Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net

Home Page: https://www.clamav.net/

Exclusion takes more exclusions than specified in clamd.conf

landychev opened this issue

Exclusion takes more exclusions than specified in clamd.conf file.
Verified in both version clamav-0.103 and version 1.3.0 running SUSE Linux 15.5
clamconf.txt
Clamconf is attached as txt file

The following are excluded:

ExcludePath /proc/
ExcludePath /sys/
ExcludePath /dev/
ExcludePath /run/docker/
ExcludePath /run/user
ExcludePath /run/venv-salt-minion/
ExcludePath /run/systemd/
ExcludePath /var/spool/
ExcludePath /var/opt/thinlinc/sessions/
ExcludePath /var/lib/
ExcludePath /srv/docker/

When I start scanning using clamdscan with the following command:
clamdscan -v --fdpass --multiscan /srv/$username/

It reports that the following are excluded:

/srv/$username/dev: Excluded
/srv/$username/Pycharm/plugins/dev: Excluded

I don't know if it is supposed to react to the same name in other places or not.
But it is clear that if I have excluded /dev it will react to other directories named /dev or what is in the list of excluded directories in clamd.conf

Hi,

Thank you for the submission, I am able to reproduce this. I'll put in a ticket and let you know when it is scheduled.

Thanks,
Andy

@landychev @ragusaa This is not a bug. The ExcludePath option is a regex. If you only want to exclude /dev and not /home/user/dev, then use the ^ operator, like this:

ExcludePath ^/dev 

Examples in our sample config use this ^ prefix for the same reason: https://github.com/Cisco-Talos/clamav/blob/main/etc/clamd.conf.sample#L182-L186
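
The effect of anchoring on the patterns from this thread, as an added example that is not part of the thread or of ClamAV's own code. It assumes unanchored POSIX extended regex matching through regcomp/regexec as a stand-in for clamd's matcher (the thread only says the option is a regex), and the sample paths are constructed. It goes one step past the reply by also showing that `^/dev` without a trailing slash still excludes a sibling such as `/devel`.

```c
#include <regex.h>
#include <stdio.h>

/* Returns 1 if any pattern matches somewhere in path, 0 if none does,
 * -1 if a pattern does not compile. regexec() searches the whole string,
 * so a pattern without ^ can match in the middle of a path. */
int is_excluded(const char *const *patterns, const char *path)
{
    int hit = 0;
    for (int i = 0; patterns[i] != NULL && !hit; i++) {
        regex_t re;
        if (regcomp(&re, patterns[i], REG_EXTENDED | REG_NOSUB) != 0)
            return -1;
        hit = (regexec(&re, path, 0, NULL, 0) == 0);
        regfree(&re);
    }
    return hit;
}

/* Pattern sets: as written in the issue, with ^ only (as in the reply),
 * and with ^ plus a trailing slash. */
const char *const AS_REPORTED[] = { "/proc/", "/sys/", "/dev/", NULL };
const char *const CARET_ONLY[]  = { "^/proc", "^/sys", "^/dev", NULL };
const char *const CARET_SLASH[] = { "^/proc/", "^/sys/", "^/dev/", NULL };

/* Constructed sample paths, not taken from the reporter's system. */
const char *const SAMPLE_PATHS[] = {
    "/dev/null",                            /* the intended exclusion */
    "/srv/alice/dev/build.sh",              /* user directory named dev */
    "/srv/alice/Pycharm/plugins/dev/a.jar", /* nested directory named dev */
    "/devel/tool.bin",                      /* shares only the /dev prefix */
    NULL
};

int main(void)
{
    /* 1 = skipped by the scanner, 0 = scanned */
    printf("%-40s %-9s %-6s %s\n", "path", "reported", "^/dev", "^/dev/");
    for (int i = 0; SAMPLE_PATHS[i] != NULL; i++)
        printf("%-40s %-9d %-6d %d\n", SAMPLE_PATHS[i],
               is_excluded(AS_REPORTED, SAMPLE_PATHS[i]),
               is_excluded(CARET_ONLY, SAMPLE_PATHS[i]),
               is_excluded(CARET_SLASH, SAMPLE_PATHS[i]));
    return 0;
}
```

Running the same check over a listing of the directories you expect to be scanned shows which ExcludePath entries silently remove them from coverage.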