Gentoo Forums
[HOWTO] real-time clamav support with dazuko/calmuko
mikegpitt
Posted: Wed Oct 24, 2007 7:10 pm    Post subject: [HOWTO] real-time clamav support with dazuko/calmuko

- Updated 8/7/08 -

Added a script on page 2 of this thread that replaces clamav's VirusEvent. This can be used to quarantine viruses or do whatever else you need with them.

Link to post with script:
https://forums.gentoo.org/viewtopic-p-5176148.html#5176148

Script also added to main howto... look below in this post.


- Howto updated 4/14/08 -

You may have noticed that the old dazuko ebuild doesn't work on newer kernels, and the new dazuko ebuild is hard masked. If you take a look at bugzilla you will see that it is hard masked because it depends on redirfs, and it can cause filesystem corruption (very bad!).
https://bugs.gentoo.org/show_bug.cgi?id=207537

Instead I recommend using the new dazuko kernel patch. It is very easy to get set up, and works with kernels 2.6.23/24. Another advantage is that by being in the kernel itself, it doesn't depend on any other modules (e.g. security and capabilities).

Here's the dazuko developers post about the new kernel patch:
http://lists.gnu.org/archive/html/dazuko-devel/2008-03/msg00014.html


How to use -- tested with gentoo-sources-2.6.24-r4 and dazuko kernel patch 2.3.5-pre1:


1: Download new dazuko kernel patch:
http://www.dazuko.org/files/patch-linux26-dazuko-2.3.5-pre1.tar.gz


2: Patch kernel (directions from their README):
Code:
# cd /linux/src/dir/linux-a.b.c.d
# zcat /proc/config.gz > .config
# patch -p1 < patch-linux26-dazuko-2.3.5-pre1.diff
# make menuconfig
(select Dazuko in the Security section and exit, saving changes)
# make
# make modules_install
# make install
# reboot


P.S. - If you use genkernel, either apply the patch as above and rerun genkernel --menuconfig, or copy the gentoo-sources ebuild to an overlay, and add the dazuko patch to the genpatches-2.6.x-x.extras.tar.bz2 tarball, re-digest the ebuild, and re-emerge the gentoo-sources.


You can now skip ahead to step three in the original howto below. Also in step 6 you can ignore the modprobe stuff, since dazuko must be built into the kernel (not as a module).




- Original howto -- October 2007 -

This process isn't all that hard, but I did have a few stumbling blocks when trying to configure real-time support for clamav. I will outline the basic process here. I haven't done all that much testing yet, so as I find out more information/hiccups I'll post it here, if relevant.

I have tested this with gentoo-sources-2.6.22-r2, dazuko-2.3.4, and clamav-0.91.2.

1. Ensure you have security module support enabled in your kernel:
Kernel options:
SECURITY =y
SECURITY_CAPABILITIES=m (this must be built as a module!)
Code:
 Security options  --->
[*] Enable different security models
<M>   Default Linux Capabilities


Install and reboot to your new kernel if necessary

2. Install dazuko
Code:
emerge sys-fs/dazuko

This may need to be added to your package.keywords, as it was ~x86 masked for me.

3. Emerge clamav
do I really need to write anything here?

4. Enable Clamuko support in your /etc/clamd.conf

Uncomment the lines as I did in the below section of the config file. You can change things to what works for you.
Code:
##
## Clamuko settings
## WARNING: This is experimental software. It is very likely it will hang
##          up your system!!!
##

# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
# Default: no
ClamukoScanOnAccess yes

# Set access mask for Clamuko.
# Default: no
ClamukoScanOnOpen yes
ClamukoScanOnClose yes
ClamukoScanOnExec yes

# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a separate line.
# Default: disabled
ClamukoIncludePath /home



5. Add appropriate udev rule for clamav access to dazuko
create the file: /etc/udev/rules.d/dazuko.rules
and add this line to it:
Code:
KERNEL=="dazuko",       NAME="%k", GROUP="clamav", MODE="0660"




6. Modprobe in dazuko and start clamav
Code:
modprobe dazuko
modprobe capability
/etc/init.d/clamd start



Everything should be set now. You can verify this in your clamav logfile:
Code:
Wed Oct 24 14:50:35 2007 -> +++ Started at Wed Oct 24 14:50:35 2007
Wed Oct 24 14:50:35 2007 -> clamd daemon 0.91.2 (OS: linux-gnu, ARCH: i386, CPU: i686)
Wed Oct 24 14:50:35 2007 -> Running as user clamav (UID 104, GID 412)
Wed Oct 24 14:50:35 2007 -> Log file size limited to 1048576 bytes.
Wed Oct 24 14:50:35 2007 -> Reading databases from /var/lib/clamav
Wed Oct 24 14:50:35 2007 -> Not loading PUA signatures.
Wed Oct 24 14:50:38 2007 -> Loaded 161172 signatures.
Wed Oct 24 14:50:38 2007 -> Unix socket file /var/run/clamav/clamd.sock
Wed Oct 24 14:50:38 2007 -> Setting connection queue length to 15
Wed Oct 24 14:50:38 2007 -> Archive: Archived file size limit set to 10485760 bytes.
Wed Oct 24 14:50:38 2007 -> Archive: Recursion level limit set to 8.
Wed Oct 24 14:50:38 2007 -> Archive: Files limit set to 1000.
Wed Oct 24 14:50:38 2007 -> Archive: Compression ratio limit set to 250.
Wed Oct 24 14:50:38 2007 -> Archive support enabled.
Wed Oct 24 14:50:38 2007 -> Algorithmic detection enabled.
Wed Oct 24 14:50:38 2007 -> Portable Executable support enabled.
Wed Oct 24 14:50:38 2007 -> ELF support enabled.
Wed Oct 24 14:50:38 2007 -> Mail files support enabled.
Wed Oct 24 14:50:38 2007 -> Mail: Recursion level limit set to 64.
Wed Oct 24 14:50:38 2007 -> OLE2 support enabled.
Wed Oct 24 14:50:38 2007 -> PDF support disabled.
Wed Oct 24 14:50:38 2007 -> HTML support enabled.
Wed Oct 24 14:50:38 2007 -> Self checking every 1800 seconds.
Wed Oct 24 14:50:38 2007 -> Clamuko: Correctly registered with Dazuko.
Wed Oct 24 14:50:38 2007 -> Clamuko: Scan-on-open mode activated.
Wed Oct 24 14:50:38 2007 -> Clamuko: Scan-on-close mode activated.
Wed Oct 24 14:50:38 2007 -> Clamuko: Scan-on-exec mode activated.
Wed Oct 24 14:50:38 2007 -> Clamuko: Included path /home
Wed Oct 24 14:50:38 2007 -> Clamuko: Max file size limited to 5242880 bytes.



If you get the error:
Code:
ERROR: Clamuko: Can't register with Dazuko
you likely didn't add the above udev rule, or there is some problem with the rule you did add.


Now for testing:
You can download the test eicar virus here:
http://www.eicar.org/anti_virus_test_file.htm

Don't worry... this is not a real virus, but a test pattern that works for almost all virus scanners. If clamav is running, you should see messages in your log file like this:
Code:
Clamuko: /home/mikeg/eicar.com.txt: Eicar-Test-Signature FOUND


You will see a message like this every time you access the virus file (e.g. vi eicar.com.txt). You will also get a permission denied error, so you won't be able to do anything useful with the file.


That's it for now. If I get some time to configure clamav better so I can quarantine infected files and do other useful stuff I'll post back here.





Doing something useful with detected viruses
There is a variable in /etc/clamd.conf called VirusEvent that will execute a command each time a virus is detected.
Code:
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

Unfortunately, I haven't gotten it to work properly. I've tested with a few different kernels and a few different versions of clamav, and when I enable VirusEvent, I always end up with my system hard locking.

Instead I wrote a simple shell script that monitors the clamav logs for "found" viruses. You can customize this to do anything you need to do when a virus is detected, including placing them in quarantine or notification via email.

This script will need to run as root, since it needs access to your syslogs and also access to the directories you want to scan. If you don't want to run it as root, you can probably get away with it, as long as the selected user has read access to /var/log/clamav/clamd.log, and you don't want to do any type of file manipulation of the virus.

clam_detect.sh
Code:

#!/bin/bash

# Follow the clamd log and act on every line that reports a detection.
CLAMLOG=/var/log/clamav/clamd.log
FOUNDPATTERN=FOUND

# -F keeps following the log across rotation; plain -f stays on the old inode
tail -F "${CLAMLOG}" |
while read -r line
do
   [[ "$line" != *${FOUNDPATTERN}* ]] && continue

   # example line to parse
   #Thu Aug 7 14:34:49 2008 -> Clamuko: /home/username/eicar.com.txt: Eicar-Test-Signature FOUND

   # drop everything up to "Clamuko: " and the trailing signature; cutting at
   # the LAST ": " keeps a path that itself contains ':' intact
   file=${line#*Clamuko: }
   file=${file% FOUND}
   file=${file%: *}
   echo "virus found: $file"

   # do something to the virus here (keep the quotes: paths may contain spaces)
   # example: rm -- "$file"
   # example: mv -- "$file" /tmp/quarantine

done

exit 0


Last edited by mikegpitt on Mon Aug 11, 2008 10:14 pm; edited 6 times in total
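An added example, not code from the original post, that takes the log-watching script one step further: it classifies the three Clamuko line types that come up in this thread (a FOUND detection, "skipped (too big)", and the "Can't register with Dazuko" error) and moves detected files into a quarantine directory instead of deleting them. QUARANTINE_DIR and the CLAM_DETECT_RUN switch are assumed names; the quarantine directory is assumed to sit on the same filesystem as the scanned paths (so mv is a rename rather than a copy that would have to read the infected file) and to be excluded from on-access scanning with ClamukoExcludePath so clamd does not keep re-flagging the stored samples.

```shell
#!/bin/sh
# Added example, not code from the original post. Classifies the three Clamuko
# log line types seen in this thread and quarantines detections instead of
# deleting them. QUARANTINE_DIR and CLAM_DETECT_RUN are assumed names.

# Assumption: lives on the same filesystem as the scanned paths, so mv is a
# rename and never has to read the (access-denied) infected file.
QUARANTINE_DIR=${QUARANTINE_DIR:-/var/lib/clamav/quarantine}

# classify_line LINE: prints "kind|path|detail" and returns 0 for a Clamuko
# event (kind = found, skipped or register_error); returns 1 for other lines.
classify_line() {
    line=$1
    case "$line" in
        *"Clamuko: Can't register with Dazuko"*)
            printf 'register_error||%s\n' "$line" ;;
        *"Clamuko: "*" skipped (too big)"*)
            rest=${line#*Clamuko: }            # "/path skipped (too big)"
            printf 'skipped|%s|too big\n' "${rest%% skipped*}" ;;
        *"Clamuko: "*" FOUND")
            rest=${line#*Clamuko: }            # "/path: Signature FOUND"
            rest=${rest% FOUND}                # "/path: Signature"
            # split at the LAST ": " so a path containing ':' stays whole
            printf 'found|%s|%s\n' "${rest%: *}" "${rest##*: }" ;;
        *) return 1 ;;
    esac
}

# quarantine_file PATH: moves PATH under QUARANTINE_DIR mirroring its original
# directory (provenance), strips all permissions, prints the new location.
quarantine_file() {
    src=$1
    [ -f "$src" ] || return 1
    case "$src" in
        "$QUARANTINE_DIR"/*) return 1 ;;       # already quarantined: never loop
        /*) ;;
        *) return 1 ;;                          # clamd logs absolute paths
    esac
    dest="$QUARANTINE_DIR$src.$(date +%s).$$"
    (umask 077 && mkdir -p "$(dirname "$dest")") || return 1
    mv -- "$src" "$dest" || return 1
    chmod 0000 "$dest"
    printf '%s\n' "$dest"
}

# watch_log [LOGFILE]: follow the clamd log (-F survives log rotation) and act
# on each classified event.
watch_log() {
    log=${1:-/var/log/clamav/clamd.log}
    tail -F "$log" | while read -r line; do
        event=$(classify_line "$line") || continue
        kind=${event%%|*}; rest=${event#*|}
        path=${rest%%|*};  detail=${rest#*|}
        case "$kind" in
            found)
                if dest=$(quarantine_file "$path"); then
                    logger -t clam_detect "quarantined $path ($detail) -> $dest"
                else
                    logger -t clam_detect "FAILED to quarantine $path ($detail)"
                fi ;;
            skipped)
                logger -t clam_detect "not scanned: $path ($detail); see ClamukoMaxFileSize" ;;
            register_error)
                logger -t clam_detect "cannot reach /dev/dazuko: check the udev rule and group" ;;
        esac
    done
}

# Only start following the log when explicitly asked, so the functions can be
# sourced or tested without blocking on tail -F.
if [ -n "${CLAM_DETECT_RUN:-}" ]; then
    watch_log "$@"
fi
```

Run it as root with CLAM_DETECT_RUN=1 (it needs to read the clamd log and rename files in the scanned directories), or source it to reuse the two functions from another script.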
jexxie
Posted: Thu Oct 25, 2007 7:04 pm

Looks great, cheers.
_________________
Rambling sysadmin
My personal site and blog: Phil Dufault
afb
Posted: Sat Dec 08, 2007 1:44 am

I have a doubt. I did all as you explained, but all the files that I try to open appear in the log as "file X skipped (too big)", where file X is the file that I try to open.

What can I do?
rev138
Posted: Sat Dec 08, 2007 3:10 am

I followed this guide just now, and everything loads properly (note that you MUST modprobe dazuko BEFORE capability), but I can write, read, and delete the eicar files with no problem. No access denied messages. Nothing in the logs.
_________________
Vermont Free PC
http://www.vtfreepc.org
mikegpitt
Posted: Sat Dec 08, 2007 6:51 pm

afb wrote:
I have a doubt. I did all as you explained, but all the files that I try to open appear in the log as "file X skipped (too big)", where file X is the file that I try to open.

What can I do?
Not sure. How big are the files you are opening? There appear to be a few settings in /etc/clamd.conf that relate to size, but I'm not sure any are what you would be looking for... you may want to check it out anyway to be sure.

Are you sure that the log is related to clamav and not another app?
rev138
Posted: Sun Dec 09, 2007 2:16 am

Does anyone have any idea why this isn't working for me? I did everything the how-to says, and when I start clamd, the log says:
Code:
Sat Dec  8 21:07:27 2007 -> Clamuko: Correctly registered with Dazuko.
Sat Dec  8 21:07:27 2007 -> Clamuko: Scan-on-open mode activated.
Sat Dec  8 21:07:27 2007 -> Clamuko: Scan-on-close mode activated.
Sat Dec  8 21:07:27 2007 -> Clamuko: Scan-on-exec mode activated.
Sat Dec  8 21:07:27 2007 -> Clamuko: Included path /storage/common
Sat Dec  8 21:07:27 2007 -> Clamuko: Included path /storage/home
Sat Dec  8 21:07:27 2007 -> Clamuko: Max file size limited to 10485760 bytes.


However, if I try to copy an eicar test file to one of the paths above, via ssh, smb or wget, it succeeds as normal.

I'm using gentoo-sources-2.6.23-r3, clamav-0.91.2, and dazuko-2.3.4 on amd64.
mikegpitt
Posted: Sun Dec 09, 2007 3:22 am

rev138 wrote:
Does anyone have any idea why this isn't working for me? I did everything the how-to says, and when I start clamd, the log says:
Code:
Sat Dec  8 21:07:27 2007 -> Clamuko: Correctly registered with Dazuko.
Sat Dec  8 21:07:27 2007 -> Clamuko: Scan-on-open mode activated.
Sat Dec  8 21:07:27 2007 -> Clamuko: Scan-on-close mode activated.
Sat Dec  8 21:07:27 2007 -> Clamuko: Scan-on-exec mode activated.
Sat Dec  8 21:07:27 2007 -> Clamuko: Included path /storage/common
Sat Dec  8 21:07:27 2007 -> Clamuko: Included path /storage/home
Sat Dec  8 21:07:27 2007 -> Clamuko: Max file size limited to 10485760 bytes.


However, if I try to copy an eicar test file to one of the paths above, via ssh, smb or wget, it succeeds as normal.

I'm using gentoo-sources-2.6.23-r3, clamav-0.91.2, and dazuko-2.3.4 on amd64.
It is probably getting through because part of the file is transferring at a time, so it wouldn't have the whole file to scan. Once you have it downloaded, what happens if you try to access the file?
rev138
Posted: Sun Dec 09, 2007 3:38 am

I'm allowed to access the file, delete it, whatever. Nothing is reported in the clam log. I even set clam to log ALL results, not just the infected ones. No log output. It doesn't seem to be scanning at all.
mikegpitt
Posted: Sun Dec 09, 2007 5:07 am

rev138 wrote:
I'm allowed to access the file, delete it, whatever. Nothing is reported in the clam log. I even set clam to log ALL results, not just the infected ones. No log output. It doesn't seem to be scanning at all.
Try to run a regular clamav scan and see if the file is picked up. Maybe the definition isn't on your system for some reason.
afb
Posted: Sun Dec 09, 2007 2:08 pm

If I scan the file (eicar.com.txt) directly (using klamav - KDE frontend) the virus is detected, but if I open it with kwrite it doesn't log anything, just "Clamuko: /home/afb/Desktop/eicar.com.txt skipped (too big)"
rev138
Posted: Mon Dec 10, 2007 2:13 am

Odd... I noticed while working on something else that a clamd process had been running for 3+ hours, so I stopped it. When I restarted, clamuko magically began working :P
rev138
Posted: Mon Dec 10, 2007 2:18 am

Next question:

I can now copy the eicar file to the server successfully but if I try to unzip or delete it, I get "access denied". How do I get rid of infected files? Do I have to shut down clamd to delete them?

Thanks.
mikegpitt
Posted: Mon Dec 10, 2007 3:31 am

rev138 wrote:
Next question:

I can now copy the eicar file to the server successfully but if I try to unzip or delete it, I get "access denied". How do I get rid of infected files? Do I have to shut down clamd to delete them?

Thanks.

You need to set up a quarantine for them. I actually never had a chance to work on this any further, so I don't know exactly what is needed, but if I remember correctly, there is an option in /etc/clamd.conf for a quarantine command. From there you can set up a command to move or delete infected files.

EDIT: Check your config for VirusEvent. This is what you need to set.


Last edited by mikegpitt on Mon Dec 10, 2007 3:36 am; edited 3 times in total
mikegpitt
Posted: Mon Dec 10, 2007 3:34 am

afb wrote:
If I scan the file (eicar.com.txt) directly (using klamav - KDE frontend) the virus is detected, but if I open it with kwrite it doesn't log anything, just "Clamuko: /home/afb/Desktop/eicar.com.txt skipped (too big)"
When you start up clamuko you should probably see something that says "Clamuko: Max file size limited to 10485760 bytes". I just checked my /etc/clamd.conf and there is an option for ClamukoMaxFileSize. I think this is what you need to set/change.
rev138
Posted: Tue Dec 11, 2007 11:02 pm

This is the oddest thing... Sometimes this setup detects viruses and blocks access, and sometimes it just detects the virus but does not block access.

I am getting these results by copying the exact same eicar test file into the exact same location. No configs changed. It only changed behavior when I restarted clamd. Since clam seems to be doing its job and detecting the virus, I assume the blame lies with dazuko. I guess that's why it's masked.
rev138
Posted: Tue Dec 11, 2007 11:12 pm

Ok.. the plot thickens:

I've been doing some more testing. This setup seems to work properly at the console (bash). It detects the infection and prevents access. However, through fish:// (ssh) it detects but does not block access. Through smb:// it does not detect at all.
rev138
Posted: Tue Dec 11, 2007 11:53 pm

I tried setting this in clamd.conf:

Code:

VirusEvent logger %v


And if I try to access the eicar file, the server crashes. It's headless, so I'm not positive what's happening, but since nothing shows up in the logs, I assume it's a kernel panic.
MaartenZzZ
Posted: Thu Dec 13, 2007 7:17 pm

rev138 wrote:
Odd... I noticed while working on something else that a clamd process had been running for 3+ hours, so I stopped it. When I restarted, clamuko magically began working :P


I have the same problem. Clamuko up and running, but I can do whatever I want with viruses on /home:

Code:
Thu Dec 13 20:13:00 2007 -> Clamuko: Correctly registered with Dazuko.
Thu Dec 13 20:13:00 2007 -> Clamuko: Scan-on-open mode activated.
Thu Dec 13 20:13:00 2007 -> Clamuko: Scan-on-close mode activated.
Thu Dec 13 20:13:00 2007 -> Clamuko: Scan-on-exec mode activated.
Thu Dec 13 20:13:00 2007 -> Clamuko: Included path /home
Thu Dec 13 20:13:00 2007 -> Clamuko: Max file size limited to 5242880 bytes.
/var/log/clamav/clamd.log lines 630-688/688 (END)


Somebody got an idea?
Thnx!
MaartenZzZ
Posted: Thu Dec 13, 2007 7:23 pm

Just fixed it.

Now running clamd as user "root", and added root to the "clamd" group:

Code:
clamav:x:441:root


/etc/init.d/clamd restart and off we go!

Hope it's fixed for other people too now.
gr0x0rd
Posted: Sun Dec 16, 2007 12:50 am

I followed this guide and had everything working nicely. However after upgrading to the 2.6.23r3 kernel, I finally noticed that the avahi-daemon wasn't starting anymore.

This was caused by enabling the
Code:
 Security options  --->
[*] Enable different security models
<M>   Default Linux Capabilities
in the kernel. Other users have experienced this as well.... https://forums.gentoo.org/viewtopic-p-3361179.html

Anyone know of a way for these kernel settings and avahi-daemon to get along? If I run
Code:
modprobe capability
and then try to start the avahi-daemon, it starts. Is there a way to execute that command in my startup prior to starting the avahi-daemon?
_________________
~g
emerge -FML...
mikegpitt
Posted: Sun Dec 16, 2007 4:31 am

gr0x0rd wrote:
I followed this guide and had everything working nicely. However after upgrading to the 2.6.23r3 kernel, I finally noticed that the avahi-daemon wasn't starting anymore.

This was caused by enabling the
Code:
 Security options  --->
[*] Enable different security models
<M>   Default Linux Capabilities
in the kernel. Other users have experienced this as well.... https://forums.gentoo.org/viewtopic-p-3361179.html

Anyone know of a way for these kernel settings and avahi-daemon to get along? If I run
Code:
modprobe capability
and then try to start the avahi-daemon, it starts. Is there a way to execute that command in my startup prior to starting the avahi-daemon?


You could add the modprobe and daemon start in your local.start to ensure they start in the correct order on each boot. It's a hack but it should work until an upstream fix.
gr0x0rd
Posted: Sun Dec 16, 2007 8:38 pm

Done. :)

Will keep an eye on this thread, looking forward to seeing what you come up with for the quarantine etc!

Cheers
TravisBy
Posted: Sun Dec 16, 2007 10:45 pm

I've wanted to finally get Clamuko working, after about a year of seeing it and trying it every now and then. This really helped me, thank you. I've wanted Dazuko to work for so long, and just recently built me a Gentoo box. I saw this post, and was overjoyed by it.

Just a quick question though. I use this on my desktop (workstation + a game or two of tremulous), and I was wondering what would be good settings for Clamuko? My system will obviously freeze (and has) when trying to run OnAccess, because when running workstation/games a lot of files are accessed, and that kinda causes me lots of lag =/ Is there any better settings I could use, or should I just keep clamuko off while running X? [just use it when I'm doing commandline stuff, since that won't be a lot of files at once. Didn't mean X causes a lot of scans, just that I use a lot of files when X is run].
gr0x0rd
Posted: Mon Dec 17, 2007 2:22 am

in your /etc/clamd.conf:
Code:
# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
ClamukoExcludePath /gamedir/mygame
ClamukoExcludePath /home/myacct/.gamedir
:)

Perhaps not the best solution, but it's still better than shutting down clamd entirely before you start gaming. I'm sure you could also set read-only permissions and user security groups on your gaming folders to make them even more secure. Maybe someone else has a better solution...

note for wine users!

Every time I have tried to run wine with clamuko running, my system has locked up entirely. So if you are planning on running wine with clamuko, be sure to add
Code:
ClamukoExcludePath /home/myacct/.wine
ClamukoExcludePath /../mywineprog
to your clamd.conf!
Last edited by gr0x0rd on Tue Dec 18, 2007 10:33 pm; edited 1 time in total
mikegpitt
Posted: Mon Dec 17, 2007 4:17 pm

TravisBy wrote:
I've wanted to finally get Clamuko working, after about a year of seeing it and trying it every now and then. This really helped me, thank you. I've wanted Dazuko to work for so long, and just recently built me a Gentoo box. I saw this post, and was overjoyed by it.

Just a quick question though. I use this on my desktop (workstation + a game or two of tremulous), and I was wondering what would be good settings for Clamuko? My system will obviously freeze (and has) when trying to run OnAccess, because when running workstation/games a lot of files are accessed, and that kinda causes me lots of lag =/ Is there any better settings I could use, or should I just keep clamuko off while running X? [just use it when I'm doing commandline stuff, since that won't be a lot of files at once. Didn't mean X causes a lot of scans, just that I use a lot of files when X is run].
I think gr0x0rd's suggestion is great if you have a game that is often writing to your home dir. I think the best advice is to run Clamuko in only the directories that are necessary. I personally haven't experienced any X lag while using this on a Pentium M 1.6 GHz w/ 1 gig of ram, although I don't usually run any 3d games.

The most important places to run Clamuko monitoring is /home and /tmp. If virii can access anywhere else, your system is probably already compromised.

Glad to hear you like the howto... It was a bit of a pain to initially figure out the set up, and nowhere on the internet did it seem to say that ClamAV can work in realtime... hence the howto to promote such ideas. :)