# Samba + ClamAV drives me nuts! Help (SOLVED)

## petrjanda

/var/log/everything/current

```
Oct 20 21:21:23 [smbd_vscan-clamav] samba-vscan (vscan-clamav 0.3.5) registered (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Oct 20 21:21:23 [smbd_vscan-clamav] samba-vscan (vscan-clamav 0.3.5) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Oct 20 21:21:23 [smbd_vscan-clamav] INFO: connect to service petrjanda by user petrjanda
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not connect to clamd (socket: '/var/run/clamd')!
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not communicate to daemon - access denied
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not connect to clamd (socket: '/var/run/clamd')!
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not communicate to daemon - access denied
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not connect to clamd (socket: '/var/run/clamd')!
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not communicate to daemon - access denied
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not connect to clamd (socket: '/var/run/clamd')!
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not communicate to daemon - access denied
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not connect to clamd (socket: '/var/run/clamd')!
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not communicate to daemon - access denied
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not connect to clamd (socket: '/var/run/clamd')!
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not communicate to daemon - access denied
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not connect to clamd (socket: '/var/run/clamd')!
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not communicate to daemon - access denied
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not connect to clamd (socket: '/var/run/clamd')!
Oct 20 21:21:23 [smbd_vscan-clamav] ERROR: can not communicate to daemon - access denied
```

/etc/clamd.conf

```
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##

# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
#LogFile /tmp/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: disabled
#LogFileUnlock

# Maximal size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
#LogFileMaxSize 2M

# Log time with each message.
# Default: disabled
#LogTime

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: disabled
#LogClean

# Use system logger (can work together with LogFile).
# Default: disabled
#LogSyslog

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
# Default: disabled
#LogVerbose

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
#PidFile /var/run/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav

# The daemon works in a local OR a network mode. Due to security reasons we
# recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled
#LocalSocket /tmp/clamd

# Remove stale socket after unclean shutdown.
# Default: disabled
FixStaleSocket

# TCP port address.
# Default: disabled
TCPSocket 8127

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: disabled
TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 15
#MaxConnectionQueueLength 30

# Close the connection if this limit is exceeded.
# Default: 10M
#StreamMaxLength 20M

# Maximal number of threads running at the same time.
# Default: 10
#MaxThreads 20

# Waiting for data from a client socket will timeout after this time (seconds).
# Value of 0 disables the timeout.
# Default: 120
#ReadTimeout 300

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Maximal depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: disabled
#FollowDirectorySymlinks

# Follow regular file symlinks.
# Default: disabled
#FollowFileSymlinks

# Perform internal sanity check (database integrity and freshness).
# Default: 1800 (30 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced by a virus name.
# Default: disabled
VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as a selected user (clamd must be started by root).
# Default: disabled
#User clamav

# Initialize supplementary group access (clamd must be started by root).
# Default: disabled
#AllowSupplementaryGroups

# Don't fork into background.
# Default: disabled
#Foreground

# Enable debug messages in libclamav.
# Default: disabled
#Debug

# Do not remove temporary files (for debug purposes).
# Default: disabled
#LeaveTemporaryFiles

# By default clamd uses scan options recommended by libclamav. This option
# disables recommended options and allows you to enable selected ones below.
# DO NOT TOUCH IT unless you know what you are doing.
# Default: disabled
#DisableDefaultScanOptions

##
## Executable files
##

# PE stands for Portable Executable - it's an executable file format used
# in all 32-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite.
# Default: enabled
#ScanPE

# With this option clamav will try to detect broken executables and mark
# them as Broken.Executable
# Default: disabled
#DetectBrokenExecutables

##
## Documents
##

# This option enables scanning of Microsoft Office document macros.
# Default: enabled
#ScanOLE2

##
## Mail files
##

# Enable internal e-mail scanner.
# Default: enabled
#ScanMail

# If an email contains URLs ClamAV can download and scan them.
# WARNING: This option may open your system to a DoS attack.
#      Never use it on loaded servers.
# Default: disabled
#MailFollowURLs

##
## HTML
##

# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: enabled
#ScanHTML

##
## Archives
##

# ClamAV can scan within archives and compressed files.
# Default: enabled
#ScanArchive

# Due to license issues libclamav does not support RAR 3.0 archives (only the
# old 2.0 format is supported). Because some users report stability problems
# with unrarlib it's disabled by default and you must uncomment the directive
# below to enable RAR 2.0 support.
# Default: disabled
#ScanRAR

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# Default: 10M
#ArchiveMaxFileSize 15M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deep the process should be continued.
# Value of 0 disables the limit.
# Default: 5
#ArchiveMaxRecursion 8

# Number of files to be scanned within an archive.
# Value of 0 disables the limit.
# Default: 1000
#ArchiveMaxFiles 1500

# If a file in an archive is compressed more than ArchiveMaxCompressionRatio
# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)
# Value of 0 disables the limit.
# Default: 250
#ArchiveMaxCompressionRatio 300

# Use slower but memory efficient decompression algorithm.
# only affects the bzip2 decompressor.
# Default: disabled
#ArchiveLimitMemoryUsage

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: disabled
#ArchiveBlockEncrypted

# Mark archives as viruses if ArchiveMaxFiles, ArchiveMaxFileSize, or
# ArchiveMaxRecursion limit is reached.
# Default: disabled
#ArchiveBlockMax

##
## Clamuko settings
## WARNING: This is experimental software. It is very likely it will hang
##       up your system!!!
##

# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
# Default: disabled
#ClamukoScanOnAccess

# Set access mask for Clamuko.
# Default: disabled
#ClamukoScanOnOpen
#ClamukoScanOnClose
#ClamukoScanOnExec

# Set the include paths (all files in them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a seperate line.
# Default: disabled
#ClamukoIncludePath /home
#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
#ClamukoExcludePath /home/guru

# Don't scan files larger than ClamukoMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#ClamukoMaxFileSize 10M
```

/etc/samba/vscan-oav.conf

```
[samba-vscan]
; run-time configure options for vscan-samba using
; OpenAntiVirus ScannerDaemon
; all options set to default values

; do not scan files larger than X bytes. If set to 0 (default),
; this feature is disable (i.e. all files are scanned)
max file size = 0

; log all file access (yes/no). If set to yes, every access will
; be logged. If set to no (default), only access to infected files
; will be logged
verbose file logging = no

; if set to yes (default), a file will be scanned while opening
scan on open = yes

; if set to yes, a file will be scanned while closing (default is yes)
scan on close = yes

; if communication to daemon fails, should access to file denied?
; (default: yes)
deny access on error = yes

; if daemon files with a minor error (corruption, etc.),
; should access to file denied?
; (default: yes)
deny access on minor error = no

; send a warning message via Windows Messenger service
; when virus is found?
; (default: yes)
send warning message = yes

; what to do with an infected file
; quarantine: try to move to quantine directory; delete it if moving fails
; delete:     delete infected file
; nothing:    do nothing (default)
infected file action = nothing

; where to put infected files - you really want to change this!
quarantine directory  = /tmp

; prefix for files in quarantine
quarantine prefix = vir-

; as Windows tries to open a file multiple time in a (very) short time
; of period, samba-vscan use a last recently used file mechanism to avoid
; multiple scans of a file. This setting specified the maximum number of
; elements of the last recently used file list. If set to 0, this
; mechanism is disabled completely (default: 100)
max lru files entries = 100

; an entry is invalidad after lru file entry lifetime (in seconds).
; (Default: 5)
lru file entry lifetime = 5

; exclude files from being scanned based on the MIME-type! Semi-colon
; seperated list (default: empty list). Use this with care!
exclude file types =

; IP of ScannerDaemon
oav ip = 127.0.0.1

; port number ScannerDaemon listens on
oav port = 8127

clamd socket name = /var/run/clamd
```

/etc/clamav.conf

```
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamd
TCPAddr 127.0.0.1
Scanmail
```

/etc/conf.d/clamd

```
START_CLAMD=yes
CLAMD_OPTS=""
CLAMD_LOG=""
START_FRESHCLAM=yes
FRESHCLAM_OPTS="-d -c 2"
FRESHCLAM_LOG="/var/log/clam-update.log"
```

and /etc/samba/smb.conf

```
[global]
        workgroup = A216NETWORK
        netbios name = A216ACCESS
        server string = A216 Primary DC
        interfaces = eth1
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        username map = /etc/samba/smbusers
        log file = /var/log/samba3/log.%m
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/sbin/useradd -d /home/users/ -s /bin/false '%u'
        delete user script = /usr/sbin/userdel '%s'
        add group script = /usr/sbin/groupadd %g && getent group '%g'|awk -F: '{print $3}'
        delete group script = /usr/sbin/groupdel '%g'
        add user to group script = /usr/bin/gpasswd -a '%u' '%g'
        delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
        set primary group script = /usr/sbin/usermod -g '%g' '%u'
        add machine script = /usr/sbin/useradd -d /dev/null -g smbmachines -c 'Machine Account' \ -s /bin/false %m\$
        logon script = logon.bat
        logon drive = Q:
        logon home = \\%L\%U
        domain logons = Yes
        os level = 99
        preferred master = Yes
        domain master = Yes
        vscan-clamav:config-file = /etc/samba/vscan-oav.conf
        map acl inherit = Yes
        fstype = XFS
        vfs object = vscan-clamav
```

Have you people got any idea why it doesn't work? Users cannot open any files within the shares.

----------

## petrjanda

Has been solved today. The problem was having clamav.conf (old) and clamd.conf (new). I kept editing stuff mostly in clamav.conf, which had no effect on the configuration.

----------
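An added check, not part of the thread or of either project: it parses excerpts of the two files as posted above and compares the socket clamd listens on (`LocalSocket`) with the one samba-vscan is told to dial (`clamd socket name`). The function names are hypothetical and the excerpts are cut down from the posted configs.

```python
def active_directives(text):
    """Return {name: value} for the uncommented directives of a clamd.conf."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        out[name] = value.strip()
    return out

def vscan_options(text):
    """Return {key: value} from the ini-style samba-vscan config file."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            out[" ".join(key.split())] = value.strip()
    return out

def socket_mismatch(clamd_conf, vscan_conf):
    """Compare the socket samba-vscan dials with the one clamd listens on."""
    listen = active_directives(clamd_conf).get("LocalSocket")
    dial = vscan_options(vscan_conf).get("clamd socket name")
    if listen is None:
        return f"clamd has no LocalSocket; samba-vscan dials {dial}"
    if listen != dial:
        return f"clamd listens on {listen}; samba-vscan dials {dial}"
    return None

# Excerpts of /etc/clamd.conf and /etc/samba/vscan-oav.conf as posted above.
CLAMD_CONF = """\
#LocalSocket /tmp/clamd
FixStaleSocket
TCPSocket 8127
TCPAddr 127.0.0.1
"""
VSCAN_CONF = """\
[samba-vscan]
deny access on error = yes
oav port = 8127
clamd socket name = /var/run/clamd
"""

if __name__ == "__main__":
    print(socket_mismatch(CLAMD_CONF, VSCAN_CONF))
```

Feeding it the old `/etc/clamav.conf` instead of `/etc/clamd.conf` reports no mismatch, which is how editing the wrong file can look correct on paper.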

## tkhobbes

Hi, your posts are somewhat old, but I have similar problems. I have tweaked /etc/samba/vscan-clamav.conf so that it points to the correct socket (I think), but I still get error messages similar to these:

```
Jun 11 22:09:25 server smbd_vscan-clamav[3864]: ERROR: file /home/public/test.txt not found, not readable or an error occured
Jun 11 22:09:25 server smbd_vscan-clamav[3864]: ERROR: daemon failed with a minor error - access to file test.txt denied
```

Here's the relevant part of /etc/samba/smb.conf:

```
[public]
        valid users = @publicusers
        force directory mode = 0770
        force create mode = 0770
        writeable = yes
        force group = publicusers
        comment = Public-share
        path = /home/public
        vfs object = vscan-clamav
        vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
```

Here's /etc/samba/vscan-clamav.conf:

```
[samba-vscan]
max file size = 0
verbose file logging = no
scan on open = yes
scan on close = yes
deny access on error = yes
deny access on minor error = yes
send warning message = no
infected file action = quarantine
quarantine directory  = /home/quarantine
quarantine prefix = vir-
max lru files entries = 100
lru file entry lifetime = 5
clamd socket name = /var/run/clamav/clamd.sock
oav port = 8127
```

When I turn off the "deny access on..." entries, everything works perfectly - but like this, I get the messages above and (of course) can't access the files (I get "permission denied" errors on the Windows boxes).

The user who is connecting is in the correct group (i.e. he has a samba-password and is in the "publicusers" group, in this example).

In /var/run/clamav, there are these files:

* clamd.pid

* clamd.sock

* freshclam.pid

When I restart clamd and samba, I get these additional error messages:

```
Jun 11 22:15:40 server smbd_vscan-clamav[8267]: samba-vscan (vscan-clamav 0.3.6b) registered (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Jun 11 22:15:40 server smbd_vscan-clamav[8267]: samba-vscan (vscan-clamav 0.3.6b) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Jun 11 22:15:40 server smbd_vscan-clamav[8267]: INFO: connect to service public by user thomas
Jun 11 22:15:40 server smbd_vscan-clamav[8267]: ERROR: can not connect to clamd (socket: '/var/run/clamav/clamd.sock')!
Jun 11 22:15:40 server smbd_vscan-clamav[8267]: ERROR: can not communicate to daemon - access denied
```

What's wrong?

----------

## Darknight

In a post found around the net, a guy says that it will work if clamd does NOT drop root privileges; I haven't tried it myself.

----------

## tkhobbes

OK - meaning what in terms of configuration what / where?   :Embarassed: 

----------

## Darknight

```
# Run as another user (clamd must be started by root to make this option
# working).
# Default: don't drop privileges
User clamav
```

Set in /etc/clamd.conf

Comment that line and report back   :Wink: 

----------

## tkhobbes

Seems to work.  :Smile: 

Thanks!

----------
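An added example, not code from the thread or from ClamAV or samba-vscan: a model of the Unix permission check behind the "not found, not readable" error, on the assumption that clamd has dropped to `User clamav` and must itself open files in the `[public]` share. The numeric ids, the mode of `/home/public` and all function names are constructed for illustration.

```python
import os, pwd, pathlib

def may(mode, owner, group, uid, gids, want):
    """Classic Unix mode check (ACLs and MAC policy are ignored).
    `want` is a subset of "rwx"; uid 0 always passes here."""
    if uid == 0:
        return True
    shift = 6 if uid == owner else 3 if group in gids else 0
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return (mode >> shift) & need == need

def can_scan(chain, uid, gids):
    """chain: [(mode, uid, gid), ...] from / down to the file. Each
    directory needs search (x), the file itself needs read (r)."""
    *dirs, leaf = chain
    return all(may(*d, uid, gids, "x") for d in dirs) and may(*leaf, uid, gids, "r")

def stats_for(path):
    """Collect the chain for a real path on the local system."""
    p = pathlib.PurePosixPath(path)
    return [(s.st_mode, s.st_uid, s.st_gid)
            for s in map(os.stat, [*reversed(p.parents), p])]

def ids_for(user, supplementary):
    """uid and group set clamd would hold after dropping to `user`;
    without AllowSupplementaryGroups only the primary group counts."""
    pw = pwd.getpwnam(user)
    groups = os.getgrouplist(user, pw.pw_gid) if supplementary else [pw.pw_gid]
    return pw.pw_uid, set(groups)

# Constructed ids and modes modelled on the [public] share above.
THOMAS, CLAMAV, CLAMAV_GID, PUBLICUSERS = 1000, 101, 101, 1005
CHAIN = [
    (0o755, 0, 0),                  # /
    (0o755, 0, 0),                  # /home
    (0o770, 0, PUBLICUSERS),        # /home/public (assumed mode)
    (0o770, THOMAS, PUBLICUSERS),   # test.txt: force create mode = 0770
]

if __name__ == "__main__":
    print("clamav, primary group only:", can_scan(CHAIN, CLAMAV, {CLAMAV_GID}))
    print("clamav + publicusers:", can_scan(CHAIN, CLAMAV, {CLAMAV_GID, PUBLICUSERS}))
    print("root:", can_scan(CHAIN, 0, {0}))
```

On a live host, `can_scan(stats_for("/home/public/test.txt"), *ids_for("clamav", False))` runs the same check against real ownership and modes.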

