  1. Moodle
  2. MDL-67990

Increase the Antivirus default chunk size (ClamAV)


    • MOODLE_39_STABLE

      TCP Socket test

      1. Run the clamav docker image in a new container

        docker run --name=clam --rm -p 3310:3310 mk0x/docker-clamav:alpine
        

      2. Wait a short while for it to state that it's ready
      3. Navigate to Site administration -> Plugins -> Antivirus plugins
      4. Enable ClamAV
      5. Open its settings
        1. Set the "Running method" to "TCP Socket"
        2. Set the hostname to 'localhost'
        3. Set the socket port to 3310
      6. Save changes
      7. Navigate to "Private files"
      8. Upload a file you happen to have handy nearby
        1. Confirm that it uploaded correctly
      9. Download one of the anti-virus test files from EICAR (https://www.eicar.org/?page_id=3950)
      10. Upload the eicar test file
        1. Confirm that you were shown a warning that the file contained a virus
      11. Stop the docker image

      Test antivirus in UNIX domain socket mode.

      1. Ensure that you have clamav installed. If it's not installed:

        sudo apt install clamav clamav-daemon clamav-freshclam
        

      2. Run freshclam and wait for it to finish:

        sudo freshclam
        

        Note: If you can't run freshclam because it's locked by another process, it's most likely running as a daemon, so no need to worry about this step.

      3. Add the "clamav" user to Apache's group (e.g. "www-data")

        sudo usermod -a -G www-data clamav
        

      4. Log out and log back in, or reboot your machine.
      5. Ensure that the clamav-daemon is running

        sudo systemctl status clamav-daemon.service
        

        If it's not running, start it manually

        sudo systemctl start clamav-daemon.service
        

      6. Check your clamd configuration file and find the LocalSocket setting and copy the value

        cat /etc/clamav/clamd.conf | grep LocalSocket
        

      7. Navigate to Site administration -> Plugins -> Antivirus plugins
      8. Enable ClamAV
      9. Open its settings
        1. Set the "Running method" to "Unix domain Socket"
        2. Set the "Unix domain socket" to the value that you copied
      10. Save changes
      11. Navigate to "Private files"
      12. Upload a file you happen to have handy nearby
        1. Confirm that it uploaded correctly
      13. Download one of the anti-virus test files from EICAR (https://www.eicar.org/?page_id=3950)
      14. Upload the eicar test file
        1. Confirm that you were shown a warning that the file contained a virus

      Back in MDL-50907, kabalin proposed a 1kb chunksize in lib/antivirus/clamav/scanner.php:

      /** Default socket data stream chunk size */
      define('ANTIVIRUS_CLAMAV_SOCKET_CHUNKSIZE', 1024);
      

      It turns out that for any reasonably large files, this will result in so many steps (1 million writes to the ClamAV socket for a 1Gb file) that the socket would die with a "fwrite(): send of \d bytes failed with errno=32 Broken pipe" error.

      For a somewhat reasonable memory consumption, I propose to raise this to 32Mb, statically.

      (Of course, it would be possible to make it configurable, but it's a lot more work.)
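The socket modes exercised in the test steps and the chunk-size effect described above both come down to clamd's INSTREAM framing. The following is an added Python sketch, not Moodle's PHP scanner code and not part of the original issue, that counts socket writes for a given chunk size. `fake_clamd`, `demo` and `MARKER` are hypothetical names, and the peer is a constructed in-process stand-in rather than the real daemon.

```python
import io
import socket
import struct
import threading

MARKER = b"CONSTRUCTED-MARKER"  # constructed stand-in for a test signature

def instream_scan(sock, stream, chunk_size):
    """Stream to clamd via INSTREAM; return (reply, chunks_written)."""
    sock.sendall(b"zINSTREAM\0")
    chunks = 0
    while data := stream.read(chunk_size):
        # Each chunk is a 4-byte big-endian length followed by the data.
        sock.sendall(struct.pack("!I", len(data)) + data)
        chunks += 1
    sock.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return reply.rstrip(b"\0").decode(), chunks

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-frame")
        buf += part
    return buf

def fake_clamd(sock):
    """Hypothetical in-process stand-in for clamd (not the real daemon)."""
    if _recv_exact(sock, 10) != b"zINSTREAM\0":
        raise ValueError("unexpected command")
    body = b""
    while (size := struct.unpack("!I", _recv_exact(sock, 4))[0]) != 0:
        body += _recv_exact(sock, size)
    verdict = b"stream: Constructed FOUND" if MARKER in body else b"stream: OK"
    sock.sendall(verdict + b"\0")

def demo(payload, chunk_size):
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_clamd, args=(server,), daemon=True)
    worker.start()
    with client, server:
        return instream_scan(client, io.BytesIO(payload), chunk_size)
```

To run `instream_scan` against the daemon from the test steps, pass it a socket connected to localhost:3310 or to the LocalSocket path instead of the socketpair. clamd also enforces `StreamMaxLength` from clamd.conf and closes the connection when a stream exceeds it, so large-file tests need that limit raised as well.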

            odyx Didier Raboud
            Ruslan Kabalin Ruslan Kabalin
            Andrew Lyons Andrew Lyons
            Janelle Barcega Janelle Barcega