Discussion:
[clamav-users] clamscan not obeying the --exclude-dir directives
Adam Lininger
2016-06-14 12:33:41 UTC
I run clamAV on my Mac Book (installed via clamXav). It seems to be not
entirely obeying the --exclude and --exclude-dir flags.

I have a directory (/media/binstore) which is an sshfs mount from another
server. I want to exclude scanning this directory to avoid excess network
traffic. While clamscan never reports a virus in that directory, it is
opening and reading the files in that directory. How can this be avoided?


Clamscan invocation (from ps):
/usr/local/clamXav/bin/clamscan -ri --quiet
--log=/Users/alininge/Library/Logs/clamXav-scan.log --scan-mail=no
--phishing-scan-urls=no --exclude="/opt/local/msf/"
--exclude-dir="/opt/local/msf/" --exclude="/media/" --exclude-dir="/media/"
--exclude="/media/binstore" --exclude-dir="/media/binstore"
--exclude=^/Volumes --exclude=^/dev --exclude-dir=^/Volumes
--exclude-dir=^/dev /

Thanks,
Adam Lininger
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Mark Allan
2016-06-14 15:16:15 UTC
Hi Adam,

Are you producing that clamscan invocation yourself? If not, and it's coming from something produced by ClamXav, then you should direct your question to the official support channel for ClamXav which can be found at https://www.clamxav.com/contactus

Regards
Mark
Post by Adam Lininger
I run clamAV on my Mac Book (installed via clamXav). It seems to be not
entirely obeying the --exclude and --exclude-dir flags.
I have a directory (/media/binstore) which is an sshfs mount from another
server. I want to exclude scanning this directory to avoid excess network
traffic. While clamscan never reports a virus in that directory, it is
opening and reading the files in that directory. How can this be avoided?
/usr/local/clamXav/bin/clamscan -ri --quiet
--log=/Users/alininge/Library/Logs/clamXav-scan.log --scan-mail=no
--phishing-scan-urls=no --exclude="/opt/local/msf/"
--exclude-dir="/opt/local/msf/" --exclude="/media/" --exclude-dir="/media/"
--exclude="/media/binstore" --exclude-dir="/media/binstore"
--exclude=^/Volumes --exclude=^/dev --exclude-dir=^/Volumes
--exclude-dir=^/dev /
Thanks,
Adam Lininger
Dennis Peterson
2016-06-14 16:46:46 UTC
Modify the command to allow better logging. Replace -i with -v then view the log
to see what is and is not excluded.

It is assumed that your command is one long line of text or several lines where
the linefeed is escaped with a "\".

It should not be necessary to use exclude-dir and exclude for the same target.

dp
Post by Adam Lininger
I run clamAV on my Mac Book (installed via clamXav). It seems to be not
entirely obeying the --exclude and --exclude-dir flags.
I have a directory (/media/binstore) which is an sshfs mount from another
server. I want to exclude scanning this directory to avoid excess network
traffic. While clamscan never reports a virus in that directory, it is
opening and reading the files in that directory. How can this be avoided?
/usr/local/clamXav/bin/clamscan -ri --quiet
--log=/Users/alininge/Library/Logs/clamXav-scan.log --scan-mail=no
--phishing-scan-urls=no --exclude="/opt/local/msf/"
--exclude-dir="/opt/local/msf/" --exclude="/media/" --exclude-dir="/media/"
--exclude="/media/binstore" --exclude-dir="/media/binstore"
--exclude=^/Volumes --exclude=^/dev --exclude-dir=^/Volumes
--exclude-dir=^/dev /
Thanks,
Adam Lininger
G.W. Haywood
2016-06-14 18:15:06 UTC
Hi there,
Post by Adam Lininger
I run clamAV on my Mac Book (installed via clamXav). It seems to be not
entirely obeying the --exclude and --exclude-dir flags.
Mr. Allan makes a valid point.

You might try installing ClamAV without using clamXav, then you'll
know what you're getting. :)

These things often take a bit of experimentation. My approach would
be to use the 'verbose' option and look at the output. Here's a scan
by an unprivileged user - the last part of the command line (a *very*
long one, so I've broken it with backslash-escaped newlines here) was:

--log=/home/ged/clamscan-20160614.log / \
>>/home/ged/clamscan-20160614.stdout \
2>>/home/ged/clamscan-20160614.stderr &

and some of the output:

...
/root: Excluded
/share: Excluded
/run: Excluded
/initrd.img.old: Symbolic link
/selinux: Excluded
/tmp: Excluded
/opt: Excluded
/sys: Excluded
/home: Excluded
/.rnd: Access denied
/usr: Excluded
/dev: Excluded
/bin: Excluded
/mnt: Excluded
/man: Excluded
/boot: Excluded
/sbin: Excluded
/etc: Excluded
/initrd.img: Symbolic link
/vmlinuz: Symbolic link
/lost+found: Can't open directory.
...

Are you sure that clamscan is actually reading the files that you
don't want to be read, and not just doing a 'stat' on them?

You're using 'exclude' options and giving the root directory as the
starting point for the scan. I would tend to prefer to specify the
scan with 'include' rather than exclude, just as a precaution - you
might find, later on, that new directories that you really don't
want to scan mysteriously appear. Things like /proc for example.
Are there not other directories which should also be excluded?

Are you sure that clamscan isn't following symlinks? The default in
'normal' installations is only to follow symlinks which are specified
to clamscan directly, but it has the ability to behave differently.
Is it possible that the clamXav version behaves differently?

I notice that some of the arguments to your 'exclude' directives
are quoted and some are not. I would quote them all. I notice
that your '/media/binstore' arguments don't have a trailing slash,
but some others do. I'd be consistent.
--
73,
Ged.
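Added example (not part of the thread, and not ClamAV's or ClamXav's own code): a small shell script that applies exclude patterns to a constructed list of paths the way clamscan is assumed to apply them (each --exclude/--exclude-dir argument treated as an unanchored POSIX extended regex matched against the full path), and that counts the "Excluded" lines in a verbose log. It lets you check the effect of anchoring with ^ and of the trailing slash discussed above before running a scan that touches the sshfs mount. The paths, patterns and log lines are constructed, and the function names would_exclude and count_excluded are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the ClamAV project. It mimics how
# clamscan is assumed to apply --exclude/--exclude-dir patterns (each one an
# unanchored POSIX extended regex tested against the full path, which is why
# "^" anchoring matters) and shows how to read a verbose (-v) log.
# All paths, patterns and log lines here are constructed for illustration.

# would_exclude PATH PATTERN...
# Prints "<path>: Excluded (<pattern>)" and returns 0 if any pattern matches,
# otherwise prints "<path>: Scan" and returns 1.
would_exclude() {
    path=$1
    shift
    for pat in "$@"; do
        if printf '%s\n' "$path" | grep -E -q -e "$pat"; then
            printf '%s: Excluded (%s)\n' "$path" "$pat"
            return 0
        fi
    done
    printf '%s: Scan\n' "$path"
    return 1
}

# count_excluded < LOG
# Counts the "...: Excluded" lines that clamscan -v writes, so you can confirm
# a pattern took effect without watching traffic on the network mount.
count_excluded() {
    grep -c ': Excluded$' || true
}

# Constructed sample of paths a recursive scan started at "/" might visit.
PATHS='/media/binstore/backup.tar
/media/binstore-old/x.bin
/Users/alininge/media/photos/a.jpg
/Volumes/External/doc.pdf
/etc/hosts'

echo '== unanchored "/media/" (as in the original invocation) =='
# Matches anywhere in the path, so the user's own "media" folder is also skipped.
for p in $PATHS; do would_exclude "$p" '/media/' || true; done

echo
echo '== anchored and slash-terminated "^/media/binstore/" =='
# Only the mount itself is excluded; "/media/binstore-old" is still scanned.
for p in $PATHS; do would_exclude "$p" '^/media/binstore/' || true; done

echo
echo '== reading a verbose log (constructed lines in the style of clamscan -v) =='
LOG='/root: Excluded
/media/binstore: Excluded
/initrd.img: Symbolic link
/etc/hosts: OK'
printf '%s\n' "$LOG" | count_excluded
```

Run it as-is to see the two pattern styles side by side; to check a real run, replace -i with -v in the clamscan command as Dennis suggests and pipe the resulting log through count_excluded, or grep it for the mount point, to confirm the directory shows up as "Excluded" rather than as individual scanned files.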