I'm not a big Windows fan, but it sounds like ClamAV regexes are rather
unfriendly to Windows since they don't seem to have an "ignore case"
option (unlike most other regex-using programs).

Assuming that is the case (sic), you might try:

  ExcludePath "[Cc]:\\[Ww][Ii][Nn][Dd][Oo][Ww][Ss]"

as a shorter way to exclude all possible spellings of "Windows".

The same rather ugly approach should work in other situations where you
want to ignore case in a ClamAV regex to accommodate Windows' filename
interpretation (which it inherited from DOS).



On Sat, 24 Oct 2020 01:44:06 +0100 (BST)
"G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net> wrote:

> Hello again,
> 
> On Fri, 23 Oct 2020, Marcy Rogers via clamav-users wrote:
> 
> > ...
> > I followed the instructions for installing Clamav for Windows and placed
> > the clamd.conf file in the c:\program files\clamav.
> > ...
> > In the config file, you will see this.
> > ...
> > ExcludePath "C:\Windows"  
> 
> There are two potential issues there; more below.
> 
> > ...
> > SelfCheck 3600
> >
> > This was set at 600 before I changed it to 3600 minutes.  Clamd.exe is
> > reading to do a selfcheck every 3600 minutes but it is not reading to
> > excludepath "c:\windows"  
> 
> It's good to know that the selfcheck interval has indeed changed from
> the default to what you have set in the config file.  At least that
> shows that you have had some effect on the daemon.  I'd just like to
> be sure that the config file that you think is having that effect is
> actually the file that's doing that, and that you don't have another
> file somewhere with the 3600 second self-check interval set but _not_
> the ExcludePath line.  If you change the interval to something like
> 1200 seconds and wait for twenty minutes you should be able to verify
> that you're working with the right file.  Alternatively you can give
> the config file path explicitly on the command line to make sure.
> 
> A couple of other things:
> 
> 1.
> 
> On Fri, 23 Oct 2020, Mark Fortescue wrote:
> 
> > Have you tried C:\\Windows or C:/Windows?  
> 
> Mr. Fortescue makes good suggestions.  The ExcludePath directive takes
> as its argument a 'regular expression', not just a string of text.
> Regular expressions are kinds of patterns which are _compared_ with a
> string of text - in this case the regex will be compared with a path
> name.  It either matches (and so the path is excluded) or it doesn't
> (so it isn't excluded).  Think about the '*' character that's often
> used when you want to list the files in a directory which all have
> names beginning with the same few characters.  A regex is like that
> with bells on.  This isn't the place to talk about regular expressions
> (if you aren't familiar with them, search for tutorials about them)
> but we do need to mention the backslash I'm afraid.  In most regular
> expression (regex) libraries, the backslash character is 'special'.
> It does not behave literally in a string as ordinary characters do; it
> escapes the following character, if that is another special character,
> thus making the special character _not_ special.  But if the following
> character is _not_ a special character, the non-special character is
> taken literally as if the backslash were not there.  That means that
> the regex
> 
> c:\Windows
> 
> actually matches
> 
> c:Windows
> 
> and if you want to have a literal backslash in a regex you generally
> have to double it, as in Mr. Fortescue's first suggestion.
> 
> Linux, MacOS etc. pathnames use the forward slash character as the
> directory separator.  Windows has a quirk.  On Windows, the directory
> separator in the pathnames is the backslash character.  Sometimes to
> get around this quirk on Windows, tools which use regexes will accept
> a forward slash instead of a backslash for the directory separator,
> avoiding the need to double backslashes everywhere which can be messy
> if there are many directories in the path.
> 
> 2.
> 
> In the config file I notice that you have
> 
> ExcludePath "C:\Windows"
> 
> but you say it continues to scan "c:\windows".  As I said I don't use
> ClamAV on Windows so I don't know if clamd behaves differently there
> from how it behaves on Linux etc., but on the operating systems that
> I'm used to working with, ClamAV tools are case-sensitive.  That means
> that "C:\Windows" and "c:\windows" would be two different paths, and
> excluding one would not exclude the other.  You can have more than
> one ExcludePath directive in the file so it won't hurt to try several
> 
> ExcludePath "C:\\Windows"
> ExcludePath "C:\\WINDOWS"
> ExcludePath "C:\\windows"
> ExcludePath "C:\Windows"
> ExcludePath "C:\WINDOWS"
> ExcludePath "C:\windows"
> ExcludePath "C:/Windows"
> ExcludePath "C:/WINDOWS"
> ExcludePath "C:/windows"
> 
> and see if that helps.  I'm afraid that I'm guessing here.  Also I
> left out the nine lines with a lower case 'c' but I'd be surprised if
> anything on Windows would treat the drive letter case sensitively.
> And I suppose you could try it without a drive letter at all. :/
> 
> On Fri, 23 Oct 2020, Marcy Rogers via clamav-users wrote:
> > ... I have been working on this for 4 months now. ...  
> 
> Ouch!  It really shouldn't be that difficult!  If you don't get this
> fixed in a couple of days from the other help you get here then I'll
> spin up a Windows virtual machine and see what I find.  What version
> of Windows are you using?
> 
> > I am scanning but it is taking over 5 hours to scan and I would like
> > to cut that down by not scanning the Windows directory.  
> 
> I understand that it takes time but I suspect that it isn't a good
> idea to cut out the entire Windows directory as that might often be
> where malicious files, if there are any, have installed themselves.
> To get around that kind of issue people often set up scheduled scans
> so that they take place for example out of office hours.
> 
> Incidentally if you're only ever using clamd by starting it from a
> powershell window every time you want to scan the machine then you're
> losing a lot of the value of having a clamd daemon.  Generally it's
> intended to have clamd running 24/365, so that you hardly ever have to
> wait for the signature database(s) to be loaded if you decide to do a
> scan from the command line at a moment's notice.  The trade-off is the
> memory used by clamd while ever it's running, typically around 1Gbyte
> even if you only have the 'official' signatures loaded - and there are
> several third-party signature databases available.
> 
> It's late.  Good luck!
> 
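
The regex behaviour discussed in both messages above (the doubled backslash, case sensitivity, and the [Cc]/[Ww] character-class workaround), as an added example that is not code from this thread or from ClamAV. It assumes what the thread assumes: that an ExcludePath value is compiled as a POSIX extended, case-sensitive regex and matched unanchored against the full path. The helper path_excluded and the sample paths are constructed for illustration; clamd's own matching may differ.

```c
/* Added example, not ClamAV's own code.  Checks how ExcludePath-style
 * regexes behave against Windows paths, on the thread's assumption that
 * the value is a POSIX extended, case-sensitive regex matched unanchored
 * against the full path.  The sample paths are constructed. */
#include <regex.h>
#include <stdio.h>

/* Returns 1 if `pattern` matches anywhere in `path`, 0 if it does not,
 * and -1 if the pattern fails to compile (e.g. a trailing lone backslash). */
int path_excluded(const char *pattern, const char *path)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, path, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* The case-class workaround from the reply above.  Each "\\\\" in the C
 * string is one escaped backslash in the regex, i.e. one literal "\". */
const char *ANY_CASE_WINDOWS = "[Cc]:\\\\[Ww][Ii][Nn][Dd][Oo][Ww][Ss]";

/* Same, anchored to the start of the path and requiring a separator or
 * end of string after "Windows", so "C:\Windows.old" is not excluded. */
const char *ANCHORED_WINDOWS =
    "^[Cc]:\\\\[Ww][Ii][Nn][Dd][Oo][Ww][Ss](\\\\|$)";

int main(void)
{
    /* Constructed sample paths, as a scanner would see them on Windows. */
    const char *paths[] = {
        "C:\\Windows\\System32\\kernel32.dll",
        "c:\\windows\\temp\\x.tmp",
        "C:\\WINDOWS\\explorer.exe",
        "C:\\Windows.old\\setup.exe",
        "C:\\Users\\bob\\Old Windows Files\\notes.txt",
        "C:\\Program Files\\ClamAV\\clamd.exe",
    };
    const char *patterns[] = {
        "C:\\Windows",    /* single backslash is consumed as an escape */
        "C:\\\\Windows",  /* literal backslash, but case-sensitive */
        "C:/Windows",     /* only useful if the scanner normalises separators */
        "Windows",        /* unanchored substring: also hits user folders */
        ANY_CASE_WINDOWS,
        ANCHORED_WINDOWS,
    };
    size_t np = sizeof(patterns) / sizeof(patterns[0]);
    size_t nf = sizeof(paths) / sizeof(paths[0]);

    for (size_t i = 0; i < np; i++) {
        printf("ExcludePath \"%s\"\n", patterns[i]);
        for (size_t j = 0; j < nf; j++) {
            int r = path_excluded(patterns[i], paths[j]);
            printf("  %-8s %s\n",
                   r < 0 ? "BADREGEX" : r ? "excluded" : "scanned", paths[j]);
        }
    }
    return 0;
}
```

Build with `cc -o excl excl.c` and run it; each pattern is printed with the verdict for every sample path. Two things the table makes visible that the nine-line list above does not: an unanchored pattern such as `Windows` also excludes anything under a user folder whose name contains that word, and `C:\\Windows` without a trailing separator check also excludes `C:\Windows.old`, so anchor the pattern with `^` and end it with `(\\|$)` if that matters. If clamd on Windows turns out to compile ExcludePath differently (for example, case-insensitively), the character classes are harmless: they still match.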

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
