How to make `clamdscan` exclude folders and only log `--infected`？

Question

My server is centos 7.4, with clamav 0.101.1-1.el7.
When I run clamscan -r --infected --exclude-dir="^/sys" / through terminal, I always wait more than 6 hours to get output.
And if I close terminal, clamscan will stop.

Then I want to use clamdscan to scan in background.
My question are:
1.How to --exclude-dir="^/sys" / with clamdscan?
2.How to make clamdscan only log --infected?

score 10 · Accepted Answer · answered Jul 17 '19 at 16:06

clamdscan does not have as many options available via the command line as clamscan
clamdscan reads most of its options from it's config file /etc/clamav/clamd.conf You can add multiple ExcludePath options in /etc/clamav/clamd.conf file. These are in RegEx:

ExcludePath ^/dev/
ExcludePath ^/proc/
ExcludePath ^/sys/

Then you can run it with:

clamdscan --multiscan --fdpass --quiet /

--multiscan will speed up the processing because it uses multiple threads.
--fdpass will allow you to scan files as the clamd user that the clamav-daemon.service runs as.
--quiet should suppress all output except infected files. At least that's what it seems to do on my system but that isn't how it is described in the documentation.

If you want to save to file you can just redirect the output clamdscan <options> > /save/file.txt
Or save it to file with the --log=FILE option.

Put you command in a cron job an you are done.
If you are scripting something I would suggest checking the exit codes for clamdscan and then having your script email you when it detects a virus:

0 : No virus found.
1 : Virus(es) found.
2 : An error occurred.

clamdscan documentation: https://linux.die.net/man/1/clamdscan
clamd.conf documentation: https://linux.die.net/man/5/clamd.conf

score 0 · Answer 2 · answered Feb 11 '22 at 20:13

You can use this command to create a cron.daily script that will email only if infected>0.

echo -e '#!/usr/bin/env\nnice -n5 clamscan -ri / --exclude=/proc --exclude=/sys --exclude=/dev --exclude=/media --exclude=/mnt -l clamav.log && MALWARE=$(tail "clamav.log"|grep Infected|cut -d" " -f3) && if [ "$MALWARE" -ne "0" ]; then mail -s "Malware Found" $EMAIL <<< $(cat clamav.log); fi && rm -f clamav.log' > "/etc/cron.daily/clamscan_daily" && chmod +x /etc/cron.daily/clamscan_daily

echo -e 'service clamav-freshclam stop && freshclam && service clamav-freshclam start' >> "/etc/cron.daily/clamscan_daily"

MALWARE=$(tail "clamav.log"|grep Infected|cut -d" " -f3) 
if [ "$MALWARE" -ne "0" ]; then mail -s "Malware Found" $EMAIL <<< $(cat clamav.log); fi 
rm -f clamav.log' > "/etc/cron.daily/clamscan_daily" 
chmod +x /etc/cron.daily/clamscan_daily

score 0 · Answer 3 · answered May 06 '22 at 10:51

0

use this

clamscan --recursive --infected --exclude=/proc --exclude=/sys --exclude=/dev /path

answered May 06 '22 at 10:51

Myo Min Aung

1

The question was specifically about `clamdscan` and not about `clamscan`. – Nikita Kipriyanov May 25 '22 at 16:51

How to make `clamdscan` exclude folders and only log `--infected`？

3 Answers3