Mailing List Archive

[clamav-users] Filesystem scan exclusion returns errors
Hi,

I have a question concerning the exclusion statement in clamd.conf

# clamconf | grep Exclude
ExcludePath = "^/run/", "^/dev/", "^/sys/", "^/proc/"

# /bin/clamdscan -l /var/log/clamdscan.log /sys
--------------------------------------
/sys: Excluded
/sys: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.000 sec (0 m 0 s)

Fine, /sys seems to be excluded from scanning.
When I issue the same command but starting at the root /, I see a lot of errors popping up in the log file and all of them are pointing to /sys. I am confused because /sys is excluded from scanning but errors are logged for that filesystem. What do I do wrong and/or how can I avoid this?

# /bin/clamdscan -l /var/log/clamdscan.log /

# head /var/log/clamdscan.log
--------------------------------------
/root/eicar.com: Eicar-Signature FOUND
/sys/fs/xfs/stats/stats: Can't read file ERROR
/sys/fs/xfs/stats/stats_clear: Can't open file or directory ERROR
/sys/fs/xfs/dm-0/stats/stats: Can't read file ERROR
/sys/fs/xfs/dm-0/stats/stats_clear: Can't open file or directory ERROR
/sys/fs/xfs/dm-0/error/fail_at_unmount: Can't read file ERROR
/sys/fs/xfs/dm-0/error/metadata/default/max_retries: Can't read file ERROR
/sys/fs/xfs/dm-0/error/metadata/default/retry_timeout_seconds: Can't read file ERROR
/sys/fs/xfs/dm-0/error/metadata/EIO/max_retries: Can't read file ERROR
........


Pascal De Meerleer


Re: [clamav-users] Filesystem scan exclusion returns errors
Hi there,

On Tue, 1 Dec 2020, Pascal De Meerleer via clamav-users wrote:

> I have a question concerning the exclusion statement in clamd.conf
>
> # clamconf | grep Exclude
> ExcludePath = "^/run/", "^/dev/", "^/sys/", "^/proc/"
> ...
> When I issue the same command but starting at the root /, I see a
> lot of errors popping up in the log file and all of them are
> pointing to /sys. I am confused because /sys is excluded from
> scanning but errors are logged for that filesystem. What do I do
> wrong and/or how can I avoid this?

I'm assuming that the 'clamconf' output is hiding the fact that your
REGEXes are really on separate 'ExcludePath' lines (as per the docs),
and that they are not on a single line, enclosed by double quotes, and
comma separated. Please can you confirm that?

I don't recall that I've ever actually used the ExcludePath directive,
because I don't generally scan filesystems. I'm not sure that you're
doing anything wrong. I can imagine that the ExcludePath directive in
the config file might be overridden by the command line intentionally.
It's the sort of thing which tools do in general for flexibility. It
seems to me that the documentation isn't clear on the point but I may
have missed something.

There's a recent Bugzilla report here:

https://bugzilla.clamav.net/show_bug.cgi?id=12632

it might be relevant, although it's not specifically about paths. I
wonder if you try removing the '^' (caret character) from the regex,
does it make any difference? It might be a similar issue to 12632.
If that doesn't help I'd suggest scripting something which scans the
directories you want to scan, rather than relying on ExcludePath.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
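
The suggestion in the reply above (scan the directories you want rather than relying on ExcludePath) could be scripted as follows; this is an added example, not part of the original thread and not ClamAV project code. The function names, the SKIP_DIRS list, the CLAMDSCAN override variable and the script name scan-targets.sh are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build the scan list explicitly
# instead of relying on ExcludePath when the scan starts at /.

# Top-level names to leave out: the four trees from the poster's clamd.conf.
SKIP_DIRS="run dev sys proc"

# Exact-name match, so /system is not skipped just because /sys is.
is_skipped() {
    for s in $SKIP_DIRS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Print one scan target per line: each entry directly under ROOT that is
# not a symlink (avoids scanning /bin -> usr/bin twice) and not skipped.
scan_targets() {
    root=${1%/}
    for path in "$root"/* "$root"/.[!.]*; do
        [ -e "$path" ] && [ ! -L "$path" ] || continue
        is_skipped "${path##*/}" && continue
        printf '%s\n' "$path"
    done
}

# Run the scanner once per target with the thread's -l option and return
# the highest exit status seen (clamdscan: 0 clean, 1 found, 2 error).
# CLAMDSCAN is a hypothetical override used to substitute a stub in tests.
scan_all() {
    log=$2 worst=0
    while IFS= read -r t; do
        [ -n "$t" ] || continue
        rc=0
        "${CLAMDSCAN:-clamdscan}" -l "$log" "$t" </dev/null || rc=$?
        [ "$rc" -le "$worst" ] || worst=$rc
    done <<EOF
$(scan_targets "$1")
EOF
    return "$worst"
}

# Scan the real root only when asked to: sh scan-targets.sh --run
if [ "${1:-}" = "--run" ]; then
    scan_all / /var/log/clamdscan.log
fi
```

The list only filters names directly under the root, so a pseudo-filesystem mounted deeper in the tree is still walked.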
Re: [clamav-users] Filesystem scan exclusion returns errors
Hi,

"I'm assuming that the 'clamconf' output is hiding the fact that your
REGEXes are really on separate 'ExcludePath' lines (as per the docs)"
Yes they are.

ExcludePath /run/
ExcludePath /dev/
ExcludePath /sys/
ExcludePath /proc/

Tried all your suggestions, but all with the same outcome; in other words, nothing changed: errors are still reported.
I just wonder if all other excluded filesystems are scanned or not, anyway no trace of that.

So reversing the logic seems to be the best way forward but then again it would be nice if it worked as stated!


Pascal De Meerleer
System Engineer

Tel. +32 (0)2 448 21 03
server.os@kbc.be

KBC Groep NV<https://www.kbc.com/bedrijfsgegevens-groep>, MECCCM1

________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of G.W. Haywood via clamav-users <clamav-users@lists.clamav.net>
Sent: Tuesday, 1 December 2020 13:26
To: Pascal De Meerleer via clamav-users <clamav-users@lists.clamav.net>
Cc: G.W. Haywood <clamav@jubileegroup.co.uk>
Subject: Re: [clamav-users] Filesystem scan exclusion returns errors

Re: [clamav-users] Filesystem scan exclusion returns errors
Hi there,

On Tue, 1 Dec 2020, Pascal De Meerleer via clamav-users wrote:

> Tried all your suggestions but all with the same outcome ...

No great surprise I'm afraid.

> I just wonder if all other excluded filesystems are scanned or not,
> anyway no trace of that.

You can always put an EICAR test file in a few of the directories, and
there are the logging, debug and verbose options to play with.

> ... it would be nice if it worked as stated!

Quite so. Like a lot of Open Source projects unfortunately it's still
a work in progress.

--

73,
Ged.
