Tags: linux, ubuntu, ubuntu-server, clamav

Strange Behavior with clamd scan function


I have a simple python3 script running on Ubuntu Server 20.04 that tries to call the clamd (clamav-daemon process) library to scan a file. The ping() and version() functions both work correctly. However, when I actually do a test write and scan, I get the following error:

{'/filedrop/test.doc': ('ERROR', "Can't open file or directory")}

This is the code that I used for the test write and scan; it is all the standard sample from the clamd website:

import clamd
cd = clamd.ClamdUnixSocket()  # client for clamav-daemon's local socket, as in the python-clamd sample
open('/filedrop/test.doc','wb').write(clamd.EICAR)
print(cd.scan('/filedrop/test.doc'))

After the code runs, I get the following string in the test file, which indicates that the python3 script was able to write the file successfully, yet I keep getting the error that the file can't be opened when I use the clamd scan function.

This is the string that was written to the file:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

I am also able to run clamscan from the command line on the folder, and it successfully scans the files as well.

I'm running as the root user while the service runs as clamav:clamav. I did give read/write permission on the folder and the files to "other users", as also indicated by the fact that the file could be written by the Python script.


Solution

  • I believe the solution to the problem here is that AppArmor is blocking clamd for that particular directory. I would look at the AppArmor profile for clamd. It should be called something like /etc/apparmor.d/clamav or similar. You can adjust that profile or alternatively disable it (according to Ubuntu):

    sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
    sudo apparmor_parser -R /etc/apparmor.d/profile.name
    

    More complete instructions available here: https://help.ubuntu.com/community/AppArmor

    You can also disable AppArmor, for the purposes of testing (I don't like to advise anyone to remove security features permanently), with:

    sudo systemctl stop apparmor
    sudo systemctl disable apparmor
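As an added example that is not part of the question or the answer: a small Python check that looks at the file from the daemon's side of the socket. python-clamd's scan() only sends the path, and clamd itself opens the file as the clamav account, so the check walks the path with that account's uid/gid the way the kernel would and, if classic permissions would already allow the open, points at the AppArmor profile as the next thing to inspect. The "clamav" account name and the "Can't open file or directory" string come from the page; the (status, detail) result tuples follow python-clamd's return shape; uid 0 is treated as bypassing permission bits, which ignores capability-dropped daemons.

```python
import os
import pwd
import stat


def daemon_identity(user="clamav"):  # clamav-daemon runs as clamav:clamav on Ubuntu (from the question)
    """uid and primary gid of the daemon account (KeyError if the account does not exist)."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, {pw.pw_gid}


def _permits(st, uid, gids, ubit, gbit, obit):
    """Classic owner/group/other bit check on one stat result (uid 0 is assumed to bypass DAC)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)


def path_readable_by(path, uid, gids):
    """Could `uid` open the file for reading? Every directory on the way needs search (x)
    permission and the file itself needs read (r); that is how clamd's own open() is judged."""
    parts = os.path.abspath(path).split(os.sep)[1:]
    cur = os.sep
    for i, part in enumerate(parts):
        cur = os.path.join(cur, part)
        if not os.path.lexists(cur):
            return False, f"{cur} does not exist"
        st, last = os.stat(cur), i == len(parts) - 1
        bits = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH) if last else (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
        if not _permits(st, uid, gids, *bits):
            return False, f"uid {uid} lacks {'read' if last else 'search (x)'} on {cur} (mode {oct(st.st_mode & 0o777)})"
    return True, "classic permissions allow the open"


def diagnose(result, uid, gids):
    """Classify a python-clamd scan() result, e.g. {path: ('ERROR', "Can't open file or directory")}."""
    out = {}
    for path, (status, detail) in result.items():
        if status == "OK":
            out[path] = "clean"
        elif status == "FOUND":
            out[path] = f"found {detail}"
        elif status == "ERROR" and detail.startswith("Can't open"):
            ok, why = path_readable_by(path, uid, gids)
            # DAC would let the daemon open it, so a MAC layer (AppArmor on Ubuntu) is the next suspect.
            out[path] = "check the AppArmor profile for clamd" if ok else f"permissions: {why}"
        else:
            out[path] = f"error: {detail}"
    return out
```

It only stat()s the path, so it can run as any user; pass the result dict straight from cd.scan() together with daemon_identity().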