Resolved
0 votes
According to the ClearOS Antimalware File Scan app documentation symbolic links are by default being followed.
However in my ClearOS Community 7.8.1 install it appears that symlinks are not followed at all.

To further analyze the problem I created (in a clean install) a simple setup:
1. Made the file virustest.txt containing:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

2. Placed this file in /home/admin/virustest.txt
3. Running the scan on the custom directory ‘/home/admin’ added in /etc/avscan.conf detects the file with the virus.
4. Made in /home/symdir a symbolic link /home/symdir/admin -> /home/admin
(confirmed ls -l /home/symdir/admin/ results in: virustest.txt)
5. Running the scan on the custom directory ‘/home/symdir’ does however NOT detect the virus file, i.e. the symlink is not followed.

In the Antimalware File Scan App documentation, options are given to edit ‘/etc/clearos/file_scan.conf’ to include or exclude symlinks from scanning by adding ‘follow-dir-symlinks=’.
Values of 0, 1 and 2 are allowed, and 1 is the default if the parameter is missing, the latter being the case in the Antimalware File Scan App.
According to ‘man clamscan’ the value 1 (default) means: only follow directory symlinks, which are passed as direct arguments to clamscan.
I added as a test ‘follow-dir-symlinks=2’ in /etc/clearos/file_scan.conf meaning: always follow directory symlinks. But the scan still did not follow the symlink.

It appears to me that the ‘follow-dir-symlinks’ parameter is not processed at all.

The only way that works is passing the directory symlink as a direct argument in /etc/avscan.conf, in this case /home/symdir/admin/ (the closing ‘/’ is essential).

The website I am hosting contains several symlinks to data outside the webroot. As it is now, one should be aware that scanning the web root (/var/www) will, contrary to what is suggested, NOT scan these ‘symlinked’ data.
Monday, October 26 2020, 01:33 PM
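As an added example (not from the thread and not ClearOS or clamscan code), a small Python emulation of the three follow-dir-symlinks values as ‘man clamscan’ documents them, run against the layout from the post above; it also shows why the closing ‘/’ on a symlinked directory argument matters. The signature string and the temp-dir layout are constructed stand-ins, and the traversal follows the documented semantics rather than clamscan's source.

```python
import os
import tempfile

# Constructed stand-in for a signature; the thread used the real EICAR string.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

def build_mock_layout(root):
    # Same layout as the thread: admin/virustest.txt, symdir/admin -> admin
    admin = os.path.join(root, "admin")
    os.makedirs(admin)
    with open(os.path.join(admin, "virustest.txt"), "wb") as fh:
        fh.write(TEST_SIGNATURE)
    os.makedirs(os.path.join(root, "symdir"))
    os.symlink(admin, os.path.join(root, "symdir", "admin"))

def scan(paths, follow_dir_symlinks=1):
    # Emulates clamscan -r per 'man clamscan': 0 never follows directory
    # symlinks, 1 follows only those passed as direct arguments, 2 always.
    hits = []

    def walk(path, direct):
        # os.path.islink('link/') is False: the trailing slash makes the OS
        # resolve the link before lstat, which is why the closing '/' matters.
        if os.path.islink(path) and os.path.isdir(path):
            if not (follow_dir_symlinks == 2 or (follow_dir_symlinks == 1 and direct)):
                return
        if os.path.isdir(path):
            for name in sorted(os.listdir(path)):
                walk(os.path.join(path, name), direct=False)
        elif os.path.isfile(path):
            with open(path, "rb") as fh:
                if TEST_SIGNATURE in fh.read():
                    hits.append(path)

    for p in paths:
        walk(p, direct=True)
    return hits

def demo():
    # Runs the thread's cases in a temp dir; returns {(arg, mode): relative hits}.
    root = tempfile.mkdtemp()
    build_mock_layout(root)
    cases = [("symdir", 1), ("symdir", 2), ("symdir/admin", 1),
             ("symdir/admin", 0), ("symdir/admin/", 0)]
    results = {}
    for arg, mode in cases:
        hits = scan([os.path.join(root, arg)], mode)
        results[(arg, mode)] = [os.path.relpath(h, root) for h in hits]
    return results
```

Scanning ‘symdir’ in mode 1 finds nothing because the symlink is one level below the argument, while mode 2, or passing ‘symdir/admin’ directly, reaches the file; with a trailing slash the symlink is no longer seen as one at all.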
Responses (7)
  • Accepted Answer

    Sunday, November 01 2020, 12:01 PM - #Permalink
    It looks like it works for me. With ‘follow-dir-symlinks=2’ and my symlink from /home/pi to /root in place, I get a nightly Last Scan Result e-mail telling me of the infection and the viruses show in the webconfig. If I run the scan manually, the viruses show in the webconfig and I receive an e-mail.
  • Monday, October 26 2020, 06:06 PM
    Did some further testing and found the following results with the ‘follow-dir-symlinks=2’ parameter in /etc/clearos/file_scan.conf:

    The scan completes and does not show any Last Scan Results, nothing reported in Quarantine and no e-mail notification.
    Only after refreshing the screen is the virus file reported to be in Quarantine, with the option to Delete or Whitelist it.

    Checking at the prompt, the file virustest.txt appears to have been moved from /home/admin to /var/clearos/file_scan/quarantine.
    So the scanner follows the symlink and detects the virus file, but nothing is reported and no notification mail is sent.

    When omitting ‘follow-dir-symlinks=2’ or setting it to 1 (default) the file is not detected, i.e. in that case the symlink is not followed.
  • Monday, October 26 2020, 06:03 PM
    I've tried a similar mockup (cutting down the output), all at the command line:
    [root@server ~]# /usr/bin/clamscan --stdout -r /root
    <snip>
    /root/backup-server_howitts_co_uk-07-03-2016-03-50-01.tgz: Sanesecurity.Malware.19493.Web.UNOFFICIAL FOUND
    <snip>
    /root/eicar.com.txt: winnow.malware.test.eicar.com.UNOFFICIAL FOUND
    <snip>
    /root/eicar.com: winnow.malware.test.eicar.com.UNOFFICIAL FOUND
    <snip>

    ----------- SCAN SUMMARY -----------
    Known viruses: 9112810
    Engine version: 0.101.5
    Scanned directories: 36
    Scanned files: 92
    Infected files: 3
    Data scanned: 15.21 MB
    Data read: 3998.91 MB (ratio 0.00:1)
    Time: 21.262 sec (0 m 21 s)


    [root@server ~]# /usr/bin/clamscan --stdout -r /home/pi
    /home/pi/.bash_logout: OK
    /home/pi/.bash_profile: OK
    /home/pi/.bashrc: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 9112810
    Engine version: 0.101.5
    Scanned directories: 1
    Scanned files: 3
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 17.513 sec (0 m 17 s)


    Put symlink in place:
    [root@server ~]# ls -l /home/pi
    total 0
    lrwxrwxrwx 1 root root 5 Oct 26 17:25 test -> /root


    Scan /home/pi again:
    [root@server ~]# /usr/bin/clamscan --stdout --follow-dir-symlinks=2 -r /home/pi
    <snip>
    /home/pi/test/backup-server_howitts_co_uk-07-03-2016-03-50-01.tgz: Sanesecurity.Malware.19493.Web.UNOFFICIAL FOUND
    <snip>
    /home/pi/test/eicar.com.txt: winnow.malware.test.eicar.com.UNOFFICIAL FOUND
    <snip>
    /home/pi/test/eicar.com: winnow.malware.test.eicar.com.UNOFFICIAL FOUND
    <snip>

    ----------- SCAN SUMMARY -----------
    Known viruses: 9112810
    Engine version: 0.101.5
    Scanned directories: 37
    Scanned files: 95
    Infected files: 3
    Data scanned: 15.21 MB
    Data read: 3998.91 MB (ratio 0.00:1)
    Time: 20.665 sec (0 m 20 s)


    Note I've been running the clamscan command manually.
  • Monday, October 26 2020, 04:08 PM
    I made the mock setup with the virus file in /home/admin and the symlink in /home/symdir.

    [root@mainserver ~]# ls -l /home/admin
    total 4
    -rw-r--r-- 1 root root 69 Oct 18 11:34 virustest.txt

    [root@mainserver ~]# ls -l /home/symdir
    total 0
    lrwxrwxrwx 1 root root 11 Oct 26 16:31 admin -> /home/admin


    And the scan path in /etc/avscan.conf:
    /home/symdir


    No ‘follow-dir-symlinks=’ parameter in /etc/clearos/file_scan.conf (default).
    Ran scan:
    [root@mainserver ~]# ps aux | grep clamscan
    root 31035 0.0 0.0 115344 1256 ? S 16:49 0:00 sh -c /usr/bin/clamscan --stdout -r '/home/symdir' 2>/dev/null
    root 31036 100 1.1 286076 192232 ? R 16:49 0:01 /usr/bin/clamscan --stdout -r /home/symdir
    root 31038 0.0 0.0 112812 968 pts/2 S+ 16:49 0:00 grep --color=auto clamscan


    With the ‘follow-dir-symlinks=2’ parameter in /etc/clearos/file_scan.conf.
    Ran scan:
    [root@mainserver ~]# ps aux | grep clamscan
    root 31857 0.0 0.0 115344 1260 ? S 17:03 0:00 sh -c /usr/bin/clamscan --stdout --follow-dir-symlinks=2 -r '/home/symdir' 2>/dev/null
    root 31858 114 1.3 308604 214140 ? R 17:03 0:01 /usr/bin/clamscan --stdout --follow-dir-symlinks=2 -r /home/symdir
    root 31860 0.0 0.0 112812 968 pts/2 S+ 17:03 0:00 grep --color=auto clamscan
  • Monday, October 26 2020, 02:58 PM
    Please can you start a scan then run the command:
    ps aux | grep clamscan
    and post back?
  • Monday, October 26 2020, 02:44 PM
    Hi Nick,

    Basically I want the Antimalware File Scan App to follow symbolic links, as the documentation suggests it should. But it does not, even when I add in ‘/etc/clearos/file_scan.conf’ the parameter follow-dir-symlinks=2.
  • Monday, October 26 2020, 02:12 PM
    The documentation refers you to "man clamscan". It looks like you want to set the parameter to 2. I'll see if I can clarify the docs.