
savscan -exclude not excluding directories

As the title says, when I try to exclude a directory from savscan it does not exclude it.

I have tried the following commands for a full-system scan, excluding a directory that cannot be accessed:

  • savscan / -exclude /var/lib/lxcfs/cgroup/
  • savscan / -exclude '/var/lib/lxcfs/cgroup/'
  • savscan / -exclude '/var/lib/lxcfs/cgroup/*'
  • savscan / -exclude "/var/lib/lxcfs/cgroup/*"

None of these commands seem to exclude the "var/lib/lxcfs/cgroup/" directory and I still receive multiple errors when it tries to scan it.

Some examples of these errors are:
Could not check /var/lib/lxcfs/cgroup/systemd/user.slice/user-0.slice/session-7389.scope/tasks (virus scan failed)
Could not check /var/lib/lxcfs/cgroup/cpuset/tasks (virus scan failed)
Could not check /var/lib/lxcfs/cgroup/cpuset/lxc/tasks (virus scan failed)
Among many other similar errors from this directory.

From what I have read, the lxcfs directory cannot be scanned by Sophos or accessed by many other processes, even as root, hence why I am trying to exclude it.

Am I doing something wrong or do I need to exclude every single subdirectory?



This thread was automatically locked due to age.
  • Hello Leah96xxx ,

    did you try -exclude /var/lib/lxcfs (no trailing slash)? Can't say if it will help though.

    Christian

  • That shouldn't work for a directory as it will treat the last part of the path as a filename rather than a directory name. I did try it accidentally by simply forgetting the trailing slash the first time I used the -exclude option but it didn't work either.

  • Hello  Leah96xxx,

    "that shouldn't work for a directory"
    With savscan it does. Try savscan /boot -ns -exclude /boot/grub .
    This information won't help you though. Excluding these user space filesystems from savscan is more than tricky (I think it's not really possible at all). I fear you don't have many options. Either ignore these errors (grep is your friend) or exclude /var and include the directories that don't cause errors.

    Christian

  • As I said, I tried it accidentally and it didn't work.....

  • Hello Leah96xxx,

    as said (Can't say if it will help though) thought as much. What I suggested in my last post was not an exclusion for /var/lib/lxcfs but for the grandparent (/var - that is supposed to work) or parent (/var/lib - should have the same effect but I couldn't test) and -include the paths that are to be scanned. You don't have to specify the list on the command line, you can load it from a file.

    Please note that while savscan has its use the preferred method for protection is on-access scanning. Just curious, what is your use case for savscan?

    Christian
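
The "ignore these errors (grep is your friend)" option from the thread, as an added example that is not part of the original posts: a filter that drops "Could not check ... (virus scan failed)" lines only for paths under one directory, so failures elsewhere stay visible. The function names and the sample lines marked as constructed are assumptions, and it assumes the error lines arrive on the piped stream in the format quoted in the question.

```shell
#!/bin/sh
# Added example, not from the thread. Intended use (assumes savscan's error
# lines reach the pipe; 2>&1 is added in case they go to stderr):
#   savscan / 2>&1 | filter_known_unscannable /var/lib/lxcfs/cgroup/

# Drop "Could not check <path> (virus scan failed)" lines only when <path>
# lies under the given directory. The match is a literal prefix with a
# trailing slash, so sibling directories with a similar name are kept.
filter_known_unscannable() {
    prefix=${1%/}/
    awk -v p="Could not check $prefix" '
        index($0, p) == 1 && /\(virus scan failed\)$/ { next }
        { print }
    '
}

# Count the scan failures that remain after filtering. A non-zero result
# means something outside the known-unscannable directory was not checked.
count_remaining_failures() {
    filter_known_unscannable "$1" |
        awk '/^Could not check / { n++ } END { print n + 0 }'
}

# Sample input: the first two lines are quoted in the question, the last
# two are constructed for this example.
sample_savscan_output() {
    cat <<'EOF'
Could not check /var/lib/lxcfs/cgroup/cpuset/tasks (virus scan failed)
Could not check /var/lib/lxcfs/cgroup/cpuset/lxc/tasks (virus scan failed)
Could not check /var/lib/lxcfs/cgroup-old/tasks (virus scan failed)
Could not check /home/user/archive.bin (virus scan failed)
EOF
}
```

Compared with a plain `grep -v lxcfs`, this keeps the unrelated failures in the output and gives a count that a wrapper script can alert on.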
