Hello again,
On Fri, 23 Oct 2020, Marcy Rogers via clamav-users wrote:
> ...
> I followed the instructions for installing Clamav for Windows and placed
> the clamd.conf file in the c:\program files\clamav.
> ...
> In the config file, you will see this.
> ...
> ExcludePath "C:\Windows"
There are two potential issues there. More below.
> ...
> SelfCheck 3600
>
> This was set at 600 before I changed it to 3600 minutes. Clamd.exe is
> reading to do a selfcheck every 3600 minutes but it is not reading to
> excludepath "c:\windows"
It's good to know that the selfcheck interval has indeed changed from
the default to what you have set in the config file. At least that
shows that you have had some effect on the daemon. I'd just like to
be sure that the config file that you think is having that effect is
actually the file that's doing that, and that you don't have another
file somewhere with the 3600 second self-check interval set but _not_
the ExcludePath line. If you change the interval to something like
1200 seconds and wait for twenty minutes you should be able to verify
that you're working with the right file. Alternatively you can give
the config file path explicitly on the command line to make sure.
A couple of other things:
1.
On Fri, 23 Oct 2020, Mark Fortescue wrote:
> Have you tried C:\\Windows or C:/Windows?
Mr. Fortescue makes good suggestions. The ExcludePath directive takes
as its argument a 'regular expression', not just a string of text.
Regular expressions are kinds of patterns which are _compared_ with a
string of text - in this case the regex will be compared with a path
name. It either matches (and so the path is excluded) or it doesn't
(so it isn't excluded). Think about the '*' character that's often
used when you want to list the files in a directory which all have
names beginning with the same few characters. A regex is like that
with bells on. This isn't the place to talk about regular expressions
(if you aren't familiar with them, search for tutorials about them)
but we do need to mention the backslash I'm afraid. In most regular
expression (regex) libraries, the backslash character is 'special'.
It does not behave literally in a string as ordinary characters do; it
escapes the following character, if that is another special character,
thus making the special character _not_ special. But if the following
character is _not_ a special character, the non-special character is
taken literally as if the backslash were not there. That means that
the regex
c:\Windows
actually matches
c:Windows
and if you want to have a literal backslash in a regex you generally
have to double it, as in Mr. Fortescue's first suggestion.
Linux, MacOS etc. pathnames use the forward slash character as the
directory separator. Windows has a quirk. On Windows, the directory
separator in the pathnames is the backslash character. Sometimes to
get around this quirk on Windows, tools which use regexes will accept
a forward slash instead of a backslash for the directory separator,
avoiding the need to double backslashes everywhere which can be messy
if there are many directories in the path.
2.
In the config file I notice that you have
ExcludePath "C:\Windows"
but you say it continues to scan "c:\windows". As I said I don't use
ClamAV on Windows so I don't know if clamd behaves differently there
from how it behaves on Linux etc., but on the operating systems that
I'm used to working with ClamAV tools are case sensitive. That means
that "C:\Windows" and "c:\windows" would be two different paths, and
excluding one would not exclude the other. You can have more than
one ExcludePath directive in the file, so it won't hurt to try several:
ExcludePath "C:\\Windows"
ExcludePath "C:\\WINDOWS"
ExcludePath "C:\\windows"
ExcludePath "C:\Windows"
ExcludePath "C:\WINDOWS"
ExcludePath "C:\windows"
ExcludePath "C:/Windows"
ExcludePath "C:/WINDOWS"
ExcludePath "C:/windows"
and see if that helps. I'm afraid that I'm guessing here. Also I
left out the nine lines with a lower case 'c' but I'd be surprised if
anything on Windows would treat the drive letter case sensitively.
And I suppose you could try it without a drive letter at all. :/
On Fri, 23 Oct 2020, Marcy Rogers via clamav-users wrote:
> ... I have been working on this for 4 months now. ...
Ouch! It really shouldn't be that difficult! If you don't get this
fixed in a couple of days from the other help you get here then I'll
spin up a Windows virtual machine and see what I find. What version
of Windows are you using?
> I am scanning but it is taking over 5 hours to scan and I would like
> to cut that down by not scanning the Window directory.
I understand that it takes time but I suspect that it isn't a good
idea to cut out the entire Windows directory as that might often be
where malicious files, if there are any, have installed themselves.
To get around that kind of issue people often set up scheduled scans
so that they take place for example out of office hours.
Incidentally if you're only ever using clamd by starting it from a
powershell window every time you want to scan the machine then you're
losing a lot of the value of having a clamd daemon. Generally it's
intended to have clamd running 24/365, so that you hardly ever have to
wait for the signature database(s) to be loaded if you decide to do a
scan from the command line at a moment's notice. The trade-off is the
memory used by clamd while ever it's running, typically around 1Gbyte
even if you only have the 'official' signatures loaded - and there are
several third-party signature databases available.
It's late. Good luck!
--
73,
Ged.
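The escaping and case-sensitivity points in the reply above, as an added example (this is not part of Ged's message and not ClamAV's own code): a small Python helper that turns a literal Windows path into an ExcludePath pattern, and a stand-in for clamd's matching so the candidate patterns can be checked offline. It assumes what the reply assumes, that clamd compiles ExcludePath as a POSIX extended regex (ClamAV ships a BSD-derived engine, as far as I know) and runs an unanchored search over each scanned path, and it also assumes that the double quotes in clamd.conf only delimit the value and do not themselves interpret backslashes. The function names (exclude_path_pattern, exclude_path_directive, is_excluded, check_candidates) and the sample paths are mine. Python's re is used only for the ERE subset the helper emits (literals, escaped metacharacters, [..] brackets, ^, $ and (..|..)), where both engines agree; a single-backslash pattern such as C:\Windows is deliberately never fed to re, because there \W means "any non-word character", which is not what a BSD-style ERE does with it, so Python would give a misleading answer for exactly the case the reply discusses.

```python
import re

# POSIX ERE metacharacters; each needs a leading backslash to be taken literally.
# The backslash is itself in this set, which is why C:\Windows must be written
# as C:\\Windows in an ExcludePath directive.
_ERE_META = set(r'\^$.|?*+()[]{}')


def exclude_path_pattern(path, case_insensitive=True, anchored=True):
    """Turn a literal Windows directory path into a POSIX-ERE pattern for ExcludePath.

    case_insensitive: ERE has no (?i) flag, so every letter becomes a bracket
        expression such as [Ww]; one directive then covers C:\\Windows,
        c:\\windows and C:\\WINDOWS instead of needing nine.
    anchored: wrap the body in ^ ... (\\\\|$) so the pattern matches the directory
        itself and everything beneath it, but not a sibling such as
        C:\\WindowsBackup that merely starts with the same text.
    """
    path = path.rstrip('\\/')   # a trailing separator would defeat the (\\|$) tail
    parts = []
    for ch in path:
        up, lo = ch.upper(), ch.lower()
        if case_insensitive and up != lo and len(up) == 1 and len(lo) == 1:
            parts.append('[%s%s]' % (up, lo))
        elif ch in _ERE_META:
            parts.append('\\' + ch)   # '\' -> '\\', '(' -> '\(', '.' -> '\.'
        else:
            parts.append(ch)
    body = ''.join(parts)
    if anchored:
        return '^' + body + r'(\\|$)'
    return body


def exclude_path_directive(path, **kwargs):
    """The clamd.conf line for the pattern (assumes the quotes do not unescape)."""
    return 'ExcludePath "%s"' % exclude_path_pattern(path, **kwargs)


def is_excluded(pattern, path):
    """Stand-in for clamd's check: an unanchored regex search over the full path."""
    return re.search(pattern, path) is not None


def check_candidates(candidates, paths):
    """Map each candidate pattern to the list of sample paths it would exclude."""
    return {pat: [p for p in paths if is_excluded(pat, p)] for pat in candidates}


if __name__ == '__main__':
    # Constructed sample paths, not taken from a real scan.
    sample = [r'C:\Windows',
              r'c:\windows\system32\kernel32.dll',
              r'C:\WindowsBackup\old.exe',
              r'C:\Users\marcy\Windows\notes.txt']
    candidates = [r'C:\\Windows', r'C:/Windows', exclude_path_pattern(r'C:\Windows')]
    for pat, hits in check_candidates(candidates, sample).items():
        print('%-48s -> %s' % (pat, hits or 'nothing'))
    print(exclude_path_directive(r'C:\Windows'))
```

Running it shows that C:\\Windows (doubled backslash) matches C:\Windows but not c:\windows, that C:/Windows matches nothing unless the tool itself normalises separators, and that the generated case-insensitive, anchored pattern catches the three spellings while leaving C:\WindowsBackup alone. If you take this route, check the drive-letter case and separator form that clamd actually sees for the paths you scan, since ^ anchors against exactly that string.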
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml