> Hi there,
> On Mon, 14 Jun 2021, Lee, Raymond via clamav-users wrote:
> > I've been having trouble with using clamdscan to scan my entire system ...
> Then don't do it!
> There are lots of things in Unix-like filesystems (and Linux is a kind
> of Unix) which should not be scanned with ClamAV.
I've already excluded /proc, /sys, and /dev from my scans. I know I'll have other things to exclude, such as files that mission-critical apps are sensitive to, remote mounts, etc. My goal at this point is just to try to create a baseline one-size-fits-all ClamAV config and then refine from there.
> Unix exposes a lot of things to the file system which are not files.
> You might cause problems by scanning them.
I'm not quarantining anything, and so far in my testing I've only been getting warning & error messages when scanning the whole system. We'll also run scans on non-production test servers before rolling out to production.
> For much of the filesystem, scanning it is completely pointless. Much
> of what is logged for example is simply harmless text, and it would be
> far more useful to read it yourself than to scan it with ClamAV.
> You'll find some discussion about it in the mailing list archives, and
> also mention of things like SELinux and AppArmor. Please look there.
I did search the archives for SELinux-related questions, but I didn't see anything that addressed my question about clamd being unable to scan certain context types. I do have a workaround, so I can just continue with that if this is not a bug with clamd.
> It's no use just throwing a scanner at a system and hoping for the
> best. You need to develop a reasoned approach and a plan. If you
> don't, you might be a bigger threat to the system than the threats
> from which you think you're trying to protect it.
I still prefer to err on the side of caution and scan as much of the system as reasonably possible. I know some people say it's good enough to scan just the common user-accessible areas like /home, /tmp, and /var/tmp, but bad actors already know that and would try to attack other areas.
Anyway, I don't want this thread to become a debate about whether or not to scan the entire system. I was just looking for insight into my question about clamd and SELinux.
--
Best Regards,
Ray
> --
> 73,
> Ged.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
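Added example (not code from the thread or from the ClamAV project): Ray's two points, a baseline exclusion list for /proc, /sys and /dev when scanning through clamd, and working out which SELinux context types clamd is being refused on. The script turns a path list into clamd.conf `ExcludePath` lines, applies the same anchored-regex test to a few constructed sample paths (including the near-miss `/procfoo`, which an unanchored `^/proc` would wrongly swallow), and extracts the target type from constructed audit AVC records for `comm="clamd"`. Assumptions, all mine: `/run` is added to the exclude list as an illustration, the sample paths and audit lines are made up for the example, and the `antivirus_t` domain in them is what the targeted policy uses for clamd; check `ps -eZ | grep clamd` on your own host.

```shell
#!/bin/sh
# Added example (not ClamAV code, not from the thread): sketch a baseline
# exclusion list for whole-system scanning via clamd, check which sample
# paths it would skip, and pull the SELinux context types that clamd was
# denied access to out of audit AVC records.

# Paths that are not ordinary files or are pointless to scan. /proc, /sys and
# /dev are the ones named in the thread; /run is an assumption for this
# example (tmpfs holding sockets and pid files). Extend it for your own hosts.
EXCLUDES="/proc /sys /dev /run"

# Emit clamd.conf ExcludePath lines. ExcludePath takes a regex; anchoring
# with ^ and keeping the trailing / means ^/proc/ matches /proc/1/mem but
# not a directory that merely starts with the same letters, e.g. /procfoo.
gen_excludes() {
    for p in $EXCLUDES; do
        printf 'ExcludePath ^%s/\n' "$p"
    done
}

# Mimic the regex test clamd applies: return 0 if $1 is under an excluded path.
is_excluded() {
    for p in $EXCLUDES; do
        if printf '%s\n' "$1" | grep -Eq "^$p/"; then
            return 0
        fi
    done
    return 1
}

# Constructed sample paths, chosen to include the near-miss case /procfoo.
SAMPLE_PATHS="/proc/1/mem /sys/kernel/debug/tracing/trace /dev/zero
/run/clamd.scan/clamd.sock /procfoo/readme /home/ray/Downloads/a.zip /var/log/messages"

# Print one "skip"/"scan" verdict per sample path.
scan_plan() {
    for f in $SAMPLE_PATHS; do
        if is_excluded "$f"; then echo "skip $f"; else echo "scan $f"; fi
    done
}

# Constructed audit records in the standard AVC format. Under the targeted
# policy clamd runs as antivirus_t; the sshd record is noise to be filtered out.
AUDIT_SAMPLE='type=AVC msg=audit(1623700000.101:501): avc:  denied  { read } for  pid=1234 comm="clamd" name="shadow" dev="dm-0" ino=131 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623700000.102:502): avc:  denied  { open } for  pid=1234 comm="clamd" name="id_rsa" dev="dm-0" ino=132 scontext=system_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623700000.103:503): avc:  denied  { read } for  pid=1234 comm="clamd" name="shadow" dev="dm-0" ino=131 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623700000.104:504): avc:  denied  { read } for  pid=999 comm="sshd" name="notes" dev="dm-0" ino=9 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# List each SELinux file type clamd was denied on, once. On a real host feed
# it the output of `ausearch -m AVC -c clamd` instead of the embedded sample.
denied_types() {
    printf '%s\n' "$AUDIT_SAMPLE" \
    | grep -E 'avc: +denied' | grep 'comm="clamd"' \
    | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' \
    | sort -u
}

# Run as `sh baseline.sh run` to print the config lines, the plan and the
# denied types; without the argument it only defines the functions.
if [ "${1:-}" = "run" ]; then
    gen_excludes
    scan_plan
    denied_types
fi
```

The `ExcludePath` lines go into clamd.conf (the directive may be repeated), since clamdscan itself has no exclude switch; remote mounts are usually handled there too, with `CrossFilesystems no`, rather than by listing every mount point. The denied-type list is the thing to take to the SELinux side of the problem: on Fedora/RHEL the targeted policy has an `antivirus_can_scan_system` boolean (`getsebool antivirus_can_scan_system`) that widens what the antivirus domain may read, and the types the script prints tell you whether that boolean, or a local policy module, is what your workaround actually needs.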