This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Antivirus for Linux Free Edition - Exclusion for gfvs

Hey,

I use the following command to scan an Ubuntu 14.04 regularly.

ionice -c 3 savscan / -sc -f -ndi -s -nc -nb -all -rec -nremove -ss -archive -loopback -mime -oe -pua -tnef -pua -suspicious --stay-on-machine --no-follow-symlinks --skip-special --examine-x-bit --no-reset-atime -exclude /var/run/user/1000/gvfs/ -exclude /run/user/1000/gvfs/

But I am getting the error "Could not open /run/user/1000/gvfs".

root@host:~# ls -lh /run/user/1000/
ls: cannot access /run/user/1000/gvfs: Permission denied
total 8,0K
drwx------ 2 user user  60 Jul 29 14:52 dconf
d????????? ? ?    ?      ?            ? gvfs
drwx------ 2 user user  80 Jul 24 22:03 pulse
drwx------ 3 user user  60 Jul 24 22:03 upstart

How do I properly use the exclude option?
-exclude file1,file2,/dir/
-exclude fil1 -exclude file2 -exclude /dir/

Or is there nothing wrong and it is a FUSE problem?

Cheers
Mark



This thread was automatically locked due to age.
  • Hello Mark,

    usually it's -exclude file1 file2 /dir/ (blanks, not commas). -include and -exclude can be specified in any order, can't test right now whether a second -exclude would be ignored.

    Christian

  • Thx for the explanation. But it can not handle wildcards, right?

    I do this.

    sudo savscan / -sc -f -ndi -s -nc -nb -all -rec -nremove -ss -archive -loopback -mime -oe -pua -tnef -pua -suspicious --stay-on-machine --no-follow-symlinks --skip-special --examine-x-bit --no-reset-atime -exclude /home/user/.gvfs/ /run/user/1000/gvfs/ /var/run/user/1000/gvfs/ /lib/firmware/vxge/X3fw.ncf /lib/firmware/vxge/X3fw-pxe.ncf  *X3fw-pxe.ncf *X3fw.ncf

    And I want to get rid of these messages:

    Password protected file /boot/initrd.img-3.13.0-155-generic/Gzip/X3fw-pxe.ncf/T1:X3_101115_1_8_1_expROM_FW_uni_template_rmt_cmd_line.txt
    Password protected file /boot/initrd.img-3.13.0-155-generic/Gzip/X3fw-pxe.ncf/T1:X3_101115_1_8_1_expROM_FW_uni_template_flash0.bin
    Password protected file /boot/initrd.img-3.13.0-155-generic/Gzip/X3fw-pxe.ncf/T1:X3_101115_1_8_1_expROM_FW_uni_template_eeprom0.bin
    Password protected file /boot/initrd.img-3.13.0-155-generic/Gzip/X3fw-pxe.ncf/T1A:X3_101115_1_8_1_expROM_FW_uni_template_rmt_cmd_line.txt
    Password protected file /boot/initrd.img-3.13.0-155-generic/Gzip/X3fw-pxe.ncf/T1A:X3_101115_1_8_1_expROM_FW_uni_template_flash0.bin
    Password protected file /boot/initrd.img-3.13.0-155-generic/Gzip/X3fw-pxe.ncf/T1A:X3_101115_1_8_1_expROM_FW_uni_template_eeprom0.bin
    Password protected file /boot/initrd.img-3.13.0-155-generic/Gzip/X3fw.ncf/T1:X3_101025_1_8_1_expROM_FW_uni_template_rmt_cmd_line.txt
    Password protected file /boot/initrd.img-3.13.0-155-generic/Gzip/X3fw.ncf/T1:X3_101025_1_8_1_expROM_FW_uni_template_flash0.bin
    Password protected file /boot/initrd.img-3.13.0-155-generic/Gzip/X3fw.ncf/T1:X3_101025_1_8_1_expROM_FW_uni_template_eeprom0.bin
    Password protected file /boot/initrd.img-3.13.0-155-generic/Gzip/X3fw.ncf/T1A:X3_101025_1_8_1_expROM_FW_uni_template_rmt_cmd_line.txt
    Password protected file /boot/initrd.img-3.13.0-155-generic/Gzip/X3fw.ncf/T1A:X3_101025_1_8_1_expROM_FW_uni_template_flash0.bin
    Password protected file /boot/initrd.img-3.13.0-155-generic/Gzip/X3fw.ncf/T1A:X3_101025_1_8_1_expROM_FW_uni_template_eeprom0.bin

     

    And especially this message:

    Could not open /run/user/1000/gvfs

    Cheers
    Mark

  • Hello Mark,

    AFAIK there's an --expand-wildcards option that might be off by default.

    Did you try to exclude /gvfs without the trailing slash?

    Christian

  • Hey, the --expand-wildcards worked for me.

    But the problem mit gvfs is still there. I even tried it already without the trailing slash as you recommended.

    Maybe it is a feature requestto exclude that by default because even root is not able to get infos via stat about that directory?!

    Cheers

  • Hello Mark,

    even root is not able
    gvfs is a userspace virtual filesystem, access isn't controlled by the kernel, and the behaviour is deliberate. 
    In this Could not open thread  made a short comment but did not say if it is possible to exclude specifically this gvfs directory.

    Christian

  • I'm afraid I don't know quite what option would be required to exclude gvfs from savscan - it isn't an area I'm particularly familiar. 

    I guess you might have to exclude the parent directory, since savscan/sweep can't even stat the directory.

  • Ja, unfortunately I did that. Maybe you can consider that as an feature request or sth else.

    Thx for the support.

  • Hello Mark,

    there's not much a product (any product, not only Sophos or AV) can do. Use you favorite search engine for, say, gvfs allow_root. You'll see that while things like gvfs and FUSE work there are lots of intricacies. It works fine from the user end but looking up from the system/kernel it a moving target. Applications on the system level (like AV scans or backup) struggle with it due to its nature.

    Christian

  • Just a side note. I disabled starting gvfs for a specific user with this.

    https://ubuntuforums.org/showthread.php?t=1340168

    I had another problem after stopping vpn. Thunar (file manager) wasn´t working because it couldn´t get stat about .gvfs in the users directory. -.-