# dansguardian-dgav and clamav not playing nice [SOLVED]

## rev138

I have dansguardian-dgav-6.4.3-r1, squid-2.5.11,  and clamav-0.87.1 installed.

If I turn virus scanning OFF in the dansguardian config file, everything works fine, so I'm pretty sure that dansguardian and squid are ok.

If I turn virus scanning ON, my browser (konqueror) reports "Connection to host www.google.com is broken."

If I ssh to the server and set http_proxy to "http://127.0.0.1:8080" and then connect to www.google.com with lynx, I get this"

```

                                                                                                                           DansGuardian - Antivirus Error

                                                 DansGuardian Antivirus Patch - Error during scanning

                                                            Error message: 'Access denied.'
```

I'm guessing, that this is a problem with clamav.

Here's the relevant portion of my dansguardian.conf:

```
# ANTIVIRUS SETTINGS

# --------------------

# OPTION: virusscan

# If on, we scan all downloaded content using embedded virus engine.

# Supported engines of this version are ClamAV, ClamDScan, KAV, KAV5, Trophie, Sophie.

# If off, we don't scan any downloaded content.

# See http://sourceforge.net/projects/dgav/ for more details.

virusscan = on

# OPTION: virusengine

# Set the embedded virus scan engine to be used (clamav, clamdscan, kav, aveserver, trophie, sophie).

virusengine = 'clamdscan'

# OPTION: tricklelength

# With tricklelength you can choose between three different trickle modes:

# a) If set to -1, the scanner will send 1 byte per delay period

#    to the client to keep a download connection alive.

#    When the whole file is downloaded and scanned, the client will

#    receive all remaining bytes, if the file was clean.

# b) If set to less than -1 (eg. -1024) the scanner will send,

#    after firsttrickledelay seconds, a proportional amount of data

#    to the client (e.g 1024 bytes per downloaded megabyte); after

#    followingtrickledelay seconds again a proportional amount

#    of data is sent to the client and so on. When the whole file is

#    downloaded and scanned, the client will receive all remaining

#    bytes, if the file was clean.

#    Recommended value: -1024 (1024 bytes per downloaded megabyte)

# c) If set to a positive integer value it enables immediate delivery

#    to the client. The value set means minimum number of bytes of the

#    downloaded file that will be held and delivered after virus scan.

#    If clean, the remaining bytes will be sent to the client.

#    If infected, file downloaded will be incomplete and a warning message

#    will be sent to the postmaster and possibly the user.

#    Recommended minimum positive value: 32768 (32 kbytes)

#

# NOTE:

#    only trickle modes a) and b) allow for limited mime-header

#    rewriting; eg. if a zip file (application/zip) is downloaded

#    and contains a virus it's mime-type is rewritten to text/html

#    which in turn forces the browser to display the warning page;

#    be aware however, that this is only possible for downloads

#    that finish within firsttrickledelay seconds!

tricklelength = 32768

# OPTION: forkscanlength

# Specifies maximum file size, in bytes, that is scanned w/o parallel trickling.

# Files larger than 'forkscan_length' will be scanned in the background,

# while a foreground process trickles data to the client in order to keep

# connection alive.

# This heavily depends on the available CPU speed. Slow CPUs need smaller values.

# The size is in Kibibytes - eg 2048 = 2Mb

forkscanlength = 32768

# OPTION: firsttrickledelay

# Delay in seconds to deliver the first byte to the client.

# This option only applies if tricklelength is set to -1.

firsttrickledelay = 10

# OPTION: follwingtrickledelay

# Delay in seconds to deliver subsequent bytes to the client.

# This option only applies if tricklelength is set to -1.

followingtrickledelay = 10

# OPTION: maxcontentscansize

# Set the maximum size of a content to be virus scanned.

# Content size above this value will not be scanned against viruses.

# The size is in Kibibytes - eg 2048 = 2Mb

# To have no limit, use 0 (zero).

maxcontentscansize = 41904304

# OPTION: virusscanexceptions

# If off, antivirus scanner will ignore DG exception sites and urls.

virusscanexceptions = on

# OPTION: urlcachecleanonly

# If off, url cache will contain entries of text only urls.

# Keeping it off, preserves original Dansguardian feature and

# downloaded content will be always scanned by antivirus.

# When turned on, urlcache will be loaded only with content

# found to be good and that is virus free.

# Thus, content of urls found in urlcache WILL NOT BE SCANNED AGAIN.

urlcachecleanonly = on

# OPTION: virusscannertimeout

# The maximum length of time the commercial virus scanner is allowed to run

# for 1 batch of messages (in seconds).

virusscannertimeout = 60

# OPTION: notify

# Sets who receives email notification when a virus is found.

# Users must be authenticated to be able to receive messages.

# Email address for users will be formed by the authentication name received by DG

# plus @emaildomain (see option below)

# 0 = disabled

# 1 = user only

# 2 = postmaster only

# 3 = postmaster and users (default)

notify = 3

# OPTION: emaildomain

# Set email domain to use when notifying users of an infected file.

# This is just the domain name part, after the @

emaildomain = 'fne.com'

# OPTION: postmaster

# Set email address of who to notify about any infections found.

# Should put your full domain name here too.

postmaster = 'bodonnell@fne.com'

# OPTION: emailserver

# Set the address and port of the Mail Server to send notifications through.

#

emailserver = 'mailmax1:25'

# OPTION: downloaddir

# Set where the files are downloaded to before they are scanned.

# Since version 6.4.2 it is strongly recommended to define a directory path

# TO BE USED ONLY BY DGAV.

# YOU WILL LOOSE FILES inside this directory path if it is used for any other purpose.

downloaddir = '/tmp/dgvirus'

# CLAMAV SETTINGS

# --------------------

# OPTION: clmaxfiles

# Set maximum number of files inside a compressed file

# default: 1500 files

clmaxfiles = 1500

# OPTION: clmaxreclevel

# Set maximum recursion level to perform scan on a compressed file

# that is inside a compressed file

# default: 3 levels

clmaxreclevel = 3

# OPTION: clmaxfilesize

# Set maximum file size of a file inside a compressed file

# default: 10485760 = 10 Mbytes

clmaxfilesize = 10485760

# OPTION: clblockencryptedarchives

# Treat encrypted compressed file as virus infected content.

# default: off

clblockencryptedarchives = off

# OPTION: cldetectbroken

# Activate improved detection of broken executable files.

# default: off

cldetectbroken = off

# CLAMDSCAN SETTINGS

# --------------------

# OPTION: clamdsocket

# Set the name of a local clamd socket (file)

# or the hostname:port of a remote clamd server

# default: '/tmp/clamd'

clamdsocket = '/var/run/clamav/clamd.sock'

# KASPERSKY 5 SETTINGS

# --------------------

# OPTION: avesocket

# Set name of the local socket file

# default: '/var/run/aveserver'

avesocket = '/var/run/aveserver'

# TROPHIE SETTINGS

# --------------------

# OPTION: trophiesocket

# Set name of the local socket file

# default: '/var/run/trophie'

trophiesocket = '/var/run/trophie'

# SOPHIE SETTINGS

# --------------------

# OPTION: sophiesocket

# Set name of the local socket file

# default: '/var/run/sophie'

sophiesocket = '/var/run/sophie'

# ICAP SETTINGS (experimental)

# ----------------------------

# OPTION: icapsocket

# Set hostname:port of the icap server

# default: 'localhost:1344'

icapsocket = 'localhost:1344'

# OPTION: icapservice

# Set the icap service to be used

# default: 'icap://localhost/avscan'

icapservice = 'icap://localhost/avscan'
```

And here's my clamd.conf:

```
##

## Example config file for the Clam AV daemon

## Please read the clamd.conf(5) manual before editing this file.

##

# Comment or remove the line below.

# Example

# Uncomment this option to enable logging.

# LogFile must be writable for the user running daemon.

# A full path is required.

# Default: disabled

LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against

# running clamd multiple times (if want to run another clamd, please

# copy the configuration file, change the LogFile variable, and run

# the daemon with --config-file option).

# This option disables log file locking.

# Default: disabled

#LogFileUnlock

# Maximal size of the log file.

# Value of 0 disables the limit.

# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)

# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size

# in bytes just don't use modifiers.

# Default: 1M

#LogFileMaxSize 2M

# Log time with each message.

# Default: disabled

LogTime

# Also log clean files. Useful in debugging but drastically increases the

# log size.

# Default: disabled

#LogClean

# Use system logger (can work together with LogFile).

# Default: disabled

#LogSyslog

# Specify the type of syslog messages - please refer to 'man syslog'

# for facility names.

# Default: LOG_LOCAL6

#LogFacility LOG_MAIL

# Enable verbose logging.

# Default: disabled

#LogVerbose

# This option allows you to save a process identifier of the listening

# daemon (main thread).

# Default: disabled

PidFile /var/run/clamav/clamd.pid

# Optional path to the global temporary directory.

# Default: system specific (usually /tmp or /var/tmp).

#TemporaryDirectory /var/tmp

# Path to the database directory.

# Default: hardcoded (depends on installation options)

#DatabaseDirectory /var/lib/clamav

# The daemon works in a local OR a network mode. Due to security reasons we

# recommend the local mode.

# Path to a local socket file the daemon will listen on.

# Default: disabled

LocalSocket /var/run/clamav/clamd.sock

# Remove stale socket after unclean shutdown.

# Default: disabled

FixStaleSocket

# TCP port address.

# Default: disabled

#TCPSocket 3310

# TCP address.

# By default we bind to INADDR_ANY, probably not wise.

# Enable the following to provide some degree of protection

# from the outside world.

# Default: disabled

#TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.

# Default: 15

#MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.

# If you are using clamav-milter to balance load between remote clamd daemons

# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.

# The value should match your MTA's limit for a maximal attachment size.

# Default: 10M

#StreamMaxLength 20M

# Limit port range.

# Default: 1024

#StreamMinPort 30000

# Default: 2048

#StreamMaxPort 32000

# Maximal number of threads running at the same time.

# Default: 10

#MaxThreads 20

# Waiting for data from a client socket will timeout after this time (seconds).

# Value of 0 disables the timeout.

# Default: 120

#ReadTimeout 300

# Waiting for a new job will timeout after this time (seconds).

# Default: 30

#IdleTimeout 60

# Maximal depth directories are scanned at.

# Default: 15

#MaxDirectoryRecursion 20

# Follow directory symlinks.

# Default: disabled

#FollowDirectorySymlinks

# Follow regular file symlinks.

# Default: disabled

#FollowFileSymlinks

# Perform internal sanity check (database integrity and freshness).

# Default: 1800 (30 min)

#SelfCheck 600

# Execute a command when virus is found. In the command string %v will

# be replaced by a virus name.

# Default: disabled

#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as a selected user (clamd must be started by root).

# Default: disabled

User clamav

# Initialize supplementary group access (clamd must be started by root).

# Default: disabled

#AllowSupplementaryGroups

# Stop daemon when libclamav reports out of memory condition.

#ExitOnOOM

# Don't fork into background.

# Default: disabled

#Foreground

# Enable debug messages in libclamav.

# Default: disabled

#Debug

# Do not remove temporary files (for debug purposes).

# Default: disabled

#LeaveTemporaryFiles

# By default clamd uses scan options recommended by libclamav. This option

# disables recommended options and allows you to enable selected ones below.

# DO NOT TOUCH IT unless you know what you are doing.

# Default: disabled

#DisableDefaultScanOptions

##

## Executable files

##

# PE stands for Portable Executable - it's an executable file format used

# in all 32-bit versions of Windows operating systems. This option allows

# ClamAV to perform a deeper analysis of executable files and it's also

# required for decompression of popular executable packers such as UPX, FSG,

# and Petite.

# Default: enabled

#ScanPE

# With this option clamav will try to detect broken executables and mark

# them as Broken.Executable

# Default: disabled

#DetectBrokenExecutables

##

## Documents

##

# This option enables scanning of Microsoft Office document macros.

# Default: enabled

#ScanOLE2

##

## Mail files

##

# Enable internal e-mail scanner.

# Default: enabled

#ScanMail

# If an email contains URLs ClamAV can download and scan them.

# WARNING: This option may open your system to a DoS attack.

#          Never use it on loaded servers.

# Default: disabled

#MailFollowURLs

##

## HTML

##

# Perform HTML normalisation and decryption of MS Script Encoder code.

# Default: enabled

#ScanHTML

##

## Archives

##

# ClamAV can scan within archives and compressed files.

# Default: enabled

#ScanArchive

# Due to license issues libclamav does not support RAR 3.0 archives (only the

# old 2.0 format is supported). Because some users report stability problems

# with unrarlib it's disabled by default and you must uncomment the directive

# below to enable RAR 2.0 support.

# Default: disabled

#ScanRAR

# The options below protect your system against Denial of Service attacks

# using archive bombs.

# Files in archives larger than this limit won't be scanned.

# Value of 0 disables the limit.

# Default: 10M

#ArchiveMaxFileSize 15M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR

# file, all files within it will also be scanned. This options specifies how

# deep the process should be continued.

# Value of 0 disables the limit.

# Default: 8

#ArchiveMaxRecursion 9

# Number of files to be scanned within an archive.

# Value of 0 disables the limit.

# Default: 1000

#ArchiveMaxFiles 1500

# If a file in an archive is compressed more than ArchiveMaxCompressionRatio

# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)

# Value of 0 disables the limit.

# Default: 250

#ArchiveMaxCompressionRatio 300

# Use slower but memory efficient decompression algorithm.

# only affects the bzip2 decompressor.

# Default: disabled

#ArchiveLimitMemoryUsage

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

# Default: disabled

#ArchiveBlockEncrypted

# Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit)

# if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is

# reached.

# Default: disabled

#ArchiveBlockMax

##

## Clamuko settings

## WARNING: This is experimental software. It is very likely it will hang

##          up your system!!!

##

# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.

# Default: disabled

#ClamukoScanOnAccess

# Set access mask for Clamuko.

# Default: disabled

#ClamukoScanOnOpen

#ClamukoScanOnClose

#ClamukoScanOnExec

# Set the include paths (all files in them will be scanned). You can have

# multiple ClamukoIncludePath directives but each directory must be added

# in a seperate line.

# Default: disabled

#ClamukoIncludePath /home

#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.

# Default: disabled

#ClamukoExcludePath /home/guru

# Don't scan files larger than ClamukoMaxFileSize

# Value of 0 disables the limit.

# Default: 5M

#ClamukoMaxFileSize 10M

```

Any help would be appreciated.

Thanks!Last edited by rev138 on Thu Dec 22, 2005 8:09 pm; edited 1 time in total

----------

## steveb

If I remember right, you need to run ClamAV in TCP/IP mode and not in socket mode. You need to change this section here:

```
# CLAMDSCAN SETTINGS 

 # -------------------- 

 # OPTION: clamdsocket 

 # Set the name of a local clamd socket (file) 

 # or the hostname:port of a remote clamd server 

 # default: '/tmp/clamd' 

 clamdsocket = '/var/run/clamav/clamd.sock'
```

cheers

SteveB[/quote]

----------

## rev138

I figured it out with a little tinkering.

Commenting out the line

```
#User clamav
```

in /etc/clamd.conf did the trick.

----------

## pjp

Moved from Other Things Gentoo

----------

## MSc

I got the same problem here, and modifying the clamd.conf also solved the issue. But ... I don't like the idea of clam running as root, so I started playing with user/group settings regarding the files and folders used by this solution - no luck so far.

Can one help in identifying the source for the 'Access denied' error?

The /var/log/dansguardian/access.log for access denied looks like:

```
...http://forums.gentoo.org/viewtopic-t-415386-highlight-dgav.html *SCANNED*  GET 47413

...http://forums.gentoo.org/templates/gentoo/gentoo.css *SCANNED*  GET 0

...http://forums.gentoo.org/templates/gentoo/images/header_01.jpg *SCANNED*  GET 0

...http://forums.gentoo.org/templates/gentoo/images/header_02.jpg *SCANNED*  GET 0

...http://forums.gentoo.org/templates/gentoo/images/lang_english/reply.gif *SCANNED*  GET 0

...http://forums.gentoo.org/images/ranks/rank_rect_3.gif *SCANNED*  GET 0

...http://forums.gentoo.org/images/forumpointer.gif *SCANNED*  GET 0

...http://forums.gentoo.org/images/avatars/115186396341f6ff26dd887.gif *SCANNED*  GET 0

...http://forums.gentoo.org/templates/gentoo/images/icon_minipost.gif *SCANNED*  GET 0

...http://forums.gentoo.org/templates/gentoo/images/lang_english/icon_quote.gif *SCANNED*  GET 0

...http://forums.gentoo.org/templates/gentoo/images/lang_english/icon_profile.gif *SCANNED*  GET 0

...http://forums.gentoo.org/templates/gentoo/images/lang_english/icon_pm.gif *SCANNED*  GET 0

...http://forums.gentoo.org/templates/gentoo/images/spacer.gif *SCANNED*  GET 0

...http://forums.gentoo.org/images/ranks/rank_rect_5_vet.gif *SCANNED*  GET 0

...http://forums.gentoo.org/images/avatars/1198140199438f3db8ee800.gif *SCANNED*  GET 0

...http://forums.gentoo.org/images/ranks/rank_rect_5_site_admin.gif *SCANNED*  GET 0

...http://forums.gentoo.org/images/avatars/1154772887439692d88303b.jpg *SCANNED*  GET 0

...http://forums.gentoo.org/templates/gentoo/formIE.css *SCANNED*  GET 0

...http://forums.gentoo.org/templates/gentoo/images/cellpic1.gif *SCANNED*  GET 0

...http://forums.gentoo.org/templates/gentoo/images/cellpic3.gif *SCANNED*  GET 0
```

The /var/log/dansguardian/access.log after changing the clamd user looks like:

```
...http://forums.gentoo.org/posting.php *SCANNED*  POST 55117

...http://forums.gentoo.org/posting.php?mode=topicreview&t=415386 *CACHED*  GET 27768

...http://forums.gentoo.org/posting.php *SCANNED*  POST 55163

...http://forums.gentoo.org/posting.php?mode=topicreview&t=415386 *CACHED*  GET 27768
```

No clear picture for me, but perhaps I'm just looking at the wrong place ...

----------

## kronoman

After doing some source-code-ferreting, I discovered that the issue is that dansguardian and clamd have to run as the same user (or clamd has to run as root, a FAR worse idea). I'm not entirely clear as to why, though. I tried making them run as the same group and making /tmp/dgvirus group-writable, I tried using setfacl to give user clamav rwx on /tmp/dgvirus, as well as user dansguardian, neither approach worked. The clamd socket is set 777, so I'm not sure what the permissions clash is. Even doing an strace of a running dansguardian and clamd didn't reveal anything.

This is probably a bug, or at least a design thinko, in the DGAV patch. Docs for dansguardian suggest running as 'nobody', but I don't do that since dansguardian writes some files, and nothing should ever be owned (or setfacl'd writeable by) nobody. Ideally, both dansguardian and clamd should be able to run as different users, but... Maybe I can eventually solve this with grsecurity.

----------

