Mailing List Archive

[clamav-users] How to scan a single partition
Hi altogether,

My system is Linux/Lubuntu 20.04.2 LTS, 64 bit.

I have *three* partitions: root-, home- and a third (data-)partition
with 23 GB, 36 GB and 193 GB respectively plus 3 usb-sticks:

df -h
Dateisystem    Größe Benutzt Verf. Verw% Eingehängt auf
udev            1,9G       0  1,9G    0% /dev
tmpfs           386M    1,8M  384M    1% /run
/dev/sdc1        23G     13G  9,4G   58% /                          # root partition
tmpfs           1,9G       0  1,9G    0% /dev/shm
tmpfs           5,0M    8,0K  5,0M    1% /run/lock
tmpfs           1,9G       0  1,9G    0% /sys/fs/cgroup
/dev/sdc2        36G     22G   12G   64% /home                      # home partition
tmpfs           386M     12K  386M    1% /run/user/1000
/dev/sdf1       7,5G    2,1G  5,4G   29% /media/rosika/A492-CD29    # usb-stick 1
/dev/sdd1        30G     26G  4,1G   87% /media/rosika/28BC-DAFC    # usb-stick 2
/dev/sdc3       193G     99G   84G   55% /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1    # 3rd partition (data-partition)
/dev/sdb         30G     26G  3,9G   87% /media/rosika/74C1-30C7    # usb-stick 3


What I want to do is: scan the _root-partition exclusively_, not the
other ones and not the sticks.

What command would I need for this?

Looking around on the web I found this command
(https://pikedom.com/clam-anti-virus-on-arch-linux/ ):

clamscan --recursive --infected --exclude-dir='^/sys|^/dev|^/proc|^/var/lib/clamav' --max-filesize=4000M --max-scansize=4000M / -l ~/clamav-scan-results/201803261436

As the starting point is / this would scan everything, right? Which is
not what I want to achieve.

Thanks for your help in advance.

Many greetings.
Rosika
Re: [clamav-users] How to scan a single partition
Hello,

You can use the --exclude-dir= option and indicate what you want to exclude from the scan process.

Regards.

Sorin Petrut Niculae

From: clamav-users [mailto:clamav-users-bounces@lists.clamav.net] On behalf of Christian
Sent: Monday, 26 April 2021 15:15
To: clamav-users@lists.clamav.net
Subject: [clamav-users] How to scan a single partition

Re: [clamav-users] How to scan a single partition
Hi there,

On Mon, 26 Apr 2021, Christian wrote:

> My system is Linux/Lubuntu 20.04.2 LTS, 64 bit.

Then you have 'man' pages. :)

> I have *three* partitions: root-, home- and a third (data-)partition with 23
> GB, 36 GB and 193 GB respectively plus 3 usb-sticks:
> ...
> What I want to do is: scan the _root-partition exclusively_, not the other
> ones and not the sticks.
>
> What command would I need for this?
>
> Looking around on the web I found this command
> (https://pikedom.com/clam-anti-virus-on-arch-linux/ ):
>
> clamscan --recursive --infected --exclude-dir='^/sys|^/dev|^/proc|^/var/lib/clamav' --max-filesize=4000M --max-scansize=4000M / -l ~/clamav-scan-results/201803261436
>
> As the starting point is / this would scan everything, right? Which is not
> what I want to achieve.

No it won't scan everything because it has exclusions, but you're much
better off looking at the ClamAV manual than scouring the Internet for
random shell commands which may or may not have been written by people
who know what they are doing; may or may not do what you want; and may
or may not even be safe.

In this case you're looking for the "cross filesystems" features, but
unfortunately they're named differently for the different ClamAV tools.

As you're using clamscan, the command-line option '--cross-fs=no' will
limit recursive scanning to the filesystem containing the starting
point of the scan.

If you were to use clamd, the configuration option 'CrossFilesystems'
can be set to 'no' (the default is 'yes') for the same purpose.

You may want to look at the symlink options too.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] How to scan a single partition
Hi all and thanks so much for your replies,

@Sorin Petrut Niculae:

So basically I'd have to exclude my home-partition, the 3rd
(data-)partition and the 3 sticks in the command.

Thanks for the advice.
Greetings.
Rosika


@G.W. Haywood:

Thanks for the suggestion.

Alas I couldn't get hold of a ClamAV manual.
I also looked around to find some info regarding the "cross filesystem"
feature but curiously couldn't find anything.

So I took a look at the man pages and found the following entry:

--cross-fs=[yes(*)/no]
    Scan files and directories on other filesystems.

As "df -h" says (shortened):

Filesystem      Size  Used Avail Use% Mounted on
/dev/sdc1        23G   13G  9,4G  58% /
/dev/sdc2        36G   22G   12G  65% /home
/dev/sdf1       7,5G  2,1G  5,4G  29% /media/rosika/A492-CD29
/dev/sdd1        30G   26G  4,1G  87% /media/rosika/28BC-DAFC
/dev/sdc3       193G   99G   84G  55% /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1
/dev/sdb         30G   26G  3,9G  87% /media/rosika/74C1-30C7

"filesystem" is denoted as _/dev/sdc1_.

I'm not sure about the *syntax* though. Should I use / or /dev/sdc1 as
a starting point:

clamscan --cross-fs=no --recursive --infected --exclude-dir='^/sys|^/dev|^/proc|^/var/lib/clamav' --max-filesize=4000M --max-scansize=4000M / -l ~/clamav-scan-results/log

OR:

clamscan --cross-fs=no --recursive --infected --exclude-dir='^/sys|^/dev|^/proc|^/var/lib/clamav' --max-filesize=4000M --max-scansize=4000M /dev/sdc1 -l ~/clamav-scan-results/log

Thanks in advance.
Greetings
Rosika
Re: [clamav-users] How to scan a single partition
Hi there,

On Mon, 26 Apr 2021, Christian wrote:

> ...
> Alas I couldn't get hold of a ClamAV manual.

Try typing "ClamAV manual" into any search engine.

> I'm not sure about the *syntax* though. Should I use / or /dev/sdc1
> as a starting point:

Unless you really know what you're doing, you will never want to scan
anything in /dev. Much the same applies to /proc, /sys and similar.
So you will probably never want to use anything which starts with any
of those as the starting point (I'd call it the 'root') of a scan.

The option '--cross-fs=no' just tells the scanner that no matter what
links there are between directories in different filesystems, when it
scans something recursively it is not to cross a filesystem boundary.
The option does not care where the scan is rooted. With this option
set to 'no', you could mount your USB stick under /usr and it still
wouldn't be scanned, even if the root of the scan is /usr.

> clamscan --cross-fs=no --recursive --infected --exclude-dir='^/sys|^/dev|^/proc|^/var/lib/clamav' --max-filesize=4000M --max-scansize=4000M / -l ~/clamav-scan-results/log
>
> OR:
>
> clamscan --cross-fs=no --recursive --infected --exclude-dir='^/sys|^/dev|^/proc|^/var/lib/clamav' --max-filesize=4000M --max-scansize=4000M /dev/sdc1 -l ~/clamav-scan-results/log

The former, although '4000M' is fiction (search the list archives).

What's the risk of something nasty getting into your root filesystem?
Have you thought about ways to make it much less likely to happen?

Bear in mind that if ClamAV finds something, it's already too late to
stop it getting there, and it might already have done whatever nasty
things it's meant to do.

--

73,
Ged.
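
Added example (not part of the thread and not ClamAV code): a shell helper that lists the mount points below a scan root, i.e. the subtrees a recursive scan with '--cross-fs=no' leaves out according to the explanation above. The function names and the sample mount table are constructed for illustration, and the filesystem types in the sample are assumed.

```shell
#!/bin/sh
# Input format is that of /proc/self/mounts: device mountpoint fstype ...

# mounts_below ROOT -- reads a mount table on stdin and prints every
# mount point strictly below ROOT (ROOT itself is not listed).
mounts_below() {
    root=${1%/}                 # "/" becomes "", "/usr/" becomes "/usr"
    while read -r _dev mnt _rest; do
        case "$mnt" in
            # Require a "/" after ROOT so /usrdata is not taken for /usr/...
            "$root"/?*) printf '%s\n' "$mnt" ;;
        esac
    done | sort -u
}

# Constructed sample, modelled on the df output quoted in the thread.
sample_mounts() {
    cat <<'EOF'
udev /dev devtmpfs rw 0 0
tmpfs /run tmpfs rw 0 0
/dev/sdc1 / ext4 rw 0 0
/dev/sdc2 /home ext4 rw 0 0
/dev/sdf1 /media/rosika/A492-CD29 vfat rw 0 0
/dev/sdc3 /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1 ext4 rw 0 0
EOF
}

# scan_one_fs ROOT LOGFILE -- report what is left out, then scan only
# the filesystem that contains ROOT (needs clamscan installed).
scan_one_fs() {
    echo "Separate filesystems below $1 (not scanned):" >&2
    mounts_below "$1" < /proc/self/mounts >&2
    clamscan --cross-fs=no --recursive --infected \
        --exclude-dir='^/sys|^/dev|^/proc|^/var/lib/clamav' \
        "$1" -l "$2"
}

# Demo on the constructed table: everything mounted below "/".
sample_mounts | mounts_below /
```

On a live system, `scan_one_fs / ~/clamav-scan-results/log` prints the skipped mount points to stderr before the scan starts.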