ClamAV - LogFile - File Information cryptic or useless

  • Hello,

    I have a question for those of you who use the CLAMAV plugin.

    My log /var/log/clamav/clamav.log looks all like this:

    Tue Apr 21 21:10:28 2020 -> fd[10]: OK
    Tue Apr 21 21:10:28 2020 -> fd[10]: OK
    Tue Apr 21 21:10:28 2020 -> fd[10]: OK
    Tue Apr 21 21:10:28 2020 -> fd[10]: OK
    Tue Apr 21 21:10:28 2020 -> fd[10]: OK
    Tue Apr 21 21:10:28 2020 -> fd[10]: OK
    Tue Apr 21 21:10:28 2020 -> fd[10]: OK
    Tue Apr 21 21:10:28 2020 -> fd[10]: OK
    Tue Apr 21 21:10:28 2020 -> fd[10]: OK
    Tue Apr 21 21:10:28 2020 -> fd[10]: OK
    Tue Apr 21 21:10:28 2020 -> fd[10]: OK



    I have tested the EICAR test file (see: https://easyengine.io/tutorial…server/testing/antivirus/) and put the file in /tmp.


    Now I scanned using this command: sudo clamdscan /tmp/ --fdpass

    This is how the log looks.

    Tue Apr 21 21:17:40 2020 -> fd[10]: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND


    I do not know why, or how I can get to see the filename. I mean, it's nice to see a warning that a virus is detected, but with a log like this I don't know which file caused the alert.

    Does anyone have a hint on how I can see the filename?


    My environment:

    OMV 5.39.x
    CLAMAV Plugin: openmediavault-clamav 5.0.9-1

    Hard disks are 2 SSDs in RAID1 (SoftRaid by OMV), formatted with EXT4.


    Here is my conf file:

    root@MYNAS:/tmp# cat /etc/clamav/clamd.conf

    # This file is auto-generated by openmediavault (https://www.openmediavault.org)
    # WARNING: Do not edit this file, your changes will get lost.

    LocalSocket /run/clamav/clamd.ctl
    FixStaleSocket true
    LocalSocketGroup clamav
    LocalSocketMode 666
    AlertEncrypted false
    AlertEncryptedArchive false
    AlertEncryptedDoc false
    MaxDirectoryRecursion 15
    FollowDirectorySymlinks False
    FollowFileSymlinks False
    ReadTimeout 120
    MaxThreads 3
    MaxConnectionQueueLength 15
    LogSyslog false
    LogRotate false
    LogFacility LOG_LOCAL6
    LogClean false
    LogVerbose false
    DatabaseDirectory /var/lib/clamav
    SelfCheck 3600
    Foreground false
    Debug false
    ScanPE True
    MaxEmbeddedPE 10M
    ScanOLE2 True
    ScanPDF False
    ScanHTML True
    MaxHTMLNormalize 10M
    MaxHTMLNoTags 2M
    MaxScriptNormalize 5M
    MaxZipTypeRcg 1M
    ScanSWF true
    ScanELF True
    ScanArchive False
    ScanMail false
    AlertBrokenExecutables False
    ExitOnOOM false
    LeaveTemporaryFiles false
    HeuristicAlerts True
    IdleTimeout 30
    PhishingSignatures true
    PhishingScanURLs false
    AlertPhishingSSLMismatch false
    AlertPhishingCloak false
    AlertPartitionIntersection false
    DetectPUA False
    ScanPartialMessages false
    HeuristicScanPrecedence false
    StructuredDataDetection false
    CommandReadTimeout 30
    SendBufTimeout 500
    MaxQueue 100
    ExtendedDetectionInfo true
    AlertOLE2Macros false
    AllowAllMatchScan true
    ForceToDisk false
    DisableCertCheck false
    DisableCache false
    MaxScanSize 100M
    MaxFileSize 25M
    MaxRecursion 16
    MaxFiles 10000
    MaxPartitions 50
    MaxIconsPE 100
    PCREMatchLimit 10000
    PCRERecMatchLimit 5000
    PCREMaxFileSize 25M
    ScanXMLDOCS true
    ScanHWP3 true
    MaxRecHWP3 16
    StreamMaxLength 25M
    LogFile /var/log/clamav/clamav.log
    LogTime true
    LogFileUnlock false
    LogFileMaxSize 0
    Bytecode true
    BytecodeSecurity TrustSigned
    BytecodeTimeout 60000
    OfficialDatabaseOnly false
    CrossFilesystems true
    VirusEvent /bin/run-parts --lsbsysinit -- /etc/clamav/virusevent.d/
    User clamav
    OnAccessMaxFileSize 100M
    OnAccessMaxThreads 5
    OnAccessDisableDDD false
    OnAccessPrevention true
    OnAccessExtraScanning true
    OnAccessExcludeUname clamav
    OnAccessRetryAttempts 3




    Any help is welcome.

    oem111

  • oem111

    Added the label OMV 5.x.
  • oem111

    Changed the thread title from "ClamAV - LogFile" to "ClamAV - LogFile - File Information cryptic or useless".
  • Hello and thanks for this first hint.


    So what I was seeing: if I start a "scheduled job" from the "Antivirus" section in the WebGUI, the /var/log/clamav/clamav.log does not look different.

    The scan summary is not listed in the clamav.log either.

    The result of the running scheduled task, if I am logged into the web console, is shown in a popup and it contains a readable filename. See attachment.
    And according to Firefox the output is read from a file in /tmp.

    See screenshot tmp_bgstatus.


    The section "system logs" only reads the clamav.log as it is, with the FD syntax only.

    However, these scheduled tasks will run unattended at night so I will never see this result.


    It seems to me that the stdout of the scheduled task will be dropped.

    So I was searching deeper in the system and found the cron file that is performing the jobs, and votdev said it is also performed with --fdpass.

    For example: /var/lib/openmediavault/cron.d/clamdscan-19f590cd-4404-4ea2-8a8f-5743c44869e4




    Just for testing I modified the cron file, knowing that these changes will be overwritten by OMV.
    However, I was able to add --log=/tmp/test1 to the command and received a log file in /tmp.

    omv_log "Please wait, scanning shared folder <Docker> ...\n"

    clamdscan --fdpass --stdout --multiscan --verbose "/srv/dev-disk-by-label-SSDRaid/Docker/" --log=/tmp/test1 & wait $!

    omv_log "\nThe scan has completed successfully."



    The output of the WebGUI popup is still working.

    So if the developer of the plugin could add the possibility to define an additional logfile, adding the --log parameter to the cron file, my issues would be solved.

    For now I will add --log to all my clamav cron jobs until they get overwritten.


  • Hi,

    thanks for the advice with the mail.
    I may test this as well.

    So my investigation took a little while, but I found the Salt scripts that were generating the cron files.

    For now I added the log parameter to the file
    /var/cache/salt/minion/files/base/omv/deploy/clamav/files/cron-clamdscan-script.j2



    old Line 22:
    {{ separator }}"{{ salt['omv_conf.get_sharedfolder_path'](job.sharedfolderref) }}" & wait $!



    new Line 22:

    {{ separator }}"{{ salt['omv_conf.get_sharedfolder_path'](job.sharedfolderref) }}" --log="/tmp/scan_{{ salt['omv_conf.get_sharedfolder_name'](job.sharedfolderref) }}.log" & wait $!



    Now the scheduled tasks are generated with the log parameter as well.

    I also replaced /tmp with my actual Samba share, so I can read them directly in Windows.

    Thanks.


    oem111
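
As an added example (not part of the posts above, and not OMV or ClamAV code): a shell helper that lists infected file names from the per-share logs the modified template writes with `--log`, so unattended night scans can be checked afterwards. It assumes clamdscan logs detections as `<path>: <signature> FOUND`; the sample logs and the `Media` share are constructed.

```shell
#!/bin/sh
# Added example: pull infected file names out of `clamdscan --log=...` logs.
# Assumption: detections are logged as "<path>: <signature> FOUND".
TAB=$(printf '\t')

# Print "<path><TAB><signature>" for each FOUND line in log file $1.
# The greedy first group splits on the last ": ", so odd paths survive.
found_entries() {
    sed -n "s/^\(.*\): \(.*\) FOUND\$/\1${TAB}\2/p" "$1"
}

# Keep only detections with a usable path; clamd's own log has just the
# "fd[N]" placeholder under --fdpass, which cannot be mapped to a file.
named_detections() {
    found_entries "$1" |
        grep -v -e "^fd\[[0-9]*]${TAB}" -e " -> fd\[[0-9]*]${TAB}" || true
}

# Print detections from every scan_*.log in directory $1.
# Returns 1 if any were found, so a cron wrapper can alert on the status.
report_scan_logs() {
    rc=0
    for log in "$1"/scan_*.log; do
        [ -f "$log" ] || continue
        hits=$(named_detections "$log")
        [ -n "$hits" ] || continue
        printf '%s\n%s\n' "== $log" "$hits"
        rc=1
    done
    return "$rc"
}

# Constructed sample logs (hypothetical share names and file paths).
make_sample_logs() {
    cat > "$1/scan_Docker.log" <<'EOF'
/srv/dev-disk-by-label-SSDRaid/Docker/notes: v2.txt: OK
/srv/dev-disk-by-label-SSDRaid/Docker/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
EOF
    printf '%s\n' '/srv/example/Media/a.mkv: OK' > "$1/scan_Media.log"
    printf '%s\n' 'Tue Apr 21 21:17:40 2020 -> fd[10]: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND' > "$1/clamav.log"
}

demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
report_scan_logs "$demo_dir" || echo "detections present"
rm -rf "$demo_dir"
```

The non-zero return from `report_scan_logs` is what a cron wrapper would key on to send a notification.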

  • oem111

    Added the label "solved".
  • oem111 would adding the --log parameter into the field "Extra Options" achieve this permanently?


    omv 6.9.6-2 (Shaitan) on RPi CM4/4GB with 64bit Kernel 6.1.21-v8+

    2x 6TB 3.5'' HDDs (CMR) formatted with ext4 via 2port PCIe SATA card with ASM1061R chipset providing hardware supported RAID1


    omv 6.9.3-1 (Shaitan) on RPi4/4GB with 32bit Kernel 5.10.63 and WittyPi 3 V2 RTC HAT

    2x 3TB 3.5'' HDDs (CMR) formatted with ext4 in Icy Box IB-RD3662-C31 / hardware supported RAID1

    For Read/Write performance of SMB shares hosted on this hardware see forum here
