Home / server / Questions / 957666
Accepted
kittygirl
Asked: 2019-03-11 20:00:01 +0800 CST

How to make `clamdscan` exclude folders and only log `--infected`?

  • 772

My server is centos 7.4, with clamav 0.101.1-1.el7.
When I run clamscan -r --infected --exclude-dir="^/sys" / through terminal, I always wait more than 6 hours to get output.
And if I close terminal, clamscan will stop.

Then I want to use clamdscan to scan in background.
My question are:
1.How to --exclude-dir="^/sys" / with clamdscan?
2.How to make clamdscan only log --infected?

clamav

3 Answers

  1. Best Answer

    clamdscan does not have as many options available via the command line as clamscan
    clamdscan reads most of its options from it's config file /etc/clamav/clamd.conf You can add multiple ExcludePath options in /etc/clamav/clamd.conf file. These are in RegEx:

    ExcludePath ^/dev/
ExcludePath ^/proc/
ExcludePath ^/sys/

    Then you can run it with:

    clamdscan --multiscan --fdpass --quiet /

    --multiscan will speed up the processing because it uses multiple threads.
    --fdpass will allow you to scan files as the clamd user that the clamav-daemon.service runs as.
    --quiet should suppress all output except infected files. At least that's what it seems to do on my system but that isn't how it is described in the documentation.

    If you want to save to file you can just redirect the output clamdscan <options> > /save/file.txt
    Or save it to file with the --log=FILE option.

    Put you command in a cron job an you are done.
    If you are scripting something I would suggest checking the exit codes for clamdscan and then having your script email you when it detects a virus:

    0 : No virus found.
    1 : Virus(es) found.
    2 : An error occurred.

    clamdscan documentation: https://linux.die.net/man/1/clamdscan
    clamd.conf documentation: https://linux.die.net/man/5/clamd.conf

    • 10

  2. You can use this command to create a cron.daily script that will email only if infected>0.

    echo -e '#!/usr/bin/env\nnice -n5 clamscan -ri / --exclude=/proc --exclude=/sys --exclude=/dev --exclude=/media --exclude=/mnt -l clamav.log && MALWARE=$(tail "clamav.log"|grep Infected|cut -d" " -f3) && if [ "$MALWARE" -ne "0" ]; then mail -s "Malware Found" $EMAIL <<< $(cat clamav.log); fi && rm -f clamav.log' > "/etc/cron.daily/clamscan_daily" && chmod +x /etc/cron.daily/clamscan_daily

    echo -e 'service clamav-freshclam stop && freshclam && service clamav-freshclam start' >> "/etc/cron.daily/clamscan_daily"

    MALWARE=$(tail "clamav.log"|grep Infected|cut -d" " -f3) 
if [ "$MALWARE" -ne "0" ]; then mail -s "Malware Found" $EMAIL <<< $(cat clamav.log); fi 
rm -f clamav.log' > "/etc/cron.daily/clamscan_daily" 
chmod +x /etc/cron.daily/clamscan_daily
    • 0

  3. use this

    clamscan --recursive --infected --exclude=/proc --exclude=/sys --exclude=/dev /path

    • 0