Topic: [ Apache - mod_clamav ] scan can't be done

scabarrus, posted Tue 03 Jun '14 14:53:

Hi all,

I am trying to configure mod_clamav for Apache, but I have run into some problems.

To explain the context:

Apache version
Code:

./httpd -v
Server version: Apache/2.2.26 (Unix)
Server built:   Feb 27 2014 00:22:22


Modules embedded in Apache:
Code:

./httpd -l
Compiled in modules:
  core.c
  worker.c
  http_core.c
  mod_so.c



mod_clamav version:
Code:

rpm -qa | grep clam
clamd-0.98.3-1.el6.rf.x86_64
clamav-db-0.98.3-1.el6.rf.x86_64
clamav-0.98.3-1.el6.rf.x86_64
clamav-devel-0.98.3-1.el6.rf.x86_64

Two users are involved:
apache for apache
clamv for clamav

I'm not sure my understanding of clamav is correct, but I am trying to configure Apache to communicate with the clamd daemon.

I have written these lines in an included conf file for Apache:
Code:

########### CLAMAV ########################
        LoadModule clamav_module      modules/mod_clamav.so

        <IfModule mod_clamav.c>
                ClamavMode daemon
                ClamavPort 3310
                ClamavTmpdir /var/tmp
                ClamavDbdir  /var/clamav
                #ClamavShm    /var/tmp/clamav.shm
                ClamavExtendedLogging on
                LogFormat "%t %!304{clamav:status}n %{clamav:virusname}n request=\"%r\", status=%>s, sent=%!304b, delay=%!304D" clamav_stats
                CustomLog /datalog/apache/2.2.26/logs/clamv.log clamav_stats
                <Proxy *>
                        SetOutputFilter     CLAMAV
                </Proxy>

                # define the location for status information
                <Location /clamav>
                       SetHandler      clamav
                        allow from all
                </Location>

                # safe patterns is much better than ClamavSavetypes
                Include conf/safepatterns.conf

                # we have a customized message in case we find a virus
                ClamavMessage "\
                        <!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0//EN\">\
                        <html>\
                                <head>\
                                        <title>%i found virus</title>\
                                </head>\
                                <body text=\"#000000\" bgcolor=\"#ffffff\">\
                                        <basefont size=\"4\">\
                                                <h1><center>%i found virus</center></h1>\
                                                <p>The virus <b>%v</b> was found while downloading <i>%u</i>.\
                                                The transfer has been aborted.</p>\
                                        </basefont>\
                                </body>\
                        </html>\
                "
        </IfModule>


I have deployed an HTML file with the EICAR code to check that it works.

When I restart Apache, all requests are blocked, even other pages with simple text.

I see this error in the error log file:
Code:

[debug] filter.c(712): [client 195.212.29.91] [6199] check pattern bmp
[debug] filter.c(653): [client 195.212.29.91] [6199] 10 bytes written to tmp file /var/tmp/clamh2yq8c
[debug] filter.c(783): [client 195.212.29.91] [6199] data bucket found
[debug] filter.c(697): [client 195.212.29.91] [6199] bucket type: HEAP (uri /test/acc.html)
[debug] filter.c(702): [client 195.212.29.91] [6199] perform pattern checks
[debug] filter.c(653): [client 195.212.29.91] [6199] 198 bytes written to tmp file /var/tmp/clamh2yq8c
[debug] filter.c(783): [client 195.212.29.91] [6199] data bucket found
[debug] filter.c(697): [client 195.212.29.91] [6199] bucket type: POOL (uri /test/acc.html)
[debug] filter.c(702): [client 195.212.29.91] [6199] perform pattern checks
[debug] filter.c(653): [client 195.212.29.91] [6199] 8 bytes written to tmp file /var/tmp/clamh2yq8c
[debug] filter.c(783): [client 195.212.29.91] [6199] data bucket found
[debug] filter.c(697): [client 195.212.29.91] [6199] bucket type: EOS (uri /test/acc.html)
[debug] filter.c(788): [client 195.212.29.91] [6199] bucket of type End of Stream found
[debug] filter.c(445): [client 195.212.29.91] [6199] initiating virus check in file /var/tmp/clamh2yq8c
[debug] filter.c(161): [client 195.212.29.91] [6199] daemon socket created: 15
[debug] filter.c(170): [client 195.212.29.91] [6199] connected to daemon
[debug] filter.c(178): [client 195.212.29.91] [6199] sending scan command SCAN /var/tmp/clamh2yq8c\n
[debug] filter.c(210): [client 195.212.29.91] [6199] got scan reply: /var/tmp/clamh2yq8c: Access denied. ERROR\n
[debug] filter.c(246): [client 195.212.29.91] [6199] reply code: ERROR
[debug] filter.c(462): [client 195.212.29.91] [6199] virus checked /test/acc.html (text/html), 216 bytes, in 1ms
[debug] filter.c(476): [client 195.212.29.91] [6199] statistics: 1385+216 bytes, 7 checked
[error] [client 195.212.29.91] [6199] virus daemon connection problem found in request /test/acc.html
[debug] filter.c(508): [client 195.212.29.91] [6199] trickle bytes sent so far: 0 (< 2GB)
[debug] handler.c(50): [client 195.212.29.91] [6199] setting status message: status=INFECTED, details=client notified, virusname=daemon connection problem
[debug] handler.c(36): [client 195.212.29.91] [6199] clamav:status - INFECTED
[debug] handler.c(36): [client 195.212.29.91] [6199] clamav:details - client notified
[debug] handler.c(36): [client 195.212.29.91] [6199] clamav:virusname - daemon connection problem
[debug] handler.c(36): [client 195.212.29.91] [6199] clamav:longstatus - INFECTED, client notified, found virus: daemon connection problem
[debug] filter.c(513): [client 195.212.29.91] sending virus info to client
[debug] handler.c(170): [client 195.212.29.91] [6199] sending 438 bytes to client
[debug] filter.c(395): [client 195.212.29.91] [6199] sending eos bucket for request /test/acc.html
[debug] mod_headers.c(756): headers: ap_headers_output_filter()


This page, acc.html, contains only a simple form and is considered an infected file.

Looking at the log, you can see that permission is refused for the scan on
/var/tmp/clamh2yq8c: Access denied.

But earlier in the same log, it says that this file was created.

Could you help me?

Thanks in advance
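
The debug log in the post above shows clamd answering the SCAN command with "Access denied. ERROR", after which the request is logged as status=INFECTED with virusname "daemon connection problem". The following Python snippet is an added example (not part of the original post and not mod_clamav's code) that classifies clamd SCAN replies so a failed scan is reported separately from a detection; the status labels, function names and two of the three sample log lines are constructed for illustration.

```python
import re
import socket

# mod_clamav logs the daemon's answer as "got scan reply: <reply>\n" (literal backslash-n).
REPLY_RE = re.compile(r"got scan reply: (?P<reply>.*?)(?:\\n)?\s*$")

def classify_reply(reply):
    """Map one clamd SCAN reply to (status, path, detail).

    clamd answers '<path>: OK', '<path>: <signature> FOUND' or
    '<path>: <reason> ERROR'; ERROR means the file was never scanned.
    Assumes the path itself contains no ': ' (true for clamXXXXXX temp files).
    """
    path, sep, rest = reply.strip().partition(": ")
    if not sep:
        return ("UNKNOWN", "", reply.strip())
    if rest == "OK":
        return ("CLEAN", path, "")
    if rest.endswith(" FOUND"):
        return ("INFECTED", path, rest[:-len(" FOUND")])
    if rest.endswith(" ERROR"):
        return ("SCAN_FAILED", path, rest[:-len(" ERROR")])
    return ("UNKNOWN", path, rest)

def replies_from_log(lines):
    """Pull every scan reply out of Apache error-log lines and classify it."""
    found = (REPLY_RE.search(line) for line in lines)
    return [classify_reply(m.group("reply")) for m in found if m]

def scan_path(path, host="127.0.0.1", port=3310, timeout=10):
    """Send the 'SCAN <path>' command seen in the log to clamd over TCP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"SCAN {path}\n".encode())
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return classify_reply(data.decode(errors="replace"))

SAMPLE_LOG = [
    # first line is from the post; the other two are constructed
    r"[debug] filter.c(210): [client 195.212.29.91] [6199] got scan reply: /var/tmp/clamh2yq8c: Access denied. ERROR\n",
    r"[debug] filter.c(210): [client 192.0.2.10] [6200] got scan reply: /var/tmp/clamAAAAAA: OK\n",
    r"[debug] filter.c(210): [client 192.0.2.10] [6201] got scan reply: /var/tmp/clamBBBBBB: Eicar-Test-Signature FOUND\n",
]

if __name__ == "__main__":
    for status, path, detail in replies_from_log(SAMPLE_LOG):
        print(f"{status:12} {path} {detail}")
```

scan_path() needs a running clamd listening on 127.0.0.1:3310 (the ClamavPort value in the configuration above) and is not exercised by the sample data.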

James Blond (Moderator), posted Wed 04 Jun '14 15:20:

Make sure you run clamd as root.

scabarrus, posted Thu 05 Jun '14 16:42:

Hi,

The clamd daemon is launched by root, as you can see:
Code:

ps -eaf | grep clamd
root 17095 1 0 16:33 ? 00:00:00 clamd


The active configuration in the file /etc/clamd.conf is:
Code:

cat /etc/clamd.conf | grep -v ^#|grep -v ^$
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User root
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanHTML yes
ScanArchive yes
ArchiveBlockEncrypted no


Thanks for your help.