[clamav-users] Clamd.exe
Marcy Rogers
owdeea at gmail.com
Tue Nov 17 14:26:13 UTC 2020
Sorry it has taken so long to get back with everyone but I want to thank
everyone who replied to my e-mail.
The way to exclude a path in ClamAV is using this:
ExcludePath "C:\\Windows"
That helped me so much with my ClamAV daily runs.
Thank you again,
Marcy
On Fri, Oct 23, 2020 at 8:44 PM G.W. Haywood via clamav-users <
clamav-users at lists.clamav.net> wrote:
> Hello again,
>
> On Fri, 23 Oct 2020, Marcy Rogers via clamav-users wrote:
>
> > ...
> > I followed the instructions for installing Clamav for Windows and placed
> > the clamd.conf file in the c:\program files\clamav.
> > ...
> > In the config file, you will see this.
> > ...
> > ExcludePath "C:\Windows"
>
> There are two potential issues there. More below.
>
> > ...
> > SelfCheck 3600
> >
> > This was set at 600 before I changed it to 3600 minutes. Clamd.exe is
> > reading to do a selfcheck every 3600 minutes but it is not reading to
> > excludepath "c:\windows"
>
> It's good to know that the selfcheck interval has indeed changed from
> the default to what you have set in the config file. At least that
> shows that you have had some effect on the daemon. I'd just like to
> be sure that the config file that you think is having that effect is
> actually the file that's doing that, and that you don't have another
> file somewhere with the 3600 second self-check interval set but _not_
> the ExcludePath line. If you change the interval to something like
> 1200 seconds and wait for twenty minutes you should be able to verify
> that you're working with the right file. Alternatively you can give
> the config file path explicitly on the command line to make sure.
>
> A couple of other things:
>
> 1.
>
> On Fri, 23 Oct 2020, Mark Fortescue wrote:
>
> > Have you tried C:\\Windows or C:/Windows.
>
> Mr. Fortescue makes good suggestions. The ExcludePath directive takes
> as its argument a 'regular expression', not just a string of text.
> Regular expressions are kinds of patterns which are _compared_ with a
> string of text - in this case the regex will be compared with a path
> name. It either matches (and so the path is excluded) or it doesn't
> (so it isn't excluded). Think about the '*' character that's often
> used when you want to list the files in a directory which all have
> names beginning with the same few characters. A regex is like that
> with bells on. This isn't the place to talk about regular expressions
> (if you aren't familiar with them, search for tutorials about them)
> but we do need to mention the backslash I'm afraid. In most regular
> expression (regex) libraries, the backslash character is 'special'.
> It does not behave literally in a string as ordinary characters do; it
> escapes the following character, if that is another special character,
> thus making the special character _not_ special. But if the following
> character is _not_ a special character, the non-special character is
> taken literally as if the backslash were not there. That means that
> the regex
>
> c:\Windows
>
> actually matches
>
> c:Windows
>
> and if you want to have a literal backslash in a regex you generally
> have to double it, as in Mr. Fortescue's first suggestion.
>
> Linux, MacOS etc. pathnames use the forward slash character as the
> directory separator. Windows has a quirk. On Windows, the directory
> separator in the pathnames is the backslash character. Sometimes to
> get around this quirk on Windows, tools which use regexes will accept
> a forward slash instead of a backslash for the directory separator,
> avoiding the need to double backslashes everywhere which can be messy
> if there are many directories in the path.
>
> 2.
>
> In the config file I notice that you have
>
> ExcludePath "C:\Windows"
>
> but you say it continues to scan "c:\windows". As I said I don't use
> ClamAV on Windows so I don't know if clamd behaves differently there
> from how it behaves on Linux etc., but on the operating systems that
> I'm used to working with ClamAV tools are case sensitive. That means
> that "C:\Windows" and "c:\windows" would be two different paths, and
> excluding one would not exclude the other. You can have more than
> one ExcludePath directive in the file so it won't hurt to try several
>
> ExcludePath "C:\\Windows"
> ExcludePath "C:\\WINDOWS"
> ExcludePath "C:\\windows"
> ExcludePath "C:\Windows"
> ExcludePath "C:\WINDOWS"
> ExcludePath "C:\windows"
> ExcludePath "C:/Windows"
> ExcludePath "C:/WINDOWS"
> ExcludePath "C:/windows"
>
> and see if that helps. I'm afraid that I'm guessing here. Also I
> left out the nine lines with a lower case 'c' but I'd be surprised if
> anything on Windows would treat the drive letter case sensitively.
> And I suppose you could try it without a drive letter at all. :/
>
> On Fri, 23 Oct 2020, Marcy Rogers via clamav-users wrote:
> > ... I have been working on this for 4 months now. ...
>
> Ouch! It really shouldn't be that difficult! If you don't get this
> fixed in a couple of days from the other help you get here then I'll
> spin up a Windows virtual machine and see what I find. What version
> of Windows are you using?
>
> > I am scanning but it is taking over 5 hours to scan and I would like
> > to cut that down by not scanning the Windows directory.
>
> I understand that it takes time but I suspect that it isn't a good
> idea to cut out the entire Windows directory as that might often be
> where malicious files, if there are any, have installed themselves.
> To get around that kind of issue people often set up scheduled scans
> so that they take place for example out of office hours.
>
> Incidentally if you're only ever using clamd by starting it from a
> powershell window every time you want to scan the machine then you're
> losing a lot of the value of having a clamd daemon. Generally it's
> intended to have clamd running 24/365, so that you hardly ever have to
> wait for the signature database(s) to be loaded if you decide to do a
> scan from the command line at a moment's notice. The trade-off is the
> memory used by clamd while ever it's running, typically around 1Gbyte
> even if you only have the 'official' signatures loaded - and there are
> several third-party signature databases available.
>
> It's late. Good luck!
>
> --
>
> 73,
> Ged.
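An added example, not part of the original messages and not ClamAV code: a small audit that pulls the ExcludePath patterns out of a config and reports which sample paths each one would actually exclude, so a broken or overly broad exclusion is visible before it reaches a scan. It assumes the quoted argument reaches the regex engine verbatim, that matching is an unanchored search, and that Python's `re` stands in for clamd's regex library; the config text and paths are constructed samples. In Python `\W` is a character class rather than a literal `W`, but the outcome for the single-backslash pattern is the same: it does not match the real path.

```python
import re

# Constructed sample config using directive forms quoted in the thread.
SAMPLE_CONF = r'''
# constructed sample, not a complete clamd.conf
SelfCheck 3600
ExcludePath "C:\Windows"
ExcludePath "C:\\Windows"
ExcludePath "C:/Windows"
'''

# Constructed sample paths as a scanner on Windows might see them.
SAMPLE_PATHS = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"c:\windows\notepad.exe",
    r"C:\Users\marcy\Documents\report.docx",
]


def exclude_patterns(conf_text):
    """Return ExcludePath arguments with outer quotes stripped, otherwise verbatim."""
    patterns = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        if name == "ExcludePath":
            patterns.append(value.strip().strip('"'))
    return patterns


def audit(conf_text, paths, ignore_case=False):
    """Map each pattern to the sample paths it would exclude (unanchored search)."""
    flags = re.IGNORECASE if ignore_case else 0
    report = {}
    for pat in exclude_patterns(conf_text):
        try:
            rx = re.compile(pat, flags)
        except re.error as exc:  # e.g. an escape the engine rejects
            report[pat] = f"invalid regex: {exc}"
            continue
        report[pat] = [p for p in paths if rx.search(p)]
    return report


if __name__ == "__main__":
    for pat, hits in audit(SAMPLE_CONF, SAMPLE_PATHS).items():
        print(f"{pat!r:16} excludes {hits}")
```

Passing `ignore_case=True` shows what the same patterns would exclude if matching were case-insensitive, which is the open question the reply raises about clamd on Windows.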