
ClamAV Scan Loop - Massive Amount of Logs Being Generated
Hello,

I am running ClamAV on an air-gapped Ubuntu 20.04 LTS machine and I cannot seem to figure this issue out for the life of me. Currently, I run a full system virus scan every weekend and I end up totally maxing out my logs in /var/log/audit. I have auditd configured for a max of 10 log files of 1 GB each, so who knows how much logging this could actually generate if it was left unrestricted. I also have clamscan output logs to the /var/log/clamav directory, but those are not the offending logs in this case, only /var/log/audit.

Here's the full command I run for the current scan:
clamscan --exclude-dir="^/tmp/" -r / >> /var/log/clamav/clamav-$(date +\%Y\%m\%d).log

When I review the logs, it seems that ClamAV is scanning its own tmp files that are generated during the scan. The files appear as /tmp/clamav-#######.tmp and ClamAV decides it must scan those files too, thus generating more tmp files, and the cycle continues.

My first thought to mitigate this would be to omit scanning the /tmp/ dir entirely, but this has proven to be unsuccessful. First, I tried changing the config at /usr/local/clamd.conf and adding the directory exclusion there, but I found I am not using the daemonized version (clamdscan), I am using regular ol' clamscan. This led me to try the --exclude-dir option in the following syntaxes after searching the different RegEx others are using (link below):

1. clamscan --exclude-dir=/tmp/
2. clamscan --exclude-dir=/tmp/*
3. clamscan --exclude-dir="^/tmp/"
None of the options above have worked so far, and every Monday I still have 10 GB of logs.

Can anyone spot something obvious I am missing? Is there perhaps a better way to solve this?
The other options I considered testing would be quiet/silent running modes or perhaps changing the permissions of /tmp/ such that clamav would not have access (similar to some areas of /sys/), but I am worried that could break something else.

Thank you in advance
Re: ClamAV Scan Loop - Massive Amount of Logs Being Generated
Nick,

On Tuesday, 2024-04-02 19:07:56 +0000, you wrote:

> ...
> 1. clamscan --exclude-dir=/tmp/
> 2. clamscan --exclude-dir=/tmp/*
> 3. clamscan --exclude-dir="^/tmp/"

What you specify here are regular expressions matching the path to a
directory, but a trailing slash is never part of a directory name (though
it may be part of an "ls -p" output). Thus "^/tmp$" is what you should
use.

Sincerely,
Rainer
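As an added illustration (not code from this thread or from ClamAV), the walker below models the rule Rainer describes: each directory path is handed to the exclusion regex without a trailing slash, so the patterns "/tmp/" and "^/tmp/" never match the /tmp directory itself (they only catch its subdirectories), while "^/tmp$" prunes it whole. The sandbox tree and file names are constructed for the demonstration.

```python
import os
import re
import tempfile

# Constructed sandbox standing in for the real filesystem: a tmp/ holding
# ClamAV-style scratch files plus a nested subdirectory, and directories
# that must keep being scanned.
SANDBOX_FILES = [
    "tmp/clamav-0001.tmp",
    "tmp/sub/nested.tmp",
    "home/nick/report.txt",
    "var/log/clamav/clamav-20240402.log",
]
# Two of the patterns from the thread that did not work, then Rainer's fix.
PATTERNS = ["/tmp/", "^/tmp/", "^/tmp$"]

def build_sandbox(root):
    """Create the constructed tree under a throwaway directory."""
    for rel in SANDBOX_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")

def scan_paths(root, exclude_dir_regex):
    """Files a walker would hand to the scanner, reported as paths rooted at
    '/' so the sandbox's tmp/ appears as '/tmp'.

    Assumption: this models the rule Rainer states (each directory path is
    tested without a trailing slash, by regex search) and is not clamscan's
    own code. A matching directory is pruned together with its contents.
    """
    rx = re.compile(exclude_dir_regex)
    scanned = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        vdir = "/" if rel == "." else "/" + rel.replace(os.sep, "/")
        if rx.search(vdir):
            dirnames[:] = []  # do not descend into an excluded directory
            continue
        scanned += [vdir.rstrip("/") + "/" + f for f in filenames]
    return sorted(scanned)

def compare_patterns():
    """Map each pattern to the files under /tmp that would still be scanned."""
    with tempfile.TemporaryDirectory() as root:
        build_sandbox(root)
        return {p: [f for f in scan_paths(root, p) if f.startswith("/tmp/")]
                for p in PATTERNS}
```

A narrower fix than skipping all of /tmp is to give clamscan its own scratch directory with --tempdir and exclude only that path, so /tmp itself still gets scanned; confirm the option against clamscan --help on your installed version.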