On Mar 11, 2008, at 10:19 AM, Jay Becker wrote:

>
>> On Fri, March 7, 2008 11:52 am, Jay Becker wrote:
>>
>>> Is there a way to force clamdscan to ignore network mounts (AFS, NFS,
>>> SMB)?  For example, if several workstations use NFS to mount several
>>> directories on a server and I want all shared files to be scanned by
>>> only the server and each client responsible for scanning their local
>>> files.  I know I could do a recursive scan using the exclude directory
>>> option, but it seems fairly clumsy as the mounted directories vary and
>>> there are quite a few clients.  An option such as
>>> --restrict-to-local-filesystems would be great, but afaik it doesn't
>>> exist and I can't find evidence of other solutions (except for writing a
>>> script to find all local files and pass them to clamdscan).  Thanks!
>>>
>>>
>>
>> Using clamdscan for this is probably the wrong idea unless clamd is
>> running as root and that's also a wrong idea generally speaking. Using
>> clamscan run as root gets around the privileges problems that clamd has
>> when it is running as an privileged user.
>>
>> So if you read the man page for clamscan you will find this option:
>>
>> --include=PATT, --include-dir=PATT
>> Only scan file/directory names containing PATT. It may be used multiple
>> times.
>>
>> It works fine for what you're trying to do.
>>
>> dp
>>
>
> I know there are --include-dir and --exclude-dir options, which as I
> mentioned in my question do not meet my needs.  I would rather not log
> in to a machine, check for where they have network mounts, and manually
> add them using --exclude-dir.  This would be an alright option for a
> handful of machines, but on a large scale it is cumbersome.
>
> I also think that *not* scanning network file systems should be the
> default, simply due to the bandwidth use when scanning.  It seems like
> usually it would be better for the scanning (except for on-access scans)
> to be done by the machine that is sharing the files rather than the ones
> accessing files.  Of course, a user should be able to choose if they
> want to scan network fs as well.
>
> For the sake of another example, if a sysadmin has 1000 machines which
> all mount back and forth on various directories and they want to scan
> every file on every machine once a day, the most efficient way is to
> have every machine scan all of their local files.  This is a contrived
> situation of course, but shows where a "local file system only" scan
> would be incredibly useful as an admin could push install clamav on
> every system and push the same config & cron job to every machine.
>
> If this simply doesn't exist as I suspect, just confirm and I will get
> to work on a script.  If I missed something in the docs you are welcome
> to play the "if you read the man page" card, but please read the whole
> question before you do.  Thanks!
>

I think you will discover that clamav is much like tar (not Gnu tar)  
in that it has no internal means to avoid remote file systems. So just  
as with tar you must define what to include and what to exclude. The  
command line options are there to support this and there are other  
tools such as find and mount that can help build the include list and  
exclude list. This is not an uncommon problem for Unix admins to face.

If you follow the conversation here for very long you will also  
discover the intent of clamav is to scan email, not file systems as  
such, and it is actually not the best tool in the box for this. It  
needs quite a bit of help in the way of preparation and wrappers to  
get it to do precisely what you wish. Clamdscan is the least likely  
tool to succeed in scanning file systems without additional effort -  
consider the default run-as user of the clamd daemon and you will  
realize that user does not have read authority everywhere it must for  
a full file system scan.

The previous answer I provided is a correct answer - this product has  
no brain, use your own.

dp
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
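
The reply above points to mount and find for building the exclude list. As an added example (not from this thread or from the ClamAV project), the following wrapper derives the `--exclude-dir` options from the mount table, so the same script and cron job can be pushed to every client. It assumes a Linux `/proc/mounts`; the function names, the list of network filesystem types and the sample mount table are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: derive clamscan --exclude-dir options from the mount table.

# Read lines in /proc/mounts format ("device mountpoint fstype options ...")
# on stdin and print one anchored --exclude-dir option per network mount.
network_excludes() {
    while read -r _dev mnt fstype _rest; do
        case $fstype in
            # Assumed list of network filesystem types; extend for your site.
            nfs|nfs4|afs|cifs|smbfs|smb3|ncpfs|fuse.sshfs)
                # /proc/mounts encodes a space in a path as \040.
                mnt=$(printf '%s' "$mnt" | sed 's/\\040/ /g')
                # Escape regex metacharacters so the path matches literally.
                esc=$(printf '%s' "$mnt" | sed 's/[][\.^$*+?(){}|]/\\&/g')
                printf '%s^%s(/|$)\n' '--exclude-dir=' "$esc"
                ;;
        esac
    done
}

# Constructed sample mount table, used to check the output offline.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
fileserver:/export/home /home nfs4 rw,vers=4.2 0 0
//fileserver/share /mnt/team\040share cifs rw 0 0
AFS /afs afs rw 0 0
tmpfs /run tmpfs rw 0 0
EOF
}

# Scan everything under / except network mounts. The start path is absolute
# so that the anchored patterns line up with the paths clamscan walks.
scan_local() {
    old_ifs=$IFS
    IFS='
'
    set -f                      # no globbing while splitting on newlines
    set -- $(network_excludes < /proc/mounts)
    set +f
    IFS=$old_ifs
    clamscan --recursive --infected "$@" /
}
```

Run `sample_mounts | network_excludes` to preview the generated options before wiring `scan_local` into cron.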
