Log filling up incessantly by clamonacc #514

@PauloSRodrigues

Describe the bug

Users can upload files to a clamonacc-protected directory; the files are copied to another machine and then moved to an archive folder that is not under clamonacc protection.
Clam, however, incessantly logs warnings about those "missing" files:
Mon Mar 21 10:39:04 2022 -> WARNING: File path check failure for: /tomcat/ficheiros/PES/2022/LNZON7O7YU/image0.jpg
Mon Mar 21 10:39:04 2022 -> WARNING: File path check failure on: /tomcat/ficheiros/PES/2022/LNZON7O7YU/image0.jpg
Mon Mar 21 10:39:04 2022 -> WARNING: File path check failure for: /tomcat/ficheiros/PES/2022/LNZON7O7YU/image0.jpg
Mon Mar 21 10:39:04 2022 -> WARNING: File path check failure on: /tomcat/ficheiros/PES/2022/LNZON7O7YU/image0.jpg
Mon Mar 21 10:39:04 2022 -> WARNING: File path check failure for: /tomcat/ficheiros/PES/2022/LNZON7O7YU/image0.jpg
Mon Mar 21 10:39:04 2022 -> WARNING: File path check failure on: /tomcat/ficheiros/PES/2022/LNZON7O7YU/image0.jpg
rapidly filling up the disk with scan.log files.

Typically it's the same filename logged over and over.

How to reproduce the problem

Cannot reproduce on another machine.

Checking configuration files in /etc

Config file: clamd.d/scan.conf

AlertExceedsMax = "yes"
LogFile = "/var/log/clamd/scan.log"
LogTime = "yes"
ExtendedDetectionInfo = "yes"
PidFile = "/run/clamd.scan/clamd.pid"
LocalSocket = "/run/clamd.scan/clamd.sock"
SelfCheck = "86400"
DisableCache = "yes"
VirusEvent = "/usr/local/sbin/virusdetected.sh "%v" "%f""
ExitOnOOM = "yes"
HeuristicScanPrecedence = "yes"
AlertBrokenExecutables = "yes"
AlertBrokenMedia = "yes"
AlertEncrypted = "yes"
AlertEncryptedArchive = "yes"
AlertEncryptedDoc = "yes"
AlertOLE2Macros = "yes"
AlertPhishingSSLMismatch = "yes"
AlertPhishingCloak = "yes"
OnAccessIncludePath = "/tomcat/ficheiros/PES"
OnAccessExcludeRootUID = "yes"
OnAccessMaxFileSize = "10485760"
OnAccessExtraScanning = "yes"
OnAccessRetryAttempts = "3"

Config file: freshclam.conf

DatabaseMirror = "database.clamav.net"

mail/clamav-milter.conf not found

Software settings

Version: 0.103.5
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information

Database directory: /var/lib/clamav
[3rd Party] rfxn.ndb: 2039 sigs
[3rd Party] rfxn.hdb: 12946 sigs
[3rd Party] whitelist.fp: 3081 sigs
[3rd Party] interserver256.hdb: 28576 sigs
[3rd Party] interservertopline.db: 1139 sigs
bytecode.cvd: version 333, sigs: 92, built on Mon Mar 8 15:21:51 2021
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 13:32:42 2021
daily.cld: version 26488, sigs: 1976522, built on Mon Mar 21 08:28:19 2022
Total number of signatures: 8671822

Platform information

uname: Linux 3.10.0-1062.9.1.el7.x86_64 #1 SMP Thu Dec 5 14:56:20 PST 2019 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.7 (1.2.7), compile flags: a9
platform id: 0x0a217e7e0800000002040805

Build information

GNU C: 4.8.5 20150623 (Red Hat 4.8.5-44.0.3) (4.8.5)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic
LDFLAGS: -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed -lprelude
Configure: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-milter' '--disable-clamav' '--disable-static' '--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' '--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' '--disable-silent-rules' '--enable-clamdtop' '--enable-prelude' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 126, dconf: 126
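
To measure a flood like the one reported above, the sketch below groups the "File path check failure" warnings by path and shows how often each path repeats. It is an added example, not part of the original report or of ClamAV; the names `summarize`, `LINE_RE` and `SAMPLE_LOG` are hypothetical, and the sample lines are constructed in the log format shown in the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format from the report (LogTime = "yes").
# The second path is a made-up placeholder, not taken from the issue.
SAMPLE_LOG = """\
Mon Mar 21 10:39:04 2022 -> WARNING: File path check failure for: /tomcat/ficheiros/PES/2022/LNZON7O7YU/image0.jpg
Mon Mar 21 10:39:04 2022 -> WARNING: File path check failure on: /tomcat/ficheiros/PES/2022/LNZON7O7YU/image0.jpg
Mon Mar 21 10:39:05 2022 -> WARNING: File path check failure for: /tomcat/ficheiros/PES/2022/LNZON7O7YU/image0.jpg
Mon Mar 21 10:39:05 2022 -> WARNING: File path check failure on: /tomcat/ficheiros/PES/2022/LNZON7O7YU/image0.jpg
Mon Mar 21 10:39:06 2022 -> WARNING: File path check failure for: /tomcat/ficheiros/PES/2022/EXAMPLE/doc.pdf
Mon Mar 21 10:39:06 2022 -> SelfCheck: Database status OK.
"""

# The LogTime prefix is ctime-style: "Mon Mar 21 10:39:04 2022 -> ".
# The "for:" and "on:" variants of the warning are counted together.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) -> "
    r"WARNING: File path check failure (?:for|on): (?P<path>.+)$"
)


def summarize(lines):
    """Group path-check warnings by file path, noisiest path first."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        entry = stats[m["path"]]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return sorted(stats.items(), key=lambda kv: kv[1]["count"], reverse=True)


if __name__ == "__main__":
    for path, s in summarize(SAMPLE_LOG.splitlines()):
        # Inclusive span in seconds, so a single-second burst divides by 1.
        span = (s["last"] - s["first"]).total_seconds() + 1
        print(f"{s['count']:6d}  {s['count'] / span:8.1f}/s  {path}")
```

On a live system, pass an open handle on the `LogFile` path from the configuration above (`/var/log/clamd/scan.log`) to `summarize` instead of the sample.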
