamuko: Included path /home
Wed Oct 24 14:50:38 2007 -> Clamuko: Max file size limited to 5242880 bytes.
|
If you get the error:
Code: | ERROR: Clamuko: Can't register with Dazuko | you likely didn't add the above udev rule, or there is some problem with the rule you did add.
Now for testing:
You can download the test eicar virus here:
http://www.eicar.org/anti_virus_test_file.htm
Don't worry... this is not a real virus, but a test pattern that works for almost all virus scanners. If clamav is running, you should see messages in your log file like this:
Code: | Clamuko: /home/mikeg/eicar.com.txt: Eicar-Test-Signature FOUND |
You will see a message like this every time you access the virus file (e.g. vi eicar.com.txt). You will also get a permission denied error, so you won't be able to do anything useful with the file.
That's it for now. If I get some time to configure clamav better so I can quarantine infected files and do other useful stuff I'll post back here.
Doing something useful with detected viruses
There is a variable in /etc/clamd.conf called VirusEvent that will execute a command each time a virus is detected.
Code: | #VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v" |
Unfortunately, I haven't gotten it to work properly. I've tested with a few different kernels and a few different versions of clamav, and when I enable VirusEvent, I always end up with my system hard locking.
Instead I wrote a simple shell script that monitors the clamav logs for "found" viruses. You can customize this to do anything you need to do when a virus is detected, including placing them in quarantine or notification via email.
This script will need to run as root, since it needs access to your syslogs and also access to the directories you want to scan. If you don't want to run it as root, you can probably get away with it, as long as the selected user has read access to /var/log/clamav/clamd.log, and you don't want to do any type of file manipulation of the virus.
clam_detect.sh
Code: |
#!/bin/bash
# Log file that clamd writes Clamuko detections to
CLAMLOG=/var/log/clamav/clamd.log
FOUNDPATTERN=FOUND
# Follow the log and react to every new line that reports a detection
tail -f "${CLAMLOG}" |
while read -r line
do
    [[ "$line" != *${FOUNDPATTERN}* ]] && continue
    # example line to parse
    #Thu Aug 7 14:34:49 2008 -> Clamuko: /home/username/eicar.com.txt: Eicar-Test-Signature FOUND
    # strip everything up to "Clamuko: ", then everything from the next ":" onward
    file=$(echo "$line" | sed -e 's/^.*Clamuko:\s//' -e 's/:.*//')
    echo "virus found: $file"
    # do something to the virus here
    # example: rm -- "$file"
    # example: mv -- "$file" /tmp/quarantine
done
exit 0 |
Last edited by mikegpitt on Mon Aug 11, 2008 10:14 pm; edited 6 times in total |
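Since VirusEvent is reported above to hard-lock the system, quarantining has to happen on the log-watching side, and the script below is an added example (my own, not mikegpitt's clam_detect.sh) that carries that idea further: it takes the path and the signature from the right-hand end of the log line, so a path that itself contains ": " is not cut short, moves the file into a root-only quarantine directory and appends a manifest of original locations. Assumptions: the log line format is the one shown in the howto ("... -> Clamuko: <path>: <signature> FOUND"); the quarantine directory (/var/lib/clamav/quarantine is a placeholder I chose) lies on the same filesystem as the watched paths, so mv is a rename and never opens the file that Clamuko is denying access to; and the script runs as root, as the original notes, started with the "monitor" argument from local.start.

```shell
#!/bin/bash
# Added example for the thread's quarantine question; not part of the howto.
# Assumed log format (from the howto): "... -> Clamuko: <path>: <signature> FOUND"
CLAMLOG=${CLAMLOG:-/var/log/clamav/clamd.log}
QUARANTINE=${QUARANTINE:-/var/lib/clamav/quarantine}   # assumed location

# Print the path from a Clamuko FOUND line; return 1 for any other line.
# Parsed from the right so a path containing ": " still comes out intact.
extract_path() {
    local line=$1 rest
    case "$line" in *"Clamuko: "*" FOUND") ;; *) return 1 ;; esac
    rest=${line#*"Clamuko: "}
    printf '%s\n' "${rest%: * FOUND}"
}

# Print the signature name from the same kind of line.
extract_signature() {
    local line=$1 sig
    case "$line" in *"Clamuko: "*" FOUND") ;; *) return 1 ;; esac
    sig=${line% FOUND}
    printf '%s\n' "${sig##*: }"
}

# Move one detected regular file into the quarantine and record where it came from.
# mv on the same filesystem is a rename, so the blocked file is never opened.
quarantine_file() {
    local src=$1 qdir=$2 dest
    [ -f "$src" ] || { echo "skip: $src is not a regular file" >&2; return 1; }
    mkdir -p "$qdir" && chmod 0700 "$qdir"
    dest="$qdir/$(date +%Y%m%dT%H%M%S)-$$-$(basename -- "$src")"
    mv -- "$src" "$dest" || return 1
    chmod 0000 "$dest"
    printf '%s\t%s\t%s\n' "$(date +%FT%T)" "$src" "$dest" >> "$qdir/quarantine.log"
}

# Follow clamd.log from its current end and quarantine every new detection.
monitor_log() {
    local log=$1 qdir=$2 line path sig
    tail -n 0 -F "$log" | while read -r line; do
        path=$(extract_path "$line") || continue
        sig=$(extract_signature "$line")
        echo "detected $sig in $path"
        quarantine_file "$path" "$qdir"
    done
}

# Only start following the log when asked to, e.g. from local.start:
#   clam_quarantine.sh monitor
if [ "${1:-}" = monitor ]; then
    monitor_log "$CLAMLOG" "$QUARANTINE"
fi
```

The manifest is what lets you restore a false positive later: each line records when, from where and to where a file was moved, and the 0000 mode on the moved file means nothing can open it while it sits in quarantine.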
jexxie Tux's lil' helper
Joined: 12 Oct 2007 Posts: 82 Location: Vancouver, BC
Posted: Thu Oct 25, 2007 7:04 pm Post subject:
Looks great, cheers. _________________ Rambling sysadmin
My personal site and blog: Phil Dufault |
afb n00b
Joined: 13 Oct 2007 Posts: 66
Posted: Sat Dec 08, 2007 1:44 am Post subject:
I have a doubt. I did everything as you explained, but all the files that I try to open appear in the log as "file X skipped (too big)", where file X is the file that I try to open.
What can I do?
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
Posted: Sat Dec 08, 2007 3:10 am Post subject:
I followed this guide just now, and everything loads properly (note that you MUST modprobe dazuko BEFORE capability), but I can write, read, and delete the eicar files with no problem. No access denied messages. Nothing in the logs. _________________ Vermont Free PC
http://www.vtfreepc.org |
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Sat Dec 08, 2007 6:51 pm Post subject:
afb wrote: | I have a doubt. I did everything as you explained, but all the files that I try to open appear in the log as "file X skipped (too big)", where file X is the file that I try to open.
What can I do? | Not sure. How big are the files you are opening? There appear to be a few settings in /etc/clamd.conf that relate to size, but I'm not sure any are what you would be looking for... you may want to check it out anyway to be sure.
Are you sure that the log is related to clamav and not another app?
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
Posted: Sun Dec 09, 2007 2:16 am Post subject:
Does anyone have any idea why this isn't working for me? I did everything the how-to says, and when I start clamd, the log says:
Code: | Sat Dec 8 21:07:27 2007 -> Clamuko: Correctly registered with Dazuko.
Sat Dec 8 21:07:27 2007 -> Clamuko: Scan-on-open mode activated.
Sat Dec 8 21:07:27 2007 -> Clamuko: Scan-on-close mode activated.
Sat Dec 8 21:07:27 2007 -> Clamuko: Scan-on-exec mode activated.
Sat Dec 8 21:07:27 2007 -> Clamuko: Included path /storage/common
Sat Dec 8 21:07:27 2007 -> Clamuko: Included path /storage/home
Sat Dec 8 21:07:27 2007 -> Clamuko: Max file size limited to 10485760 bytes.
|
However, if I try to copy an eicar test file to one of the paths above, via ssh, smb or wget, it succeeds as normal.
I'm using gentoo-sources-2.6.23-r3, clamav-0.91.2, and dazuko-2.3.4 on amd64. _________________ Vermont Free PC
http://www.vtfreepc.org |
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Sun Dec 09, 2007 3:22 am Post subject:
rev138 wrote: | Does anyone have any idea why this isn't working for me? I did everything the how-to says, and when I start clamd, the log says:
Code: | Sat Dec 8 21:07:27 2007 -> Clamuko: Correctly registered with Dazuko.
Sat Dec 8 21:07:27 2007 -> Clamuko: Scan-on-open mode activated.
Sat Dec 8 21:07:27 2007 -> Clamuko: Scan-on-close mode activated.
Sat Dec 8 21:07:27 2007 -> Clamuko: Scan-on-exec mode activated.
Sat Dec 8 21:07:27 2007 -> Clamuko: Included path /storage/common
Sat Dec 8 21:07:27 2007 -> Clamuko: Included path /storage/home
Sat Dec 8 21:07:27 2007 -> Clamuko: Max file size limited to 10485760 bytes.
|
However, if I try to copy an eicar test file to one of the paths above, via ssh, smb or wget, it succeeds as normal.
I'm using gentoo-sources-2.6.23-r3, clamav-0.91.2, and dazuko-2.3.4 on amd64. | It is probably getting through because part of the file is transferring at a time, so it wouldn't have the whole file to scan. Once you have it downloaded, what happens if you try to access the file?
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
Posted: Sun Dec 09, 2007 3:38 am Post subject:
I'm allowed to access the file, delete it, whatever. Nothing is reported in the clam log. I even set clam to log ALL results, not just the infected ones. No log output. It doesn't seem to be scanning at all. _________________ Vermont Free PC
http://www.vtfreepc.org |
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Sun Dec 09, 2007 5:07 am Post subject:
rev138 wrote: | I'm allowed to access the file, delete it, whatever. Nothing is reported in the clam log. I even set clam to log ALL results, not just the infected ones. No log output. It doesn't seem to be scanning at all. | Try to run a regular clamav scan and see if the file is picked up. Maybe the definition isn't on your system for some reason. |
afb n00b
Joined: 13 Oct 2007 Posts: 66
Posted: Sun Dec 09, 2007 2:08 pm Post subject:
If I scan the file (eicar.com.txt) directly (using klamav, the KDE frontend) the virus is detected, but if I open it with kwrite it doesn't log anything, just "Clamuko: /home/afb/Desktop/eicar.com.txt skipped (too big)".
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
Posted: Mon Dec 10, 2007 2:13 am Post subject:
Odd... I noticed while working on something else that a clamd process had been running for 3+ hours, so I stopped it. When I restarted, clamuko magically began working. _________________ Vermont Free PC
http://www.vtfreepc.org |
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
Posted: Mon Dec 10, 2007 2:18 am Post subject:
Next question:
I can now copy the eicar file to the server successfully but if I try to unzip or delete it, I get "access denied". How do I get rid of infected files? Do I have to shut down clamd to delete them?
Thanks. _________________ Vermont Free PC
http://www.vtfreepc.org |
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Mon Dec 10, 2007 3:31 am Post subject:
rev138 wrote: | Next question:
I can now copy the eicar file to the server successfully but if I try to unzip or delete it, I get "access denied". How do I get rid of infected files? Do I have to shut down clamd to delete them?
Thanks. |
You need to set up a quarantine for them. I actually never had a chance to work on this any further, so I don't know exactly what is needed, but if I remember correctly, there is an option in /etc/clamd.conf for a quarantine command. From there you can set up a command to move or delete infected files.
EDIT: Check your config for VirusEvent. This is what you need to set.
Last edited by mikegpitt on Mon Dec 10, 2007 3:36 am; edited 3 times in total |
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Mon Dec 10, 2007 3:34 am Post subject:
afb wrote: | If I scan the file (eicar.com.txt) directly (using klamav, the KDE frontend) the virus is detected, but if I open it with kwrite it doesn't log anything, just "Clamuko: /home/afb/Desktop/eicar.com.txt skipped (too big)". | When you start up clamuko you should probably see something that says "Clamuko: Max file size limited to 10485760 bytes". I just checked my /etc/clamd.conf and there is an option for ClamukoMaxFileSize. I think this is what you need to set/change.
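Two of the reports above ("skipped (too big)" and "it doesn't seem to be scanning at all") can be narrowed down from the configuration alone, and the diagnostic below is an added example of mine, not something posted in this thread, that does so: for each file given on the command line it checks whether the path lies under a ClamukoIncludePath and outside every ClamukoExcludePath, and whether the file is within ClamukoMaxFileSize; it also checks that /dev/dazuko carries the group and mode the udev rule in the howto sets. Assumptions: the directive names are the ones quoted in this thread, the K and M suffixes on a size value mean kilobytes and megabytes as clamd.conf documents them, and the 5M fallback used when no ClamukoMaxFileSize is set matches the "5242880 bytes" line in the howto's log.

```shell
#!/bin/bash
# Added diagnostic for this thread's "skipped (too big)" and "not scanning"
# reports; not part of the howto. Assumes the Clamuko directives quoted in the
# thread and clamd's K/M size suffixes; 5M default taken from the howto's log.
CLAMD_CONF=${CLAMD_CONF:-/etc/clamd.conf}

# Print every value of one directive, skipping commented-out lines.
# Usage: conf_values <conf-file> <Directive>
conf_values() {
    awk -v key="$2" '$1 == key { print $2 }' "$1"
}

# Convert a clamd size value ("5M", "512K", "1048576") into bytes.
size_to_bytes() {
    local v=$1 n unit
    n=${v%[KkMm]}
    unit=${v#"$n"}
    case "$unit" in
        K|k) echo $((n * 1024)) ;;
        M|m) echo $((n * 1024 * 1024)) ;;
        "")  echo "$n" ;;
        *)   echo "unrecognised size: $v" >&2; return 1 ;;
    esac
}

# Effective ClamukoMaxFileSize in bytes; last directive wins, 5M if unset.
clamuko_max_bytes() {
    local v
    v=$(conf_values "$1" ClamukoMaxFileSize | tail -n 1)
    size_to_bytes "${v:-5M}"
}

# Return 0 when <path> is under some ClamukoIncludePath and not under any
# ClamukoExcludePath (excludes cover all their subdirectories).
clamuko_covers_path() {
    local conf=$1 path=$2 p included=1
    for p in $(conf_values "$conf" ClamukoIncludePath); do
        case "$path" in "$p"|"$p"/*) included=0 ;; esac
    done
    [ "$included" -eq 0 ] || return 1
    for p in $(conf_values "$conf" ClamukoExcludePath); do
        case "$path" in "$p"|"$p"/*) return 1 ;; esac
    done
    return 0
}

# Check the device node the howto's udev rule should have produced.
dazuko_device_ok() {
    local mode group
    [ -c /dev/dazuko ] || { echo "/dev/dazuko missing (dazuko not loaded or udev rule absent)"; return 1; }
    mode=$(stat -c %a /dev/dazuko); group=$(stat -c %G /dev/dazuko)
    [ "$group" = clamav ] && [ "$mode" = 660 ] || { echo "/dev/dazuko is $group/$mode, expected clamav/660"; return 1; }
}

# Say, for one file, whether the configuration lets Clamuko scan it at all.
explain_file() {
    local conf=$1 file=$2 limit size
    limit=$(clamuko_max_bytes "$conf")
    if ! clamuko_covers_path "$conf" "$file"; then
        echo "$file: not covered by ClamukoIncludePath/ClamukoExcludePath"; return 1
    fi
    size=$(stat -c %s "$file") || return 1
    if [ "$size" -gt "$limit" ]; then
        echo "$file: $size bytes exceeds ClamukoMaxFileSize ($limit bytes), would be skipped"; return 1
    fi
    echo "$file: covered, $size bytes <= $limit bytes"
}

# Usage: clamuko_check.sh /home/afb/Desktop/eicar.com.txt [more files...]
if [ "$#" -gt 0 ]; then
    dazuko_device_ok
    for f in "$@"; do explain_file "$CLAMD_CONF" "$f"; done
fi
```

If a file comes back as covered and under the limit yet still produces "skipped (too big)", the problem is not in clamd.conf, and the next thing to compare is what clamd itself logged as "Max file size limited to" at startup against what you expected from the directive.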
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
Posted: Tue Dec 11, 2007 11:02 pm Post subject:
This is the oddest thing... Sometimes this setup detects viruses and blocks access, and sometimes it just detects the virus but does not block access.
I am getting these results by copying the exact same eicar test file into the exact same location. No configs changed. It only changed behavior when I restart clamd. Since clam seems to be doing its job and detecting the virus, I assume the blame lies with dazuko. I guess that's why it's masked. _________________ Vermont Free PC
http://www.vtfreepc.org |
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
Posted: Tue Dec 11, 2007 11:12 pm Post subject:
Ok.. the plot thickens:
I've been doing some more testing. This setup seems to work properly at the console (bash). It detects the infection and prevents access. However, through fish:// (ssh) it detects but does not block access. Through smb:// it does not detect at all. _________________ Vermont Free PC
http://www.vtfreepc.org |
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
Posted: Tue Dec 11, 2007 11:53 pm Post subject:
I tried setting this in clamd.conf:
Code: |
VirusEvent logger %v
|
And if I try to access the eicar file, the server crashes. It's headless, so I'm not positive what's happening, but since nothing shows up in the logs, I assume it's a kernel panic. _________________ Vermont Free PC
http://www.vtfreepc.org |
MaartenZzZ n00b
Joined: 28 Oct 2007 Posts: 61 Location: Bergen op Zoom, The Netherlands
Posted: Thu Dec 13, 2007 7:17 pm Post subject:
rev138 wrote: | Odd... I noticed while working on something else that a clamd process had been running for 3+ hours, so I stopped it. When I restarted, clamuko magically began working |
I have the same problem. Clamuko up and running, but I can do whatever I want with viruses on /home:
Code: | Thu Dec 13 20:13:00 2007 -> Clamuko: Correctly registered with Dazuko.
Thu Dec 13 20:13:00 2007 -> Clamuko: Scan-on-open mode activated.
Thu Dec 13 20:13:00 2007 -> Clamuko: Scan-on-close mode activated.
Thu Dec 13 20:13:00 2007 -> Clamuko: Scan-on-exec mode activated.
Thu Dec 13 20:13:00 2007 -> Clamuko: Included path /home
Thu Dec 13 20:13:00 2007 -> Clamuko: Max file size limited to 5242880 bytes.
/var/log/clamav/clamd.log lines 630-688/688 (END)
|
Somebody got an idea?
Thnx! |
MaartenZzZ n00b
Joined: 28 Oct 2007 Posts: 61 Location: Bergen op Zoom, The Netherlands
Posted: Thu Dec 13, 2007 7:23 pm Post subject:
Just fixed it.
Now running clamd as user "root", and added root to the "clamd" group:
/etc/init.d/clamd restart and off we go!
Hope it's fixed for other people too now. |
gr0x0rd Guru
Joined: 12 Aug 2006 Posts: 311
Posted: Sun Dec 16, 2007 12:50 am Post subject:
I followed this guide and had everything working nicely. However after upgrading to the 2.6.23r3 kernel, I finally noticed that the avahi-daemon wasn't starting anymore.
This was caused by enabling the Code: | Security options --->
[*] Enable different security models
<M> Default Linux Capabilities | in the kernel. Other users have experienced this as well.... https://forums.gentoo.org/viewtopic-p-3361179.html
Anyone know of a way for these kernel settings and avahi-daemon to get along? If I run Code: | modprobe capability | and then try to start the avahi-daemon, it starts. Is there a way to execute that command in my startup prior to starting the avahi-daemon? _________________ ~g
emerge -FML... |
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Sun Dec 16, 2007 4:31 am Post subject:
gr0x0rd wrote: | I followed this guide and had everything working nicely. However after upgrading to the 2.6.23r3 kernel, I finally noticed that the avahi-daemon wasn't starting anymore.
This was caused by enabling the Code: | Security options --->
[*] Enable different security models
<M> Default Linux Capabilities | in the kernel. Other users have experienced this as well.... https://forums.gentoo.org/viewtopic-p-3361179.html
Anyone know of a way for these kernel settings and avahi-daemon to get along? If I run Code: | modprobe capability | and then try to start the avahi-daemon, it starts. Is there a way to execute that command in my startup prior to starting the avahi-daemon? |
You could add the modprobe and daemon start in your local.start to ensure they start in the correct order on each boot. It's a hack, but it should work until an upstream fix.
gr0x0rd Guru
Joined: 12 Aug 2006 Posts: 311
Posted: Sun Dec 16, 2007 8:38 pm Post subject:
Done.
Will keep an eye on this thread, looking forward to seeing what you come up with for the quarantine etc!
Cheers _________________ ~g
emerge -FML... |
TravisBy n00b
Joined: 22 Nov 2007 Posts: 69
Posted: Sun Dec 16, 2007 10:45 pm Post subject:
I've wanted to finally get Clamuko working, after about a year of seeing it and trying it every now and then. This really helped me, thank you. I've wanted Dazuko to work for so long, and just recently built me a Gentoo box. I saw this post, and was overjoyed by it.
Just a quick question though. I use this on my desktop (workstation + a game or two of tremulous), and I was wondering what would be good settings for Clamuko? My system will obviously freeze (and has) when trying to run OnAccess, because when running workstation/games a lot of files are accessed, and that kinda causes me lots of lag =/ Is there any better settings I could use, or should I just keep clamuko off while running X? [just use it when I'm doing commandline stuff, since that won't be a lot of files at once. Didn't mean X causes a lot of scans, just that I use a lot of files when X is run]. |
gr0x0rd Guru
Joined: 12 Aug 2006 Posts: 311
Posted: Mon Dec 17, 2007 2:22 am Post subject:
in your /etc/clamd.conf:
Code: | # Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
ClamukoExcludePath /gamedir/mygame
ClamukoExcludePath /home/myacct/.gamedir |
Perhaps not the best solution, but it's still better than shutting down clamd entirely before you start gaming. I'm sure you could also set read-only permissions and user security groups on your gaming folders to make them even more secure. Maybe someone else has a better solution...
note for wine users!
Every time I have tried to run wine with clamuko running, my system has locked up entirely. So if you are planning on running wine with clamuko, be sure to add Code: | ClamukoExcludePath /home/myacct/.wine
ClamukoExcludePath /../mywineprog | to your clamd.conf! _________________ ~g
emerge -FML...
Last edited by gr0x0rd on Tue Dec 18, 2007 10:33 pm; edited 1 time in total |
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Mon Dec 17, 2007 4:17 pm Post subject:
TravisBy wrote: | I've wanted to finally get Clamuko working, after about a year of seeing it and trying it every now and then. This really helped me, thank you. I've wanted Dazuko to work for so long, and just recently built me a Gentoo box. I saw this post, and was overjoyed by it.
Just a quick question though. I use this on my desktop (workstation + a game or two of tremulous), and I was wondering what would be good settings for Clamuko? My system will obviously freeze (and has) when trying to run OnAccess, because when running workstation/games a lot of files are accessed, and that kinda causes me lots of lag =/ Is there any better settings I could use, or should I just keep clamuko off while running X? [just use it when I'm doing commandline stuff, since that won't be a lot of files at once. Didn't mean X causes a lot of scans, just that I use a lot of files when X is run]. | I think gr0x0rd's suggestion is great if you have a game that is often writing to your home dir. I think the best advice is to run Clamuko in only the directories that are necessary. I personally haven't experienced any X lag while using this on a Pentium M 1.6 GHz w/ 1 gig of RAM, although I don't usually run any 3d games.
The most important places to run Clamuko monitoring are /home and /tmp. If virii can access anywhere else, your system is probably already compromised.
Glad to hear you like the howto... It was a bit of a pain to initially figure out the setup, and it seemed that nowhere on the internet did it say that ClamAV can work in realtime... hence the howto to promote such ideas.