
More options for exclusions #15

Open
wschlich opened this issue Feb 3, 2016 · 6 comments

wschlich commented Feb 3, 2016

Hi!

Currently, skyldav can only be configured to exclude certain paths, mountpoints or filesystems from scanning completely.

Running skyldav on my laptop every day slows it down horribly, as each and every file is being scanned on every read access (the cache doesn't help, as results are invalidated on every clamav update).

Therefore, I have a suggestion to add functionality and configuration options for scanning files only:

  • that were opened for writing and have been closed (FAN_CLOSE_WRITE), or that were modified (FAN_MODIFY)
  • that are being executed through known execution system calls (it seems fanotify is not directly able to do that?)

It would be nice to be able to apply these scan filters on a per-directory, per-filesystem and per-mountpoint basis, like this:

/etc/skyldav.rules:
--8<--
/ wx
/home/*/Download rwx
/var/tmp rwx
/tmp rwx
/srv rwx
--8<--
The rule for / should be inherited for every path beneath it which does not have specific rules.

What are your thoughts?

Cheers,
Wolfram
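As an added illustration of the rule semantics proposed above (a rules file with per-path r/w/x flags, where the rule for `/` is inherited by every path without a more specific rule), here is a small matcher; it is not code from the skyldav project. It assumes that `*` in a rule stands for one directory name and uses its own event labels (`read`, `close_write`, `modify`, `exec`) for the fanotify events named in the thread.

```python
import fnmatch
# Constructed sample in the rules format proposed in the issue; /etc/skyldav.rules
# and the r/w/x letters are the proposal, not a format skyldav implements.
SAMPLE_RULES = """\
--8<--
/ wx
/home/*/Download rwx
/var/tmp rwx
/tmp rwx
/srv rwx
--8<--
"""

# Access kinds per flag; 'x' is kept although fanotify cannot report execution.
FLAG_EVENTS = {"r": {"read"}, "w": {"close_write", "modify"}, "x": {"exec"}}

def _segments(path):
    return [s for s in path.split("/") if s]

def parse_rules(text):
    """Return [(pattern_segments, flags)], skipping blanks and --8<-- markers."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("--8<--"):
            continue
        pattern, flags = line.split()
        if not set(flags) <= set(FLAG_EVENTS):
            raise ValueError(f"unknown flag in rule: {line!r}")
        rules.append((_segments(pattern), flags))
    return rules

def rule_for(rules, path):
    """Flags of the most specific rule covering `path`. Each pattern segment must
    match the corresponding path segment ('*' matches one directory name) and the
    longest matching pattern wins; '/' has zero segments, so it is the fallback."""
    parts, best = _segments(path), None
    for pat, flags in rules:
        if len(pat) <= len(parts) and all(
            fnmatch.fnmatchcase(p, q) for p, q in zip(parts, pat)
        ):
            if best is None or len(pat) > len(best[0]):
                best = (pat, flags)
    return None if best is None else best[1]

def should_scan(rules, path, event):
    """True if the rule covering `path` enables scanning for this access kind."""
    flags = rule_for(rules, path)
    return flags is not None and any(event in FLAG_EVENTS[f] for f in flags)
```

With the sample rules, a file under `/home/<user>/Download` is scanned on read, while `~/.bashrc` falls back to the `/` rule and is only scanned after a write.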

xypron commented Feb 3, 2016

The fanotify API does not allow identifying that a file is opened for execution.

Would it help to have a customizing flag such that clamav updates should not invalidate the cache? Instead a maximum age could be used.

wschlich commented Feb 4, 2016

Hmm. That lack of support for execution detection in the fanotify API is really a bummer :(

What about implementing the r+w filters using the FAN_CLOSE_WRITE / FAN_MODIFY options, so we could (at least) include/exclude read + write accesses of certain paths or path regexes?

wschlich commented Feb 4, 2016

Hmm. It seems there was a discussion about fanotify + FMODE_EXEC:

[Patch 1/1] fsnotify,fanotify: adding flag for execution
https://lkml.org/lkml/2011/3/24/202

Unfortunately, that did not lead to a final conclusion...

xypron commented Feb 4, 2016

Hello Wolfram (@wschlich),

We already have EXCLUDE_PATH in /etc/skyldav.conf.

So what do you really expect to be different in the r/w-filters you suggest?
What I have understood is that you do not want to have files rescanned when clamav loads a new definition set.

Best regards

Heinrich Schuchardt

wschlich commented Feb 5, 2016

Hey Heinrich!

Not really :) In the end, I'd like to have a usable computer with Skyld AV running and scanning the important things.

Technically, I'd like to be able to specify on a per-path(-regex) basis which files to scan on read or close-on-write/close-on-modified (and on execution, although that's currently unfortunately not possible with fanotify).

Cheers,
Wolfram

xypron commented Apr 20, 2016

Hello Wolfram,

In version 0.6 I added the configuration flag CLEAN_CACHE_ON_UPDATE. Does this solve your original problem?

Best regards

Heinrich
