Configure clamdscan to scan all files on a system on Ubuntu 12.04

3

14

I did the following to install clamscan:

sudo aptitude install clamav 
sudo aptitude install clamav-daemon

and verified:

sudo ps -eal | grep clam
1 S 116 4788 1 2 80 0 - 4004 pause ? 00:00:13 freshclam
1 S 116 5930 1 0 80 0 - 69984 poll_s ? 00:00:00 clamd 

However, when I try to scan all the files on the system by running

sudo clamdscan /

I keep getting the following error message:

lstat() failed: Permission denied. ERROR

However if I run

sudo clamscan /

it works, but this process is much longer and not a good option.

From my understanding, clamd uses the user 'clamav' and is listed in the /etc/clamav/clamd.conf file. I've added the user clamav to the following groups: root, adm, sudo, but it still doesn't work.

I've also tried disabling AppArmor as I read that could be the issue, but no success.

Dys answered 22/8, 2014 at 0:28 Comment(0)
23

sudo clamdscan /path/to/some_file.txt will pass the request along to the clamd daemon. That daemon runs under a different user, which may not have access to /path/to/some_file.txt.

However, the user invoking the command may very well have access to that file. In order to pass your permissions along to the daemon, use the --fdpass flag:

--fdpass
    Pass the file descriptor permissions to clamd. This is useful if clamd is running as a different user as it is faster than streaming the file to clamd. Only available if connected to clamd via local(unix) socket. 

In your case sudo clamdscan --fdpass / should do the trick.

Eleventh answered 1/4, 2015 at 13:18 Comment(0)
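The mechanism behind --fdpass, as an added example that is not part of the original answer or of ClamAV's code: the caller opens the file with its own permissions and hands the open descriptor to the other side over a Unix socket as SCM_RIGHTS ancillary data. Assumptions: both ends run in one process here, and unlinking the file stands in for "the receiver cannot open this path"; the function names and sample content are constructed.

```python
import array
import os
import socket
import tempfile


def send_fd(sock, fd):
    """Sender role (what clamdscan --fdpass does): ship an open descriptor."""
    fds = array.array("i", [fd])
    # One payload byte is required; the descriptor travels as ancillary data.
    sock.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, fds)])


def recv_fd(sock):
    """Receiver role (what clamd does): obtain a descriptor, never a path."""
    fds = array.array("i")
    _, ancdata, _, _ = sock.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
            return fds[0]
    raise RuntimeError("no descriptor received")


def demo():
    # A connected pair of Unix sockets stands in for clamd's local socket.
    client, daemon = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.txt")
        with open(path, "wb") as f:
            f.write(b"constructed sample content")
        fd = os.open(path, os.O_RDONLY)  # opened with the caller's rights
        os.unlink(path)                  # the path can no longer be opened
        send_fd(client, fd)
        os.close(fd)                     # the in-flight copy stays valid
        received = recv_fd(daemon)
        path_usable = os.path.exists(path)
        with os.fdopen(received, "rb") as f:
            data = f.read()              # read through the passed descriptor
    client.close()
    daemon.close()
    return path_usable, data


if __name__ == "__main__":
    print(demo())
```

Because access travels with the descriptor, a scan run with --fdpass reaches exactly what the invoking user could open, and the clamav account needs no extra group memberships.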
0

This may be too late an answer, but I could not find any useful solution anywhere.

In cases where you cannot use '--fdpass' with clamdscan, or you use another scan request method such as Samba's vfs_virusfilter, check your Linux security system, such as SELinux or AppArmor.

My workaround on the Ubuntu 20.04 host is to add the path to the AppArmor config file.

/etc/apparmor.d/usr.sbin.clamd

/path-to-allow-scan/** r,
Wrung answered 24/6, 2023 at 10:7 Comment(0)
0

In my case, my system (a Fedora 39 XFCE virtual machine) was using SELinux rather than AppArmor. To solve my issues, I used a combination of this approach and the --stream approach mentioned on this page.

To find the relevant log messages, I ran:

sudo journalctl --grep denied

and scrolled to the end by pressing the End key.

Then, to add an SELinux rule to allow the file access operation in question, I ran:

sudo audit2allow -M local << _EOF_
(pasted here log message starting with AVC avc:)
_EOF_

Next, to apply the SELinux rule I just created, I ran:

sudo semodule -i /etc/selinux/targeted/local.pp

I also needed to edit /etc/clamd.d/scan.conf (using sudoedit /etc/clamd.d/scan.conf) and comment out the LocalSocketMode 660 line that I had uncommented previously. Next, I reloaded the clamd service using sudo systemctl reload clamd\@scan. (Not sure if this was necessary or not.) And finally, I reran the scan using:

clamdscan --multiscan --stream ~
Shiff answered 25/5 at 21:33 Comment(0)
