Monday, September 14, 2015

ClamAV 0.99b2 On-Access Scanning - Now With 3D!!!

With ClamAV’s second 0.99 beta release comes a revamp of the on-access scanner for Linux. This is the first major update to on-access scanning following the move to fanotify from Dazuko back in the 0.98 release. A quick overview of features and updates can be found in the table below.


[Table image: on-access-table.png, overview of on-access scanning features and updates in 0.99b2]


The meatiest updates for 0.99 on-access scanning are the recursive directory watching and dynamic watchpoint determination features. Collectively these features make up 0.99’s new dynamic directory determination system (ddd or 3D for short), which allows users to recursively watch any directory and track it for changes, updating fanotify watchpoints on the fly. 


In previous versions, the on-access scanner would watch only immediate children of the specified directory, and recursive monitoring could only be accomplished with custom scripts or manually specified clamd.conf entries. This limitation was partially due to fanotify’s inability to recognize the creation of a subdirectory within a watched parent directory. As a result, potentially malicious files could be freely created and executed one level beneath the parent directory, leaving the on-access scanner none the wiser. What’s more, even if the on-access scanner caught a malicious file, it would fail to stop that file from being executed, read, or opened.


Now, the latest version of on-access scanning has recursive watching on any directory built in by default. Additionally, we leverage inotify (a kernel-provided API commonly used to help keep track of filesystem changes) to update fanotify watchpoints as changes occur to all watched directories and their subdirectories. But most critically of all, fanotify will correctly prevent read, open, and execute attempts for any virus found within the watched hierarchy.


Touching on the 3D system for a moment, it’s important to note that special care has been taken to ensure the new feature operates both quickly and efficiently. While there’s still room for improvement, the 3D system manages to preserve ClamAV’s tradition of speedy scanning. To put that into more tangible terms, it’s capable of processing watchpoint updates at a rough rate of 18,000 directories per second. Keep in mind, these metrics were gathered on a VM with decidedly modest hardware, so YMMV.


Of course, being able to watch thousands upon thousands of directories at all necessitates dealing with inotify’s default limitations on active watchpoints. Typically, inotify limits users to setting watchpoints on a maximum of 8192 directories. The actual value can be located via /proc/sys/fs/inotify/max_user_watches. If you plan on pointing the on-access scanner at a directory with more than 8192 subdirectories, you’ll need to temporarily update this value as follows:


$ sysctl fs.inotify.max_user_watches=<n>


Where <n> should be replaced with your new max watch limit. If a more permanent solution is necessary, you can pipe an echo command with the new watch limit into tee and directly modify the max_user_watches entry under /proc. This would look something like:


$ echo <n> | sudo tee -a /proc/sys/fs/inotify/max_user_watches


As previously mentioned, this beta release also features changes to how fanotify handles infected files. Previous versions did not leverage fanotify’s ability to block access events. We’ve tweaked things such that fanotify now prevents any infected files from being read or opened, while allowing operations on clean files to continue unimpeded. Obviously, this may be problematic in an environment with one or more false positives; thus the final 0.99 release will allow users to configure the granularity of this feature via clamd.conf.
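To make the two mechanisms concrete, the recursive watching described earlier and the open-blocking described in this paragraph, here is a minimal C sketch added for this post (it is not ClamAV's code): fanotify marks a directory for FAN_OPEN_PERM events, inotify reports new subdirectories (which fanotify alone cannot see) so each one is marked on the fly, and opens of files the stand-in scanner flags are answered with FAN_DENY. The MARKER signature, the 4 KiB sample, and the fail-open choice for unreadable files are assumptions for illustration; running it needs Linux and CAP_SYS_ADMIN, and pre-existing subdirectories would still need an initial tree walk.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
#include <sys/inotify.h>
#define MARKER "CONSTRUCTED-TEST-MARKER" /* constructed stand-in for a real signature */
static char dirs[1024][4096];           /* inotify watch descriptor -> directory path */
/* Verdict for the fd carried by a fanotify event: deny if the first 4 KiB contain MARKER (the
   stand-in scan). The kernel opens that fd with FMODE_NONOTIFY, so reading it causes no event. */
unsigned verdict_for_fd(int fd) {
    char buf[4096];
    ssize_t n = pread(fd, buf, sizeof buf, 0);  /* unreadable file -> allowed (fail-open) */
    return (n > 0 && memmem(buf, (size_t)n, MARKER, strlen(MARKER))) ? FAN_DENY : FAN_ALLOW;
}
static void watch_dir(int fan, int ino, const char *path) { /* mark + watch one directory */
    fanotify_mark(fan, FAN_MARK_ADD, FAN_OPEN_PERM, AT_FDCWD, path);
    int wd = inotify_add_watch(ino, path, IN_CREATE | IN_ONLYDIR); /* subdir creation only */
    if (wd >= 0 && wd < 1024) snprintf(dirs[wd], sizeof dirs[wd], "%s", path);
}
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s DIR\n", argv[0]); return 2; }
    int fan = fanotify_init(FAN_CLASS_CONTENT, O_RDONLY), ino = inotify_init1(IN_CLOEXEC);
    if (fan < 0 || ino < 0) { perror("init (needs CAP_SYS_ADMIN)"); return 1; }
    watch_dir(fan, ino, argv[1]);       /* pre-existing subdirs would be added with nftw() */
    struct pollfd pfd[2] = {{fan, POLLIN, 0}, {ino, POLLIN, 0}};
    char ev[8192], path[4096];
    while (poll(pfd, 2, -1) >= 0) {
        if (pfd[0].revents & POLLIN) {  /* a process is trying to open a watched file */
            ssize_t len = read(fan, ev, sizeof ev);
            for (struct fanotify_event_metadata *m = (void *)ev; FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
                struct fanotify_response r = { m->fd, verdict_for_fd(m->fd) };
                if (write(fan, &r, sizeof r) < 0) perror("response"); /* FAN_DENY: open() fails */
                close(m->fd);
            }
        }
        if (pfd[1].revents & POLLIN) {  /* a subdirectory appeared: extend the watch on the fly */
            for (ssize_t off = 0, len = read(ino, ev, sizeof ev); off < len; ) {
                struct inotify_event *e = (void *)(ev + off);
                off += sizeof *e + e->len;
                if (!(e->mask & IN_ISDIR) || (unsigned)e->wd >= 1024) continue;
                snprintf(path, sizeof path, "%s/%s", dirs[e->wd], e->name);
                watch_dir(fan, ino, path);
            }
        }
    }
    return 1;                           /* poll() failed */
}
```

Run it as root against a scratch directory, then create a subdirectory and a file containing the marker inside it: the open of that file fails, while files without the marker open normally.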

Along these same lines, those not keen on using the new 3D system will be able to toggle it off in the final release. Doing so will have the on-access scanner fall back to setting non-recursive watchpoints. However, this beta is focused on testing the new 3D system alongside the fanotify blocking features. So for now, on-access scanning will be using the 3D system exclusively. Luckily, the configuration options for these new features are unchanged from the previous release, meaning your current clamd.conf file shouldn’t need updating, so you might as well give it a try and let us know what you think!