[clamav-users] OnAccessExcludePath being ignored.

Franky Van Liedekerke liedekef at telenet.be
Fri Sep 27 12:12:37 UTC 2019


On Thursday, 26-09-2019 at 20:14, Franky Van Liedekerke wrote:
> On Thursday, 26-09-2019 at 19:17, G.W. Haywood via clamav-users wrote:
> > Hello again,
> > 
> > On Thu, 26 Sep 2019, CROFT Ian via clamav-users wrote:
> > 
> > > ... making sure they are all strings looks better now in most cases.
> > >
> > > So I now have these :-
> > >
> > > OnAccessIncludePath /var/log
> > > ( Only added to include to get around the bug previously mentioned )
> > >
> > > OnAccessIncludePath /var
> > >
> > > OnAccessExcludePath /var/log
> > >
> > > However eicar test as /var/log/test.txt is still being picked up.
> > >
> > > It's working fine on other real sub directories ( not separate mounts ),
> > > feels like this is falling foul of the fact /var/log is a sub mount
> > > point perhaps.
> > 
> > Hmmmm.  Bugs or no bugs it seems rather willful having both of these:
> > 
> > OnAccessIncludePath /var/log
> > OnAccessExcludePath /var/log
> > 
> > and I'm not surprised that things seem a bit insane if you do. :)
> > 
> > Unfortunately on bugzilla, issue 12306 itself is restricted access.
> > Because of that I didn't even know of its existence - I've trawled
> > through every issue listed in the components pages at
> > 
> > https://bugzilla.clamav.net/describecomponents.cgi?product=ClamAV
> > 
> > and AFAICT it doesn't appear in any of them.  So I don't think I can
> > add anything useful to what I've already said.  To repeat what I've
> > already said, I think scanning /var/log isn't a great idea.
> 
> Well, I reported the bug, so I can summarize it with this example:
> ======================================================
> This works to monitor /opt (assuming /opt/openv is a submount):
> 
> OnAccessIncludePath /opt/openv
> OnAccessIncludePath /opt
> 
> but this doesn't:
> OnAccessIncludePath /opt
> OnAccessIncludePath /opt/openv
> ======================================================
> 
> The thing is of course: what to do if you want to monitor /opt and not /opt/openv while /opt/openv is a submount?
> Maybe the new 0.102 version has a workaround for it (I do know that you still need this OnAccessIncludePath workaround, but maybe with the new onaccess method, the standard excludes also apply and that would help then ... something I need to test, but I need to compile clamav for that first).
 
Ok, good news: the new 0.102 version works as expected. While it still has the bug with the OnAccessIncludePath-part, you can just exclude /opt/openv in clamd itself using the standard ExcludePath-option. Reason why this works: clamonacc is a new client daemon in 0.102 which in fact is just being told what should be monitored in on-access mode and gives those files to clamd as a client. Clamd itself then checks all its regular options, so ExcludePath is validated too. This is very cool in the fact that you could now once again use the mount-option for onaccess too and let all the excludes be handled via regular clamd. This has an overhead of course (you should understand that OnAccessMountPath has fewer possibilities), but I like the choices now.

Franky
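
An added example, not part of the original message and not ClamAV code: a small Python linter for the two on-access misconfigurations discussed in this thread (a submount listed after its parent in OnAccessIncludePath, and a path that is both included and excluded), plus a check of whether a file would match clamd's ExcludePath as used in the 0.102 workaround. The sample config, the mount-point set and all function names are constructed for illustration, and Python's `re` only approximates clamd's own regex matching.

```python
import re
from pathlib import PurePosixPath

# Constructed sample clamd.conf; /opt/openv is assumed to be a separate mount.
SAMPLE_CONF = """\
OnAccessIncludePath /opt
OnAccessIncludePath /opt/openv
ExcludePath ^/opt/openv/
"""

def parse(conf_text):
    """Return {option: [values]} in file order, skipping comments and blanks."""
    opts = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts.setdefault(parts[0], []).append(parts[1].strip())
    return opts

def is_under(child, parent):
    """True when child is a strict descendant of parent."""
    return PurePosixPath(parent) in PurePosixPath(child).parents

def lint(conf_text, mount_points):
    """Report the two on-access misconfigurations discussed in the thread."""
    opts = parse(conf_text)
    includes = opts.get("OnAccessIncludePath", [])
    findings = []
    # A submount listed after its parent is the failing order from the bug report.
    for i, parent in enumerate(includes):
        for child in includes[i + 1:]:
            if child in mount_points and is_under(child, parent):
                findings.append(f"order: list {child} before {parent}")
    # The same path in both on-access lists is contradictory.
    for path in opts.get("OnAccessExcludePath", []):
        if path in includes:
            findings.append(f"conflict: {path} is included and excluded")
    return findings

def clamd_excludes(file_path, conf_text):
    """Approximate clamd's ExcludePath check with an unanchored regex search."""
    patterns = parse(conf_text).get("ExcludePath", [])
    return any(re.search(p, file_path) for p in patterns)

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, {"/opt/openv"}):
        print(finding)
    print(clamd_excludes("/opt/openv/bin/tool", SAMPLE_CONF))
```

The mount-point set is passed in by hand so the check runs offline; on a live host it could be read from /proc/mounts.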


