Koozali.org: home of the SME Server

[SOLVED][ClamAV] suppress checking ibay?

Offline piran

« Reply #30 on: October 06, 2006, 06:29:02 PM »
Summary:
Code: [Select]
[show the configuration of ClamAV]
# config show clamav


[query EXCLUSION areas for ClamAV]
# db configuration getprop clamav FilesystemScanExclude


[set the default EXCLUSION areas for ClamAV]
# db configuration setprop clamav FilesystemScanExclude /proc,/sys,/usr/share,/var


[set my own EXCLUSION areas for ClamAV]
[mounted network shares used in backups]
[very large ibay-mounted h/w RAID arrays]
# db configuration setprop clamav FilesystemScanExclude \
  /proc,/sys,/usr/share,/var,/mnt,/home/e-smith/files/ibays/storage


[set the command line? EXCLUSION areas for ClamAV]
# mkdir -p /etc/e-smith/templates-custom/etc/clamd.conf
# cat > /etc/e-smith/templates-custom/etc/clamd.conf/ClamukoExcludePath
{
# Set the exclude paths. All subdirectories are also excluded.
    "ClamukoExcludePath /home/e-smith/files/ibays/storage";
}
### use the key combo of Control-D to exit from the concatenation
# /sbin/e-smith/expand-template /etc/clamd.conf
# /sbin/e-smith/signal-event clamav-update

[command line simulation of the midnight ClamAV run]
[with those pre-set smeserver EXCLUSION areas]
# /sbin/e-smith/smeserver-clamscan

[command line raw use of ClamAV]
[does *NOT* use those pre-set smeserver EXCLUSION areas]
[--quiet switch avoids scrolling screenfuls of reports]
# clamscan -r /home


with thanks to Gaston94 and william_syd

Offline william_syd

« Reply #31 on: October 07, 2006, 03:12:06 AM »
Piran,

Does the above work for you ?

Don't do it on a production SME.
As an experiment, at the command line try..
Code: [Select]
clamscan -r / \
 --exclude-dir=proc \
 --exclude-dir=sys \
 --exclude-dir=share \
 --exclude-dir=var \
 --exclude-dir=quarantine \
 --exclude-dir=mnt \
 --exclude-dir=ibays

Then try
Code: [Select]
clamscan -r / \
 --exclude /proc \
 --exclude /sys \
 --exclude /usr/share \
 --exclude /var \
 --exclude /var/spool/clamav/quarantine \
 --exclude /mnt \
 --exclude /home/e-smith/files/ibays
Regards,
William

IF I give advice.. It's only if it was me....
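Added example, not part of any post in this thread: clamscan documents `--exclude-dir` as taking a regular expression, so bare names such as `share` or `var` can match more directories than intended and leave them unscanned. The script below uses `grep -E` as a stand-in for clamscan's matcher (an assumption) over a constructed directory list; the function names and sample paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: --exclude-dir patterns are
# regular expressions searched anywhere in the directory path; grep -E is
# used here as a stand-in for clamscan's own matcher.

# Constructed sample directory list, not taken from a real server.
SAMPLE_DIRS='/proc
/usr/share
/var
/home/e-smith/files/ibays/storage
/home/e-smith/files/ibays/shared-docs
/home/e-smith/files/users/varley'

# Print the sample directories that one pattern would exclude from scanning.
excluded_by() {
    printf '%s\n' "$SAMPLE_DIRS" | grep -E -- "$1" || true
}

# Convert a FilesystemScanExclude-style comma list into anchored patterns,
# one per line: metacharacters escaped, trailing slashes dropped, and the
# match limited to the directory itself or paths below it.
anchored_patterns() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -e '/^$/d' \
        -e 's/[][\.*^$+?(){}|]/\\&/g' \
        -e 's#/*$##' -e 's#^#^#' -e 's#$#(/|$)#'
}

# Count the sample directories skipped by a set of patterns (one per line).
count_excluded() {
    pat=$(printf '%s\n' "$1" | sed '/^$/d' | paste -sd '|' -)
    printf '%s\n' "$SAMPLE_DIRS" | grep -E -c -- "$pat" || true
}

# Bare names over-match; the anchored list skips only the intended trees.
echo "bare 'share' also skips:"
excluded_by share
echo "bare names skip: $(count_excluded "$(printf 'proc\nsys\nshare\nvar')") dirs"
echo "anchored skip:   $(count_excluded "$(anchored_patterns '/proc,/sys,/usr/share,/var')") dirs"
```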

Offline piran

« Reply #32 on: October 07, 2006, 03:23:06 AM »
Tomorrow... it's after 02:15hrs local;~)

Our works successfully configured the AV scan around disturbing
concurrent backups (ie didn't attempt to scan /mnt/) and avoided
trying to scan the main h/w RAID (which takes it over 5 days).

AV scan report now back to 'normal':
Code: [Select]
LibClamAV Error: cli_untar: only standard TAR files are currently supported
LibClamAV Warning: Multipart MIME message contains no boundaries

----------- SCAN SUMMARY -----------
Known viruses: 71526
Engine version: 0.88.4
Scanned directories: 25314
Scanned files: 105851
Infected files: 0
Data scanned: 5951.30 MB
Time: 2058.589 sec (34 m 18 s)

Must now allow the backups to re-build.

Will try your experiment tomorrow.

Offline william_syd

« Reply #33 on: October 07, 2006, 03:26:27 AM »
Ok.

How did you configure it? How did you run clamav?

It's in the bug tracker anyway..
http://bugs.contribs.org/show_bug.cgi?id=1671
Regards,
William


Offline william_syd

« Reply #34 on: October 09, 2006, 06:33:00 AM »
There is a Bug raised already about some of these issues.

http://bugs.contribs.org/show_bug.cgi?id=1889

and other comments...

http://forums.contribs.org/index.php?topic=33160.0
Regards,
William


Offline piran

« Reply #35 on: October 09, 2006, 09:37:26 AM »
Quote from: "william_syd"
Piran,

Does the above work for you ?

Don't do it on a production SME.
As an experiment, at the command line try..
Code: [Select]
clamscan -r / \
 --exclude-dir=proc \
 --exclude-dir=sys \
 --exclude-dir=share \
 --exclude-dir=var \
 --exclude-dir=quarantine \
 --exclude-dir=mnt \
 --exclude-dir=ibays

Then try
Code: [Select]
clamscan -r / \
 --exclude /proc \
 --exclude /sys \
 --exclude /usr/share \
 --exclude /var \
 --exclude /var/spool/clamav/quarantine \
 --exclude /mnt \
 --exclude /home/e-smith/files/ibays

It's the production box.

Offline william_syd

« Reply #36 on: October 09, 2006, 09:52:50 AM »
Yeah.. it locked up my machine at home.

For a time trial, try
Code: [Select]
clamscan -r --exclude-dir=/home /home
and
Code: [Select]
clamscan -r --exclude=/home /home
Regards,
William


Offline piran

« Reply #37 on: October 09, 2006, 09:59:06 AM »
Code: [Select]
[root@teri smeserver-dar2]# clamscan -r --exclude-dir=/home /home
/home: Excluded

----------- SCAN SUMMARY -----------
Known viruses: 71845
Engine version: 0.88.4
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 1.355 sec (0 m 1 s)
[root@teri smeserver-dar2]#


Code: [Select]
[root@teri smeserver-dar2]# clamscan -r --exclude=/home /home
(...log snipped...)

----------- SCAN SUMMARY -----------
Known viruses: 71845
Engine version: 0.88.4
Scanned directories: 16089
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 65.680 sec (1 m 5 s)
[root@teri smeserver-dar2]#

Offline william_syd

« Reply #38 on: October 09, 2006, 10:02:59 AM »
Wow, just over a minute's difference.

BTW, /proc is never scanned by clamscan.

I'll leave it in the bug tracker and see what the developers say.

Thanks.
Regards,
William
