Koozali.org: home of the SME Server

Customising the weekly anti-virus scan

Offline judgej

« on: August 06, 2006, 12:11:37 PM »
Anyone know how to customise the automated ClamAV scan so that it excludes certain directories? I have several Gbyte of e-mail, which needs a regular scan.

Also on the server is 200Gbyte of images, music and video, which does not need a scan. It takes about 18 hours to scan that lot, with the processor working hard and the server fan blowing full speed.

I expect there is a template I can add some rules to. Just wondering if anyone has already done that?

-- JJ


Edit:

My last scan, started before I made this change, just finished:

Code:
Known viruses: 64166
Engine version: 0.88.2
Scanned directories: 48673
Scanned files: 286291
Infected files: 139
Data scanned: 69528.19 MB
Time: 51110.838 sec (851 m 50 s)


That is 14 hours, with CPU up at 95% most of the time. The 139 infected files are all e-mails in the junk and deleted folders. However, there were a few false positives on some legitimate e-mails from Paypal, reminding me my credit card is about to expire (which it is).
-- Jason

Offline judgej

« Reply #1 on: August 06, 2006, 12:44:44 PM »
Doing some digging, the current excluded directories can be found here:

Code:
# db configuration getprop clamav FilesystemScanExclude

/proc,/sys,/usr/share,/var



So to exclude, say, an i-bay, the following (entered on a single line) should work:

Code:
# db configuration setprop clamav FilesystemScanExclude '/proc,/sys,/usr/share,/var,/home/e-smith/files/ibays/<my-ibay-name>'

with <my-ibay-name> replaced as appropriate. I don't know if that will ever get overwritten through a future upgrade, but at least it should work for now. Unfortunately the 'db' command does not have the ability to add and remove individual items from a CSV list in a property, so you have to be careful when updating it to ensure you retain any existing paths.

Hope that helps someone else wishing to exclude directories from their weekly or daily filesystem AV scan.

-- JJ
-- Jason
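
The caveat in the post above (`db` rewrites the whole comma-separated property, so existing paths must be retained) can be handled with a small wrapper that merges one path into the current value. This is an added example, not part of the original post or of SME Server: the helper names `csv_has`, `csv_add`, `csv_remove` and `exclude_add` are hypothetical, and only the two `db configuration` commands come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread); helper names are hypothetical.
# Only the two "db configuration" commands are taken from the posts above.

# csv_has LIST ITEM: succeed if ITEM is already an element of LIST.
csv_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# csv_add LIST ITEM: print LIST with ITEM appended, keeping existing entries.
csv_add() {
    item=${2%/}                      # "/data/" and "/data" are the same entry
    case "$item" in
        ""|/|*,*) echo "refusing '$2': empty, root, or contains a comma" >&2
                  return 1 ;;        # excluding / would skip the whole scan
        /*) ;;
        *)  echo "refusing '$2': not an absolute path" >&2; return 1 ;;
    esac
    if csv_has "$1" "$item"; then
        printf '%s\n' "$1"           # already excluded: leave list unchanged
    else
        printf '%s\n' "${1:+$1,}$item"
    fi
}

# csv_remove LIST ITEM: print LIST without ITEM.
csv_remove() {
    out=
    old_ifs=$IFS; IFS=,; set -f      # split on commas, no glob expansion
    for p in $1; do
        [ "$p" = "$2" ] || out=${out:+$out,}$p
    done
    IFS=$old_ifs; set +f
    printf '%s\n' "$out"
}

# exclude_add PATH: read the live property, merge PATH in, write it back.
exclude_add() {
    current=$(db configuration getprop clamav FilesystemScanExclude) || return 1
    new=$(csv_add "$current" "$1") || return 1
    [ "$new" = "$current" ] && return 0
    db configuration setprop clamav FilesystemScanExclude "$new"
}

# Usage on the server: sh this-script.sh /home/e-smith/files/ibays/<my-ibay-name>
if [ "$#" -eq 1 ]; then exclude_add "$1"; fi
```

Every path added here is a directory the scheduled scan no longer covers, so the merged value is worth reading back with `getprop` after each change.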

Offline raem

« Reply #2 on: August 06, 2006, 01:27:52 PM »
judgej

Thanks, that will be very useful. We have Gbs of unchanging GIS files that don't need to be scanned.
SME 7 just keeps getting better as you find out more about it; the developers have done a great job.

> I don't know if that will ever get overwritten through a future upgrade...

As it is an entry in the db, it should survive upgrades etc., unless you inadvertently overwrite that entry with a new, different one.
...

Offline judgej

« Reply #3 on: August 06, 2006, 03:58:02 PM »
As more of the options get moved to the configuration databases, and the templates consequently become more generic, it certainly does get easier to reconfigure the server.

I've raised a feature request on exposing this particular setting in the administration panel. I've also hinted that the ability to access all the db settings in a more controlled fashion would be great - perhaps through the admin panel or a contribution. There are many hidden gems in there.

-- JJ
-- Jason

Offline judgej

Re: Customising the weekly anti-virus scan [UPDATE]
« Reply #4 on: August 28, 2006, 01:01:21 AM »
I've noticed that my last few scans have not been honouring the exclude file list. I suspect there may be a bug in /sbin/e-smith/smeserver-clamscan causing this: it passes the parameters to clamscan like this:

/usr/bin/clamscan  --recursive --infected --stdout --log /var/log/clamd/clamscan.log --exclude /proc --exclude /sys --exclude /usr/share --exclude /var --exclude /var/spool/clamav/quarantine /

Whereas I think it should be doing this:

/usr/bin/clamscan  --recursive --infected --stdout --log=/var/log/clamd/clamscan.log --exclude=/proc --exclude=/sys --exclude=/usr/share --exclude=/var  --exclude=/var/spool/clamav/quarantine /

Can anyone else confirm this as a problem?

I've raised a bug to track this, if it is indeed a real problem: http://bugs.contribs.org/show_bug.cgi?id=1889
-- Jason

Offline Jean-Philippe Pialasse

  • aka Unnilennium
« Reply #5 on: August 28, 2006, 01:16:24 AM »
By default it seems to me that ClamAV scans all incoming and outgoing emails ...

How did these emails manage to get into your junkmail files? Did you disable email scan?

Or is it a bug?

Offline judgej

« Reply #6 on: August 28, 2006, 01:22:06 AM »
Quote from: "unnilennium"
> By default it seems to me that ClamAV scans all incoming and outgoing emails ...
>
> How did these emails manage to get into your junkmail files? Did you disable email scan?
>
> Or is it a bug?


Not so far as I know. I believe the server sorts out most of the viruses and spam, deleting where appropriate, and placing into the junkmail folders where there is some doubt. Thunderbird catches most of the remainder (viruses and spam) that get through, and I have set that up to go into the same junkmail folders.

I suspect that the e-mail scanning just picks off the main viruses on the incoming mail, but the full system scan does a more thorough job and highlights a lot of the SPAM that otherwise goes straight through. Between SME and Thunderbird, they get most of the stuff, and I still get a second chance to check over it and pull out any false positives (they do occasionally happen).

-- JJ
-- Jason

Offline Jean-Philippe Pialasse

  • aka Unnilennium
« Reply #7 on: August 28, 2006, 01:30:15 AM »
Have you enabled quarantine?
If yes, the mail with viruses should be in /var/spool/clamav/quarantine

Offline judgej

« Reply #8 on: August 28, 2006, 01:36:03 AM »
Quote from: "unnilennium"
> Have you enabled quarantine?
> If yes, the mail with viruses should be in /var/spool/clamav/quarantine


I hadn't, but I have enabled quarantine now. No point in keeping real viruses - I just didn't enable it, because I could not find an adequate explanation of exactly what it did - what it put in there, how I would get any messages back out again etc.
-- Jason

Offline Jean-Philippe Pialasse

  • aka Unnilennium
« Reply #9 on: August 28, 2006, 01:51:01 AM »
It puts messages and files found with viruses, or suspected due to a big compression rate.

Check:
Code:
db configuration show clamav

Is this there: ScanMail=yes?

If not:
Code:
db configuration setprop clamav ScanMail yes