gr0x0rd Guru
Joined: 12 Aug 2006 Posts: 311
Posted: Mon Dec 17, 2007 10:02 pm
I also wanted to add a tidbit regarding notification... all of this is great, but since clamav has notification disabled by default
Code:
# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
you may not even notice a virus on your system until you manually check your logs! And if you're anything like me, you don't spend a lot of time observing your logs (pr0n is a much more productive use of most people's time).
I opted for a different solution than the one above: most users have some sort of system monitor enabled. I (and probably many people here) use conky. A simple adjustment to your .conkyrc
Code:
${color}Antivirus Alerts
${color yourcolor}${tail /var/log/clamav/clamd.log x 20}
will show you the last x lines of your clamd.log once you've set the appropriate permissions.
Of course, you can test this using the eicar example once you've set it up; if it's working, you should see
Sun Dec 16 12:39:20 2007 -> Clamuko: /.../eicar.com.txt: Eicar-Test-Signature FOUND
displayed in conky almost immediately.
fice n00b
Joined: 22 Jan 2008 Posts: 4
Posted: Tue Jan 22, 2008 12:22 pm
Hello.
And what about moving infected files to a quarantine dir?
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Tue Jan 22, 2008 6:36 pm
fice wrote:
> Hello.
> And what about moving infected files to a quarantine dir?
There is the easy way and the right way to do this. Take a look at your clamd.conf. There should be a line like this:
Code:
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
%v is the virus name, and %f is for the actual filename.
The easy way would be to use this command to move the file to a quarantine dir, BUT it is warned at the following URL (halfway down the page) that this could be dangerous:
http://www.webservertalk.com/archive389-2006-7-1592284.html
They don't give a real reason why this is a security issue, but I will take it at face value.
This is my (untested) recommendation. If it works let me know and I'll add it to the 1st post in this thread.
Step 1: Mark the virus file as read only and flag it:
Code:
VirusEvent /bin/chown nobody:nobody %f ; chmod 0400 %f ; touch "%f_infected"
Basically this command makes the file read-only and owned by nobody, then creates a new file in the same dir that we will use as a marker to denote the file is infected.
Step 2: Remove all the infected files
I don't have the time at the moment to write the script, but basically you will want a script that monitors the clamav scan directories and removes any _infected flag files, as well as the real infected files.
fice n00b
Joined: 22 Jan 2008 Posts: 4
Posted: Wed Jan 23, 2008 7:30 am
I tried your solution for chown & chmod (step 1), but it does not work for me. My Gentoo does not respond at all \=. But I found this url: http://lurker.clamav.net/message/20080104.224727.a3d99cc0.en.html , which says that
Quote:
> In clamd.conf you can only use %v.
So this way does not match.
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Wed Jan 23, 2008 5:46 pm
Ok... I read on a thread somewhere you could use %f. It does however look like the environment variable $CLAM_VIRUSEVENT_FILENAME is set instead... much better actually.
Call a small script like so (these are all untested):
clamd.conf
Code:
VirusEvent /usr/bin/clam_quarantine.sh
clam_quarantine.sh:
Code:
#!/bin/bash
# clamd exports the path of the detected file in CLAM_VIRUSEVENT_FILENAME;
# quote it so paths with spaces survive
/bin/chown nobody:nobody "${CLAM_VIRUSEVENT_FILENAME}"
/bin/chmod 0400 "${CLAM_VIRUSEVENT_FILENAME}"
/usr/bin/touch "${CLAM_VIRUSEVENT_FILENAME}_infected"
As for the removal you could have a daemon that starts this script on each boot:
Code:
#!/bin/bash
while true; do
    # search for all files tagged with _infected, delete the marker, then delete
    # the real file whose name is the marker's name minus the _infected suffix
    find /path/to/clamav/scan/dirs -name "*_infected" -print -exec rm {} \; \
        | sed -e 's/_infected$//' | xargs -r -d '\n' rm --
    # sleep for 5 mins
    sleep 300
done
Please use caution with the above script, as it deletes files, and hasn't been thoroughly tested!
If you want to try the find and rm commands separately try these out:
Code:
# deletes _infected files in the current directory (for example it will remove testvirus_infected)
find . -name "*_infected" -exec rm {} \;
Code:
# deletes the real file in the current directory (for example it will remove testvirus)
find . -name "*_infected" -print | sed -e 's/_infected$//' | xargs -r -d '\n' rm --
fice n00b
Joined: 22 Jan 2008 Posts: 4
Posted: Mon Jan 28, 2008 5:15 am
Thanks for helping, but I don't know what's wrong: after finding a virus, where the "VirusEvent" action should run, my computer stops responding. =( Rebooting saves the situation.
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Mon Jan 28, 2008 7:35 pm
fice wrote:
> Thanks for helping, but I don't know what's wrong: after finding a virus, where the "VirusEvent" action should run, my computer stops responding. =( Rebooting saves the situation.
Sounds like the dazuko kernel module crashed and killed your machine.
I'm not sure what to say... Does it crash with any script called by VirusEvent?
What kernel are you using? I think in new kernels dazuko is not even compiling (I saw a thread around here on it). This makes me think that it might be getting phased out. I'm not sure what a good replacement would be, and/or if clamav will support a replacement.
fice n00b
Joined: 22 Jan 2008 Posts: 4
Posted: Wed Jan 30, 2008 6:09 am
mikegpitt wrote:
> Sounds like the dazuko kernel module crashed and killed your machine.
> I'm not sure what to say... Does it crash with any script called by VirusEvent?
> What kernel are you using? I think in new kernels dazuko is not even compiling (I saw a thread around here on it). This makes me think that it might be getting phased out. I'm not sure what a good replacement would be, and/or if clamav will support a replacement.
Yes, it crashes with any script.
I'm using
2.6.23-gentoo-r3 on x86_64 Intel(R) Core(TM)2 Duo CPU E6550
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Mon Apr 14, 2008 7:13 pm
I updated the first post in this howto to reflect changes in getting dazuko to work with kernels 2.6.23/24.
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Thu Aug 07, 2008 7:05 pm
Since VirusEvent still seems to cause a kernel panic I decided to write a small shell script that will monitor the clamav logs and when it finds a virus, it will pull out the filename and do something with it. Enjoy!
Code:
#!/bin/bash
CLAMLOG=/var/log/clamav/clamd.log
FOUNDPATTERN=FOUND
tail -f "${CLAMLOG}" |
while read -r line
do
    [[ "$line" != *${FOUNDPATTERN}* ]] && continue
    # example line to parse
    #Thu Aug 7 14:34:49 2008 -> Clamuko: /home/username/eicar.com.txt: Eicar-Test-Signature FOUND
    # strip the timestamp and module prefix, then the trailing ": <signature> FOUND",
    # so a filename that itself contains a colon is kept whole
    file=$(echo "$line" | sed -e 's/^.*Clamuko: //' -e 's/: [^:]* FOUND$//')
    echo "virus found: $file"
    # do something to the virus here
    # example: rm "$file"
    # example: mv "$file" /tmp/quarantine
done
exit 0
EDIT: Script added to main howto in 1st post...
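As an added example that is not code from the thread or from ClamAV, the handler below does what the log-watching script above does and also covers the quarantine-directory question raised earlier: it takes the path as everything before the last ": <signature> FOUND" so filenames containing colons survive, refuses symlinks before moving anything, and stores the sample unreadable in a mode-0700 directory. The CLAMLOG and QUARANTINE defaults and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a log-driven quarantine handler.
# CLAMLOG/QUARANTINE defaults and the sample lines below are constructed.

# Turn one clamd/clamuko line into "<path>|<signature>", or return 1 when it
# is not a detection. The path is everything before the LAST ": <sig> FOUND",
# so a filename containing ": " is not truncated at its first colon.
parse_found_line() {
    case $1 in *' FOUND') ;; *) return 1 ;; esac
    rest=${1#* -> }               # drop "Thu Aug  7 14:34:49 2008 -> "
    rest=${rest#Clamuko: }        # drop the on-access tag when present
    sig=${rest##*: }              # text after the last ": "
    sig=${sig% FOUND}
    path=${rest%": $sig FOUND"}   # quoted, so the signature is matched literally
    printf '%s|%s\n' "$path" "$sig"
}

# Move a detected regular file into a private quarantine directory and leave
# it unreadable. Symlinks are refused so a planted link cannot make the
# handler act on a different file than the one the scanner reported.
quarantine_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mkdir -p "$2" && chmod 0700 "$2" || return 1
    dest="$2/${1##*/}.$(date +%s).$$"   # unique name that keeps the original
    mv -- "$1" "$dest" && chmod 0400 "$dest" && printf '%s\n' "$dest"
}

# Dispatcher for the watch loop: lines that are not detections are ignored.
handle_line() {
    parsed=$(parse_found_line "$1") || return 0
    echo "virus found: ${parsed%|*} (${parsed#*|})"
    quarantine_file "${parsed%|*}" "${QUARANTINE:-/var/quarantine/clamav}"
}

# Constructed sample lines: a plain detection, a filename containing ": ",
# and a clean file, used for the dry run below.
SAMPLE_LINES='Thu Aug  7 14:34:49 2008 -> Clamuko: /home/user/eicar.com.txt: Eicar-Test-Signature FOUND
Thu Aug  7 14:35:02 2008 -> Clamuko: /home/user/mail: 2008-08-07.eml: Eicar-Test-Signature FOUND
Thu Aug  7 14:35:10 2008 -> Clamuko: /home/user/clean.pdf: OK'

if [ "${1:-}" = --watch ]; then
    # Live mode: follow the log the way the thread's script does.
    tail -F "${CLAMLOG:-/var/log/clamav/clamd.log}" | while IFS= read -r line; do handle_line "$line"; done
else
    # Dry run: show what the parser extracts without touching any file.
    printf '%s\n' "$SAMPLE_LINES" | while IFS= read -r line; do parse_found_line "$line" || echo "skip: $line"; done
fi
```

Run with `--watch` as the clamd log owner (or a user in its group) to act on live detections; without arguments it only parses the sample lines.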
platojones Veteran
Joined: 23 Oct 2002 Posts: 1602 Location: Just over the horizon
Posted: Sun Aug 17, 2008 8:25 pm
Bummer, patch doesn't work with gentoo-sources-2.6.25-r7 at this time.
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Mon Aug 18, 2008 4:49 am
platojones wrote:
> Bummer, patch doesn't work with gentoo-sources-2.6.25-r7 at this time.
Take a look at this page on the dazuko website:
http://dazuko.dnsalias.org/wiki/index.php/Downloads
It looks like they have a patch for the 2.6.25 & 26 kernels. I haven't had a chance to test it. If it works, post back and let us know.
platojones Veteran
Joined: 23 Oct 2002 Posts: 1602 Location: Just over the horizon
Posted: Thu Aug 21, 2008 1:51 am
Yep, compiled fine and seems to work... not exactly like the howto says... the eicar doesn't log in the file, but it doesn't download either. Seems pretty stable thus far.
platojones Veteran
Joined: 23 Oct 2002 Posts: 1602 Location: Just over the horizon
Posted: Sat Aug 23, 2008 12:02 am
Ok, I've decided that clamuko is not really running, in spite of all of the positive log messages I see in the clamav log. One thing I've noticed that is different is that the 'default linux capabilities' in the kernel cannot be built as a module in the newest kernels. I get the /dev/dazuko and clamav reports that everything is fine, but I can download the eicar tests without a problem. Clamav does not even notice that they have been downloaded to my /home directory. Anybody else having this problem? I'm running kernel 2.6.25-gentoo-r7 with the dazuko 2.6.25 patch applied and compiled in. It's obvious my kernel does have the patch since as soon as I rebooted, the /dev/dazuko device showed up and I am getting all of the appropriate log messages indicating that dazuko is up and running fine.
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Sat Aug 23, 2008 1:25 am
platojones wrote:
> Ok, I've decided that clamuko is not really running, in spite of all of the positive log messages I see in the clamav log. One thing I've noticed that is different is that the 'default linux capabilities' in the kernel cannot be built as a module in the newest kernels. I get the /dev/dazuko and clamav reports that everything is fine, but I can download the eicar tests without a problem. Clamav does not even notice that they have been downloaded to my /home directory. Anybody else having this problem? I'm running kernel 2.6.25-gentoo-r7 with the dazuko 2.6.25 patch applied and compiled in. It's obvious my kernel does have the patch since as soon as I rebooted, the /dev/dazuko device showed up and I am getting all of the appropriate log messages indicating that dazuko is up and running fine.
In the newer kernels capabilities isn't needed because dazuko can be built into the kernel.
I've also noticed that with the current dazuko and clamav, firefox can download eicar. It shouldn't be a problem though, because you shouldn't be able to do anything with it once it's downloaded. On access you will receive permission denied and it will be logged.
With clamav 0.92 I was able to rm eicar without notice. On 0.93.3 rm is blocked, although mv isn't. Any real type of access like reading, writing, or executing the virus is blocked and logged.
As you can see, things seem to change with various versions of clamav/dazuko, but in general it appears to work well.
platojones Veteran
Joined: 23 Oct 2002 Posts: 1602 Location: Just over the horizon
Posted: Sat Aug 23, 2008 1:32 am
Thanks for the response mikegpitt. Sadly, no, it not only lets me download the file, but I can do anything I want to with any of the eicar files... read them, move them, copy them or remove them... not only does it not prevent those actions, it doesn't even register in the log file. Something is wrong with this kernel version, I'm afraid. Maybe all of this will be fixed in the next version... it's a very cool concept... I'd love to see it accepted into the official kernel tree where it can be properly supported.
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Sat Aug 23, 2008 4:37 am
platojones wrote:
> Thanks for the response mikegpitt. Sadly, no, it not only lets me download the file, but I can do anything I want to with any of the eicar files... read them, move them, copy them or remove them... not only does it not prevent those actions, it doesn't even register in the log file. Something is wrong with this kernel version, I'm afraid. Maybe all of this will be fixed in the next version... it's a very cool concept... I'd love to see it accepted into the official kernel tree where it can be properly supported.
Darn, that sucks... If I get a chance in the next few days, I'll try to take a look with a newer kernel, although it sounds like I won't have much luck.
If you don't *need* the 2.6.25 kernel, you could always use 2.6.24. I know it works well there.
platojones Veteran
Joined: 23 Oct 2002 Posts: 1602 Location: Just over the horizon
Posted: Sat Aug 23, 2008 12:19 pm
Hi mikegpitt,
Well, here's a strange update. I woke up this morning, and my computer was locked up solid. I think it might be that crash issue that was discussed earlier in this thread (I haven't had my system crash in over a year). I rebooted, and when I did, clamuko came alive. I think at some point, I should have rebooted during this process (though I did when I rebuilt the kernel). In any event, I checked the clamd log file and it was finding stuff in my home directory (mostly old mail messages with viruses). It does look like it works. I need to look into that crash issue more, to see what the actual cause was. I know you've posted a workaround for that if it was, as I suspect, dazuko that caused it. Thanks for the help, btw.
mikegpitt Advocate
Joined: 22 May 2004 Posts: 3224
Posted: Sat Aug 23, 2008 4:05 pm
platojones wrote:
> Hi mikegpitt,
> Well, here's a strange update. I woke up this morning, and my computer was locked up solid. I think it might be that crash issue that was discussed earlier in this thread (I haven't had my system crash in over a year). I rebooted, and when I did, clamuko came alive. I think at some point, I should have rebooted during this process (though I did when I rebuilt the kernel). In any event, I checked the clamd log file and it was finding stuff in my home directory (mostly old mail messages with viruses). It does look like it works. I need to look into that crash issue more, to see what the actual cause was. I know you've posted a workaround for that if it was, as I suspect, dazuko that caused it. Thanks for the help, btw.
Good stuff! (I meant the part about it working, not the crash.) Yeah, you would have needed to reboot the machine to use the new kernel configuration. I'm not sure how /dev/dazuko showed up without a reboot.
Dazuko is still experimental, I'd say, but I never had it lock up my machine if it's just doing nothing in the background. The only hardlocks I've had were related to the VirusEvent option in clamav. I haven't had any luck using it, hence the workaround.