# [HOWTO] real-time clamav support with dazuko/clamuko

## mikegpitt

- Updated 8/7/08 -

Added a script on page 2 of this thread that replaces clamav's VirusEvent.  This can be used to quarantine viruses or do whatever else you need with them.

Link to post with script:

https://forums.gentoo.org/viewtopic-p-5176148.html#5176148

Script also added to main howto... look below in this post.

- Howto updated 4/14/08 -

You may have noticed that the old dazuko ebuild doesn't work on newer kernels, and the new dazuko ebuild is hard masked.  If you take a look at bugzilla you will see that it is hard masked because it depends on redirfs, and it can cause filesystem corruption (very bad!).

https://bugs.gentoo.org/show_bug.cgi?id=207537

Instead I recommend using the new dazuko kernel patch.  It is very easy to set up and works with kernels 2.6.23/24.  Another advantage is that by being in the kernel itself, it doesn't depend on any other modules (e.g. security and capabilities).

Here's the dazuko developers post about the new kernel patch:

http://lists.gnu.org/archive/html/dazuko-devel/2008-03/msg00014.html

How to use -- tested with gentoo-sources-2.6.24-r4 and dazuko kernel patch 2.3.5-pre1:

1: Download new dazuko kernel patch:

http://www.dazuko.org/files/patch-linux26-dazuko-2.3.5-pre1.tar.gz

2: Patch kernel (directions from their README):

```
# cd /linux/src/dir/linux-a.b.c.d
# zcat /proc/config.gz > .config
# patch -p1 < patch-linux26-dazuko-2.3.5-pre1.diff
# make menuconfig
(select Dazuko in the Security section and exit, saving changes)
# make
# make modules_install
# make install
# reboot
```

P.S. - If you use genkernel, either apply the patch as above and rerun genkernel --menuconfig, or copy the gentoo-sources ebuild to an overlay, and add the dazuko patch to the genpatches-2.6.x-x.extras.tar.bz2 tarball, re-digest the ebuild, and re-emerge the gentoo-sources.

You can now skip ahead to step three in the original howto below.  Also in step 6 you can ignore the modprobe stuff, since dazuko must be built into the kernel (not as a module).

- Original howto -- October 2007 -

This process isn't all that hard, but I did have a few stumbling blocks when trying to configure real-time support for clamav.  I will outline the basic process here.  I haven't done all that much testing yet, so as I find out more information/hiccups I'll post it here, if relevant.

I have tested this with gentoo-sources-2.6.22-r2, dazuko-2.3.4, and clamav-0.91.2.

1. Ensure you have security module support enabled in your kernel:

Kernel options:

```
SECURITY=y
SECURITY_CAPABILITIES=m   (this must be built as a module!)
```

```
 Security options  --->
[*] Enable different security models
<M>   Default Linux Capabilities
```

Install and reboot to your new kernel if necessary

2. Install dazuko

```
emerge sys-fs/dazuko
```

This may need to be added to your package.keywords, as it was ~x86 masked for me.

3. Emerge clamav

do I really need to write anything here?

4. Enable Clamuko support in your /etc/clamd.conf

Uncomment the lines as I did in the below section of the config file.  You can change things to what works for you.

```
##
## Clamuko settings
## WARNING: This is experimental software. It is very likely it will hang
##          up your system!!!
##

# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
# Default: no
ClamukoScanOnAccess yes

# Set access mask for Clamuko.
# Default: no
ClamukoScanOnOpen yes
ClamukoScanOnClose yes
ClamukoScanOnExec yes

# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a separate line.
# Default: disabled
ClamukoIncludePath /home
```

5.  Add appropriate udev rule for clamav access to dazuko

create the file:  /etc/udev/rules.d/dazuko.rules

and add this line to it:

```
KERNEL=="dazuko",       NAME="%k", GROUP="clamav", MODE="0660"
```

6. Modprobe in dazuko and start clamav

```
modprobe dazuko
modprobe capability
/etc/init.d/clamd start
```

Everything should be set now.  You can verify this in your clamav logfile:

```
Wed Oct 24 14:50:35 2007 -> +++ Started at Wed Oct 24 14:50:35 2007
Wed Oct 24 14:50:35 2007 -> clamd daemon 0.91.2 (OS: linux-gnu, ARCH: i386, CPU: i686)
Wed Oct 24 14:50:35 2007 -> Running as user clamav (UID 104, GID 412)
Wed Oct 24 14:50:35 2007 -> Log file size limited to 1048576 bytes.
Wed Oct 24 14:50:35 2007 -> Reading databases from /var/lib/clamav
Wed Oct 24 14:50:35 2007 -> Not loading PUA signatures.
Wed Oct 24 14:50:38 2007 -> Loaded 161172 signatures.
Wed Oct 24 14:50:38 2007 -> Unix socket file /var/run/clamav/clamd.sock
Wed Oct 24 14:50:38 2007 -> Setting connection queue length to 15
Wed Oct 24 14:50:38 2007 -> Archive: Archived file size limit set to 10485760 bytes.
Wed Oct 24 14:50:38 2007 -> Archive: Recursion level limit set to 8.
Wed Oct 24 14:50:38 2007 -> Archive: Files limit set to 1000.
Wed Oct 24 14:50:38 2007 -> Archive: Compression ratio limit set to 250.
Wed Oct 24 14:50:38 2007 -> Archive support enabled.
Wed Oct 24 14:50:38 2007 -> Algorithmic detection enabled.
Wed Oct 24 14:50:38 2007 -> Portable Executable support enabled.
Wed Oct 24 14:50:38 2007 -> ELF support enabled.
Wed Oct 24 14:50:38 2007 -> Mail files support enabled.
Wed Oct 24 14:50:38 2007 -> Mail: Recursion level limit set to 64.
Wed Oct 24 14:50:38 2007 -> OLE2 support enabled.
Wed Oct 24 14:50:38 2007 -> PDF support disabled.
Wed Oct 24 14:50:38 2007 -> HTML support enabled.
Wed Oct 24 14:50:38 2007 -> Self checking every 1800 seconds.
Wed Oct 24 14:50:38 2007 -> Clamuko: Correctly registered with Dazuko.
Wed Oct 24 14:50:38 2007 -> Clamuko: Scan-on-open mode activated.
Wed Oct 24 14:50:38 2007 -> Clamuko: Scan-on-close mode activated.
Wed Oct 24 14:50:38 2007 -> Clamuko: Scan-on-exec mode activated.
Wed Oct 24 14:50:38 2007 -> Clamuko: Included path /home
Wed Oct 24 14:50:38 2007 -> Clamuko: Max file size limited to 5242880 bytes.
```

If you get the error:

```
ERROR: Clamuko: Can't register with Dazuko
```

you likely didn't add the above udev rule, or there is some problem with the rule you did add.

Now for testing:

You can download the test eicar virus here:

http://www.eicar.org/anti_virus_test_file.htm

Don't worry... this is not a real virus, but a test pattern that works for almost all virus scanners.  If clamav is running, you should see messages in your log file like this:

```
Clamuko: /home/mikeg/eicar.com.txt: Eicar-Test-Signature FOUND
```

You will see a message like this every time you access the virus file (e.g. vi eicar.com.txt).  You will also get a permission denied error, so you won't be able to do anything useful with the file.

That's it for now.  If I get some time to configure clamav better so I can quarantine infected files and do other useful stuff I'll post back here.

Doing something useful with detected viruses

There is a variable in /etc/clamd.conf called VirusEvent that will execute a command each time a virus is detected.

```
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
```

Unfortunately, I haven't gotten it to work properly.  I've tested with a few different kernels and a few different versions of clamav, and when I enable VirusEvent, I always end up with my system hard locking.

Instead I wrote a simple shell script that monitors the clamav logs for "found" viruses.  You can customize this to do anything you need to do when a virus is detected, including placing them in quarantine or notification via email.

This script will need to run as root, since it needs access to your syslogs and also access to the directories you want to scan.  If you don't want to run it as root, you can probably get away with it, as long as the selected user has read access to /var/log/clamav/clamd.log, and you don't want to do any type of file manipulation of the virus.

clam_detect.sh

```
#!/bin/bash

CLAMLOG=/var/log/clamav/clamd.log
FOUNDPATTERN=FOUND

# -n0: start at the end of the log, so hits already logged are not processed again on restart
tail -n0 -f ${CLAMLOG} |
while read -r line
do
   [[ "$line" != *${FOUNDPATTERN}* ]] && continue
   # example line to parse
   #Thu Aug 7 14:34:49 2008 -> Clamuko: /home/username/eicar.com.txt: Eicar-Test-Signature FOUND
   # drop everything up to "Clamuko: ", then the ": <signature> FOUND" tail;
   # cutting at the last ": " keeps a path that itself contains a colon intact
   file=$(echo "$line" | sed -e 's/^.*Clamuko:\s//' -e 's/: [^:]*$//')
   echo "virus found: $file"
   # do something to the virus here (keep "$file" quoted: paths may contain spaces)
   # example: rm "$file"
   # example: mv "$file" /tmp/quarantine
done

exit 0
```

Last edited by mikegpitt on Mon Aug 11, 2008 10:14 pm; edited 6 times in total

----------

## jexxie

Looks great, cheers.

----------

## afb

I have a doubt: I did all as you explained, but all the files that I try to open appear in the log as "file X skipped (too big)", where file X is the file that I try to open.

What can I do?

----------

## rev138

I followed this guide just now, and everything loads properly (note that you MUST modprobe dazuko BEFORE capability), but I can write, read, and delete the eicar files with no problem. No access denied messages. Nothing in the logs.

----------

## mikegpitt

 *afb wrote:*   

> I have a doubt: I did all as you explained, but all the files that I try to open appear in the log as "file X skipped (too big)", where file X is the file that I try to open.
> 
> What can I do?

Not sure.  How big are the files you are opening?  There appear to be a few settings in /etc/clamd.conf that relate to size, but I'm not sure any are what you would be looking for...  you may want to check it out anyway to be sure.

Are you sure that the log is related to clamav and not another app?

----------

## rev138

Does anyone have any idea why this isn't working for me? I did everything the how-to says, and when I start clamd, the log says:

```
Sat Dec  8 21:07:27 2007 -> Clamuko: Correctly registered with Dazuko.
Sat Dec  8 21:07:27 2007 -> Clamuko: Scan-on-open mode activated.
Sat Dec  8 21:07:27 2007 -> Clamuko: Scan-on-close mode activated.
Sat Dec  8 21:07:27 2007 -> Clamuko: Scan-on-exec mode activated.
Sat Dec  8 21:07:27 2007 -> Clamuko: Included path /storage/common
Sat Dec  8 21:07:27 2007 -> Clamuko: Included path /storage/home
Sat Dec  8 21:07:27 2007 -> Clamuko: Max file size limited to 10485760 bytes.
```

However, if I try to copy an eicar test file to one of the paths above, via ssh, smb or wget, it succeeds as normal.

I'm using gentoo-sources-2.6.23-r3, clamav-0.91.2, and dazuko-2.3.4 on amd64.

----------

## mikegpitt

 *rev138 wrote:*   

> Does anyone have any idea why this isn't working for me? I did everything the how-to says, and when I start clamd, the log says:
> 
> ```
> Sat Dec  8 21:07:27 2007 -> Clamuko: Correctly registered with Dazuko.
> 
> ...

It is probably getting through because part of the file is transferring at a time, so it wouldn't have the whole file to scan.  Once you have it downloaded, what happens if you try to access the file?

----------

## rev138

I'm allowed to access the file, delete it, whatever. Nothing is reported in the clam log. I even set clam to log ALL results, not just the infected ones. No log output. It doesn't seem to be scanning at all.

----------

## mikegpitt

 *rev138 wrote:*   

> I'm allowed to access the file, delete it, whatever. Nothing is reported in the clam log. I even set clam to log ALL results, not just the infected ones. No log output. It doesn't seem to be scanning at all.

 Try to run a regular clamav scan and see if the file is picked up.  Maybe the definition isn't on your system for some reason.

----------

## afb

If I scan the file (eicar.com.txt) directly (using klamav, the KDE frontend) the virus is detected, but if I open it with kwrite it doesn't log anything, just "Clamuko: /home/afb/Desktop/eicar.com.txt skipped (too big)"

----------

## rev138

Odd... I noticed while working on something else that a clamd process had been running for 3+ hours, so I stopped it. When I restarted, clamuko magically began working.

----------

## rev138

Next question:

I can now copy the eicar file to the server successfully but if I try to unzip or delete it, I get "access denied". How do I get rid of infected files? Do I have to shut down clamd to delete them?

Thanks.

----------

## mikegpitt

 *rev138 wrote:*   

> Next question:
> 
> I can now copy the eicar file to the server successfully but if I try to unzip or delete it, I get "access denied". How do I get rid of infected files? Do I have to shut down clamd to delete them?
> 
> Thanks.

 

You need to set up a quarantine for them.  I actually never had a chance to work on this any farther, so I don't know exactly what is needed, but if I remember correctly, there is an option in /etc/clamd.conf for a quarantine command.  From there you can set up a command to move or delete infected files.

EDIT:  Check your config for VirusEvent.  This is what you need to set.

Last edited by mikegpitt on Mon Dec 10, 2007 3:36 am; edited 3 times in total

----------

## mikegpitt

 *afb wrote:*   

> If I scan the file (eicar.com.txt) directly (using klamav, the KDE frontend) the virus is detected, but if I open it with kwrite it doesn't log anything, just "Clamuko: /home/afb/Desktop/eicar.com.txt skipped (too big)"

When you start up clamuko you should probably see something that says "Clamuko: Max file size limited to 10485760 bytes".  I just checked my /etc/clamd.conf and there is an option for ClamukoMaxFileSize.  I think this is what you need to set/change.

----------

## rev138

This is the oddest thing... Sometimes this setup detects viruses and blocks access, and sometimes it just detects the virus but does not block access.

I am getting these results by copying the exact same eicar test file into the exact same location. No configs changed. It only changed behavior when I restart clamd. Since clam seems to be doing its job and detecting the virus,  I assume the blame lies with dazuko. I guess that's why it's masked.

----------

## rev138

Ok.. the plot thickens:

I've been doing some more testing. This setup seems to work properly at the console (bash). It detects the infection and prevents access. However, through fish:// (ssh) it detects but does not block access. Through smb:// it does not detect at all.

----------

## rev138

I tried setting this in clamd.conf:

```
VirusEvent logger %v
```

And if I try to access the eicar file, the server crashes. It's headless, so I'm not positive what's happening, but since nothing shows up in the logs, I assume it's a kernel panic.

----------

## MaartenZzZ

 *rev138 wrote:*   

> Odd... I noticed while working on something else that a clamd process had been running for 3+ hours, so I stopped it. When I restarted, clamuko magically began working 

 

I have the same problem. Clamuko up and running, but I can do whatever I want with viruses on /home:

```
Thu Dec 13 20:13:00 2007 -> Clamuko: Correctly registered with Dazuko.
Thu Dec 13 20:13:00 2007 -> Clamuko: Scan-on-open mode activated.
Thu Dec 13 20:13:00 2007 -> Clamuko: Scan-on-close mode activated.
Thu Dec 13 20:13:00 2007 -> Clamuko: Scan-on-exec mode activated.
Thu Dec 13 20:13:00 2007 -> Clamuko: Included path /home
Thu Dec 13 20:13:00 2007 -> Clamuko: Max file size limited to 5242880 bytes.
```

Somebody got an idea?

Thnx!

----------

## MaartenZzZ

Just fixed it.

Now running clamd as user "root", and added root to the "clamd" group:

```
clamav:x:441:root
```

/etc/init.d/clamd restart and off we go!

Hope it's fixed for other people too now.

----------

## gr0x0rd

I followed this guide and had everything working nicely. However after upgrading to the 2.6.23-r3 kernel, I finally noticed that the avahi-daemon wasn't starting anymore.

This was caused by enabling the 

```
 Security options  --->
[*] Enable different security models
<M>   Default Linux Capabilities
```

in the kernel. Other users have experienced this as well.... https://forums.gentoo.org/viewtopic-p-3361179.html

Anyone know of a way for these kernel settings and avahi-daemon to get along? If I run 

```
modprobe capability
```

 and then try to start the avahi-daemon, it starts. Is there a way to execute that command in my startup prior to starting the avahi-daemon?

----------

## mikegpitt

 *gr0x0rd wrote:*   

> I followed this guide and had everything working nicely. However after upgrading to the 2.6.23r3 kernel, I finally noticed that the avahi-daemon wasn't starting anymore.
> 
> This was caused by enabling the 
> 
> ```
> ...

 

You could add the modprobe and daemon start in your local.start to ensure they start in the correct order on each boot.  It's a hack but it should work until an upstream fix.

----------

## gr0x0rd

Done.

Will keep an eye on this thread, looking forward to seeing what you come up with for the quarantine etc! 

Cheers

----------

## TravisBy

I've wanted to finally get Clamuko working, after about a year of seeing it and trying it every now and then.  This really helped me, thank you.   I've wanted Dazuko to work for so long, and just recently built me a Gentoo box.  I saw this post, and was overjoyed by it.

Just a quick question though.  I use this on my desktop (workstation + a game or two of tremulous), and I was wondering what would be good settings for Clamuko?  My system will obviously freeze (and has) when trying to run OnAccess, because when running workstation/games a lot of files are accessed, and that kinda causes me lots of lag =/  Is there any better settings I could use, or should I just keep clamuko off while running X? [just use it when I'm doing commandline stuff, since that won't be a lot of files at once.  Didn't mean X causes a lot of scans, just that I use a lot of files when X is run].

----------

## gr0x0rd

in your /etc/clamd.conf:

```
# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
ClamukoExcludePath /gamedir/mygame
ClamukoExcludePath /home/myacct/.gamedir
```


Perhaps not the best solution, but it's still better than shutting down clamd entirely before you start gaming. I'm sure you could also set read-only permissions and user security groups on your gaming folders to make them even more secure. Maybe someone else has a better solution...

note for wine users!

Every time I have tried to run wine with clamuko running, my system has locked up entirely. So if you are planning on running wine with clamuko, be sure to add

```
ClamukoExcludePath /home/myacct/.wine
ClamukoExcludePath /../mywineprog
```

to your clamd.conf!

----------

## mikegpitt

 *TravisBy wrote:*   

> I've wanted to finally get Clamuko working, after about a year of seeing it and trying it every now and then.  This really helped me, thank you.   I've wanted Dazuko to work for so long, and just recently built me a Gentoo box.  I saw this post, and was overjoyed by it.
> 
> Just a quick question though.  I use this on my desktop (workstation + a game or two of tremulous), and I was wondering what would be good settings for Clamuko?  My system will obviously freeze (and has) when trying to run OnAccess, because when running workstation/games a lot of files are accessed, and that kinda causes me lots of lag =/  Is there any better settings I could use, or should I just keep clamuko off while running X? [just use it when I'm doing commandline stuff, since that won't be a lot of files at once.  Didn't mean X causes a lot of scans, just that I use a lot of files when X is run].

I think gr0x0rd's suggestion is great if you have a game that is often writing to your home dir.  I think the best advice is to run Clamuko in only the directories that are necessary.  I personally haven't experienced any X lag while using this on a Pentium M 1.6 GHz w/ 1 gig of ram, although I don't usually run any 3d games.

The most important places to run Clamuko monitoring are /home and /tmp.  If virii can access anywhere else, your system is probably already compromised.

Glad to hear you like the howto... It was a bit of a pain to initially figure out the set up, and it seemed that nowhere on the internet did it say that ClamAV can work in realtime...  hence the howto to promote such ideas.

----------

## gr0x0rd

I also wanted to add a tidbit regarding notification... all of this is great but since clamav has notification disabled by default

```
# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
```

you may not even notice a virus on your system until you manually check your logs! And if you're anything like me, you don't spend a lot of time observing your logs (pr0n is a much more productive use of most people's time).

I opted for a different solution than the one above- most users have some sort of system monitor enabled. I (and probably many people here) use conky. A simple adjustment to your .conkyrc

```
${color}Antivirus Alerts
${color yourcolor}${tail /var/log/clamav/clamd.log x 20}
```

will show you the last x lines of your clamd.log once you've set the appropriate permissions. 

Of course, you can test this using the eicar example once you've set it up. If it's working, you should see

```
Sun Dec 16 12:39:20 2007 -> Clamuko: /.../eicar.com.txt: Eicar-Test-Signature FOUND
```

displayed in conky almost immediately.

----------

## fice

Hello.

And what about moving infected files to quarantine dir ?

----------

## mikegpitt

 *fice wrote:*   

> Hello.
> 
> And what about moving infected files to quarantine dir ?

 

There is the easy way and the right way to do this.  Take a look at your clamd.conf.  There should be a line like this:

```
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
```

%v is the virus name, and %f is for the actual filename.

The easy way would be to use this command to move the file to a quarantine dir, BUT it is warned at the following URL (halfway down the page) that this could be dangerous:

http://www.webservertalk.com/archive389-2006-7-1592284.html

They don't give a real reason why this is a security issue, but I will take it at face value.

This is my (untested) recommendation.  If it works let me know and I'll add it to the 1st post in this thread.

Step 1: Mark the virus file as read only and flag it:

```
VirusEvent /bin/chown nobody:nobody %f ; chmod 0400 %f ; touch "%f_infected"
```

Basically this command makes the file read-only and owned by nobody, then creates a new file in the same dir that we will use as a marker to denote the file is infected.

Step 2: Remove all the infected files

I don't have the time at the moment to write the script, but basically you will want a script that monitors the clamav scan directories and remove any _infected flag files, as well as the real infected file.

----------

## fice

I tried your solution for chown & chmod (step 1), but it does not work for me. My Gentoo does not respond at all. But I found this URL: http://lurker.clamav.net/message/20080104.224727.a3d99cc0.en.html , which says that

 *Quote:*   

> In clamd.conf you can only use %v.

So this way does not work.

----------

## mikegpitt

 *fice wrote:*   

> I tried your solution for chown & chmod (step 1), but it does not work for me. My Gentoo does not respond at all. But I found this URL: http://lurker.clamav.net/message/20080104.224727.a3d99cc0.en.html , which says that
> 
>  *Quote:*   In clamd.conf you can only use %v. 
> 
> So this way does not work.

 Ok... I read on a thread somewhere you could use %f.  It does however look like the environment variable $CLAM_VIRUSEVENT_FILENAME is set instead...  much better actually.

Call a small script like so (these are all untested):

clamd.conf

```
VirusEvent /usr/bin/clam_quarantine.sh
```

clam_quarantine.sh:

```
#!/bin/bash

# clamd puts the path of the infected file in CLAM_VIRUSEVENT_FILENAME;
# keep it quoted, since the path may contain spaces
/bin/chown nobody:nobody "${CLAM_VIRUSEVENT_FILENAME}"
/bin/chmod 0400 "${CLAM_VIRUSEVENT_FILENAME}"
/usr/bin/touch "${CLAM_VIRUSEVENT_FILENAME}_infected"
```

As for the removal you could have a daemon that starts this script on each boot:

```
#!/bin/bash

while true; do
        # search for all files tagged with _infected and delete both the _infected file and the actual file
        # (done inside one sh -c so that paths with spaces survive; only the trailing _infected is stripped)
        find /path/to/clamav/scan/dirs -name "*_infected" -exec sh -c '
                for marker; do rm -f "${marker%_infected}" "$marker"; done' sh {} +
        # sleep for 5 mins
        sleep 300
done
```

Please use caution with the above script, as it deletes files, and hasn't been thoroughly tested!

If you want to try the find and rm commands separately try these out:

```
#deletes _infected files in the current directory  (for example it will remove testvirus_infected)
find . -name "*_infected" -exec rm {} \;
```

```
#deletes the real file in the current directory  (for example it will remove testvirus)
#(the $ anchors the match to the end of the name; paths containing spaces would still break this pipeline)
find . -name "*_infected" -print | sed -e 's/_infected$//' | xargs rm
```
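
As an added example (not mikegpitt's untested scripts above), here are the VirusEvent handler and the marker sweep written in POSIX sh with the quoting and the find | sed | xargs problems fixed. It relies on clamd exporting CLAM_VIRUSEVENT_FILENAME, as the post says, and CLAM_VIRUSEVENT_VIRUSNAME, which clamd's own configuration docs describe but this thread does not mention; SCANDIR, the marker file format and the chmod 0000 choice are my assumptions. It is only useful on a setup where VirusEvent itself does not hard-lock the machine, which the posts above show is not a given with dazuko.

```sh
#!/bin/sh
# Added example, not the thread's scripts: the two halves of the marker approach.
#  - clam_virusevent is what VirusEvent calls; it reads the infected path from
#    CLAM_VIRUSEVENT_FILENAME (and the signature from CLAM_VIRUSEVENT_VIRUSNAME).
#  - sweep_infected replaces the find | sed | xargs pipeline: it copes with spaces
#    in names, only acts where both marker and flagged file exist, ignores symlinks.
# SCANDIR is an assumed location; run the sweep as root from a periodic job.

MARKER_SUFFIX=_infected
SCANDIR=${SCANDIR:-/home}

# VirusEvent handler: make the flagged file unreadable and drop a marker next to
# it recording what clamd saw.  Returns 1 (and does nothing) without a usable path.
clam_virusevent() {
    f=${CLAM_VIRUSEVENT_FILENAME:-}
    [ -n "$f" ] && [ -f "$f" ] || return 1
    chmod 0000 "$f" || return 1
    # as in the thread; fails harmlessly when not running as root
    chown nobody:nobody "$f" 2>/dev/null || true
    printf 'signature=%s\nflagged=%s\n' "${CLAM_VIRUSEVENT_VIRUSNAME:-unknown}" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$f$MARKER_SUFFIX"
}

# Delete every "<file>_infected" marker under $1 (default SCANDIR) together with
# <file> itself, printing each deleted file.  A marker whose file is missing or
# is a symlink is left in place for a human to look at.
sweep_infected() {
    find "${1:-$SCANDIR}" -type f -name "*$MARKER_SUFFIX" -exec sh -c '
        suffix=$1; shift
        for marker; do
            target=${marker%"$suffix"}
            if [ -f "$target" ] && [ ! -L "$target" ]; then
                rm -f "$target" "$marker" && printf "%s\n" "$target"
            fi
        done' sh "$MARKER_SUFFIX" {} +
}
```

Point VirusEvent at a script that just calls clam_virusevent, and run sweep_infected /home (or each ClamukoIncludePath) from cron.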

----------

## fice

Thanks for helping, but I don't know what's wrong: after finding a virus, where the "VirusEvent" action should happen, my computer stops responding. =( Rebooting saves the situation.

----------

## mikegpitt

 *fice wrote:*   

> Thanks for helping, but I don't know what's wrong: after finding a virus, where the "VirusEvent" action should happen, my computer stops responding. =( Rebooting saves the situation.

 Sounds like the dazuko kernel module crashed and killed your machine.

I'm not sure what to say... Does it crash with any script called by VirusEvent?

What kernel are you using?  I think in new kernels dazuko is not even compiling (I saw a thread around here on it).  This makes me think that it might be getting phased out.  I'm not sure what a good replacement would be, and/or if clamav will support a replacement.

----------

## fice

 *mikegpitt wrote:*   

> Sounds like the dazuko kernel module crashed and killed your machine.
> 
> I'm not sure what to say... Does it crash with any script called by VirusEvent?
> 
> What kernel are you using?  I think in new kernels dazuko is not even compiling (I saw a thread around here on it).  This makes me think that it might be getting phased out.  I'm not sure what I good replacement would be, and/or if clamav will support a replacement.

 

Yes, it crashes with any script.

I'm using

2.6.23-gentoo-r3 on x86_64 Intel(R) Core(TM)2 Duo CPU E6550

----------

## mikegpitt

I updated the first post in this howto to reflect changes in getting dazuko to work with kernels 2.6.23/24.

----------

## mikegpitt

Since VirusEvent still seems to cause a kernel panic I decided to write a small shell script that will monitor the clamav logs and when it finds a virus, it will pull out the filename and do something with it.  Enjoy!

```
#!/bin/bash

CLAMLOG=/var/log/clamav/clamd.log
FOUNDPATTERN=FOUND

# -n0: start at the end of the log, so hits already logged are not processed again on restart
tail -n0 -f ${CLAMLOG} |
while read -r line
do
   [[ "$line" != *${FOUNDPATTERN}* ]] && continue
   # example line to parse
   #Thu Aug 7 14:34:49 2008 -> Clamuko: /home/username/eicar.com.txt: Eicar-Test-Signature FOUND
   # drop everything up to "Clamuko: ", then the ": <signature> FOUND" tail;
   # cutting at the last ": " keeps a path that itself contains a colon intact
   file=$(echo "$line" | sed -e 's/^.*Clamuko:\s//' -e 's/: [^:]*$//')
   echo "virus found: $file"
   # do something to the virus here (keep "$file" quoted: paths may contain spaces)
   # example: rm "$file"
   # example: mv "$file" /tmp/quarantine
done

exit 0
```

EDIT:  Script added to main howto in 1st post...
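
As an added example (not the thread's own clam_detect.sh), here is a hardened version of the log watcher from the first post and this one, in POSIX sh: it parses only the on-access hit lines, without truncating paths that contain a colon or spaces, and moves each hit into a quarantine directory instead of leaving that step as a comment. The log and quarantine locations, the clam_detect syslog tag and the .info sidecar format are my assumptions, not anything clamd defines.

```sh
#!/bin/sh
# Added example (not the thread's clam_detect.sh): a hardened clamd.log watcher.
# Compared with the posted script it
#  - only reacts to on-access ("Clamuko:") hits, not to every line containing FOUND;
#  - takes the path from the tail of the line, so paths with ':' or spaces survive;
#  - starts at the end of the log (-n0), so old hits are not re-processed on restart;
#  - moves the file into a quarantine directory (mode 0700) under a unique name,
#    makes it read-only and writes a sidecar .info with origin and signature.
# CLAMLOG and QUARANTINE are assumed locations; override them in the environment.
# Keep QUARANTINE outside the ClamukoIncludePath directories (or list it under
# ClamukoExcludePath), or later handling of the quarantined copy is denied too.

CLAMLOG=${CLAMLOG:-/var/log/clamav/clamd.log}
QUARANTINE=${QUARANTINE:-/var/lib/clamav/quarantine}

# Strip the timestamp prefix and the trailing " FOUND" from an on-access hit, e.g.
#   "Thu Aug 7 14:34:49 2008 -> Clamuko: /home/u/eicar.com.txt: Eicar-Test-Signature FOUND"
# prints "/home/u/eicar.com.txt: Eicar-Test-Signature".  Returns 1 for any other line.
found_rest() {
    case $1 in
        *" -> Clamuko: "*" FOUND") ;;
        *) return 1 ;;
    esac
    rest=${1#* -> Clamuko: }
    printf '%s\n' "${rest% FOUND}"
}

# Path of the hit: everything before the last ": " (a signature name never contains one).
found_path() {
    rest=$(found_rest "$1") || return 1
    printf '%s\n' "${rest%: *}"
}

# Signature name of the hit: everything after the last ": ".
found_sig() {
    rest=$(found_rest "$1") || return 1
    printf '%s\n' "${rest##*: }"
}

# Move $1 into QUARANTINE (mv renames rather than opens the file, which is why
# Clamuko lets it through) and record signature $2.  Prints the new path.
quarantine_file() {
    path=$1 sig=$2
    [ -f "$path" ] || return 1
    mkdir -p "$QUARANTINE" && chmod 0700 "$QUARANTINE" || return 1
    # timestamp + pid + basename keeps repeated hits on the same name apart
    dest="$QUARANTINE/$(date +%Y%m%d%H%M%S).$$.${path##*/}"
    mv "$path" "$dest" || return 1
    chmod 0400 "$dest" || return 1
    printf 'origin=%s\nsignature=%s\nquarantined=%s\n' "$path" "$sig" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$dest.info" || return 1
    printf '%s\n' "$dest"
}

# Follow the log (surviving rotation with -F) and quarantine every new hit.
watch_log() {
    tail -n0 -F "$CLAMLOG" | while IFS= read -r line; do
        path=$(found_path "$line") || continue
        sig=$(found_sig "$line")
        if dest=$(quarantine_file "$path" "$sig"); then
            logger -t clam_detect "quarantined $path ($sig) as $dest"
        else
            logger -t clam_detect "could not quarantine $path ($sig)"
        fi
    done
}

# Run as "clam_detect.sh --watch" (as root); without the flag only the functions are defined.
if [ "${1:-}" = "--watch" ]; then
    watch_log
fi
```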

----------

## platojones

Bummer, patch doesn't work with gentoo-sources-2.6.25-r7 at this time.

----------

## mikegpitt

 *platojones wrote:*   

> Bummer, patch doesn't work with gentoo-sources-2.6.25-r7 at this time.

 Take a look at this page on the dazuko website:

http://dazuko.dnsalias.org/wiki/index.php/Downloads

It looks like they have a patch for the 2.6.25 & 26 kernels.  I haven't had a chance to test it.  If it works, post back and let us know.

----------

## platojones

Yep, compiled fine and seems to work... not exactly like the howto says... the eicar doesn't log in the file, but it doesn't download either.  Seems pretty stable thus far.

----------

## platojones

Ok, I've decided that clamuko is not really running, in spite of all of the positive log messages I see in the clamav log.  One thing I've noticed that is different is that the 'default linux capabilities' in the kernel cannot be built as a module in the newest kernels.  I get the /dev/dazuko and clamav reports that everything is fine, but I can download the eicar tests without a problem.  Clamav does not even notice that they have been downloaded to my /home directory.  Anybody else having this problem?  I'm running kernel 2.6.25-gentoo-r7 with the dazuko 2.6.25 patch applied and compiled in.  It's obvious my kernel does have the patch since as soon as I rebooted, the /dev/dazuko device showed up and I am getting all of the appropriate log messages indicating that dazuko is up and running fine.

----------

## mikegpitt

 *platojones wrote:*   

> Ok, I've decided that clamuko is not really running, in spite of all of the positive log messages I see in the clamav log.  One thing I've noticed that is different is that the 'default linux capabilities' in the kernel cannot be built as a module in the newest kernels.  I get the /dev/dazuko and clamav reports that everything is fine, but I can download the eicar tests without a problem.  Clamav does not even notice that they have been downloaded to my /home directory.  Anybody else having this problem?  I'm running kernel 2.6.25-gentoo-r7 with the dazuko 2.6.25 patch applied and compiled in.  It's obvious my kernel does have the patch since as soon as I rebooted, the /dev/dazuko device showed up and I am getting all of the appropriate log messages indicating that dazuko is up and running fine.

 In the newer kernels capabilities isn't needed because dazuko can be built into the kernel.

I've also noticed that with the current dazuko and clamav, firefox can download eicar.  It shouldn't be a problem though, because you shouldn't be able to do anything with it once it's downloaded.  On access you will receive permission denied and it will be logged.

With clamav 0.92 I was able to rm eicar without notice.  On 0.93.3 rm is blocked, although mv isn't.  Any real type of access like reading, writing, or executing the virus is blocked and logged.

As you can see, things seem to change with various versions of clamav/dazuko, but in general it appears to work well.

----------

## platojones

Thanks for the response mikegpitt.  Sadly, no, it not only lets me download the file, but I can do anything I want to with any of the eicar files...read them, move them, copy them or remove them...not only does it not prevent those actions, it doesn't even register in the log file.  Something is wrong with this kernel version, I'm afraid.  Maybe all of this will be fixed in the next version...it's a very cool concept...I'd love to see it accepted into the official kernel tree where it can be properly supported.

----------

## mikegpitt

 *platojones wrote:*   

> Thanks for the response mikegpitt.  Sadly, no, it not only let's me download the file, but I can do anything I want to with any of the eicar files...read them, move them, copy them or remove them...not only does it not prevent those actions, it doesn't even register in the log file.  Something is wrong with this kernel version, I'm afraid.  Maybe all of this will be fixed in the next version...it's a very cool concept...I'd love to see it accepted into the offical kernel tree where it can be properly supported.

 Darn, that sucks... If I get a chance in the next few days, I'll try to take a look with a newer kernel, although it sounds like I won't have much luck.

If you don't *need* the 2.6.25 kernel, you could always use 2.6.24.  I know it works well there.

----------

## platojones

Hi mikegpitt,

  Well, here's a strange update.  I woke up this morning, and my computer was locked up solid.  I think it might be that crash issue that was discussed earlier in this thread (I haven't had my system crash in over a year).  I rebooted, and when I did, clamuko came alive.  I think at some point, I should have rebooted during this process (though I did when I rebuilt the kernel).  In any event, I checked the clamd log file and it was finding stuff in my home directory (mostly old mail messages with viruses).  It does look like it works.  I need to look into that crash issue more, to see what the actual cause was.  I know you've posted a workaround for that if it was, as I suspect, dazuko that caused it.  Thanks for the help, btw.

----------

## mikegpitt

 *platojones wrote:*   

> Hi mikegpitt,
> 
>   Well, here's a strange update.  I woke up this morning, and my computer was locked up solid.  I think it might be that crash issue that was discussed earlier in this thread (I haven't had my system crash in over a year).  I rebooted, and when I did, clamuko came alive.  I think at some point, I should have rebooted during this process (though I did when I rebuilt the kernel).  In any event, I checked the clamd log file and it was finding stuff in my home directory (mostly old mail messages with viruses).  It does look like it works.  I need to look into that crash issue more, to see what the actual cause was.  I know you've posted a work around for that if it was, as I suspect, dazuko that cause it.  Thanks for the help, btw.

 Good stuff! (I meant the part about it working, not the crash).  Yeah, you would have needed to reboot the machine to use the new kernel configuration.  I'm not sure how /dev/dazuko showed up without a reboot.

Dazuko is still experimental, I'd say, but I never had it lock up my machine if it's just doing nothing in the background.  The only hardlocks I've had were related to the VirusEvent option in clamav.  I haven't had any luck using it, hence the workaround.

----------

