Topic: [ Apache - mod_clamav ] scan can't be done |
|
Author |
|
scabarrus
Joined: 03 Jun 2014 Posts: 2 Location: France
|
Posted: Tue 03 Jun '14 14:53 Post subject: [ Apache - mod_clamav ] scan can't be done |
|
|
Hi all,
I am trying to configure mod_clamav for Apache, but I have run into some problems.
To explain the context:
Apache version
Code: |
./httpd -v
Server version: Apache/2.2.26 (Unix)
Server built: Feb 27 2014 00:22:22
|
Module embedded in apache :
Code: |
./httpd -l
Compiled in modules:
core.c
worker.c
http_core.c
mod_so.c
|
mod_clamav version :
Code: |
rpm -qa | grep clam
clamd-0.98.3-1.el6.rf.x86_64
clamav-db-0.98.3-1.el6.rf.x86_64
clamav-0.98.3-1.el6.rf.x86_64
clamav-devel-0.98.3-1.el6.rf.x86_64
|
There are two users involved:
apache for apache
clamv for clamav
I'm not sure my understanding of clamav is correct, but I am trying to configure Apache to communicate with the clamd daemon.
I have written these lines in an included conf file for Apache:
Code: |
########### CLAMAV ########################
LoadModule clamav_module modules/mod_clamav.so
<IfModule mod_clamav.c>
ClamavMode daemon
ClamavPort 3310
ClamavTmpdir /var/tmp
ClamavDbdir /var/clamav
#ClamavShm /var/tmp/clamav.shm
ClamavExtendedLogging on
LogFormat "%t %!304{clamav:status}n %{clamav:virusname}n request=\"%r\", status=%>s, sent=%!304b, delay=%!304D" clamav_stats
CustomLog /datalog/apache/2.2.26/logs/clamv.log clamav_stats
<Proxy *>
SetOutputFilter CLAMAV
</Proxy>
# define the location for status information
<Location /clamav>
SetHandler clamav
allow from all
</Location>
# safe patterns is much better than ClamavSavetypes
Include conf/safepatterns.conf
# we have a customized message in case we find a virus
ClamavMessage "\
<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0//EN\">\
<html>\
<head>\
<title>%i found virus</title>\
</head>\
<body text=\"#000000\" bgcolor=\"#ffffff\">\
<basefont size=\"4\">\
<h1><center>%i found virus</center></h1>\
<p>The virus <b>%v</b> was found while downloading <i>%u</i>.\
The transfer has been aborted.</p>\
</basefont>\
</body>\
</html>\
"
</IfModule>
|
I have deployed an HTML file with the EICAR code to check that it works.
When I restart Apache, all requests are blocked, even other pages with simple text.
I have seen this error in the error log file:
Code: |
[debug] filter.c(712): [client 195.212.29.91] [6199] check pattern bmp
[debug] filter.c(653): [client 195.212.29.91] [6199] 10 bytes written to tmp file /var/tmp/clamh2yq8c
[debug] filter.c(783): [client 195.212.29.91] [6199] data bucket found
[debug] filter.c(697): [client 195.212.29.91] [6199] bucket type: HEAP (uri /test/acc.html)
[debug] filter.c(702): [client 195.212.29.91] [6199] perform pattern checks
[debug] filter.c(653): [client 195.212.29.91] [6199] 198 bytes written to tmp file /var/tmp/clamh2yq8c
[debug] filter.c(783): [client 195.212.29.91] [6199] data bucket found
[debug] filter.c(697): [client 195.212.29.91] [6199] bucket type: POOL (uri /test/acc.html)
[debug] filter.c(702): [client 195.212.29.91] [6199] perform pattern checks
[debug] filter.c(653): [client 195.212.29.91] [6199] 8 bytes written to tmp file /var/tmp/clamh2yq8c
[debug] filter.c(783): [client 195.212.29.91] [6199] data bucket found
[debug] filter.c(697): [client 195.212.29.91] [6199] bucket type: EOS (uri /test/acc.html)
[debug] filter.c(788): [client 195.212.29.91] [6199] bucket of type End of Stream found
[debug] filter.c(445): [client 195.212.29.91] [6199] initiating virus check in file /var/tmp/clamh2yq8c
[debug] filter.c(161): [client 195.212.29.91] [6199] daemon socket created: 15
[debug] filter.c(170): [client 195.212.29.91] [6199] connected to daemon
[debug] filter.c(178): [client 195.212.29.91] [6199] sending scan command SCAN /var/tmp/clamh2yq8c\n
[debug] filter.c(210): [client 195.212.29.91] [6199] got scan reply: /var/tmp/clamh2yq8c: Access denied. ERROR\n
[debug] filter.c(246): [client 195.212.29.91] [6199] reply code: ERROR
[debug] filter.c(462): [client 195.212.29.91] [6199] virus checked /test/acc.html (text/html), 216 bytes, in 1ms
[debug] filter.c(476): [client 195.212.29.91] [6199] statistics: 1385+216 bytes, 7 checked
[error] [client 195.212.29.91] [6199] virus daemon connection problem found in request /test/acc.html
[debug] filter.c(508): [client 195.212.29.91] [6199] trickle bytes sent so far: 0 (< 2GB)
[debug] handler.c(50): [client 195.212.29.91] [6199] setting status message: status=INFECTED, details=client notified, virusname=daemon connection problem
[debug] handler.c(36): [client 195.212.29.91] [6199] clamav:status - INFECTED
[debug] handler.c(36): [client 195.212.29.91] [6199] clamav:details - client notified
[debug] handler.c(36): [client 195.212.29.91] [6199] clamav:virusname - daemon connection problem
[debug] handler.c(36): [client 195.212.29.91] [6199] clamav:longstatus - INFECTED, client notified, found virus: daemon connection problem
[debug] filter.c(513): [client 195.212.29.91] sending virus info to client
[debug] handler.c(170): [client 195.212.29.91] [6199] sending 438 bytes to client
[debug] filter.c(395): [client 195.212.29.91] [6199] sending eos bucket for request /test/acc.html
[debug] mod_headers.c(756): headers: ap_headers_output_filter()
|
This page, acc.html, contains only a simple form and is considered an infected file.
In the log, you can see that permission is refused for the scan on
/var/tmp/clamh2yq8c: Access denied.
But earlier in the same log it is written that this file is created.
Could you help me?
Thanks in advance |
|
|
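An added example, not part of the original thread and not mod_clamav code: a small triage script for the debug log format quoted in the post above. It compares what clamd actually answered to the SCAN command with what mod_clamav reported to the client, so a request blocked because of a scan ERROR can be told apart from a real detection. The function names are hypothetical, and grouping by the bracketed id after the client address assumes one request per id in the excerpt being examined.

```python
import re

# clamd answers SCAN with "<path>: OK", "<path>: <signature> FOUND"
# or "<path>: <message> ERROR".
REPLY_RE = re.compile(r"^(?P<path>.+): (?:(?P<detail>.*) )?(?P<code>OK|FOUND|ERROR)$")
ID_RE = re.compile(r"\[client [^\]]+\] \[(\d+)\]")
GOT_REPLY = "got scan reply: "
VIRUSNAME = "clamav:virusname - "

# The first two lines are copied from the post; the last two are constructed.
SAMPLE = [
    r"[debug] filter.c(210): [client 195.212.29.91] [6199] got scan reply: /var/tmp/clamh2yq8c: Access denied. ERROR\n",
    "[debug] handler.c(36): [client 195.212.29.91] [6199] clamav:virusname - daemon connection problem",
    r"[debug] filter.c(210): [client 192.0.2.10] [7001] got scan reply: /var/tmp/clamEXAMPLE: Eicar-Test-Signature FOUND\n",
    "[debug] handler.c(36): [client 192.0.2.10] [7001] clamav:virusname - Eicar-Test-Signature",
]


def parse_clamd_reply(reply):
    """Split one clamd SCAN reply into (path, code, detail)."""
    text = reply.replace("\\n", "").strip()  # the debug log prints a literal \n
    m = REPLY_RE.match(text)
    if m is None:
        return (None, "UNPARSED", text)
    return (m.group("path"), m.group("code"), m.group("detail") or "")


def triage(log_lines):
    """Per bracketed id: what clamd replied vs. what mod_clamav reported."""
    results = {}
    for line in log_lines:
        m = ID_RE.search(line)
        if m is None:
            continue
        entry = results.setdefault(m.group(1), {"code": None, "detail": "", "reported": None})
        if GOT_REPLY in line:
            _, entry["code"], entry["detail"] = parse_clamd_reply(line.split(GOT_REPLY, 1)[1])
        elif VIRUSNAME in line:
            entry["reported"] = line.split(VIRUSNAME, 1)[1].strip()
    return results


def blocked_by_scan_error(entry):
    """True when a virus name was reported although clamd never said FOUND."""
    return entry["reported"] is not None and entry["code"] != "FOUND"
```

Run over the log in the post, the entry for id 6199 shows clamd replying ERROR with "Access denied." while mod_clamav reports the virus name "daemon connection problem", which is why a page with only a simple form is returned as infected.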
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Wed 04 Jun '14 15:20 Post subject: |
|
|
make sure you run clamd as root. |
|
|
scabarrus
Joined: 03 Jun 2014 Posts: 2 Location: France
|
Posted: Thu 05 Jun '14 16:42 Post subject: |
|
|
Hi,
The clamd daemon is launched by root, as you can see:
Code: |
ps -eaf | grep clamd
root 17095 1 0 16:33 ? 00:00:00 clamd
|
The active configuration in the file /etc/clamd.conf is:
Code: |
cat /etc/clamd.conf | grep -v ^#|grep -v ^$
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User root
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanHTML yes
ScanArchive yes
ArchiveBlockEncrypted no |
Thanks for your help. |
|