Exclusion takes more exclusions than specified in clamd.conf
landychev opened this issue
Exclusion takes more exclusions than specified in clamd.conf file.
Verified in both version clamav-0.103 and version 1.3.0 running SUSE Linux 15.5
clamconf.txt
Clamconf is attached as txt file
The following are excluded:
ExcludePath /proc/
ExcludePath /sys/
ExcludePath /dev/
ExcludePath /run/docker/
ExcludePath /run/user
ExcludePath /run/venv-salt-minion/
ExcludePath /run/systemd/
ExcludePath /var/spool/
ExcludePath /var/opt/thinlinc/sessions/
ExcludePath /var/lib/
ExcludePath /srv/docker/
When I start scanning using clamdscan with the following command:
clamdscan -v --fdpass --multiscan /srv/$username/
It reports that the following are excluded:
/srv/$username/dev: Excluded
/srv/$username/Pycharm/plugins/dev: Excluded
I don't know if it is supposed to react to the same name in other places or not.
But it is clear that if I have excluded /dev it will react to other directories named /dev or what is in the list of excluded directories in clamd.conf
Hi,
Thank you for the submission, I am able to reproduce this. I'll put in a ticket and let you know when it is scheduled.
Thanks,
Andy
@landychev @ragusaa This is not a bug. The ExcludePath option is a regex. If you only want to exclude /dev and not /home/user/dev, then use the ^ operator, like this:
ExcludePath ^/dev
Examples in our sample config use this ^ prefix for the same reason: https://github.com/Cisco-Talos/clamav/blob/main/etc/clamd.conf.sample#L182-L186
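The matching behaviour described in the reply above, as an added example that is not part of the original thread or ClamAV's own code. It assumes Python's re.search is a fair stand-in for clamd's regex matching on these simple patterns; the sample paths and the user name alice are constructed.

```python
import re

# ExcludePath values taken from the issue report (subset), as written in clamd.conf.
REPORTED = ["/proc/", "/sys/", "/dev/", "/run/user", "/var/lib/"]


def excluded_by(path, patterns):
    """Return the patterns that match anywhere in path (unanchored search)."""
    return [p for p in patterns if re.search(p, path)]


def anchor(pattern):
    """Anchor a pattern to the start of the path unless it already is anchored."""
    return pattern if pattern.startswith("^") else "^" + pattern


def audit(patterns, sample_paths):
    """Map each sample path to the patterns that exclude it only because
    they match in the middle of the path, not at its start."""
    findings = {}
    for path in sample_paths:
        loose = set(excluded_by(path, patterns))
        strict = {p for p in patterns if re.search(anchor(p), path)}
        surprising = sorted(loose - strict)
        if surprising:
            findings[path] = surprising
    return findings


# Constructed sample paths modelled on the report ("alice" is a placeholder user).
SAMPLES = [
    "/dev/sda",
    "/srv/alice/dev/notes.txt",
    "/srv/alice/Pycharm/plugins/dev/plugin.jar",
    "/home/alice/project/var/lib/data.db",
    "/srv/alice/report.pdf",
]

if __name__ == "__main__":
    # Lists every file that silently escapes scanning due to a missing ^ anchor.
    for path, pats in audit(REPORTED, SAMPLES).items():
        print(f"{path}: excluded by unanchored {pats}")
```

Any path this audit reports is a file that would go unscanned under the unanchored configuration, so running it against a real ExcludePath list and a directory listing shows where the scan coverage gap is before the ^ prefix is added.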