Opened 3 months ago

Last modified 3 months ago

#70558 assigned enhancement

clamav should notify user when a file has been quarantined, esp. for on-access scan

Reported by: bernstei
Owned by: essandess (Steve Smith)
Priority: Normal
Milestone:
Component: ports
Version:
Keywords:
Cc:
Port: clamav-server

Description

clamav-server sets things up very nicely, but there's one thing that's apparently missing, and that's user notifications from anything except on-demand scans. /opt/local/bin/ClamavScanIt.sh uses osascript to notify the user when something is found. It would be very helpful if this also happened for on demand scans, which as far as I can tell it does not (and scheduled as well, which I assume have the same issue).

If it's supposed to happen, then maybe there's just a bug. If it is not, it would be great to add that feature. I've thought about how to do this, and the only approach I've found is for a VirusEvent to write to a file someplace, and then to create a LaunchAgent, which has access to the GUI, that monitors for the files created by the VirusEvent and turns them into notifications (using the same mechanism as ClamavScanIt.sh). This seems a bit cumbersome, so if anyone has any cleaner ideas, that'd be even better.

macports 2.10.0, macOS 14.5, clamav 1.3.1, clamav-server 1.2.1 (default variants)

Change History (6)

comment:1 Changed 3 months ago by jmroot (Joshua Root)

Owner: set to danielluke
Port: clamav added
Status: new → assigned

comment:2 Changed 3 months ago by danielluke (Daniel J. Luke)

Owner: changed from danielluke to essandess
Port: clamav-server added; clamav removed

comment:3 Changed 3 months ago by essandess (Steve Smith)

The port clamav-server (which is simply a configuration and command wrapper for the clamav port) is configured so that quarantined files for both scheduled and on-access scans are reported in the clamav log files.

User notifications for on-demand scans do exist using the osascript command (link to code below).

I agree that it would be great to have user notifications, but I’ve never investigated a good macOS way to accomplish this from a shell script running as root under a launchctl daemon. The osascript approach sort-of works, but I suspect isn’t necessarily robust.

If someone can recommend a decent (and tested) bash-based approach to produce macOS notifications from root to all users it would be straightforward to add these to the bash code that’s already used to drive clamav-server.

https://github.com/macports/macports-ports/blob/d1737e7fd5d65a58cb28c2d877cfb2bee95166f5/sysutils/clamav-server/files/ClamavScanIt.sh#L75

comment:4 Changed 3 months ago by bernstei

I tried to add a VirusEvent-based osascript call, and it didn't work. I assumed that was because the osascript needs to run as the logged-in user, rather than as root. A LaunchAgent could monitor the logs and fire off osascript calls, the way the on-demand scan script does. That might or might not be easy to do robustly (in particular checking that it's only reporting on new quarantines), but the other issue is that normal users don't have access (by default) to the scheduled scan log - only the on-demand log.

I suppose I will check if the root process fired off by the VirusEvent can run an osascript if it uses sudo (to the console user) to do it.

comment:5 Changed 3 months ago by bernstei

It works if I'm logged in as an admin user and use sudo, but from a VirusEvent I get "osascript[56302:1027516] NSNotificationCenter connection invalid", so no luck.

comment:6 Changed 3 months ago by bernstei

I've investigated various ways of doing monitoring of the quarantine, some of which might have been nice to include with this port, some independent. I do finally have code that will pop up notifications if any files are added to the Quarantine directory. In the process, I explored using a LaunchAgent, Automator workflow, and Folder Action Scripts.

My preference was for LaunchAgent, since that could be installed system-wide by macports (in /Library/LaunchAgents), and it works OK for what it is, but cannot get any information on what file was changed, and so has to parse the log (from scratch) each time, and presumably keep some sort of state so it doesn't duplicate notifications. The other two options need to be installed by the user (copy some sort of script/workflow into a particular directory under ~/Library, and configure which directory they're monitoring, i.e. /opt/Quarantine).

The Automator action is _supposed_ to get the changed files as an input, but if coded as a separate application launched by Automator, which is the only way to make the notifications controllable distinctly from other Automator actions, it doesn't actually get this info, so has the same log parsing issues, so no advantage over a LaunchAgent.

Folder Action Scripts is the nicest because it actually gets activated with info about which file was quarantined, so it's easy to parse the log for info on that file, but it always labels the notifications as coming from Script Editor, so they cannot be controlled separately. If I used a plain dialog window instead of proper notifications, I could label them however I want, but then they'd just show up as random dialogs.

I'm still looking into whether there are any other viable approaches.

Also, for any of these options, it would be nice if both the on-access and scheduled scan logs were user readable, which right now is only true for the on-access. That would require a clamav-server configuration change to achieve, I guess, since presumably it sets the logs' permissions.
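As an added example (not code from clamav-server or from anyone in this ticket) of the state-keeping LaunchAgent approach discussed in comments 4 and 6: a bash script meant to run as the logged-in user from a LaunchAgent, which lists files newly added to the quarantine directory, records them in a per-user state file so repeated runs do not notify twice for the same file, and raises one osascript notification per new file. The /opt/Quarantine path comes from the ticket; the state-file location, the NOTIFY_CMD override and the function names are assumptions made here.

```bash
#!/bin/bash
# Added example, not part of clamav-server: run as the logged-in user from a
# LaunchAgent, report files newly added to the quarantine directory, and keep
# a per-user state file so repeated runs never notify twice for the same file.
# Assumptions: QUARANTINE_DIR defaults to the /opt/Quarantine path named in
# the ticket; STATE_FILE, NOTIFY_CMD and the function names are invented here.

QUARANTINE_DIR="${QUARANTINE_DIR:-/opt/Quarantine}"
STATE_FILE="${STATE_FILE:-$HOME/.clamav-quarantine-seen}"
# Command that receives one AppleScript statement; override it on a host
# without osascript (for example with a shell function that logs the call).
NOTIFY_CMD="${NOTIFY_CMD:-osascript -e}"

# Print the names of quarantined files not yet recorded in STATE_FILE, one per
# line, and record each so the next run treats it as already reported.
find_new_quarantines() {
    touch "$STATE_FILE"
    [ -d "$QUARANTINE_DIR" ] || return 0
    find "$QUARANTINE_DIR" -mindepth 1 -maxdepth 1 -type f | sed 's|.*/||' | sort |
    while IFS= read -r name; do
        # -x: whole-line match, -F: literal name, --: names starting with '-'
        if ! grep -qxF -- "$name" "$STATE_FILE"; then
            printf '%s\n' "$name" >> "$STATE_FILE"
            printf '%s\n' "$name"
        fi
    done
}

# Raise one user notification for a quarantined file name.
notify_user() {
    # shellcheck disable=SC2086  # NOTIFY_CMD is intentionally word-split
    $NOTIFY_CMD "display notification \"Quarantined: $1\" with title \"ClamAV\""
}

# Notify for every new quarantine and print how many notifications were sent.
report_new_quarantines() {
    local new count=0 name
    new=$(find_new_quarantines)
    [ -n "$new" ] || { echo 0; return 0; }
    while IFS= read -r name; do
        notify_user "$name"
        count=$((count + 1))
    done <<EOF
$new
EOF
    echo "$count"
}

# Invoked by the LaunchAgent (StartInterval or WatchPaths) as: script --run
if [ "${1:-}" = "--run" ]; then report_new_quarantines; fi
```

Because the state file lives under the user's home, this works without the scheduled-scan log being user-readable, though it only sees what lands in the quarantine directory, not the log entry explaining why.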
