Mailing List Archive

[clamav-users] why is clamscan excluding home directory ?
[root@fedora bob]# uname -a
Linux fedora 5.16.18-200.fc35.x86_64 #1 SMP PREEMPT Mon Mar 28 14:10:07 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

[root@fedora bob]# clamscan -V
ClamAV 0.103.5/26504/Wed Apr  6 09:20:18 2022
[root@fedora bob]#


[root@fedora bob]# pwd
/home/bob

[root@fedora bob]# cat clamscan.conf
    --stdout
    --recursive
    --cross-fs=no
    --exclude-dir='^/proc'
    --exclude-dir='^/sys'
    -z  

[root@fedora bob]#  xargs -a clamscan.conf clamscan / > clamscan.log 2>&1
[root@fedora bob]# head clamscan.log
/boot: Excluded
/dev: Excluded
/home: Excluded
/proc: Excluded
/run: Excluded
/sys: Excluded
/tmp: Excluded
/root/.bash_logout: OK
/root/.bash_profile: OK
/root/.bashrc: OK
[root@fedora bob]# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sr0     11:0    1  1024M  0 rom  
zram0  251:0    0   7.8G  0 disk [SWAP]
vda    252:0    0 931.5G  0 disk
├─vda1 252:1    0     1G  0 part /boot
└─vda2 252:2    0 930.5G  0 part /home
                                 /

Output from df on excluded dirs:
Filesystem     1K-blocks    Used    Available Use% Mounted on
/dev/vda2      975712256    5701400 968353688   1% /
/dev/vda1         996780     270116    657852  30% /boot
devtmpfs            4096          0      4096   0% /dev
/dev/vda2      975712256    4757620 969293244   1% /home
tmpfs            1625920       1440   1624480   1% /run
tmpfs            4064792         68   4064724   1% /tmp
sunrpc                 0     0         0         - /var/lib/nfs/rpc_pipefs
-              975712256 4757620 969293244      1% /var/lib/machines 

This explains all the exclusions bar /home :
(fs = fileSystem)
/boot: Excluded                         - diff fs: OK
/dev: Excluded                          - diff fs: OK
/home: Excluded                         - SAME FS: ???
/proc: Excluded                         - exclude-dir: OK
/run: Excluded                          - diff fs: OK
/sys: Excluded                          - exclude-dir: OK
/tmp: Excluded                          - diff fs: OK
/var/lib/nfs/rpc_pipefs: Excluded       - diff fs: OK
/var/lib/machines: Excluded             - diff fs: OK

So why is /home excluded ?
I have tried investigating with the following options

    --stdout
    --recursive
    --cross-fs=no
    --exclude-dir='^/proc'
    --exclude-dir='^/sys'
    -z  
    --infected
    -v
    --debug

but the log generated is 1G; there were issues with characters in the file when I tried to open it with gedit, and I couldn't extract anything useful with grep.
So, any ideas why /home is being excluded ?
Re: [clamav-users] why is clamscan excluding home directory ?
Hi there,

On Fri, 8 Apr 2022, Bob Power via clamav-users wrote:

> [root@fedora bob]# cat clamscan.conf
> ...
> [root@fedora bob]# xargs -a clamscan.conf clamscan / > ...

Kinda creative and unnecessary, I think, to use xargs in this way and
the result goes against the 'man' page for clamscan although I guess
you'll get away with it. Normally I'd prefer to show full pathnames
for something like this, and keep the commands as simple as possible.
You don't need quotes in your regexes in clamscan.conf, they'd only
be necessary if there were things like space characters in them.

> Output from df on excluded dirs:
> Filesystem 1K-blocks Used Available Use% Mounted on
> /dev/vda2 975712256 5701400 968353688 1% /
> /dev/vda1 996780 270116 657852 30% /boot
> devtmpfs 4096 0 4096 0% /dev
> /dev/vda2 975712256 4757620 969293244 1% /home

If we are to believe what you've pasted there then you have /dev/vda2
mounted twice, once on '/' and once on '/home'. Why it seems to think
that you have different amounts of space 'Used' and 'Available' on the
partition when it's mounted on different mount points I don't know but
it feels like something's badly messed up and you should sort that out
before you do anything else.

> ...
> /home: Excluded - SAME FS: ???
> ...
>
> So why is /home excluded ?

I think it's telling you - the partition is mounted twice and it's a
little concerned by that.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] why is clamscan excluding home directory ?
Hey Ged,
Thanks for getting back to me.
I'll overlook the sarcastic cynicism - it's probably healthy (and I'm partial myself). As to xargs, I wanted a config file rather than command line but clamd/clamdscan raises more complications around user and selinux permissions etc so xargs seemed, ironically, the simplest/quickest way forward.

Dunno why / and /home being on the same fs didn't spook me - I suppose I just accepted it as a Fedora thing as Fedora's not my usual distro - in any case thanks for highlighting it and prompting me to find https://unix.stackexchange.com/q/621771/295876 ... which says this is normal for Fedora now - not something to be concerned about.
It would seem that clamscan should be scanning /home but just doesn't take this Fedora/btrfs situation into account ( it's a std Fedora 35 WS install albeit as a VM )
If this is the reason then that's technically a bug I'd say - there are 2 legitimate dirs to scan.
Any thoughts before I post on github ?
Bob.

Re: [clamav-users] why is clamscan excluding home directory ?
As Ged pointed out, the fact that /home is mounted as a separate
mount-point (even though it's the same device), leads the system to see
them as different filesystems (you can umount /home without umount'ing /)

As a result, your use of cross-fs=no tells clamscan to not cross filesystem
boundaries and, in this case, it skips /home. If /home was NOT its own
mount, running clamscan on / would result in home being scanned.
Alternately, running clamscan against /home (and using the same
command-line arguments) would result in /home getting scanned, but
everything else getting excluded.

--Maarten

Re: [clamav-users] why is clamscan excluding home directory ?
If df is showing them separately, they are considered "separate"
filesystems by the OS even if the device is the same. This is a
'btrfs'-ism. It's one partition with multiple sub-volumes that are treated
as separate.

https://unix.stackexchange.com/questions/621771/fedora-shows-mounted-at-the-same-location-as-home

--Maarten

On Fri, Apr 8, 2022 at 2:11 PM Bob Power <b_power@yahoo.com> wrote:

> Hi Maarten,
>
> The system is reporting them as the *same* filesystem (confusing
> admittedly) and so, it seems to me, cross-fs=no shouldn't rule /home out as
> I'm starting at / and recursing so it should get to /home, see it is still
> on the same filesystem and scan it.
>
> No ?
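Added example (not part of the thread and not ClamAV code): a shell check for the coverage gap discussed above, listing every mount point under a scan root whose stat device number differs from the root's, so that paths a --cross-fs=no scan of / will not enter can be found before relying on the result. It assumes the filesystem boundary is decided by comparing device numbers; collect_mounts and skipped_mounts are hypothetical helper names, and the device numbers and filesystem types in SAMPLE are constructed.

```shell
#!/bin/sh
# Which mount points would a one-filesystem scan started at ROOT skip?
# Assumption: the boundary test is a stat(2) device-number comparison, as
# with find -xdev. On btrfs every subvolume reports its own st_dev, so /home
# differs from / even though both live on /dev/vda2.

# Live data (needs findmnt from util-linux and GNU stat).
# Emits "st_dev fstype target" lines, ROOT first. Mount points containing
# whitespace are not handled.
collect_mounts() {
    printf '%s - %s\n' "$(stat -c %d "$1")" "$1"
    findmnt -rno TARGET,FSTYPE | while read -r target fstype; do
        printf '%s %s %s\n' "$(stat -c %d "$target")" "$fstype" "$target"
    done
}

# Reads "st_dev fstype target" lines; prints "target fstype" for each mount
# below ROOT ($1) whose device number differs from ROOT's.
skipped_mounts() {
    awk -v root="$1" '
        { if (!($3 in dev)) order[++n] = $3; dev[$3] = $1; fs[$3] = $2 }
        END {
            if (!(root in dev)) { print "no entry for " root > "/dev/stderr"; exit 2 }
            prefix = (root == "/") ? "/" : root "/"
            for (i = 1; i <= n; i++) {
                t = order[i]
                if (t != root && index(t, prefix) == 1 && dev[t] != dev[root])
                    print t, fs[t]
            }
        }'
}

# Constructed sample modelled on the layout in the thread (numbers invented).
SAMPLE='34 btrfs /
40 btrfs /home
64513 ext4 /boot
5 devtmpfs /dev
21 proc /proc
20 sysfs /sys
25 tmpfs /run
36 tmpfs /tmp'

printf '%s\n' "$SAMPLE" | skipped_mounts /
# On a real host: collect_mounts / | skipped_mounts /
```

Any listed path that should be covered, such as /home or /tmp in the sample, has to be given to clamscan as its own scan target, which is what Maarten describes for /home.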