Elsewhere, I've seen that AppArmor or SELinux can cause problems for clamdscan.
If you run sudo aa-complain clamd and the re-scan works, that's probably your issue. (Be sure to re-enable it with sudo aa-enforce clamd.)
To temporarily disable SELinux, which I haven't run on Ubuntu, you can try:
echo 0 > /selinux/enforce
We can follow up with that if you're running SELinux.
Update: Here's a very interesting thread from Launchpad: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/450250
I would follow Jamie Strandboge's comments there to eliminate AppArmor profiles as the culprit.
If these aren't applicable, the hack that springs to mind is piping a directory to standard output via tar and feeding that into clamdscan (which is a variation on what you've mentioned for a single file). I think that would look something like:
tar -cf - /somedirectory | clamdscan -
You should be able to get the most recent packaged version of ClamAV from the Ubuntu ClamAV team from their PPA: https://launchpad.net/~ubuntu-clamav/+archive/ppa
Also, from the ClamAV site: "If you are going to submit a bug report, always check it against the latest development code." (Assuming you haven't already done this.) You'll have to pull that code manually from their Git repository and compile it.
For bug reporting on the Ubuntu packages, please see http://askubuntu.com...how-do-i-report-a-bug
=======
One thing to note is that, as far as I can tell, it is clamscan and not clamdscan which is supposed to just work unproblematically in your home directory.
Ubuntu presents some possible complication (with the very desirable security increase) by having apparmor turned on by default.
(clamdscan requires the clamav daemon to be running -- clamscan, more of an ad-hoc user-oriented package, does not. With the additional features of clamdscan/clamd, there is added complexity overhead.)
Yet, against that, the bug for clamdscan and AppArmor mentioned in the bug from this post should have been corrected by the time of the current package.
Updated: attempts to reproduce and resolve
I don't think I can completely reproduce your environment or control for user error (definitely mine and possibly yours), however I've reproduced what I think is the same issue under the same version of clamav you have.
Additionally, I've downloaded the latest code from the git repository, compiled and installed it, and still have the issue.
I don't have SELinux, but I do have AppArmor. Have I correctly accounted for that? I'm not 100%. I still get the permission denied errors after turning off AppArmor though.
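Both answers above suspect AppArmor but test it only by switching modes; the kernel log records each denial directly. The following is an added example, not part of either answer, that filters audit lines for denials against the clamd profile. The log lines are constructed, and the profile name /usr/sbin/clamd and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of kernel audit lines (not taken from the thread).
sample_log() {
cat <<'EOF'
Mar  1 10:00:01 host kernel: audit: type=1400 audit(1300000001.100:21): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/home/alice/docs/report.pdf" pid=2201 comm="clamd" requested_mask="r" denied_mask="r" fsuid=110 ouid=1000
Mar  1 10:00:01 host kernel: audit: type=1400 audit(1300000001.200:22): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/home/alice/docs/notes.txt" pid=2201 comm="clamd" requested_mask="r" denied_mask="r" fsuid=110 ouid=1000
Mar  1 10:00:05 host kernel: audit: type=1400 audit(1300000005.000:23): apparmor="ALLOWED" operation="open" profile="/usr/sbin/clamd" name="/home/alice/docs/a.txt" pid=2201 comm="clamd" requested_mask="r" denied_mask="r" fsuid=110 ouid=1000
Mar  1 10:00:09 host kernel: audit: type=1400 audit(1300000009.000:24): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/foo" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Read log lines on stdin; print "denied_mask path" for every AppArmor
# DENIED event whose profile name ends in "clamd". ALLOWED events
# (complain mode) and other profiles are ignored.
clamd_denials() {
    grep 'apparmor="DENIED"' | grep -E 'profile="[^"]*clamd"' |
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\2 \1/p'
}

# Summarise denials per parent directory, most frequent first, so it is
# clear which rule the profile is missing.
clamd_denied_dirs() {
    clamd_denials |
    awk '{ p = $2; sub("/[^/]*$", "", p); n[p]++ }
         END { for (d in n) print n[d], d }' |
    sort -rn
}

# Exit status 0 if AppArmor denied clamd anything, 1 otherwise.
apparmor_blocks_clamd() {
    [ -n "$(clamd_denials)" ]
}

# Demo on the constructed sample: prints "2 /home/alice/docs".
sample_log | clamd_denied_dirs
```

On a live system, pipe `dmesg` or /var/log/kern.log into `clamd_denied_dirs` instead of the sample. If nothing is reported while the permission-denied errors persist, the cause lies outside AppArmor.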
=======
- "PUA" means "Potential Unwanted Application"
- "Html" means a webpage
And it ends there. You should have far more notices; otherwise this is a false positive. This (Dutch) shows:
PUA.Win.Tool.Packed-177
PUA.Html.Trojan.Agent-37075
PUA.Win.Trojan.Xored-1
... pointing to Windows. What else do you see with that line containing 37075?
Example of a clear malware problem in the browser ...
PUA.Phishing.Bank Found
That shows a site that is considered a phishing site.
I would ditch clamav for linux though. 99% are false positives. You are better off using firefox with noscript, ad aware and flashblock.
Best Answer
clamdscan is configured in /etc/clamav/clamd.conf. It allows faster scans by using parallelization with --multiscan, which uses more resources, of course.