Koozali.org: home of the SME Server

Dansguardian problem with contentscanner clamav

uli334
Dansguardian problem with contentscanner clamav
« on: June 16, 2016, 03:08:38 PM »
Hello,

I've installed dansguardian on "SME 9.1 i386" following the wiki (https://wiki.contribs.org/Dansguardian).
Then activated "ClamAV support" exactly as described.

Then, if I use HTTPS (i.e. "https://www.google.de/") in Firefox on a connected workstation, I can reach that site.

But if I try to reach a site with HTTP (i.e. "http://pro-linux.de/"), the site is blocked with the reason "/tmp/tfMY2JuE: Access denied. ERROR" in the browser.

In "/var/log/messages" you can see:
"ClamD error: /tmp/tfMY2JuE: Access denied. ERROR"
"dansguardian[12337]: scanFile/Memory returned error: -1"

Has anybody installed dansguardian on SME 9.1 as I did? I use it on a couple of SME 8.2 servers without any problem...

Greetings,
Uli
« Last Edit: June 23, 2016, 06:21:52 AM by uli334 »

uli334
Re: Dansguardian problem with contentscanner clamav
« Reply #1 on: June 17, 2016, 04:39:52 AM »
I've looked in post https://forums.contribs.org/index.php?topic=42736.0 and changed to "clamdudsfile = '/var/run/clamav/clamd.socket'" in "clamdscan.conf". This results in the error: "Error connecting to ClamD socket" in the browser.

Jean-Philippe Pialasse
Re: Dansguardian problem with contentscanner clamav
« Reply #2 on: June 17, 2016, 05:37:29 AM »
Code:
clamdudsfile = '/var/clamav/clamd.socket'

is the correct value you should have.

Just posted the link (on your other topic) in case, so you can go back.

Then what I suspect more is a problem on the side of clamd.

I suggest you take a look at the following and report any warnings:

/var/log/messages
/var/log/clamd/current

Also, the output of the following commands could help:
Code:
# config show clamd
# /sbin/e-smith/audittools/newrpms
# /sbin/e-smith/audittools/templates


Jean-Philippe Pialasse
Re: Dansguardian problem with contentscanner clamav
« Reply #3 on: June 17, 2016, 05:57:33 AM »
In "/var/log/messages" you can see:
"ClamD error: /tmp/tfMY2JuE: Access denied. ERROR"
"dansguardian[12337]: scanFile/Memory returned error: -1"

Last thought:
the access denied error (maybe you will have more on this in the log file of clamav) could indicate that the temp file created by dansguardian is owned by user and group dansguardian:dansguardian, with no read access to the file for other groups.

If this is the problem, one workaround could be:
usermod -a -G dansguardian clamav

Maybe your settings on SME 8 gave a higher file-size allowance for in-memory scanning, avoiding having to scan a temp file.

uli334
Re: Dansguardian problem with contentscanner clamav
« Reply #4 on: June 18, 2016, 01:36:40 PM »
Hello,

Tried "usermod -a -G dansguardian clamav", restarted dansguardian and loaded an HTTP site in the browser:

Result in "/var/log/messages":
 ClamD error: /tmp/tfV5M7Ab: Access denied. ERROR
Jun 18 13:26:37 <servername> dansguardian[14962]: scanFile/Memory returned error: -1
Jun 18 13:26:39 <servername> dansguardian[14964]: ClamD error: /tmp/tfd5v1pQ: Access denied. ERROR
Jun 18 13:26:39 <servername> dansguardian[14964]: scanFile/Memory returned error: -1
Jun 18 13:26:41 <servername> dansguardian[14966]: ClamD error: /tmp/tfce0ZEt: Access denied. ERROR
Jun 18 13:26:41 <servername> dansguardian[14966]: scanFile/Memory returned error: -1                                                     
Jun 18 13:26:45 <servername> dansguardian[14967]: ClamD error: /tmp/tfd9CtcU: Access denied. ERROR           

In "/var/log/clamd/current":
@400000005765300222622984 Access denied: /tmp/tfUXDO2o
@40000000576530312fc79334 Access denied: /tmp/tfZwlFjo

----------

Commands and output:
- config show clamd:
"clamd=service
    MemLimit=1400000000
    status=enabled"

----------

- /sbin/e-smith/audittools/newrpms
dansguardian.i386                 2.10.1.1-1.el6.sme  @smecontribs             
hddtemp.i686                      0.3-0.20.beta15.el6 @smecontribs             
perl-rrdtool.i686                 1.4.7-1.el6.rfx     @smecontribs             
rrdtool.i686                      1.4.7-1.el6.rfx     @smecontribs             
smeserver-crontab_manager.noarch  2.4-3.el6.sme       @smecontribs             
smeserver-dansguardian.noarch     2.10-1.el6.sme      @smecontribs             
smeserver-diskusage.noarch        0.2.0-2.el6.sme     @smecontribs             
smeserver-lazy_admin_tools.noarch 1.1-4.el6.sme       @smecontribs             
smeserver-sme9admin.noarch        1.5-15.el6.sme      @smecontribs             
unrar.i686                        5.0.3-1.el6.rf      @/unrar-5.0.3-1.el6.rf.i686

----------

- /sbin/e-smith/audittools/templates
/etc/e-smith/templates-custom/etc/squid/squid.conf/05refreshpattern: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/smb.conf/11logonScript: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/home/e-smith/ssl.crt: MANUALLY_ADDED, OVERRIDE

----------

mmccarn
Re: Dansguardian problem with contentscanner clamav
« Reply #5 on: June 18, 2016, 07:22:52 PM »
I did this to get dansguardian to use clamav:

1) install dansguardian according to the wiki
Code:
yum --enablerepo=smecontribs install smeserver-dansguardian

2) enable clamav according to the wiki
edit /etc/dansguardian/dansguardian.conf and uncomment following line:
  contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'

at the end of the file, add following lines:

  # OPTION: virusscanexceptions
  # If off, antivirus scanner will ignore exception sites and urls.
  virusscanexceptions = on


edit /etc/dansguardian/contentscanners/clamdscan.conf and uncomment
  clamdudsfile = '/var/run/clamav/clamd.socket'



3. Correct settings for SME 9
I believe that the path to clamd.socket changed with SME 9 (the Dansguardian wiki page was last edited in 2009...).  I don't know if the two processes (dansguardian and clamav) have always needed to run as the same user, or if this is also new since 2009.

3a. The path to clamd.socket must match the path given in /etc/clamd.conf
edit /etc/dansguardian/contentscanners/clamdscan.conf and set clamdudsfile to:
  clamdudsfile = '/var/clamav/clamd.socket'


3b. Dansguardian and Clamav must run as the same user for clamav scanning to work.  Set Dansguardian to run as 'clamav' as follows:
edit /etc/dansguardian/dansguardian.conf , uncomment 'daemonuser' and 'daemongroup', and set 'daemonuser' to 'clamav':
  daemonuser = 'clamav'
  daemongroup = 'dansguardian'


3c. Correct the ownership problems you'll run into if you change the dansguardian daemonuser:
  chown clamav /var/log/dansguardian/access.log
  'rm' -rf /tmp/.dguardianipc
  'rm' -rf /tmp/.dguardianurlipc



4. Restart dansguardian and test
/etc/init.d/dansguardian restart


That's it -- the dansguardian log now reports "*SCANNED*" instead of "*INFECTED* *DENIED*"
« Last Edit: June 18, 2016, 07:41:20 PM by mmccarn »
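
A way to check the two conditions from steps 3a and 3b before restarting, shown as an added example that is not part of the original post or of the contrib. The file names under the temporary directory and the helper names `conf_value`, `check_scanner_link` and `write_samples` are assumptions made for the illustration; the sample configs are constructed, using `LocalSocket` and `User` from clamd.conf and the DansGuardian keys quoted in the thread.

```shell
#!/bin/sh
# Added example: cross-check clamd and DansGuardian settings (constructed data).

# conf_value FILE KEY: value of the last uncommented "key = 'v'" or "Key v" line.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*=|^[ \t]+/) next   # skip LocalSocketGroup etc.
            sub(/^[ \t]*=?[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest)
            val = rest
        }
        END { print val }' "$1" | tr -d "'\""
}

# check_scanner_link CLAMD_CONF CLAMDSCAN_CONF DG_CONF: one finding per line,
# exit status 1 if the socket path or the daemon user do not match.
check_scanner_link() {
    sock=$(conf_value "$1" LocalSocket); user=$(conf_value "$1" User)
    dg_sock=$(conf_value "$2" clamdudsfile); dg_user=$(conf_value "$3" daemonuser)
    rc=0
    if [ "$dg_sock" = "$sock" ]; then echo "OK socket $sock"
    else echo "MISMATCH socket dansguardian=$dg_sock clamd=$sock"; rc=1; fi
    if [ "$dg_user" = "$user" ]; then echo "OK user $user"
    else echo "MISMATCH user dansguardian=${dg_user:-<default>} clamd=$user"; rc=1; fi
    return $rc
}

# Constructed sample files: "wiki" = state after step 2, "sme9" = after step 3.
write_samples() {
    printf '%s\n' 'LocalSocket /var/clamav/clamd.socket' \
        'LocalSocketGroup clamav' 'User clamav' > "$1/clamd.conf"
    printf '%s\n' "clamdudsfile = '/var/run/clamav/clamd.socket'" > "$1/clamdscan.wiki.conf"
    printf '%s\n' "#clamdudsfile = '/var/run/clamav/clamd.socket'" \
        "clamdudsfile = '/var/clamav/clamd.socket'" > "$1/clamdscan.sme9.conf"
    printf '%s\n' "#daemonuser = 'nobody'" > "$1/dansguardian.wiki.conf"
    printf '%s\n' "daemonuser = 'clamav'" "daemongroup = 'dansguardian'" > "$1/dansguardian.sme9.conf"
}

d=$(mktemp -d)
write_samples "$d"
check_scanner_link "$d/clamd.conf" "$d/clamdscan.wiki.conf" "$d/dansguardian.wiki.conf" || true
check_scanner_link "$d/clamd.conf" "$d/clamdscan.sme9.conf" "$d/dansguardian.sme9.conf"
rm -rf "$d"
```

On a server the three arguments would be /etc/clamd.conf, /etc/dansguardian/contentscanners/clamdscan.conf and /etc/dansguardian/dansguardian.conf, the paths named in the post.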

uli334
Re: Dansguardian problem with contentscanner clamav
« Reply #6 on: June 19, 2016, 01:36:01 PM »
Hello mmccarn, hello Jean-Philippe,

the last post did it! Online scanning now works, I tested it with some EICAR files.
Thank you for your help! The corrections should appear in the wiki, how can this be done?

Best regards, Uli

mmccarn
Re: Dansguardian problem with contentscanner clamav
« Reply #7 on: June 19, 2016, 02:59:06 PM »
Added to the wiki:
https://wiki.contribs.org/Dansguardian#ClamAV_.26_Dansguardian_on_SME_9.2B

If there is a maintainer for the contrib that should probably be updated, too...

Jean-Philippe Pialasse
Re: Dansguardian problem with contentscanner clamav
« Reply #8 on: June 20, 2016, 07:13:06 PM »
If there is a maintainer for the contrib that should probably be updated, too...
He (myself) will ;)

Thanks for the debugging.

uli334
Re: Dansguardian problem with contentscanner clamav
« Reply #9 on: June 23, 2016, 06:23:30 AM »
Hello, here's something that still attracted my attention.

I'll close this here soon, but one detail showed up yesterday: dansguardian, running as "clamav:dansguardian", closed and archived the first "access.log" and then didn't succeed in creating a new one. As a consequence of this, dansguardian stopped.

I think the reason was that the rights set on the directory "/var/log/dansguardian/" were still "dansguardian:dansguardian" and "755". I changed them now to "clamav:dansguardian" and "775". I'll close this here when dansguardian successfully archives the next "access.log" and creates a new one...

Greetings, Uli

Jean-Philippe Pialasse
Re: Dansguardian problem with contentscanner clamav
« Reply #10 on: June 23, 2016, 07:45:19 AM »
Actually I am planning on patching this by removing group and user dansguardian and running dansguardian as clamav:clamav. I will provide all the migration fragments so it will be transparent for users.

Thanks for reporting this element.

uli334
Re: Dansguardian problem with contentscanner clamav
« Reply #11 on: July 20, 2016, 06:27:17 AM »
Hello, and sorry, I've been on holiday for three weeks...

It's really so that, after changing the rights of "/var/log/dansguardian/" as described, dansguardian doesn't succeed in creating a new "access.log". As a consequence of this it stops working.
I can work around it from week to week by creating the "access.log" by hand.

Actually it looks like this in "/var/log/dansguardian/":

-rw-rw-r-- 1 clamav dansguardian   132532 20. Jul 02:43 access.log.1.gz
-rw-rw-r-- 1 clamav dansguardian 39852709 26. Jun 03:20 access.log-20160626
-rw-rw-r-- 1 clamav dansguardian   424917  3. Jul 03:21 access.log-20160703
-rw-rw-r-- 1 clamav dansguardian  1972026 19. Jul 03:47 access.log-20160719
-rw-rw-r-- 1 clamav dansguardian    30388  6. Jul 03:01 access.log.3.gz
-rw-rw-r-- 1 clamav dansguardian   917036 29. Jun 03:21 access.log.4.gz

It seems that dansguardian creates new logfiles, not with the correct name, but with the date in the name.
For a while it works with this, but at some point it stops...

Now I rename "access.log-20160719" to "access.log" and restart dansguardian.

Patching it would be nice, thanks Jean-Philippe.

Uli
« Last Edit: July 20, 2016, 06:33:22 AM by uli334 »

timn
Re: Dansguardian problem with contentscanner clamav
« Reply #12 on: October 09, 2016, 05:34:12 PM »
Hi
Just done a new server install and installed the latest dansguardian.

Had the same problem with the log file, after following the post above and the wiki to set up content scanning with clamav.

When access.log rotates, dansguardian can't create a new one. Restarting dansguardian gives a failure message that it is running as user clamav and can't create the access.log.

I changed the ownership of all files in the /var/log/dansguardian directory to clamav:dansguardian.

Changing the ownership of the /var/log/dansguardian directory itself resolved the problem. Access.log created and dansguardian restarted OK
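
The directory-ownership point from the last posts, as an added example that is not part of the thread: creating a new access.log needs write and search permission on the directory itself, not on the old files in it. The helper names `can_create` and `check_dir` are assumptions; the owner, group and mode values are the ones quoted in the thread, and ACLs and SELinux are not considered.

```shell
#!/bin/sh
# Added example: can the DansGuardian daemon user create a file in the log directory?

# can_create DIR_OWNER DIR_GROUP DIR_MODE USER [USER_GROUPS...]
# Prints "yes" or "no" using classic Unix permission rules: the owner class is
# used if USER owns the directory, else the group class if USER is in the
# directory's group, else the "other" class. Creating a file needs w and x.
can_create() {
    owner=$1; group=$2; mode=$3; user=$4; shift 4
    if [ "$user" = root ]; then echo yes; return 0; fi
    if [ "$user" = "$owner" ]; then
        bits=$(( (0$mode >> 6) & 7 ))
    else
        bits=$(( 0$mode & 7 ))
        for g in "$@"; do
            if [ "$g" = "$group" ]; then bits=$(( (0$mode >> 3) & 7 )); fi
        done
    fi
    if [ $(( bits & 3 )) -eq 3 ]; then echo yes; else echo no; fi
}

# check_dir DIR USER: same decision for a real directory (GNU stat and id).
check_dir() {
    set -- "$1" "$2" $(stat -c '%U %G %a' "$1")
    can_create "$3" "$4" "$5" "$2" $(id -Gn "$2")
}

# Values from the thread: daemon runs as clamav with group dansguardian.
echo "dansguardian:dansguardian 755 -> $(can_create dansguardian dansguardian 755 clamav dansguardian)"
echo "clamav:dansguardian 775       -> $(can_create clamav dansguardian 775 clamav dansguardian)"
```

On the server itself, `check_dir /var/log/dansguardian clamav` applies the same rule to the live directory.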