Hi there,

On Tue, 14 Jun 2016, Adam Lininger wrote:

> I run clamAV on my Mac Book (installed via clamXav). It seems to be not entirely obeying the --exclude and --exclude-dir flags.

Mr. Allan makes a valid point. You might try installing ClamAV without using clamXav, then you'll know what you're getting. :)

These things often take a bit of experimentation. My approach would be to use the 'verbose' option and look at the output. Here's a scan by an unprivileged user - the last part of the command line (a *very* long one, so I've broken it with backslash-escaped newlines here) was:

    --log=/home/ged/clamscan-20160614.log / \
    >> /home/ged/clamscan-20160614.stdout \
    2>>/home/ged/clamscan-20160614.stderr &

and some of the output:

    ...
    /root: Excluded
    /share: Excluded
    /run: Excluded
    /initrd.img.old: Symbolic link
    /selinux: Excluded
    /tmp: Excluded
    /opt: Excluded
    /sys: Excluded
    /home: Excluded
    /.rnd: Access denied
    /usr: Excluded
    /dev: Excluded
    /bin: Excluded
    /mnt: Excluded
    /man: Excluded
    /boot: Excluded
    /sbin: Excluded
    /etc: Excluded
    /initrd.img: Symbolic link
    /vmlinuz: Symbolic link
    /lost+found: Can't open directory.
    ...

Are you sure that clamscan is actually reading the files that you don't want to be read, and not just doing a 'stat' on them?

You're using 'exclude' options and giving the root directory as the starting point for the scan. I would tend to prefer to specify the scan with 'include' rather than exclude, just as a precaution - you might find, later on, that new directories that you really don't want to scan mysteriously appear. Things like /proc for example. Are there not other directories which should also be excluded?

Are you sure that clamscan isn't following symlinks? The default in 'normal' installations is only to follow symlinks which are specified to clamscan directly, but it has the ability to behave differently. Is it possible that the clamXav version behaves differently?

I notice that some of the arguments to your 'exclude' directives are quoted and some are not. I would quote them all.

I notice that your '/media/binstore' arguments don't have a trailing slash, but some others do. I'd be consistent.

--

73,
Ged.
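
One way to act on the "look at the output" advice in the message above, as an added example that is not part of the original e-mail: shell functions that tally the per-path status lines in saved clamscan output and list every path that was not excluded. The function names and the sample lines (including the `/srv/new-data` entry) are constructed for illustration, following the output format quoted in the message.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumption: per-path lines look like "<path>: <status>", as quoted above,
# and the scan started at "/", so every path line begins with "/".
# Lines such as "..." or a scan summary do not start with "/" and are skipped.

# split_status: emit "<status><TAB><path>" for each per-path line in file $1.
# The regex anchors on the LAST ": " so a path containing ": " stays intact.
split_status() {
    awk '/^\// && match($0, /: [^:]*$/) {
        printf "%s\t%s\n", substr($0, RSTART + 2), substr($0, 1, RSTART - 1)
    }' "$1"
}

# status_counts: number of paths per status, one "<count> <status>" per line.
status_counts() {
    split_status "$1" | cut -f1 | sort | uniq -c | sed 's/^ *//'
}

# not_excluded: every path clamscan did something other than exclude,
# which is where a directory missed by the exclude patterns shows up.
not_excluded() {
    split_status "$1" | awk -F '\t' '$1 != "Excluded" { print $2 ": " $1 }'
}

# Constructed sample in the format quoted in the message.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
...
/root: Excluded
/initrd.img.old: Symbolic link
/tmp: Excluded
/.rnd: Access denied
/lost+found: Can't open directory.
/srv/new-data/file.bin: OK
...
EOF

status_counts "$sample"
echo "--- not excluded ---"
not_excluded "$sample"
```

Point the functions at the file that captured the scan's standard output instead of the constructed sample.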