[Clamav-users] Clamscan bug/feature in Solaris

2005-02-23 Thread Plant, Dean
I have posted a few previous questions regarding clamscan and problems with
/net on Solaris.

After some further investigation I have found that it is impossible to run an
efficient full scan (clamscan -r /) of a Solaris file system if /net is
activated in /etc/auto_master.

This is down to the fact that Sun's automounter mounts /net/localhost as /
so clamscan keeps rescanning the same files over and over again, first from
/ then through /net/localhost, then through
/net/localhost/net/hostname... you get the idea.

Using --exclude="^//net.*" helps but does not stop clamscan traversing down
/net excluding every file over and over again as it only excludes files and
not directories.

I have found reference to other software that has the same problem

http://la-samhna.de/samhain/manual/suidchk.html
&
http://www.lone-tar.com/index.php?p=faq&d=all&display=1126

But their way around it is to have a directory exclude that so that the
software does not read any further down into that directory.

My questions are,

1. Is it possible to stop clamscan traversing down /net with the current
version of ClamAV?
2. If not, what are the chances of having an exclude directory switch or a
switch to limit clamscan to local file systems, like the find command?
3. Are other people working around this problem some other way or am I the
only one trying to do a full scan of a Solaris file system?

Thanks for your help.

Dean Plant
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Clamscan bug/feature in Solaris

2005-02-27 Thread Dennis Peterson
Plant, Dean wrote:
> I have posted a few previous questions regarding clamscan and problems with
> /net on Solaris.
>
> After some further investigation I have found that it is impossible to run an
> efficient full scan (clamscan -r /) of a Solaris file system if /net is
> activated in /etc/auto_master.
>
> This is down to the fact that Sun's automounter mounts /net/localhost as /
> so clamscan keeps rescanning the same files over and over again, first from
> / then through /net/localhost, then through
> /net/localhost/net/hostname... you get the idea.
>
> Using --exclude="^//net.*" helps but does not stop clamscan traversing down
> /net excluding every file over and over again as it only excludes files and
> not directories.
>
> I have found reference to other software that has the same problem

Naturally it is going to follow NFS mount points. That is what you asked it to 
do so why wouldn't it? And what you are doing is a rather nutty thing to 
attempt, as well. This is a user problem, not a software problem. The solution 
is to scan selectively as in (examples only - this message requires you to think):

clamscan -r /opt
clamscan -r /var --exclude=sa?? --exclude=syslog* --exclude=sulog --exclude=messages*
clamscan -r /export/home
clamscan -r /usr
clamscan -r /tmp --exclude=mysql.sock
clamscan -r /etc --exclude=.name_service_door  --exclude=.syslog_door
clamscan -r /usr/local/apache --exclude=*log

Avoid scanning /proc, /cdrom, /mnt, /vol, /xfn as you will be wasting your time. 
If you scan /home you may run into the same problem as with /net. Scan /dev, 
/devices, /kernel, and /platform at your peril.

You will want to exclude door files, very likely sparse files, db tables and 
indices, and other special files such as Unix sockets and device files.

dp


RE: [Clamav-users] Clamscan bug/feature in Solaris

2005-02-28 Thread Plant, Dean
Dennis Peterson wrote:
> Naturally it is going to follow NFS mount points. That is what you
> asked it to do so why wouldn't it? And what you are doing is a rather
> nutty thing to attempt, as well. This is a user problem, not a software
> problem. The solution is to scan selectively as in (examples only - this
> message requires you to think):


Nutty I may be :-) but scanning selectively is fine for a few machines but
what if you have fifty machines with varying configurations? This approach
would mean an extra administrative overhead to guarantee all machines do a
correct full scan without scanning files multiple times because they are NFS
mounted. Selectively scanning would also allow areas on file systems to be
missed if someone creates a new directory that is not included on the scan
list.

Having the ability to exclude directories or limit to local file systems,
you could run a simple common script with clamscan -r / --exclude-dir's,
that would guarantee to scan all your files across all your machines while
missing out problem directories.

Dean



Re: [Clamav-users] Clamscan bug/feature in Solaris

2005-02-28 Thread Alberto da Silva
On Mon, 28 Feb 2005 10:17:42 -, Plant, Dean <[EMAIL PROTECTED]> wrote:
> Nutty I may be :-) but scanning selectively is fine for a few machines but
> what if you have fifty machines with varying configurations? This approach
> would mean an extra administrative overhead to guarantee all machines do a
> correct full scan without scanning files multiple times because they are NFS
> mounted. Selectively scanning would also allow areas on file systems to be
> missed if someone creates a new directory that is not included on the scan
> list.
> 
> Having the ability to exclude directories or limit to local file systems,
> you could run a simple common script with clamscan -r / --exclude-dir's,
> that would guarantee to scan all your files across all your machines while
> missing out problem directories.
> 
> Dean

This is a user problem.

Write a script that looks at the config of the server being scanned
eg:
df -F ufs to get a list of ufs file systems
use find on the df-list to generate an exclude list (pipes, doors, etc)
execute clamscan df-list -exclude=exclude-list

Alberto
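
The script Alberto outlines, as an added example that is not part of the original thread. Instead of building an exclude list it hands clamscan an explicit list of regular files, produced with find -xdev (the find behaviour Dean mentions) so the walk never enters /net. The function names, the df -k column layout and a clamscan that supports --file-list are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Needs a POSIX shell (on Solaris use
# /usr/xpg4/bin/sh or ksh rather than the legacy /bin/sh).
# Assumptions: `df -k -F ufs` prints the mount point in the last column,
# and the installed clamscan supports --file-list.
#
# Constructed sample of the df output this expects:
#   Filesystem          kbytes    used   avail capacity  Mounted on
#   /dev/dsk/c0t0d0s0  8262869 5100012 3080229    63%    /
#   /dev/dsk/c0t0d0s5  4131866 1200345 2890203    30%    /var

# Read df -k style output on stdin, print one mount point per line.
# The header and a device name wrapped onto its own line are skipped.
mounts_from_df() {
    awk 'NF >= 5 && $NF ~ /^\// { print $NF }'
}

# List regular files below one mount point. -xdev keeps find on that
# filesystem, so /net and other NFS or automounter mounts are never
# entered; -type f leaves out doors, pipes, sockets and device nodes.
files_on_fs() {
    find "$1" -xdev -type f -print 2>/dev/null
}

# Build one file list covering every local ufs filesystem and scan it.
scan_local() {
    list=$(mktemp /tmp/clamscan-list.XXXXXX) || return 1
    df -k -F ufs | mounts_from_df | while read -r mp; do
        files_on_fs "$mp"
    done > "$list"
    clamscan --infected --file-list="$list"
    rc=$?
    rm -f "$list"
    return "$rc"
}

# Only scan when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    scan_local
fi
```

Current clamscan releases also accept --exclude-dir=REGEX and --cross-fs=no, the two kinds of switch asked for earlier in the thread.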


RE: [Clamav-users] Clamscan bug/feature in Solaris

2005-02-28 Thread Plant, Dean
Alberto da Silva wrote:
> On Mon, 28 Feb 2005 10:17:42 -, Plant, Dean
> <[EMAIL PROTECTED]> wrote: 
>> Nutty I may be :-) but scanning selectively is fine for a few
>> machines but what if you have fifty machines with varying
>> configurations? This approach would mean an extra administrative
>> overhead to guarantee all machines do a correct full scan without
>> scanning files multiple times because they are NFS mounted.
>> Selectively scanning would also allow areas on file systems to be
>> missed if someone creates a new directory that is not included on
>> the scan list.  
>> 
>> Having the ability to exclude directories or limit to local file
>> systems, you could run a simple common script with clamscan -r /
>> --exclude-dir's, that would guarantee to scan all your files across
>> all your machines while missing out problem directories.
>> 
>> Dean
> 
> This is a user problem.
> 
> Write a script that looks at the config of the server being scanned
> eg:
> df -F ufs to get a list of ufs file systems
> use find on the df-list to generate an exclude list (pipes, doors, etc)
> execute clamscan df-list -exclude=exclude-list
> 
> Alberto

Ok, fair point. I didn't think of doing it that way (simple really). I'll
give that a go, taking in your and Dennis's suggestions.

Thanks

Dean


RE: [Clamav-users] Clamscan bug/feature in Solaris

2005-02-28 Thread Dennis Peterson
Plant, Dean said:
> Dennis Peterson wrote:
>> Naturally it is going to follow NFS mount points. That is what you
>> asked it to do so why wouldn't it? And what you are doing is a rather
>> nutty thing to attempt, as well. This is a user problem, not a software
>> problem. The solution is to scan selectively as in (examples only - this
>> message requires you to think):
>
>
> Nutty I may be :-) but scanning selectively is fine for a few machines but
> what if you have fifty machines with varying configurations? This approach
> would mean an extra administrative overhead to guarantee all machines do a
> correct full scan without scanning files multiple times because they are NFS
> mounted. Selectively scanning would also allow areas on file systems to be
> missed if someone creates a new directory that is not included on the scan
> list.
>
> Having the ability to exclude directories or limit to local file systems,
> you could run a simple common script with clamscan -r / --exclude-dir's,
> that would guarantee to scan all your files across all your machines while
> missing out problem directories.

You are a prime candidate for Cfengine.

dp
