
clamdscan should print "Excluded" instead of "OK" if attempting to scan files in excluded directory #940

Open
adoyle-h opened this issue Jun 2, 2023 · 4 comments

Comments

@adoyle-h

adoyle-h commented Jun 2, 2023

Describe the bug

clamdscan cannot detect the anti-malware test files, while clamscan can.

How to reproduce the problem

mkdir eicar && cd eicar
curl -O https://secure.eicar.org/eicar.com \
 -O https://secure.eicar.org/eicar.com.txt \
 -O https://secure.eicar.org/eicar_com.zip \
 -O https://secure.eicar.org/eicarcom2.zip

clamdscan ./*
clamscan ./*

clamconf -n


Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
PreludeAnalyzerName = "ClamAV"
LogFile = "/var/log/clamav/clamav.log"
LogFileMaxSize = "209715200"
LogTime = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
MaxConnectionQueueLength = "15"
StreamMaxLength = "26214400"
MaxThreads = "12"
ReadTimeout = "180"
SendBufTimeout = "200"
ExcludePath = "/.git/", "lost+found", "^/run/", "^/sys/", "^/dev/", "^/proc/", "^/var/log/", "^/home/adoyle/", "^/ssd", "^/hdd", "^/mnt"
SelfCheck = "3600"
User = "clamav"
BytecodeTimeout = "60000"
ScanHTML disabled
ScanOLE2 disabled
ScanPDF disabled
MaxScanTime = "120000"
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
OnAccessMountPath = "/"
OnAccessExcludePath = "/.git/", "lost+found", "/run", "/sys/", "/dev/", "/proc/", "/var/log/", "/home/adoyle/", "/ssd", "/hdd", "/mnt"
OnAccessExcludeRootUID = "yes"
OnAccessExcludeUname = "clamav"

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
Checks = "24"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"
ReceiveTimeout disabled

clamav-milter.conf not found

Software settings
-----------------
Version: 1.0.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
daily.cld: version 26925, sigs: 2036167, built on Thu Jun  1 15:27:46 2023
bytecode.cvd: version 334, sigs: 91, built on Thu Feb 23 05:33:21 2023
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 20:32:42 2021
Total number of signatures: 8683685

Platform information
--------------------
uname: Linux 6.1.0-0.deb11.7-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.20-2~bpo11+1 (2023-04-23) x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
Full OS version: No LSB modules are available.
Debian GNU/Linux 12 (bookworm)
zlib version: 1.2.13 (1.2.13), compile flags: a9
platform id: 0x0a21a1a108000000000c0200

Build information
-----------------
GNU C: 12.2.0 (12.2.0)
sizeof(void*) = 8
Engine flevel: 161, dconf: 161

Attachments

[screenshot attachment: CleanShot 2023-06-02 at 15 16 08@2x]

@micahsnyder
Contributor

It worked fine for me in testing. I used the docker image and mounted a local directory with the databases:

docker run -it --mount type=bind,source=$HOME/.cvdupdate/database,target=/var/lib/clamav clamav/clamav:1.0.1_base
Unable to find image 'clamav/clamav:1.0.1_base' locally
1.0.1_base: Pulling from clamav/clamav
f56be85fc22e: Already exists
dbf453570b8f: Already exists
9600e2d9a9a4: Already exists
ed7d6473a3a8: Already exists
53e7d7374e54: Already exists
Digest: sha256:847bfbc0611dc481d468cf65d1cb276a78c7df0fff59581ec6e2b203379c4aea
Status: Downloaded newer image for clamav/clamav:1.0.1_base
Starting Freshclamd
Starting ClamAV
Socket for clamd not found yet, retrying (0/1800) ...ClamAV update process started at Fri Jun  2 16:34:39 2023
daily.cvd database is up-to-date (version: 26926, sigs: 2036340, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Socket for clamd not found yet, retrying (16/1800) ...Fri Jun  2 16:34:56 2023 -> Limits: Global time limit set to 120000 milliseconds.
Fri Jun  2 16:34:56 2023 -> Limits: Global size limit set to 419430400 bytes.
Fri Jun  2 16:34:56 2023 -> Limits: File size limit set to 104857600 bytes.
Fri Jun  2 16:34:56 2023 -> Limits: Recursion level limit set to 17.
Fri Jun  2 16:34:56 2023 -> Limits: Files limit set to 10000.
Fri Jun  2 16:34:56 2023 -> Limits: MaxEmbeddedPE limit set to 41943040 bytes.
Fri Jun  2 16:34:56 2023 -> Limits: MaxHTMLNormalize limit set to 41943040 bytes.
Fri Jun  2 16:34:56 2023 -> Limits: MaxHTMLNoTags limit set to 8388608 bytes.
Fri Jun  2 16:34:56 2023 -> Limits: MaxScriptNormalize limit set to 20971520 bytes.
Fri Jun  2 16:34:56 2023 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Fri Jun  2 16:34:56 2023 -> Limits: MaxPartitions limit set to 50.
Fri Jun  2 16:34:56 2023 -> Limits: MaxIconsPE limit set to 100.
Fri Jun  2 16:34:56 2023 -> Limits: MaxRecHWP3 limit set to 16.
Fri Jun  2 16:34:56 2023 -> Limits: PCREMatchLimit limit set to 100000.
Fri Jun  2 16:34:56 2023 -> Limits: PCRERecMatchLimit limit set to 2000.
Fri Jun  2 16:34:56 2023 -> Limits: PCREMaxFileSize limit set to 104857600.
Fri Jun  2 16:34:56 2023 -> Archive support enabled.
Fri Jun  2 16:34:56 2023 -> AlertExceedsMax heuristic detection disabled.
Fri Jun  2 16:34:56 2023 -> Heuristic alerts enabled.
Fri Jun  2 16:34:56 2023 -> Portable Executable support enabled.
Fri Jun  2 16:34:56 2023 -> ELF support enabled.
Fri Jun  2 16:34:56 2023 -> Mail files support enabled.
Fri Jun  2 16:34:56 2023 -> OLE2 support enabled.
Fri Jun  2 16:34:56 2023 -> PDF support enabled.
Fri Jun  2 16:34:56 2023 -> SWF support enabled.
Fri Jun  2 16:34:56 2023 -> HTML support enabled.
Fri Jun  2 16:34:56 2023 -> XMLDOCS support enabled.
Fri Jun  2 16:34:56 2023 -> HWP3 support enabled.
Fri Jun  2 16:34:56 2023 -> Self checking every 600 seconds.
Fri Jun  2 16:34:56 2023 -> Set stacksize to 1048576
socket found, clamd started.

Once running, I ran docker ps to find the name of the image ("goofy_jackson") and then ran:

❯ docker exec -it goofy_jackson /bin/ash
/ # apk add curl
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
(1/1) Installing curl (8.1.2-r0)
Executing busybox-1.35.0-r29.trigger
OK: 18 MiB in 33 packages

~ # cd /tmp
/tmp # mkdir eicar && cd eicar
/tmp/eicar # curl -O https://secure.eicar.org/eicar.com \
>  -O https://secure.eicar.org/eicar.com.txt \
>  -O https://secure.eicar.org/eicar_com.zip \
>  -O https://secure.eicar.org/eicarcom2.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    68  100    68    0     0    112      0 --:--:-- --:--:-- --:--:--   112
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    68  100    68    0     0    371      0 --:--:-- --:--:-- --:--:--   373
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   184  100   184    0     0   1035      0 --:--:-- --:--:-- --:--:--  1039
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   308  100   308    0     0   1708      0 --:--:-- --:--:-- --:--:--  1701
/tmp/eicar #
/tmp/eicar # clamdscan ./*
/tmp/eicar/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/tmp/eicar/eicar.com.txt: Win.Test.EICAR_HDB-1 FOUND
/tmp/eicar/eicar_com.zip: Win.Test.EICAR_HDB-1 FOUND
/tmp/eicar/eicarcom2.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 4
Time: 0.006 sec (0 m 0 s)
Start Date: 2023:06:02 16:37:23
End Date:   2023:06:02 16:37:23
/tmp/eicar # clamscan ./*
Loading:    20s, ETA:   0s [========================>]    8.67M/8.67M sigs
Compiling:   4s, ETA:   0s [========================>]       41/41 tasks

/tmp/eicar/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/tmp/eicar/eicar.com.txt: Win.Test.EICAR_HDB-1 FOUND
/tmp/eicar/eicar_com.zip: Win.Test.EICAR_HDB-1 FOUND
/tmp/eicar/eicarcom2.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8668243
Engine version: 1.0.1
Scanned directories: 0
Scanned files: 4
Infected files: 4
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 25.672 sec (0 m 25 s)
Start Date: 2023:06:02 16:37:33
End Date:   2023:06:02 16:37:59

I'm unsure what's going wrong on your side. How did you install clamav?

@adoyle-h
Author

adoyle-h commented Jun 3, 2023

I just installed clamav via apt on Debian.

[screenshot attachment: CleanShot 2023-06-03 at 13 27 48@2x]

@adoyle-h
Author

adoyle-h commented Jun 3, 2023

Oh. I found the reason via clamdscan -v. This directory is excluded by me.

[screenshot attachment: CleanShot 2023-06-03 at 13 49 28@2x]

I think it should print "/file: Excluded" rather than "/file: OK" when the file is excluded and scanned without --verbose.

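As an added example (not part of the original issue and not ClamAV project code), the POSIX shell wrapper below turns the request in the comment above into a check you can run today: it pulls the ExcludePath regexes out of a clamd.conf fragment, tests whether a path matches any of them, and rewrites clamdscan's "OK" verdict to "Excluded" for paths that were never really scanned. It assumes that clamd matches each ExcludePath value as a POSIX extended regular expression against the absolute path (an assumption, mirrored here with grep -E); the config fragment and the scan-output lines are constructed sample input modelled on the exclusions in the report.

```shell
#!/bin/sh
# Added example, not ClamAV project code: flag "OK" verdicts that clamd
# never actually produced by scanning, because the path matched an
# ExcludePath regex.
#
# Assumption (labelled): clamd treats each ExcludePath value as a POSIX
# extended regular expression matched against the absolute path, so
# grep -E is used to mirror it.

# Constructed clamd.conf fragment mirroring the exclusions in the report.
CLAMD_CONF_SAMPLE='LogFile /var/log/clamav/clamav.log
ExcludePath /.git/
ExcludePath lost+found
ExcludePath ^/run/
ExcludePath ^/home/adoyle/
ExcludePath ^/mnt
'

# Constructed clamdscan output as it looks without -v: excluded files are
# reported as OK, indistinguishable from files that were really scanned.
SCAN_OUTPUT_SAMPLE='/home/adoyle/eicar/eicar.com: OK
/home/adoyle/eicar/eicar_com.zip: OK
/tmp/eicar/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/tmp/notes/readme.txt: OK'

# Print the ExcludePath regexes from config text $1, one per line.
exclude_patterns() {
    printf '%s' "$1" | awk '$1 == "ExcludePath" { print $2 }'
}

# Return 0 if path $2 matches any ExcludePath regex in config text $1.
# The loop runs in a pipeline subshell, so the explicit exits set its status.
is_excluded() {
    exclude_patterns "$1" | {
        while IFS= read -r re; do
            printf '%s\n' "$2" | grep -Eq -- "$re" && exit 0
        done
        exit 1
    }
}

# Read clamdscan output on stdin; rewrite "path: OK" to "path: Excluded"
# when the path is excluded by config text $1. Other lines pass through.
annotate_scan_output() {
    while IFS= read -r line; do
        case $line in
            *": OK")
                p=${line%: OK}
                if is_excluded "$1" "$p"; then
                    printf '%s: Excluded\n' "$p"
                else
                    printf '%s\n' "$line"
                fi
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# Stand-alone demo on the constructed sample. Against a live daemon you
# would instead pipe real output, e.g.
#   clamdscan /some/dir | annotate_scan_output "$(cat /etc/clamav/clamd.conf)"
printf '%s\n' "$SCAN_OUTPUT_SAMPLE" | annotate_scan_output "$CLAMD_CONF_SAMPLE"
```

Two caveats fall out of running the exclusions as extended regexes, which is what the example assumes clamd does. First, "/.git/" is unanchored and "." matches any character, so it also excludes paths such as /data/xgit/. Second, in ERE "lost+found" means "lost" followed by one or more "t" and then "found": it excludes /srv/lostfound but not a literal /srv/lost+found directory, so the plus sign should be escaped if the intent is the usual lost+found directory. Whatever clamd's exact dialect, the safe habit is to confirm with clamdscan -v (which does report "Excluded") before treating a bare "OK" on a sensitive path as a clean result.
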
@micahsnyder
Contributor

I missed your final message. I agree that it would be better if it printed "Excluded" rather than "OK".

@micahsnyder changed the title from "clamdscan cannot detect the anti-malware testfiles, while clamscan can do." to "clamdscan should print "Excluded" instead of "OK" if attempting to scan files in excluded directory" on Oct 20, 2023