Gentoo Forums
[HOWTO] real-time clamav support with dazuko/calmuko
gr0x0rd
Guru


Joined: 12 Aug 2006
Posts: 300

Posted: Mon Dec 17, 2007 10:02 pm

I also wanted to add a tidbit regarding notification... all of this is great but since clamav has notification disabled by default
Code:
# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
you may not even notice a virus on your system until you manually check your logs! And if you're anything like me, you don't spend a lot of time observing your logs (pr0n is a much more productive use of most people's time). :)

I opted for a different solution than the one above- most users have some sort of system monitor enabled. I (and probably many people here) use conky. A simple adjustment to your .conkyrc
Code:
${color}Antivirus Alerts
${color yourcolor}${tail /var/log/clamav/clamd.log x 20}
will show you the last x lines of your clamd.log once you've set the appropriate permissions.

Of course, you can test this using the eicar example once you've set it up- if it's working, you should see

Sun Dec 16 12:39:20 2007 -> Clamuko: /.../eicar.com.txt: Eicar-Test-Signature FOUND

displayed in conky almost immediately. :)
_________________
~g
emerge -FML...
fice
n00b


Joined: 22 Jan 2008
Posts: 4

Posted: Tue Jan 22, 2008 12:22 pm

Hello.
And what about moving infected files to quarantine dir ?
mikegpitt
Advocate


Joined: 22 May 2004
Posts: 3200

Posted: Tue Jan 22, 2008 6:36 pm

fice wrote:
Hello.
And what about moving infected files to quarantine dir ?

There is the easy way and the right way to do this. Take a look at your clamd.conf. There should be a line like this:
Code:
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

%v is the virus name, and %f is for the actual filename.

The easy way would be to use this command to move the file to a quarantine dir, BUT it is warned at the following URL (halfway down the page) that this could be dangerous:
http://www.webservertalk.com/archive389-2006-7-1592284.html

They don't give a real reason why this is a security issue, but I will take it at face value.

This is my (untested) recommendation. If it works let me know and I'll add it to the 1st post in this thread.

Step 1: Mark the virus file as read only and flag it:
Code:
VirusEvent /bin/chown nobody:nobody %f ; chmod 0400 %f ; touch "%f_infected"

Basically this command makes the file read-only and owned by nobody, then creates a new file in the same dir that we will use as a marker to denote the file is infected.

Step 2: Remove all the infected files
I don't have the time at the moment to write the script, but basically you will want a script that monitors the clamav scan directories and removes any _infected flag files, as well as the real infected files.
fice
n00b


Joined: 22 Jan 2008
Posts: 4

Posted: Wed Jan 23, 2008 7:30 am

I tried your solution for chown & chmod (step 1), but it does not work for me. My Gentoo does not respond at all =(. But I found this URL: http://lurker.clamav.net/message/20080104.224727.a3d99cc0.en.html , which says that
Quote:
In clamd.conf you can only use %v.

So this way does not work.
mikegpitt
Advocate


Joined: 22 May 2004
Posts: 3200

Posted: Wed Jan 23, 2008 5:46 pm

fice wrote:
I tried your solution for chown & chmod (step 1), but it does not work for me. My Gentoo does not respond at all =(. But I found this URL: http://lurker.clamav.net/message/20080104.224727.a3d99cc0.en.html , which says that
Quote:
In clamd.conf you can only use %v.

So this way does not work.
Ok... I read on a thread somewhere you could use %f. It does however look like the environment variable $CLAM_VIRUSEVENT_FILENAME is set instead... much better actually.

Call a small script like so (these are all untested):

clamd.conf
Code:
VirusEvent /usr/bin/clam_quarantine.sh

clam_quarantine.sh:
Code:
#!/bin/bash

# clamd exports the flagged file's path in CLAM_VIRUSEVENT_FILENAME; keep it
# quoted so paths containing spaces survive
/bin/chown nobody:nobody "${CLAM_VIRUSEVENT_FILENAME}"
/bin/chmod 0400 "${CLAM_VIRUSEVENT_FILENAME}"
/usr/bin/touch "${CLAM_VIRUSEVENT_FILENAME}_infected"


As for the removal you could have a daemon that starts this script on each boot:
Code:
#!/bin/bash

while true; do

        # find every *_infected marker file under the scan dirs, then delete both the
        # marker and the real infected file (the marker name minus the _infected suffix)
        find /path/to/clamav/scan/dirs -name "*_infected" -print0 |
        while IFS= read -r -d '' marker; do
                rm -f -- "$marker" "${marker%_infected}"
        done

        # sleep for 5 mins
        sleep 300
done


Please use caution with the above script, as it deletes files, and hasn't been thoroughly tested!


If you want to try the find and rm commands separately try these out:

Code:
#deletes _infected files in the current directory  (for example it will remove testvirus_infected)
find . -name "*_infected" -exec rm {} \;

Code:
#deletes the real file in the current directory  (for example it will remove testvirus)
#run this one BEFORE the command above, since that one removes the _infected markers it relies on
find . -name "*_infected" -exec sh -c 'rm -- "${1%_infected}"' sh {} \;
fice
n00b


Joined: 22 Jan 2008
Posts: 4

Posted: Mon Jan 28, 2008 5:15 am

Thanks for helping, but I don't know what's wrong: after finding a virus, where the "VirusEvent" action should run, my computer stops responding. =( Rebooting saves the situation.
mikegpitt
Advocate


Joined: 22 May 2004
Posts: 3200

Posted: Mon Jan 28, 2008 7:35 pm

fice wrote:
Thanks for helping, but I don't know what's wrong: after finding a virus, where the "VirusEvent" action should run, my computer stops responding. =( Rebooting saves the situation.
Sounds like the dazuko kernel module crashed and killed your machine.

I'm not sure what to say... Does it crash with any script called by VirusEvent?

What kernel are you using? I think in new kernels dazuko is not even compiling (I saw a thread around here on it). This makes me think that it might be getting phased out. I'm not sure what a good replacement would be, and/or if clamav will support a replacement.
fice
n00b


Joined: 22 Jan 2008
Posts: 4

Posted: Wed Jan 30, 2008 6:09 am

mikegpitt wrote:
Sounds like the dazuko kernel module crashed and killed your machine.

I'm not sure what to say... Does it crash with any script called by VirusEvent?

What kernel are you using? I think in new kernels dazuko is not even compiling (I saw a thread around here on it). This makes me think that it might be getting phased out. I'm not sure what a good replacement would be, and/or if clamav will support a replacement.

Yes, it crashes with any script.
I'm using
2.6.23-gentoo-r3 on x86_64 Intel(R) Core(TM)2 Duo CPU E6550
mikegpitt
Advocate


Joined: 22 May 2004
Posts: 3200

Posted: Mon Apr 14, 2008 7:13 pm

I updated the first post in this howto to reflect changes in getting dazuko to work with kernels 2.6.23/24.
mikegpitt
Advocate


Joined: 22 May 2004
Posts: 3200

Posted: Thu Aug 07, 2008 7:05 pm

Since VirusEvent still seems to cause a kernel panic I decided to write a small shell script that will monitor the clamav logs and when it finds a virus, it will pull out the filename and do something with it. Enjoy!

Code:
#!/bin/bash

CLAMLOG=/var/log/clamav/clamd.log
FOUNDPATTERN=FOUND

tail -f "${CLAMLOG}" |
while IFS= read -r line
do
   [[ "$line" != *" ${FOUNDPATTERN}" ]] && continue

   # example line to parse
   #Thu Aug 7 14:34:49 2008 -> Clamuko: /home/username/eicar.com.txt: Eicar-Test-Signature FOUND

   # strip everything up to "Clamuko: ", then the trailing ": <signature> FOUND"
   # (the last ": " is the separator, so a path containing ':' still parses)
   file=${line#*"Clamuko: "}
   file=${file%: *}
   echo "virus found: $file"

   # do something to the virus here (keep the path quoted, it may contain spaces)
   # example: rm "$file"
   # example: mv "$file" /tmp/quarantine

done

exit 0

EDIT: Script added to main howto in 1st post...
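Building on the log-monitoring approach in the post above, an added example (not code from this thread) that parses the FOUND lines with shell parameter expansion instead of sed and quarantines the flagged file rather than deleting it; the quarantine directory, the audit log name and the function names are assumptions:

```shell
#!/bin/bash
# Added example, not from the thread: parse Clamuko "FOUND" lines from clamd.log and
# quarantine the flagged file instead of deleting it. QUARANTINE and names are assumptions.

QUARANTINE="${QUARANTINE:-/var/quarantine}"

# Constructed sample line, in the format quoted earlier in this thread.
SAMPLE_LINE='Thu Aug 7 14:34:49 2008 -> Clamuko: /home/username/eicar.com.txt: Eicar-Test-Signature FOUND'

# Print the flagged file's path from one log line; return 1 for non-FOUND lines.
# The separator is the LAST ": ", so a path that itself contains ':' survives.
clam_found_file() {
    local rest
    case "$1" in
        *" FOUND") ;;
        *) return 1 ;;
    esac
    rest=${1#*"Clamuko: "}          # drop the timestamp and "Clamuko: " prefix
    printf '%s\n' "${rest%: *}"     # drop the trailing ": <signature> FOUND"
}

# Print the signature name from a FOUND line.
clam_found_sig() {
    local rest="${1%" FOUND"}"
    printf '%s\n' "${rest##*: }"
}

# Move a flagged file into QUARANTINE under a unique read-only name and append
# an audit record (UTC time, signature, original path). Prints the new path.
clam_quarantine() {
    local src="$1" sig="$2" dst
    [ -f "$src" ] || return 1
    mkdir -p -m 0700 "$QUARANTINE" || return 1
    dst="$QUARANTINE/$(date +%s)-$$-${src##*/}"
    mv -- "$src" "$dst" || return 1
    chmod 0400 "$dst"
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$sig" "$src" \
        >> "$QUARANTINE/quarantine.log"
    printf '%s\n' "$dst"
}

# Follow the log (tail -F survives logrotate) and quarantine every FOUND file.
clam_watch() {
    tail -n 0 -F "$1" | while IFS= read -r line; do
        f=$(clam_found_file "$line") || continue
        s=$(clam_found_sig "$line")
        d=$(clam_quarantine "$f" "$s") && echo "quarantined $f ($s) -> $d"
    done
}
```

Keep the quarantine directory outside the paths Clamuko watches, or the moved file will simply be flagged again; and since mv across filesystems copies before it deletes, put the quarantine directory on the same filesystem as the scanned paths.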
platojones
Veteran


Joined: 23 Oct 2002
Posts: 1563
Location: Just over the horizon

Posted: Sun Aug 17, 2008 8:25 pm

Bummer, patch doesn't work with gentoo-sources-2.6.25-r7 at this time.
mikegpitt
Advocate


Joined: 22 May 2004
Posts: 3200

Posted: Mon Aug 18, 2008 4:49 am

platojones wrote:
Bummer, patch doesn't work with gentoo-sources-2.6.25-r7 at this time.
Take a look at this page on the dazuko website:
http://dazuko.dnsalias.org/wiki/index.php/Downloads

It looks like they have a patch for the 2.6.25 & 26 kernels. I haven't had a chance to test it. If it works, post back and let us know :)
platojones
Veteran


Joined: 23 Oct 2002
Posts: 1563
Location: Just over the horizon

Posted: Thu Aug 21, 2008 1:51 am

Yep, compiled fine and seems to work... not exactly like the howto says... the eicar doesn't log in the file, but it doesn't download either. Seems pretty stable thus far.
platojones
Veteran


Joined: 23 Oct 2002
Posts: 1563
Location: Just over the horizon

Posted: Sat Aug 23, 2008 12:02 am

Ok, I've decided that clamuko is not really running, in spite of all of the positive log messages I see in the clamav log. One thing I've noticed that is different is that the 'default linux capabilities' in the kernel cannot be built as a module in the newest kernels. I get the /dev/dazuko and clamav reports that everything is fine, but I can download the eicar tests without a problem. Clamav does not even notice that they have been downloaded to my /home directory. Anybody else having this problem? I'm running kernel 2.6.25-gentoo-r7 with the dazuko 2.6.25 patch applied and compiled in. It's obvious my kernel does have the patch since as soon as I rebooted, the /dev/dazuko device showed up and I am getting all of the appropriate log messages indicating that dazuko is up and running fine.
mikegpitt
Advocate


Joined: 22 May 2004
Posts: 3200

Posted: Sat Aug 23, 2008 1:25 am

platojones wrote:
Ok, I've decided that clamuko is not really running, in spite of all of the positive log messages I see in the clamav log. One thing I've noticed that is different is that the 'default linux capabilities' in the kernel cannot be built as a module in the newest kernels. I get the /dev/dazuko and clamav reports that everything is fine, but I can download the eicar tests without a problem. Clamav does not even notice that they have been downloaded to my /home directory. Anybody else having this problem? I'm running kernel 2.6.25-gentoo-r7 with the dazuko 2.6.25 patch applied and compiled in. It's obvious my kernel does have the patch since as soon as I rebooted, the /dev/dazuko device showed up and I am getting all of the appropriate log messages indicating that dazuko is up and running fine.
In the newer kernels capabilities isn't needed because dazuko can be built into the kernel.

I've also noticed that with the current dazuko and clamav, firefox can download eicar. It shouldn't be a problem though, because you shouldn't be able to do anything with it once it's downloaded. On access you will receive permission denied and it will be logged.

With clamav 0.92 I was able to rm eicar without notice. On 0.93.3 rm is blocked, although mv isn't. Any real type of access like reading, writing, executing the virus is blocked and logged.

As you can see, things seem to change with various versions of clamav/dazuko, but in general it appears to work well.
platojones
Veteran


Joined: 23 Oct 2002
Posts: 1563
Location: Just over the horizon

Posted: Sat Aug 23, 2008 1:32 am

Thanks for the response mikegpitt. Sadly, no, it not only lets me download the file, but I can do anything I want to with any of the eicar files... read them, move them, copy them or remove them... not only does it not prevent those actions, it doesn't even register in the log file. Something is wrong with this kernel version, I'm afraid. Maybe all of this will be fixed in the next version... it's a very cool concept... I'd love to see it accepted into the official kernel tree where it can be properly supported.
mikegpitt
Advocate


Joined: 22 May 2004
Posts: 3200

Posted: Sat Aug 23, 2008 4:37 am

platojones wrote:
Thanks for the response mikegpitt. Sadly, no, it not only lets me download the file, but I can do anything I want to with any of the eicar files... read them, move them, copy them or remove them... not only does it not prevent those actions, it doesn't even register in the log file. Something is wrong with this kernel version, I'm afraid. Maybe all of this will be fixed in the next version... it's a very cool concept... I'd love to see it accepted into the official kernel tree where it can be properly supported.
Darn, that sucks... If I get a chance in the next few days, I'll try to take a look with a newer kernel, although it sounds like I won't have much luck.

If you don't *need* the 2.6.25 kernel, you could always use 2.6.24. I know it works well there.
platojones
Veteran


Joined: 23 Oct 2002
Posts: 1563
Location: Just over the horizon

Posted: Sat Aug 23, 2008 12:19 pm

Hi mikegpitt,
Well, here's a strange update. I woke up this morning, and my computer was locked up solid. I think it might be that crash issue that was discussed earlier in this thread (I haven't had my system crash in over a year). I rebooted, and when I did, clamuko came alive. I think at some point, I should have rebooted during this process (though I did when I rebuilt the kernel). In any event, I checked the clamd log file and it was finding stuff in my home directory (mostly old mail messages with viruses). It does look like it works. I need to look into that crash issue more, to see what the actual cause was. I know you've posted a workaround for that if it was, as I suspect, dazuko that caused it. Thanks for the help, btw.
mikegpitt
Advocate


Joined: 22 May 2004
Posts: 3200

Posted: Sat Aug 23, 2008 4:05 pm

platojones wrote:
Hi mikegpitt,
Well, here's a strange update. I woke up this morning, and my computer was locked up solid. I think it might be that crash issue that was discussed earlier in this thread (I haven't had my system crash in over a year). I rebooted, and when I did, clamuko came alive. I think at some point, I should have rebooted during this process (though I did when I rebuilt the kernel). In any event, I checked the clamd log file and it was finding stuff in my home directory (mostly old mail messages with viruses). It does look like it works. I need to look into that crash issue more, to see what the actual cause was. I know you've posted a workaround for that if it was, as I suspect, dazuko that caused it. Thanks for the help, btw.
Good stuff! (I meant the part about it working, not the crash). Yeah, you would have needed to reboot the machine to use the new kernel configuration. I'm not sure how /dev/dazuko showed up without a reboot.

Dazuko is still experimental, I'd say, but I never had it lock up my machine if it's just doing nothing in the background. The only hardlocks I've had were related to the VirusEvent option in clamav. I haven't had any luck using it, hence the workaround.
Page 2 of 2