Hello again,

On Fri, 23 Oct 2020, Marcy Rogers via clamav-users wrote:
> ... I followed the instructions for installing Clamav for Windows and placed the clamd.conf file in the c:\program files\clamav.
> ...
> In the config file, you will see this.
> ...
> ExcludePath "C:\Windows"
There are two potential issues there. More below.
> ...
> SelfCheck 3600
> This was set at 600 before I changed it to 3600 minutes. Clamd.exe is reading to do a selfcheck every 3600 minutes but it is not reading to excludepath "c:\windows"
It's good to know that the selfcheck interval has indeed changed from the default to what you have set in the config file. At least that shows that you have had some effect on the daemon. I'd just like to be sure that the config file that you think is having that effect is actually the file that's doing that, and that you don't have another file somewhere with the 3600 second self-check interval set but _not_ the ExcludePath line. If you change the interval to something like 1200 seconds and wait for twenty minutes you should be able to verify that you're working with the right file. Alternatively you can give the config file path explicitly on the command line to make sure.

A couple of other things:

1. On Fri, 23 Oct 2020, Mark Fortescue wrote:
> Have you tried C:\\Windows or C:/Windows.
Mr. Fortescue makes good suggestions. The ExcludePath directive takes as its argument a 'regular expression', not just a string of text. Regular expressions are kinds of patterns which are _compared_ with a string of text - in this case the regex will be compared with a path name. It either matches (and so the path is excluded) or it doesn't (so it isn't excluded). Think about the '*' character that's often used when you want to list the files in a directory which all have names beginning with the same few characters. A regex is like that with bells on.

This isn't the place to talk about regular expressions (if you aren't familiar with them, search for tutorials about them) but we do need to mention the backslash I'm afraid. In most regular expression (regex) libraries, the backslash character is 'special'. It does not behave literally in a string as ordinary characters do; it escapes the following character, if that is another special character, thus making the special character _not_ special. But if the following character is _not_ a special character, the non-special character is taken literally as if the backslash were not there. That means that the regex

c:\Windows

actually matches

c:Windows

and if you want to have a literal backslash in a regex you generally have to double it, as in Mr. Fortescue's first suggestion.

Linux, MacOS etc. pathnames use the forward slash character as the directory separator. Windows has a quirk. On Windows, the directory separator in the pathnames is the backslash character. Sometimes to get around this quirk on Windows, tools which use regexes will accept a forward slash instead of a backslash for the directory separator, avoiding the need to double backslashes everywhere which can be messy if there are many directories in the path.

2. In the config file I notice that you have

ExcludePath "C:\Windows"

but you say it continues to scan "c:\windows".

As I said I don't use ClamAV on Windows so I don't know if clamd behaves differently there from how it behaves on Linux etc., but on the operating systems that I'm used to working with ClamAV tools are case sensitive. That means that "C:\Windows" and "c:\windows" would be two different paths, and excluding one would not exclude the other. You can have more than one ExcludePath directive in the file so it won't hurt to try several

ExcludePath "C:\\Windows"
ExcludePath "C:\\WINDOWS"
ExcludePath "C:\\windows"
ExcludePath "C:\Windows"
ExcludePath "C:\WINDOWS"
ExcludePath "C:\windows"
ExcludePath "C:/Windows"
ExcludePath "C:/WINDOWS"
ExcludePath "C:/windows"

and see if that helps. I'm afraid that I'm guessing here. Also I left out the nine lines with a lower case 'c' but I'd be surprised if anything on Windows would treat the drive letter case sensitively. And I suppose you could try it without a drive letter at all. :/

On Fri, 23 Oct 2020, Marcy Rogers via clamav-users wrote:
> ... I have been working on this for 4 months now. ...
Ouch! It really shouldn't be that difficult! If you don't get this fixed in a couple of days from the other help you get here then I'll spin up a Windows virtual machine and see what I find. What version of Windows are you using?
> I am scanning but it is taking over 5 hours to scan and I would like to cut that down by not scanning the Window directory.
I understand that it takes time but I suspect that it isn't a good idea to cut out the entire Windows directory as that might often be where malicious files, if there are any, have installed themselves. To get around that kind of issue people often set up scheduled scans so that they take place for example out of office hours.

Incidentally if you're only ever using clamd by starting it from a powershell window every time you want to scan the machine then you're losing a lot of the value of having a clamd daemon. Generally it's intended to have clamd running 24/365, so that you hardly ever have to wait for the signature database(s) to be loaded if you decide to do a scan from the command line at a moment's notice. The trade-off is the memory used by clamd while ever it's running, typically around 1Gbyte even if you only have the 'official' signatures loaded - and there are several third-party signature databases available.

It's late. Good luck!

--
73,
Ged.
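The backslash and case points discussed in the message above, as an added example that is not part of the original e-mail and is not ClamAV code. It assumes the quoted ExcludePath value is handed to the regex engine unchanged and that paths are compared in their native backslash form; Python's `re` stands in for clamd's regex library, and the config text and path are constructed samples.

```python
import re

# Constructed sample: some of the ExcludePath spellings suggested in the message.
SAMPLE_CONF = r'''
SelfCheck 3600
ExcludePath "C:\\Windows"
ExcludePath "C:\Windows"
ExcludePath "C:/Windows"
ExcludePath "C:\\WINDOWS"
'''
# Constructed sample path, written the way Windows normally reports it.
SAMPLE_PATH = r"C:\Windows\System32\drivers\etc\hosts"

REGEX_SPECIAL = set(r"\.^$*+?()[]{}|")

def exclude_patterns(conf_text):
    """Return the argument of every ExcludePath line, outer quotes removed."""
    patterns = []
    for line in conf_text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "ExcludePath":
            patterns.append(value.strip().strip('"'))
    return patterns

def lone_backslashes(pattern):
    """Offsets of backslashes followed by a non-special character (or nothing)."""
    hits, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\":
            if pattern[i + 1:i + 2] not in REGEX_SPECIAL:
                hits.append(i)
            i += 2  # skip the escaped character as well
        else:
            i += 1
    return hits

def audit(conf_text, path):
    """Return (pattern, matched, lone_backslash_offsets) for each ExcludePath."""
    report = []
    for pattern in exclude_patterns(conf_text):
        try:
            matched = re.search(pattern, path) is not None
        except re.error:
            matched = None  # this engine rejects the escape outright
        report.append((pattern, matched, lone_backslashes(pattern)))
    return report

if __name__ == "__main__":
    for pattern, matched, lone in audit(SAMPLE_CONF, SAMPLE_PATH):
        print(f"{pattern!r:16} matched={matched} lone_backslash_at={lone}")
```

Python's `re` reads `\W` as a character class where the message describes a plain `W`; under either reading the single-backslash pattern fails to match the sample path, and only the doubled-backslash pattern with matching case does.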
