Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Exclusion takes more exclusions than specified in clamd.conf #1201

Closed landychev closed 7 months ago

landychev commented 8 months ago

Exclusion takes more exclusions than specified in the clamd.conf file. Verified in both version clamav-0.103 and version 1.3.0 running on SUSE Linux 15.5. clamconf.txt (the clamconf output is attached as a txt file).

The following are excluded:

ExcludePath /proc/
ExcludePath /sys/
ExcludePath /dev/
ExcludePath /run/docker/
ExcludePath /run/user
ExcludePath /run/venv-salt-minion/
ExcludePath /run/systemd/
ExcludePath /var/spool/
ExcludePath /var/opt/thinlinc/sessions/
ExcludePath /var/lib/
ExcludePath /srv/docker/

When I start scanning using clamdscan with the following command: clamdscan -v --fdpass --multiscan /srv/$username/

It reports that the following are excluded:

/srv/$username/dev: Excluded
/srv/$username/Pycharm/plugins/dev: Excluded

I don't know if it is supposed to react to the same name in other places or not. But it is clear that if I have excluded /dev, it will react to other directories named /dev, or to whatever is in the list of excluded directories in clamd.conf.

ragusaa commented 8 months ago

Hi,

Thank you for the submission, I am able to reproduce this. I'll put in a ticket and let you know when it is scheduled.

Thanks, Andy

micahsnyder commented 7 months ago

@landychev @ragusaa This is not a bug. The ExcludePath option is a regex. If you only want to exclude /dev and not /home/user/dev, then use the ^ operator, like this:

ExcludePath ^/dev

Examples in our sample config use this ^ prefix for the same reason: https://github.com/Cisco-Talos/clamav/blob/main/etc/clamd.conf.sample#L182-L186
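To show why the unanchored patterns behave as reported above, here is an added example (not code from the ClamAV project) that models clamd's ExcludePath check as an unanchored regex search with Python's re module and runs it over a constructed clamd.conf excerpt and a constructed set of paths; it assumes Python re and clamd's POSIX regex agree for these simple literal patterns and represents directories with a trailing slash so patterns like /dev/ can apply to them.

```python
import re

# Constructed clamd.conf excerpt built from the exclusion list quoted in the issue.
CLAMD_CONF = """\
ExcludePath /proc/
ExcludePath /sys/
ExcludePath /dev/
ExcludePath /run/docker/
ExcludePath /var/lib/
ExcludePath /srv/docker/
"""

# Constructed sample paths; directories carry a trailing slash so /dev/ etc. can match them.
SAMPLE_PATHS = [
    "/dev/",
    "/srv/alice/dev/",
    "/srv/alice/Pycharm/plugins/dev/",
    "/srv/alice/project/var/lib/",
    "/srv/alice/report.pdf",
]

def parse_exclude_paths(conf_text):
    """Collect ExcludePath values in order, skipping comments and blank lines."""
    patterns = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "ExcludePath" and value.strip():
            patterns.append(value.strip())
    return patterns

def is_excluded(path, patterns):
    """Model clamd's check: every ExcludePath is a regex searched anywhere in the path."""
    return any(re.search(p, path) for p in patterns)

def excluded(paths, patterns):
    """Paths that the given pattern list would drop from the scan."""
    return [p for p in paths if is_excluded(p, patterns)]

def unanchored(patterns):
    """Patterns lacking ^, which also match deeper in the tree (the cause of the report)."""
    return [p for p in patterns if not p.startswith("^")]

def anchored(patterns):
    """The same list with ^ prefixed where missing, as the maintainer recommends."""
    return [p if p.startswith("^") else "^" + p for p in patterns]
```

Running excluded() with the parsed list drops every path containing /dev/ or /var/lib/, while the anchored() list drops only /dev/ itself; unanchored() is a quick audit for patterns that need the ^ prefix.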