Elsewhere, I've seen that AppArmor or SELinux can cause problems for clamdscan.
If you run sudo aa-complain clamd and the re-scan works, that's probably your issue. (Be sure to re-enable it with sudo aa-enforce clamd.)
To temporarily disable SELinux, which I haven't run on Ubuntu, you can try echo 0 > /selinux/enforce. We can follow up with that if you're running SELinux.
update: Here's a very interesting thread from launchpad: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/450250 .
I would follow Jamie Strandboge's comments there to eliminate AppArmor profiles as the culprit.
If these aren't applicable the hack that springs to mind is piping a directory to standard output via tar, and feeding that into clamdscan (which is a variation on what you've mentioned for a single file). I think that would look something like:
tar -cvf - /somedirectory | clamdscan -
You should be able to get the most recent packaged version of clamav from the Ubuntu Clamav team from their PPA: https://launchpad.net/~ubuntu-clamav/+archive/ppa
Also, from the ClamAV site: "If you are going to submit a bug report, always check it against the latest development code." (Assuming you haven't already done this.) You'll have to pull that code manually from their Git repository and compile it.
For bug reporting on the Ubuntu packages, please see http://askubuntu.com...how-do-i-report-a-bug.
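A small diagnostic script that applies the checks from this answer, added here as an example rather than taken from the thread or from ClamAV: it parses aa-status output to report which mode the clamd profile is in, and wraps the tar-to-stdin fallback with the archive written to stdout. It assumes the Ubuntu profile name /usr/sbin/clamd and the aa-status layout shown in the constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports the AppArmor mode of a
# profile so you can tell whether clamd is confined (enforce), logging only
# (complain), or has no loaded profile, before reaching for aa-complain.

# Constructed aa-status output so the parser can be exercised offline.
# On a real system the second argument is omitted and aa-status is run.
SAMPLE_AA_STATUS='apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/clamd
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /usr/bin/freshclam
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/clamd (1234)
   /usr/sbin/cupsd (987)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# apparmor_mode PROFILE [STATUS_TEXT]: prints enforce, complain or none.
# PROFILE is the path aa-status lists (assumed /usr/sbin/clamd for clamd).
apparmor_mode() {
  path=$1
  status=${2:-"$(aa-status 2>/dev/null || true)"}
  printf '%s\n' "$status" | awk -v p="$path" '
    /profiles are in enforce mode/  { mode = "enforce"; next }
    /profiles are in complain mode/ { mode = "complain"; next }
    /processes/                     { mode = "" }   # leave the profile lists
    mode != "" && $1 == p           { print mode; found = 1; exit }
    END { if (!found) print "none" }'
}

# scan_dir_stream DIR: the tar fallback from the answer. "-f -" sends the
# archive to stdout, and "-" makes clamdscan read it from its stdin.
scan_dir_stream() {
  tar -cf - "$1" | clamdscan -
}

# Run against the constructed output; a live check drops the 2nd argument.
apparmor_mode /usr/sbin/clamd "$SAMPLE_AA_STATUS"   # prints: enforce
```

If the result is enforce and a scan that fails under enforcement succeeds after aa-complain, the profile is the culprit and the denials will show up in the kernel log rather than in clamdscan's own output.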
=======
One thing to note is that, as far as I can tell, it is clamscan and not clamdscan which is supposed to just work unproblematically in your home directory.
Ubuntu presents some possible complication (with the very desirable security increase) by having apparmor turned on by default.
(clamdscan requires the clamav daemon to be running -- clamscan, more of an ad-hoc user-oriented package, does not. With the additional features of clamdscan/clamd, there is added complexity overhead.)
Yet, against that, the bug for clamdscan and apparmor mentioned in the bug from this post should have been corrected by the time of the current package.
Updated: attempts to reproduce and resolve
I don't think I can completely reproduce your environment or control for user error (definitely mine and possibly yours), however I've reproduced what I think is the same issue under the same version of clamav you have.
Additionally, I've downloaded the latest code from the git repository, compiled and installed it, and still have the issue.
I don't have SELinux, but I do have AppArmor. Have I correctly accounted for that? I'm not 100%. I still get the permission denied errors after turning off AppArmor though.
=======
PUA means "Potentially Unwanted Application", so it's a fairly low priority alert anyway.
The rest of the definition suggests it has found a Windows binary format that is compressed in such a way that makes introspection difficult for antivirus applications. That makes it invaluable for malware authors because they can keep changing the signature on their malware to evade detection.
In this case, I think it's just symptomatic of how Mono is built and ClamAV being over-suspicious. I ran a copy of my mscorelib.dlls through VirusTotal and it came back clean. I suggest you do the same.
If this really is malware and I quarantine and remove these files would I break anything?
It'd break Mono but if it is infected, that wouldn't be awful. You'd just want to reinstall the Mono packages.
Best Answer
Although rare, Linux malware & viruses do exist. The strict layered structure of Linux makes it however less vulnerable, but not immune. It can also not be excluded that you make a mistake, and authorize a malicious piece of software to do harmful things.
In practice however, you will mainly use a virus scanner to protect your Windows partners. ClamAV does scan for Windows viruses as well.