On Wed, 29 Nov 2006 at 12:37:35 -0800, Dennis Peterson wrote:
> Bill Landry wrote:
> >Dennis Peterson wrote the following on 11/29/2006 7:23 AM -0800:
> 
> >One other option was to run a second instance of clamd pointed to a 
> >different config file and run the second instance as root.  Then 
> >clamdscan should be able to scan all files in all directories without 
> >permissions issues.
> >
> >Bill
> 
> Recall that the initial requirement was to scan only files that have 
> changed since the previous scan. That is a subset of the entire file 
> system and can certainly involve multiple top level directories. The 
> trick then is to create a means of identifying and scanning an arbitrary 
> number of files in arbitrary locations (second requirement) with a 
> single instance of the tool (third requirement). clamdscan requires the 
> same workarounds as clamscan. 

Possibly not - see below.

> While it wasn't a requirement, some kind 
> of logging is essential IMO. It apparently has been accepted without 
> comment that the --include and --exclude options are inadequate for this 
> purpose.
> 
> You are quite right, though, that it sometimes happens to be a good 
> solution to create a short-lived root-owned instance of clamd (one that 
> uses a Unix socket written to a root-owned and read-only root directory 
> along with other essential parameters). It doesn't provide any advantage 
> in this situation, where the real problem is to present, at one time, an 
> arbitrary-length list of files with arbitrary paths to the scanner.

The advantage is that clamd can be configured to follow symlinks.

From 'man clamd.conf':

       FollowDirectorySymlinks
              Follow directory symlinks.
              Default: disabled

       FollowFileSymlinks
              Follow regular file symlinks.
              Default: disabled

       MaxDirectoryRecursion NUMBER
              Maximal depth directories are scanned at.
              Default: 15


A very basic, but real example:

$ clamscan /usr/share/clamav-testfiles/clam.exe
/usr/share/clamav-testfiles/clam.exe: ClamAV-Test-File FOUND

$ ln -s /usr/share/clamav-testfiles/clam.exe /tmp/clam.exe
$ ls /tmp/clam.exe
/tmp/clam.exe@

$ clamscan /tmp/clam.exe
/tmp/clam.exe: ClamAV-Test-File FOUND

$ clamscan /tmp

----------- SCAN SUMMARY -----------
[...]
Scanned directories: 1
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB

[ As expected - the symlink wasn't scanned. But: ]

$ clamdscan /tmp
/tmp/clam.exe: ClamAV-Test-File FOUND

[ clamdscan _did_ find the "infected" file!  Because: ]

$ grep -i sym /etc/clamav/clamd.conf
FollowFileSymlinks


So I believe (I haven't verified that empirically) that after creating, 
in a directory of choice, symlinks to the files to scan, there should be no 
need to split the list of symlinks into smaller parts. Plainly launching 
clamdscan on that directory should be sufficient.

-- 
 Tomasz Papszun    SysAdm @ TP S.A. Lodz, Poland    | And it's only
 tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 tomek at clamav.net   http://www.ClamAV.net/   A GPL virus scanner
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
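The approach Tomasz sketches above (list the changed files, stage them as symlinks in one directory, run clamdscan once over that directory) as an added example; this is not code from the original thread or from the ClamAV project. It assumes that FollowFileSymlinks is enabled in clamd.conf as in the man page excerpt, that the account clamd runs under can traverse the staging directory and read the link targets, and it uses constructed paths such as /var/lib/clamscan purely for illustration. Staged links are numbered so that two files sharing a basename in different directories (the /tmp/clam.exe case, twice over) do not overwrite each other.

```shell
#!/bin/sh
# Added example, not code from the original thread: scan "files changed
# since the last run" by staging them as symlinks in one directory and
# handing that single directory to clamdscan.
# Assumes: clamd.conf has FollowFileSymlinks enabled, and the user clamd
# runs as can traverse the staging directory and read the link targets.
# All paths here are illustrative.

# build_changed_list ROOT STAMP LISTFILE
#   Writes to LISTFILE every regular file under ROOT modified since STAMP
#   was last touched (all files if STAMP does not exist yet). The new
#   stamp is created *before* find runs, so a file modified during the
#   walk is picked up on the next run instead of being lost.
build_changed_list() {
    root=$1; stamp=$2; listfile=$3
    touch "$stamp.new"
    if [ -e "$stamp" ]; then
        find "$root" -xdev -type f -newer "$stamp" > "$listfile"
    else
        find "$root" -xdev -type f > "$listfile"
    fi
    mv "$stamp.new" "$stamp"
}

# stage_symlinks LISTFILE STAGEDIR
#   Creates one symlink per listed path inside STAGEDIR, which is recreated
#   empty on every run. Link names are numbered so files sharing a basename
#   in different directories (/a/clam.exe, /b/clam.exe) do not clobber each
#   other; the real path stays recoverable with readlink. Prints the count.
#   (One path per line, so file names containing newlines are not supported.)
stage_symlinks() {
    listfile=$1; stagedir=$2
    case $stagedir in
        ""|/) echo "refusing to use '$stagedir' as staging dir" >&2; return 1 ;;
    esac
    rm -rf "$stagedir"
    mkdir -p "$stagedir"
    n=0
    while IFS= read -r path; do
        case $path in
            "")  continue ;;
            /*)  ;;                                  # absolute path: accept
            *)   echo "skipping relative path: $path" >&2; continue ;;
        esac
        [ -f "$path" ] || continue                   # vanished or not a regular file
        n=$((n + 1))
        ln -s "$path" "$stagedir/$n-$(basename "$path")"
    done < "$listfile"
    echo "$n"
}

# scan_staged STAGEDIR LOGFILE
#   One clamdscan invocation over the whole staging directory: --infected
#   prints only hits, --log keeps the full report for the record.
scan_staged() {
    command -v clamdscan >/dev/null 2>&1 || { echo "clamdscan not found" >&2; return 2; }
    clamdscan --infected --log="$2" "$1"
}

# scan_changed ROOT STAMP WORKDIR : the three steps in order.
scan_changed() {
    mkdir -p "$3"
    build_changed_list "$1" "$2" "$3/changed.list"
    count=$(stage_symlinks "$3/changed.list" "$3/stage")
    if [ "$count" -eq 0 ]; then
        echo "nothing changed since last scan"
        return 0
    fi
    scan_staged "$3/stage" "$3/clamdscan.log"
}

# Example invocation (illustrative paths):
# scan_changed /home /var/lib/clamscan/stamp /var/lib/clamscan/work
```

FollowFileSymlinks is a daemon-wide clamd setting, so once it is on, clamd follows file symlinks it meets in any scan, not only in the staging directory. The scan also quietly skips anything the clamd user cannot read, which is the permissions problem the root-owned second instance discussed above was meant to address; check the log's "Scanned files" count against the staged count to notice that.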