We have separate filesystems on our servers under /var :-
/var
/var/log
/var/log/audit
And following this advice recently :-
While it is not recommended to scan everything under /var (or /var at all), the reason it fails is that you have /var submounts (/var/log, /var/tmp).
This is currently a known bug in clamav (I reported it: https://bugzilla.clamav.net/show_bug.cgi?id=12306 ), and the workaround in your case is:
OnAccessIncludePath /var/log/audit
OnAccessIncludePath /var/log
OnAccessIncludePath /var
and then, if you don't want /var/log add this in the exclude:
OnAccessExcludePath ^/var/log
But when I put an EICAR test txt file at /var/log/test.txt, it is still picked up by the OnAccess scanner.
I have tried ^/var/log/ and ^/var/log/* with the same result: test.txt is still picked up by the OnAccess scanner when, in my mind, it should be ignored.
Any ideas?
Cheers
Ian
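The pattern matching itself can be sanity-checked outside ClamAV. This added example (not from the post and not ClamAV's own code) assumes an OnAccessExcludePath pattern is applied as a regex to the full file path, as the ^ anchor suggests; it shows that all three patterns tried do match /var/log/test.txt as regexes, and that two of them also reach sibling names such as the hypothetical /var/logrotate.d, so an overly broad exclude silently drops those from on-access scanning.

```python
import re

# Constructed sample input: the three exclude patterns tried in the post and
# the EICAR test-file path. Nothing here is ClamAV's own matching code.
EXCLUDE_PATTERNS = ["^/var/log", "^/var/log/", "^/var/log/*"]
TEST_PATH = "/var/log/test.txt"

# Hypothetical paths that are NOT under /var/log but share its prefix; they
# show how far each pattern reaches (constructed, not from the post).
NEIGHBOUR_PATHS = ["/var/logrotate.d/syslog", "/var/logs/app.log"]


def excluded_by(pattern, path):
    """True if `pattern`, read as a regex (anchored by its own ^), matches `path`."""
    return re.search(pattern, path) is not None


def report(patterns, paths):
    """Map each pattern to the subset of `paths` it would exclude."""
    return {p: [path for path in paths if excluded_by(p, path)] for p in patterns}


def tight_exclude(directory):
    """Regex matching `directory` itself and anything below it, but not
    siblings that merely share the prefix (e.g. /var/logs for /var/log).
    Note that '/*' in a regex means zero or more slashes, not 'any name'."""
    return "^" + re.escape(directory) + "(/|$)"


if __name__ == "__main__":
    for pattern, hits in report(EXCLUDE_PATTERNS, [TEST_PATH] + NEIGHBOUR_PATHS).items():
        print(f"{pattern!r:16} excludes {hits}")
    print("tight:", tight_exclude("/var/log"))
```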