Mailing List Archive

[clamav-users] --exclude semantic issue ?
Hello,
I'm new to ClamAV.
I did a test scan and decided to exclude some files from scanning
Since files were located in a few directories I did not want to provide
only file name hence I provided the absolute path for each file.
The issue is that despite my action those files were not excluded from scan.
Hence my question: what did I do wrong? Is it wrong semantics or etc.?
This is my example:

clamscan --recursive C:\ D:\ E:\ --log=%LOG% --quiet --exclude="C:\Program Files\rempl\osrrb.exe" --exclude="C:\Windows\SysWOW64\sechost.dll"

Thanks
Re: [clamav-users] --exclude semantic issue ?
Hi there,

On Thu, 24 Feb 2022, Eliya Voldman via clamav-users wrote:

> I did a test scan and decided to exclude some files from scanning
> Since files were located in a few directories I did not want to provide
> only file name hence I provided the absolute path for each file.
> The issue is that despite my action those files were not excluded from scan.
> Hence my question: what did I do wrong? Is it wrong semantics or etc.?
> This is my example:
>
> clamscan --recursive C:\ D:\ E:\ --log=%LOG% --quiet --exclude="C:\Program Files\rempl\osrrb.exe" --exclude="C:\Windows\SysWOW64\sechost.dll"

You found the documentation but you missed a bit. :)

The value given in the --exclude option is a regular expression, not a
literal string, and unfortunately the 'backslash' character which is
used as the path separator on Windows is the same character which is
used in a regular expression (regex) to 'quote' the character which
follows it in the regex.

When you need a literal backslash in a regex, use two. For example

--exclude="C:\\Windows\\SysWOW64\\sechost.dll"

The first '\' character is what we call a 'special character' and in
regular expression parlance we say it 'quotes' the character following
so that its meaning is *not* special. In your version of this regex,
the '\' characters quote the 'W', 'S' and 's' characters following the
'\' characters. You might think that those characters aren't special
anyway, and you'd be right, but the rules of regex construction don't
care about that. If you quote a non-special character it doesn't make
any difference, it stays non-special; '\t\h\i\s' is the same as 'this'.

Incidentally in a regex the 'dot' character is special. It 'matches'
any character. It doesn't mean a literal 'dot' unless it's quoted, so
you would probably want to write that as

--exclude="C:\\Windows\\SysWOW64\\sechost\.dll"

Yes it's a little bewildering at first, but whatever kind they are,
regular expressions are fun. :)

There are lots of primers on the subject on the Internet, but take
care to distinguish between the different types of regex. People
aren't always very clear about it. We'll talk about 'POSIX' regular
expressions, 'Perl' regular expressions, and so on. Sometimes we say
carelessly things like 'PCRE' (Perl Compatible Regular Expressions) as
if everyone should know what we mean. :/

If in doubt, POSIX regular expressions are least likely to get you
into deep water and, if you want the bees' knees, look to PCRE - at
least IMHO. If you look into using Yara rules with the ClamAV engine,
do be aware that the regular expressions for Yara rules are feeble by
comparison with those of POSIX and Perl.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
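
Added example (not part of the original thread and not ClamAV code): a Python sketch of the quoting rule explained in the reply above, applied to the two paths from the question. `exclude_regex_for` and `excludes` are hypothetical helpers; matching is modelled as an unanchored search with Python's `re`, after reducing quoted letters and digits to the plain character, which is an assumption about how the option matches.

```python
import re

# Characters with a special meaning in a POSIX extended regex.
SPECIAL = set('\\.^$*+?()[]{}|')


def exclude_regex_for(path):
    """Quote every special character so the regex means the literal path."""
    return ''.join('\\' + ch if ch in SPECIAL else ch for ch in path)


def _drop_needless_quote(m):
    # A quoted letter or digit stays non-special: '\W' is just 'W'.
    ch = m.group(1)
    return ch if ch.isalnum() else m.group(0)


def excludes(pattern, path):
    """True if `pattern` matches somewhere in `path` (modelled, see lead-in)."""
    # Python's re gives \W, \S, \s and \r meanings of their own, so a quoted
    # letter or digit is first reduced to the plain character it stands for.
    plain = re.sub(r'\\(.)', _drop_needless_quote, pattern)
    return re.search(plain, path) is not None


# Constructed sample data: the two paths from the question.
SECHOST = r'C:\Windows\SysWOW64\sechost.dll'
OSRRB = r'C:\Program Files\rempl\osrrb.exe'

if __name__ == '__main__':
    for path in (SECHOST, OSRRB):
        # The path typed as-is asks for 'C:Windows...' with no separators.
        print('as typed:', excludes(path, path))
        fixed = exclude_regex_for(path)
        print('quoted  :', fixed, excludes(fixed, path))
    # With a bare dot the exclusion is wider than the one file intended.
    loose = r'C:\\Windows\\SysWOW64\\sechost.dll'
    lookalike = r'C:\Windows\SysWOW64\sechost_dll'
    print('bare dot  :', excludes(loose, lookalike))
    print('quoted dot:', excludes(exclude_regex_for(SECHOST), lookalike))
```

An exclusion that matches more than the intended file leaves those extra files unscanned, so the quoted-dot form is the one to keep.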
Re: [clamav-users] --exclude semantic issue ?
Thanks a lot
All set now


> On Feb 24, 2022, at 10:19 AM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>
>> On Thu, 24 Feb 2022, Eliya Voldman via clamav-users wrote:
>>
>> I did a test scan and decided to exclude some files from scanning
>> Since files were located in a few directories I did not want to provide
>> only file name hence I provided the absolute path for each file.
>> The issue is that despite my action those files were not excluded from scan.
>> Hence my question: what did I do wrong? Is it wrong semantics or etc.?
>> This is my example:
>>
>> clamscan --recursive C:\ D:\ E:\ --log=%LOG% --quiet --exclude="C:\Program Files\rempl\osrrb.exe" --exclude="C:\Windows\SysWOW64\sechost.dll"
>
> You found the documentation but you missed a bit. :)
>
> The value given in the --exclude option is a regular expression, not a
> literal string, and unfortunately the 'backslash' character which is
> used as the path separator on Windows is the same character which is
> used in a regular expression (regex) to 'quote' the character which
> follows it in the regex.
>
> When you need a literal backslash in a regex, use two. For example
>
> --exclude="C:\\Windows\\SysWOW64\\sechost.dll"
>
> The first '\' character is what we call a 'special character' and in
> regular expression parlance we say it 'quotes' the character following
> so that its meaning is *not* special. In your version of this regex,
> the '\' characters quote the 'W', 'S' and 's' characters following the
> '\' characters. You might think that those characters aren't special
> anyway, and you'd be right, but the rules of regex construction don't
> care about that. If you quote a non-special character it doesn't make
> any difference, it stays non-special; '\t\h\i\s' is the same as 'this'.
>
> Incidentally in a regex the 'dot' character is special. It 'matches'
> any character. It doesn't mean a literal 'dot' unless it's quoted, so
> you would probably want to write that as
>
> --exclude="C:\\Windows\\SysWOW64\\sechost\.dll"
>
> Yes it's a little bewildering at first, but whatever kind they are,
> regular expressions are fun. :)
>
> There are lots of primers on the subject on the Internet, but take
> care to distinguish between the different types of regex. People
> aren't always very clear about it. We'll talk about 'POSIX' regular
> expressions, 'Perl' regular expressions, and so on. Sometimes we say
> carelessly things like 'PCRE' (Perl Compatible Regular Expressions) as
> if everyone should know what we mean. :/
>
> If in doubt, POSIX regular expressions are least likely to get you
> into deep water and, if you want the bees' knees, look to PCRE - at
> least IMHO. If you look into using Yara rules with the ClamAV engine,
> do be aware that the regular expressions for Yara rules are feeble by
> comparison with those of POSIX and Perl.
>
> --
>
> 73,
> Ged.
