Troubleshooting_ClamAV

Allan Cunliffe

If any virus scanner errors are displayed during the Quarantine stage of DPR processing, close DPR and check the following:

  • all folders and sub-folders containing the files in the DPR Quarantine job have at least 755 permissions
  • all files in the DPR Quarantine job are readable by the group and others
  • clamd.conf and freshclam.conf have been modified according to the instructions in [Installing_ClamAV].

Apparmor

Apparmor can stop the ClamAV daemon from starting. To confirm that Apparmor is the cause, check kern.log (at /var/log/kern.log) for an entry similar to the following:

Sep 22 19:28:36 boris kernel: [ 4951.586024] type=1503 audit(1253611716.946:13): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=112 name="/home/al/Documents/" pid=6974 profile="/usr/sbin/clamd"

The presence of audit(....) confirms that Apparmor is the problem.
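
To see what the clamd profile was denied without reading kern.log by eye, the following added example (not part of the original wiki page) counts Apparmor denials per operation and path. It assumes the key="value" log format shown above; the function names and every sample line except the first are constructed.

```shell
#!/bin/sh
# Added example: summarise Apparmor denials logged against one profile.
# Assumption: entries use the key="value" format shown on this page.

# clamd_denials [PROFILE] < LOG
# Prints "<count> <operation> <denied_mask> <path>", most frequent first.
clamd_denials() {
    profile=${1:-/usr/sbin/clamd}
    awk -v want="$profile" '
        # Return the value of key="value" on the current line, or "" if absent.
        function field(key,    line, s) {
            line = " " $0
            if (!match(line, " " key "=\"[^\"]*\"")) return ""
            s = substr(line, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s)    # drop everything up to the opening quote
            sub(/"$/, "", s)         # drop the closing quote
            return s
        }
        # Only audit records that carry a denied_mask are denials.
        /audit\(/ && /denied_mask=/ {
            if (field("profile") != want) next
            key = field("operation") " " field("denied_mask") " " field("name")
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample: the entry from this page, a repeat of it, a denial
# for an unrelated profile, and an ordinary kernel message.
sample_kern_log() {
    cat <<'EOF'
Sep 22 19:28:36 boris kernel: [ 4951.586024] type=1503 audit(1253611716.946:13): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=112 name="/home/al/Documents/" pid=6974 profile="/usr/sbin/clamd"
Sep 22 19:28:37 boris kernel: [ 4952.100000] type=1503 audit(1253611717.100:14): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=112 name="/home/al/Documents/" pid=6974 profile="/usr/sbin/clamd"
Sep 22 19:28:40 boris kernel: [ 4955.000000] type=1503 audit(1253611720.000:15): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=7 name="/srv/data/" pid=7001 profile="/usr/sbin/cupsd"
Sep 22 19:28:41 boris kernel: [ 4956.000000] usb 1-1: new high speed USB device
EOF
}

# Demo on the constructed sample.
sample_kern_log | clamd_denials
```

On a live system, feed it the real log instead: `clamd_denials < /var/log/kern.log`.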

If Apparmor is the problem, do one of the following:

1. Disable Apparmor:

sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove
sudo /etc/init.d/clamav-daemon restart

OR

2. Set Apparmor to complain mode (where /path/to/bin is the path to the clamd binary, typically /usr/sbin/clamd):

sudo aa-complain /path/to/bin

For more information about troubleshooting Apparmor, see: Debugging Apparmor.

SELinux

Security-Enhanced Linux (SELinux) is similar to Apparmor. To allow ClamAV to work properly, you can set the Current Enforcing Mode to Permissive.

Be aware that by disabling SELinux you will be removing a security mechanism on your system. For more information on SELinux, see Unofficial SELinux FAQ.

Configuration files

The ClamAV config files are located in:

/etc/clamd.d/

Log files

The location of the ClamAV log file is specified in the ClamAV configuration file. It is usually located in:

/var/log/

Related

Wiki: Installing_ClamAV
Wiki: Main_Page
