[clamav-users] Stop clamdscan from stepping on itself?

G.W. Haywood clamav at jubileegroup.co.uk
Sat Oct 19 08:25:09 EDT 2019


Hi Steve,

On Fri, 18 Oct 2019, Steve Basford wrote:
> On 18 October 2019 16:19:23 Ian via clamav-users wrote:
>
>> This doesn't seem like a difficult problem for clamav to solve -- clamd is 
>> asked to scan the file system and it creates temp files to accomplish this
>
> I know I'm mainly a win user... So sorry in advance... but if you created a 
> Linux ram drive... Pointed clamav temp files to the ram drive... Would that 
> get around the issue...

As I said in another reply on this subject I think this is probably
moot, but in a Linux box absolutely everything is under '/', which is
the root of the entire tree of, well, everything you can see in the
filesystem.  Devices, kernel data, files, pipes, sockets, everything.
And depending on the distribution, the administrator, and the stuff
installed on the system, the 'special files' can pop up in all sorts
of places.  Generally you do not want to scan them, things can break.

If you want to use some storage using the normal operating system
tools you have to 'mount' it.  You might for example 'mount' a disc
partition which is accessed in raw form as '/dev/sda1' onto a point in
the tree called '/mnt/scsi_disc_A_partiton_1'.  This point is a place
in the filesystem (it has to be created, and will normally be empty)
and after /dev/sda1 is mounted on it, all the files and directories in
the sda1 partition become visible as a kind of extension to the tree
which wasn't there before it was mounted.  If there did happen to be
any files in the directory _before_ the partition was mounted on it,
they will be inaccessible until the over-mounted device is unmounted.

So if you scan '/' recursively without some limits there's basically
no way to avoid scanning whatever temporary directory you've made, be
it a RAMdisk, SSD, USB stick, removable hard drive, or whateveritis,
because you had to mount it somewhere in order to be able to use it.

On the other hand if you _don't_ scan '/' recursively, and start your
scan somewhere else in the tree, you can mount your temporary directory
in a part of the tree which won't be scanned.  This is the sort of thing
I meant when I said "don't do that" and "think about it first". :)

-- 

73,
Ged.
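
The mount-point reasoning in the message above, as an added example that is not part of the original post or of ClamAV: given a scan root and a temporary directory, it reports whether a recursive scan would walk into the temporary directory and which kernel or device filesystems sit under the root. The mount table is constructed sample data in /proc/mounts format, and /var/lib/clamav-tmp is a hypothetical temporary directory; paths are assumed to be absolute.

```python
import os

# Constructed sample in /proc/mounts format: device, mount point, fstype, options...
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid 0 0
sysfs /sys sysfs rw,nosuid 0 0
devtmpfs /dev devtmpfs rw,nosuid 0 0
/dev/sda1 /mnt/scsi_disc_A_partiton_1 ext4 rw 0 0
tmpfs /var/lib/clamav-tmp tmpfs rw,size=512m 0 0
/dev/sdb1 /home ext4 rw 0 0
"""

# Filesystem types that expose kernel data or devices rather than stored files.
SPECIAL_FS = {"proc", "sysfs", "devtmpfs", "devpts", "cgroup2", "debugfs", "securityfs"}


def parse_mounts(text):
    """Return [(mount_point, fstype)] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            # /proc/mounts escapes a space inside a path as \040
            mounts.append((fields[1].replace("\\040", " "), fields[2]))
    return mounts


def is_under(path, root):
    """True if path is root itself or lies below it, compared by path component."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return os.path.commonpath([path, root]) == root


def scan_overlaps(scan_root, temp_dir, mounts):
    """Describe what a recursive scan starting at scan_root would walk into."""
    return {
        "temp_dir_scanned": is_under(temp_dir, scan_root),
        "special_mounts": sorted(
            mp for mp, fs in mounts if fs in SPECIAL_FS and is_under(mp, scan_root)
        ),
    }


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)  # on a live system, read /proc/mounts instead
    for root in ("/", "/home"):
        print(root, scan_overlaps(root, "/var/lib/clamav-tmp", table))
```
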

