Hello,
I'm very new to clearOS, but I know a bit about networking. I looked through my log file and checked that ClamAV is updated but I can't seem to get it working. I keep trying to download EICAR test virus from their official site and it keeps letting me, suggesting that the anti-virus is actually not working. If you could help me trouble shoot this problem I would be thankful.
Ali T.
Responses (14)
Nick Howitt wrote:
Shaoxin Peng wrote:
Download to what? It should protect LAN machines if they are running the content filter and, perhaps the proxy on its own in non-transparent mode. In transparent mode the proxy cannot intercept https so clamav cannot protect you.
I am also having the same problem. I can download EICAR test files freely.
I am not sure there is any protection when downloading to the server. I'll have to ask - and I've just missed my Friday call to ask.
Thanks for the hint, Nick! I realized it's because I did not install the content filter. After installing it, antivirus works for LAN machine. -
Shaoxin Peng wrote:
Download to what? It should protect LAN machines if they are running the content filter and, perhaps the proxy on its own in non-transparent mode. In transparent mode the proxy cannot intercept https so clamav cannot protect you.
I am also having the same problem. I can download EICAR test files freely.
I am not sure there is any protection when downloading to the server. I'll have to ask - and I've just missed my Friday call to ask. -
Marcel van Leeuwen wrote:
So I have to set the proxy to detect the virus when downloading the test file on my MacBook.
I don't know about that. If you download without the proxy to your MacBook with https, there is no way ClamAV can inspect the traffic. If you use http, it may or may not download. I have a feeling it does download as the Eicar test file tripped my PC's scanner (so I assume got through ClearOS) and I can find nothing in the ClearOS logs. I am pretty certain the proxy does scan, but I have no idea if you need the content filter as well as I don't use either. Have a play and post back. -
First thank you Ben for clarifying. Also thank you Nick. I think I was a bit impatient.
Going to test and experiment with ClamAV this weekend.
I did a fast check. I downloaded this test file to my tmp directory on my server and with "clamscan" it detects the file. It also found a virus in a plugin of Plex. Not sure if this is a false positive, but this is something else to investigate. So I have to set the proxy to detect the virus when downloading the test file on my MacBook. Interesting. I think I have to do some homework this weekend. -
I was going to chip in but was having my dinner. As far as I am aware ClamAV is a background service, but it hooks onto the proxy, e-mails and, somehow, downloads without the proxy. It can also be invoked when you request an on-demand scan then clamscan is called (like on the nightly scan).
It is not the most effective scanner in the world and takes ages to scan. For an on-demand scan I had to hack the clamscan script to exclude the images created by my security camera in order to get the scan to take a sensible time. (There is a feature request for this)
I would also never rely on it for full protection of the network. Any PC downloading using https without a non-transparent proxy will bypass the scanner.
Anyone is welcome to chip in as my first paragraph may be wide of the mark. -
You can try this simple test:
# wget http://www.eicar.org/download/eicar.com.txt
--2018-06-28 13:59:54-- http://www.eicar.org/download/eicar.com.txt
Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: ‘eicar.com.txt’
100%[====================================================================================================>] 68 --.-K/s in 0s
2018-06-28 13:59:54 (11.7 MB/s) - ‘eicar.com.txt’ saved [68/68]
# clamscan eicar.com.txt
eicar.com.txt: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6849330
Engine version: 0.99.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 24.197 sec (0 m 24 s)
If this works for you (which I'm almost positive it will), you should focus on your setup...
Is your proxy in active or passive mode?
Are you downloading from http or https?
Do you have antimalware scanning enabled?
Content filter policy group of the client
Bypass/whitelist rules
etc.
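The clamscan output above is what a nightly or on-demand scan on the server produces, and scripting against it is the easiest way to notice a detection that nobody is watching the console for. This added parser (not part of the thread or of ClearOS/ClamAV) turns that text into a structured report and cross-checks the summary's "Infected files" count against the FOUND lines, which catches truncated or aborted scans; the sample output is constructed from the lines in this post plus an OK and an ERROR line with colons in the path.

```python
import re
from dataclasses import dataclass, field

# Per-file lines end in " FOUND", " OK" or " ERROR"; paths may themselves contain
# ':' so the path is the greedy prefix and the verdict is anchored at line end.
_FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
_OK_RE = re.compile(r"^(?P<path>.+): OK$")
_ERROR_RE = re.compile(r"^(?P<path>.+): (?P<msg>.+) ERROR$")
_SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")

# Constructed sample: the thread's clamscan output plus two extra per-file lines.
SAMPLE_OUTPUT = """\
eicar.com.txt: Eicar-Test-Signature FOUND
/home/user/notes: report.txt: OK
/var/cam/img:001.jpg: Can't open file or directory ERROR

----------- SCAN SUMMARY -----------
Known viruses: 6849330
Engine version: 0.99.3
Scanned directories: 0
Scanned files: 2
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 24.197 sec (0 m 24 s)
"""


@dataclass
class ScanReport:
    detections: dict = field(default_factory=dict)  # path -> signature name
    clean: list = field(default_factory=list)
    errors: dict = field(default_factory=dict)      # path -> error message
    summary: dict = field(default_factory=dict)     # e.g. "Infected files" -> "1"


def parse_clamscan(output: str) -> ScanReport:
    """Split clamscan's stdout into per-file verdicts and the SCAN SUMMARY block."""
    report, in_summary = ScanReport(), False
    for line in (raw.strip() for raw in output.splitlines()):
        if not line:
            continue
        if "SCAN SUMMARY" in line:
            in_summary = True
        elif in_summary:
            if m := _SUMMARY_RE.match(line):
                report.summary[m.group("key")] = m.group("value")
        elif m := _FOUND_RE.match(line):
            report.detections[m.group("path")] = m.group("sig")
        elif m := _ERROR_RE.match(line):
            report.errors[m.group("path")] = m.group("msg")
        elif m := _OK_RE.match(line):
            report.clean.append(m.group("path"))
    return report


def infected_count_consistent(report: ScanReport) -> bool:
    """True when the summary's 'Infected files' equals the FOUND lines actually seen;
    a mismatch or missing summary means the output was truncated or the scan aborted."""
    try:
        return int(report.summary["Infected files"]) == len(report.detections)
    except (KeyError, ValueError):
        return False
```

Feed it `clamscan -r --exclude-dir=... /path | python3 parse_clamscan.py`-style captured output and alert whenever `detections` is non-empty or the consistency check fails.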
Here the documentation of Gateway antivirus.
https://www.clearos.com/resources/documentation/clearos/content:en_us:7_ug_antivirus
I read the documentation but I didn't find anything interesting. -
ah, found it.
The module name is "ClamAV" and on my system it's running.
[root@voyager ~]# systemctl status clamd
● clamd.service - ClamAV daemon
Loaded: loaded (/usr/lib/systemd/system/clamd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-06-27 18:15:48 CEST; 2h 4min ago
Process: 748 ExecStart=/usr/sbin/clamd (code=exited, status=0/SUCCESS)
Main PID: 2318 (clamd)
CGroup: /system.slice/clamd.service
└─2318 /usr/sbin/clamd
Jun 27 18:15:34 voyager.xxxxxxxx.xx systemd[1]: Starting ClamAV daemon...
Jun 27 18:15:48 voyager.xxxxxxxx.xx systemd[1]: Started ClamAV daemon.
Why does this service have no start and stop button, and why don't I see it in the "Services" tab? -
I'm still looking for a troubleshooting process. I need a permanent fix for it; I cannot use K7 Antivirus forever as an alternative option.