Re: [Dazuko-help] Dazuko doesn't fire in cron job?
From: Kevin Keane
Subject: Re: [Dazuko-help] Dazuko doesn't fire in cron job?
Date: Mon, 26 Jan 2009 01:20:22 -0800
User-agent: Thunderbird 2.0.0.19 (Windows/20081209)

Thank you so much - that helped, my script now works as intended! One
oddity remains (it really doesn't make a difference for me, but might
indicate that Dazuko or ClamAV work differently from specified).
John Ogness wrote:
> On 2009-01-25, Kevin Keane <address@hidden> wrote:
>> I've got an odd problem: I set up Clamuko to monitor some shared
>> directories on my server. Then I created a script to verify that
>> Clamuko works.
>>
>> This script works fine when invoked from the command line (as
>> root). When running the exact same identical script from a cron job
>> (also as root), it fails.
>>
>> The script simply writes the eicar.com test virus to a protected
>> location, and then tries to delete it again. Dazuko/ClamAV should of
>> course prevent that from happening.
>
> No, Dazuko/ClamAV would not prevent that. Neither creating the file
> nor deleting it involves "accessing" the contents.

That surprises me a little, since I'm writing the exact 68 bytes to a
file, so I am accessing - creating - the content. BTW, I did configure
Clamuko to check on both open and close:
ClamukoScanOnOpen yes
ClamukoScanOnClose yes
OnOpen obviously couldn't catch the virus, but I would have thought that
the OnClose would catch the virus.
But ok, I believe you on that since it agrees with my observation.

>> From the command line, I can create the eicar.com virus file (not
>> sure why, but I can live with that), but get an "Access denied"
>> error when trying to delete it - which is as expected.
>
> You should not be getting an "Access denied" message. The access is
> not being denied by Dazuko/ClamAV.

Sorry, I gave you the wrong message. The actual message is "Operation
not permitted".
When I stop the clamd daemon, deleting the file succeeds, so I'm fairly
confident that it is indeed Dazuko that fires, and ClamAV that prevents
the deletion.
I do have to agree with you that it is a bit odd, since, as you said, rm
really shouldn't access the content.

>> From a cron job, creating the virus works, but deleting the file
>> also succeeds.
>
> This is correct behavior.
>
>> Any suggestions what I may be doing wrong?
>
> Your test script should do the following:
>
> 1. copy the eicar.com file to a test directory
> 2. access the contents (cat /test/dir/eicar.com > /dev/null)
> 3. delete eicar.com

Thanks for that suggestion! That indeed is a major improvement, and it
fixed my specific problem.

> From the above, only step 2 will fail if Dazuko/ClamAV are active.

See above - step 2 and 3 both fail. Interestingly, now it seems that
step 3 also fails in the cron script. Odd.
In any case - for my purposes, it really doesn't matter much if deleting
eicar.com succeeds or not, so - thank you very much!
Last minute update: I think the fog is lifting. rm -f DOES succeed.
Maybe rm opens the file first for some reason. Maybe to test whether the
file is in use.
Interesting...
--
Kevin Keane
Owner
The NetTech
Find the Uncommon: Expert Solutions for a Network You Never Have to Think About
Office: 866-642-7116
http://www.4nettech.com
This e-mail and attachments, if any, may contain confidential and/or
proprietary information. Please be advised that the unauthorized use or
disclosure of the information is strictly prohibited. The information herein is
intended only for use by the intended recipient(s) named above. If you have
received this transmission in error, please notify the sender immediately and
permanently delete the e-mail and any copies, printouts or attachments thereof.
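
The three-step test suggested in the thread, written so it can run unattended from cron and report through its exit status. This is an added example, not part of the original message; the script name, the probe file name and the exit codes are assumptions.

```sh
#!/bin/sh
# On-access scanner self-test: copy a test file in, read it, delete it.
# Usage (hypothetical script name): onaccess-selftest.sh /path/to/eicar.com /watched/dir
# The source file must live outside any monitored directory.

# check_onaccess SRC DIR
#   returns 0  the read was denied (the scanner intercepted the access)
#           1  the read succeeded (nothing intercepted it)
#           2  setup failed (missing source, missing directory, copy failed)
check_onaccess() {
    src=$1
    dir=$2
    probe="$dir/onaccess-selftest.$$"   # constructed probe name

    [ -f "$src" ] && [ -d "$dir" ] || return 2

    # Step 1: copy the test file into the monitored directory.
    cp "$src" "$probe" 2>/dev/null || return 2

    # Step 2: access the contents. This is the step an on-access scanner
    # is expected to refuse.
    if cat "$probe" >/dev/null 2>&1; then
        result=1
    else
        result=0
    fi

    # Step 3: delete the probe. The thread reports rm -f succeeding where
    # plain rm returned "Operation not permitted".
    rm -f "$probe" 2>/dev/null
    if [ -e "$probe" ]; then
        echo "warning: could not remove $probe" >&2
    fi
    return "$result"
}

# Run only when called with both arguments, e.g. from a crontab entry.
if [ "$#" -eq 2 ]; then
    # cron supplies a minimal environment, so set PATH explicitly.
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    rc=0
    check_onaccess "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: read of the test file in $2 was denied" ;;
        1) echo "FAIL: test file in $2 was readable" >&2 ;;
        *) echo "ERROR: could not place $1 in $2" >&2 ;;
    esac
    exit "$rc"
fi
```

Because a non-zero exit and the stderr output both reach cron, a failed check shows up in the cron mail without extra plumbing.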