> On Fri, 28 Sep 2007, Jon Wagoner - Red Cheetah wrote:
>
> > It appears clamav just does a substring match on the exclude, so it
> > would be easy to hide viruses. E.g. If I excluded .MYD, then you could
> > just have your virus named somevirus.MYD and it would not be caught. If
>
> I would not exclude *.MYD globally. However:
>
> > I tried to exclude the mysql dir, then a user could have a virus hidden
> > in /home/someuser/var/lib/mysql/my-virus-here.
>
> Users should not be able to write to that directory at all, it should be
> owned/group mysql. If someone did put a virus there you would probably have
> a bigger problem - namely that mysql had been hacked.
Take a closer look, that's not the real mysql directory, just a subdirectory under the user's home folder that would match the exclude for the real /var/lib/mysql.
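Added example, not part of the original thread and not ClamAV code: a small audit that lists which paths an exclude rule would skip outside the directory it was written for. It models exclude matching as an unanchored search (Python `re.search`), the behaviour described in the thread; the function names, the rule list and every sample path except `/home/someuser/var/lib/mysql/my-virus-here` are constructed, and the anchored patterns assume the exclude option accepts regular expressions.

```python
import re

# Constructed sample paths; only the second one is taken from the thread.
PATHS = [
    "/var/lib/mysql/shop/orders.MYD",
    "/home/someuser/var/lib/mysql/my-virus-here",
    "/home/someuser/somevirus.MYD",
    "/home/someuser/report.doc",
]

# (exclude pattern, directory the rule is meant to cover) -- hypothetical rules.
RULES = [
    ("/var/lib/mysql", "/var/lib/mysql"),            # unanchored directory rule
    (r"\.MYD", "/var/lib/mysql"),                    # unanchored extension rule
    (r"^/var/lib/mysql/", "/var/lib/mysql"),         # anchored at the path start
    (r"^/var/lib/mysql/.*\.MYD$", "/var/lib/mysql"), # anchored at both ends
]


def excluded(pattern, path):
    """Assumption: an exclude rule matches anywhere in the path (unanchored)."""
    return re.search(pattern, path) is not None


def unintended_exclusions(pattern, intended_root, paths):
    """Paths the rule would skip although they lie outside intended_root."""
    root = intended_root.rstrip("/") + "/"
    return [p for p in paths if excluded(pattern, p) and not p.startswith(root)]


def audit(rules, paths):
    """Map each pattern to the list of paths it excludes unintentionally."""
    return {pat: unintended_exclusions(pat, root, paths) for pat, root in rules}


if __name__ == "__main__":
    for pat, leaks in audit(RULES, PATHS).items():
        verdict = "OK" if not leaks else "also skips " + ", ".join(leaks)
        print(f"{pat!r}: {verdict}")
```

An anchored rule only helps if the scanner compares it against the absolute path, so run the same check against paths in the form the scan is actually invoked with.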