1.2.1-1: clamonacc: Getting "ERROR: ClamInotif: could not add element to hash table for /home/.../.cache/mozilla/firefox/....default-release/safebrowsing-backup" #1245

Open
stephengtuggy opened this issue Apr 16, 2024 · 5 comments

Comments

@stephengtuggy

Describe the bug

clamonacc (ClamAV On Access Scanner) reports an error trying to add one specific path to ClamAV's internal hashtable(s). The file/folder path in question is /home/user/.cache/mozilla/firefox/cnibxy8n.default-release/safebrowsing-backup on my system.

(This error was also reported as one of the errors listed in #1178.)

I think this is a temporary folder that Firefox renames safebrowsing to while downloading/refreshing the Safe Browsing list from Google. This temporary folder only seems to exist momentarily, which may be why ClamAV reports the error it does. By the time it tries to add this (backup) folder to its internal data structures, the folder doesn't even exist anymore.

I tried excluding this path using ExcludePath and OnAccessExcludePath in clamd.conf. Didn't work. Is this because I was using the wrong path syntax in these rules? Is it correct to put a ^ before the initial slash, to indicate the very start of the path value?

For the moment, I have worked around this issue by setting OnAccessIncludePath to a much narrower scope: one particular subdirectory of my home directory. Specifically, /home/user/Tresorit/. I don't consider this ideal, however, for the obvious reason that lots of virus infections could be missed elsewhere on my system, if this is the only folder I am scanning.

How to reproduce the problem

  1. Install Firefox on a Manjaro Linux system. (Probably any Linux system will work, really.)
  2. Install ClamAV using the clamav package from pamac, the Manjaro package manager.
  3. Edit /etc/clamav/clamd.conf to enable ClamAV's On Access file scanning, including only one folder, /home/<your user name>/.
  4. (Optional?) Add several ExcludePath and OnAccessExcludePath entries for the same set of paths, as follows:
ExcludePath ^/dev/
ExcludePath ^/run/
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/home/user/.cache/mozilla/firefox/cnibxy8n.default-release/safebrowsing-backup
ExcludePath ^/home/user/Downloads/*.part
ExcludePath ^/home/user/Downloads/*.gz.part
ExcludePath ^/home/user/Downloads/lightspd*/
ExcludePath ^/home/user/Downloads/snortrules-snapshot-*.tar.gz
ExcludePath ^/home/user/Downloads/Talos_LightSPD/
ExcludePath ^/home/user/Downloads/Talos_LightSPD.tar.gz
ExcludePath ^/home/user/TresoritDrive/
ExcludePath ^/home/user/.zhistory
OnAccessExcludePath ^/dev/
OnAccessExcludePath ^/run/
OnAccessExcludePath ^/proc/
OnAccessExcludePath ^/sys/
OnAccessExcludePath ^/home/user/.cache/mozilla/firefox/cnibxy8n.default-release/safebrowsing-backup
OnAccessExcludePath ^/home/user/Downloads/*.part
OnAccessExcludePath ^/home/user/Downloads/*.gz.part
OnAccessExcludePath ^/home/user/Downloads/lightspd**/
OnAccessExcludePath ^/home/user/Downloads/snortrules-snapshot-*.tar.gz
OnAccessExcludePath ^/home/user/Downloads/Talos_LightSPD/
OnAccessExcludePath ^/home/user/Downloads/Talos_LightSPD.tar.gz
OnAccessExcludePath ^/home/user/TresoritDrive/
OnAccessExcludePath ^/home/user/.zhistory
  5. Run freshclam once from the command line, to initialize the virus signature databases, and allow future, automated freshclam runs to complete successfully.
  6. Enable and start the ClamAV systemd services and timers, using commands such as:
sudo systemctl enable --now clamav-freshclam-once.timer
sudo systemctl enable --now clamav-freshclam-once.service
sudo systemctl enable --now clamav-daemon.service
sudo systemctl enable --now clamav-daemon.LocalSocket
sudo systemctl enable --now clamav-clamonacc.service
  7. Check the status of each service using sudo systemctl status <name of service or unit>. Check for errors in the output of these commands, or in the system journal output viewable using tools such as journalctl.

Output from clamconf -n:
Checking configuration files in /etc/clamav

Config file: clamd.conf

LogFile = "/var/log/clamav/clamd.log"
LogTime = "yes"
LogSyslog = "yes"
ExtendedDetectionInfo = "yes"
PidFile = "/run/clamav/clamd.pid"
TemporaryDirectory = "/tmp"
LocalSocket = "/run/clamav/clamd.ctl"
ExcludePath = "/dev/", "/run/", "/proc/", "/sys/", "/home/user/.cache/mozilla/firefox/cnibxy8n.default-release/safebrowsing-backup", "/home/user/Downloads/*.part", "/home/user/Downloads/*.gz.part", "/home/user/Downloads/lightspd*/", "/home/user/Downloads/snortrules-snapshot-*.tar.gz", "/home/user/Downloads/Talos_LightSPD/", "/home/user/Downloads/Talos_LightSPD.tar.gz", "/home/user/Tresorit/", "/home/user/TresoritDrive/", "/home/user/.zhistory"
CrossFilesystems disabled
VirusEvent = "/usr/bin/notify-send -u critical "VIRUS ALERT: %v in %f""
ExitOnOOM = "yes"
User = "clamav"
DetectPUA = "yes"
IncludePUA = "Spy"
HeuristicScanPrecedence = "yes"
AlertBrokenExecutables = "yes"
AlertBrokenMedia = "yes"
MaxScanTime = "300000"
OnAccessIncludePath = "/home/user/Tresorit/"
OnAccessExcludePath = "/dev/", "/run/", "/proc/", "/sys/", "/home/user/.cache/mozilla/firefox/cnibxy8n.default-release/safebrowsing-backup", "/home/user/Downloads/*.part", "/home/user/Downloads/*.gz.part", "/home/user/Downloads/lightspd**/", "/home/user/Downloads/snortrules-snapshot-*.tar.gz", "/home/user/Downloads/Talos_LightSPD/", "/home/user/Downloads/Talos_LightSPD.tar.gz", "/home/user/TresoritDrive/", "/home/user/.zhistory"
OnAccessExcludeRootUID = "yes"
OnAccessExcludeUname = "clamav"
OnAccessMaxFileSize = "1048576000"
OnAccessPrevention = "yes"

Config file: freshclam.conf

PidFile = "/run/clamav/freshclam.pid"
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseMirror = "database.clamav.net"

Config file: clamav-milter.conf

LogFile = "/var/log/clamav/clamav-milter.log"
LogTime = "yes"
PidFile = "/run/clamav/clamav-milter.pid"
TemporaryDirectory = "/tmp"
User = "clamav"

Software settings

Version: 1.2.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR

Database information

Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 05:32:42 2021
bytecode.cvd: version 335, sigs: 86, built on Tue Feb 27 07:37:24 2024
daily.cld: version 27246, sigs: 2059292, built on Mon Apr 15 01:24:36 2024
Total number of signatures: 8706805

Platform information

uname: Linux 6.8.5-1-MANJARO #1 SMP PREEMPT_DYNAMIC Wed Apr 10 20:15:45 UTC 2024 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
Full OS version: "Manjaro Linux"
WARNING: zlib version mismatch: 1.3 (1.3.1)
zlib version: 1.3 (1.3.1), compile flags: a9
platform id: 0x0a21bfbf08000000000d0201

Build information

GNU C: 13.2.1 20230801 (13.2.1)
sizeof(void*) = 8
Engine flevel: 191, dconf: 191

Attachments

If applicable, add screenshots to help explain your problem.

If the issue is reproducible only when scanning a specific file, attach it to the ticket.
N/A

@brebell

brebell commented Apr 17, 2024

Unlike the older ExcludePath option, the OnAccessExcludePath feature is, unfortunately, not a regex. So the ^ character will not work in the OnAccessExcludePath option. It would be nice to change this in the future, particularly if someone from the community is interested in working on it.

Please let me know if this helps you solve the problem.

@stephengtuggy
Author

@brebell Thanks for the information. That is helpful. I will let you know if I find that it fixes my issue.

@stephengtuggy
Author

So I tried changing the path syntax I was using for the OnAccessExcludePath clauses. I was still having a ton of trouble with on-access scanning though. And implementing these changes didn't seem to help, unfortunately.

I think I may need to run without on-access scanning for a while. Or narrow the scope of what I'm including in scans, instead of trying to exclude files and folders so much.

Thanks again for the help, @brebell.

@brebell

brebell commented Apr 22, 2024

The trailing / may be an issue in the filenames as well.
For ExcludePath, if you want to use wildcard you have to use .*, not * because it is a regex.
For OnAccessExcludePath, it does not use a regex or evaluate * globs, so unfortunately you can't use either.
You may want to try the following:

ExcludePath ^/dev
ExcludePath ^/run
ExcludePath ^/proc
ExcludePath ^/sys
ExcludePath ^/home/user/.cache/mozilla/firefox/cnibxy8n\.default-release/safebrowsing-backup
ExcludePath ^/home/user/Downloads/.*\.part
ExcludePath ^/home/user/Downloads/.*\.gz.part
ExcludePath ^/home/user/Downloads/lightspd.*
ExcludePath ^/home/user/Downloads/snortrules-snapshot-.*\.tar\.gz
ExcludePath ^/home/user/Downloads/Talos_LightSPD
ExcludePath ^/home/user/Downloads/Talos_LightSPD\.tar\.gz
ExcludePath ^/home/user/TresoritDrive
ExcludePath ^/home/user/\.zhistory
OnAccessExcludePath /dev
OnAccessExcludePath /run
OnAccessExcludePath /proc
OnAccessExcludePath /sys
OnAccessExcludePath /home/user/.cache/mozilla/firefox/cnibxy8n.default-release/safebrowsing-backup
OnAccessExcludePath /home/user/Downloads/Talos_LightSPD
OnAccessExcludePath /home/user/Downloads/Talos_LightSPD.tar.gz
OnAccessExcludePath /home/user/TresoritDrive
OnAccessExcludePath /home/user/.zhistory  

See if this works, but you may not be able to exclude as much as you had wanted.
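
An added example (not code from the ClamAV project or from either participant in this thread): a small linter for the two exclusion options discussed above, plus a check of what the glob-style ExcludePath pattern from the original report matches when it is read as a regex. Python's `re` stands in for ClamAV's regex matcher and the sample entries and paths are constructed; both are assumptions.

```python
import re

# Constructed sample: entries in the style of the two configurations quoted in the thread.
SAMPLE_CONF = r"""ExcludePath ^/home/user/Downloads/*.part
ExcludePath ^/home/user/Downloads/.*\.part
OnAccessExcludePath ^/home/user/Downloads/*.part
OnAccessExcludePath /home/user/TresoritDrive/
OnAccessExcludePath /home/user/TresoritDrive
"""

# A '*' that does not follow '.', ')', ']' or a backslash is almost certainly a shell glob.
GLOB_STAR = re.compile(r"(?<![.\\)\]])\*")


def lint(conf_text):
    """Return [(line_no, option, [warnings])] for every exclusion entry."""
    results = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split(None, 1)
        if len(fields) != 2 or fields[0] not in ("ExcludePath", "OnAccessExcludePath"):
            continue
        option, value = fields[0], fields[1].strip()
        warnings = []
        if option == "ExcludePath":
            # Regex option: 'x*' means "zero or more x", not "anything".
            if GLOB_STAR.search(value):
                warnings.append("glob-style '*'; a regex wildcard is '.*'")
        else:
            # Per the thread: not a regex, and '*' globs are not evaluated.
            if value.startswith("^"):
                warnings.append("'^' does not work here")
            if "*" in value:
                warnings.append("'*' is not evaluated")
            if len(value) > 1 and value.endswith("/"):
                warnings.append("trailing '/' may be an issue")
        results.append((line_no, option, warnings))
    return results


def regex_excludes(pattern, path):
    """Assumption: ExcludePath behaves like an unanchored regex search;
    Python's re stands in for ClamAV's matcher on these simple patterns."""
    return re.search(pattern, path) is not None


if __name__ == "__main__":
    for line_no, option, warnings in lint(SAMPLE_CONF):
        print(line_no, option, warnings or "ok")
    glob_style, fixed = r"^/home/user/Downloads/*.part", r"^/home/user/Downloads/.*\.part"
    for path in ("/home/user/Downloads/file.iso.part", "/home/user/Downloads/apartment.pdf"):
        print(path, regex_excludes(glob_style, path), regex_excludes(fixed, path))
```

Read as a regex, the glob-style pattern misses `file.iso.part` yet excludes `apartment.pdf`, so a mis-written exclusion can both fail to quiet the scanner and open a gap in scan coverage.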

@stephengtuggy
Author

OK, trying those changes now. Thanks.
