KDE - clamscan, Linux file structure

In my scanvirus script, it can scan Windows only, by using the partition types vfat and ntfs.

When I tried to use this on Linux, using xfs and btrfs, it choked (errored) and left out many files on the . I tried a bootable flash drive. It couldn’t handle that either.

I want to design it to divide the logs up by device (example):

SSD main drive (Linux)
magnetic drive (Windows)
flash drive 1 (ntfs)
flash drive 2 (bootable Linux drive)
flash drive 3 (Linux file storage)

I understand some of the Linux file structure. I need help understanding how these devices are structured. “blkid -o list”

I highly doubt that clamscan or your app should want to identify disks and partitions by blkid; that’s the next layer below how an OS (including Linux) normally identifies them once the disk is set up. I’ve seen blkid used when first setting up the geometry of a disk, or when you don’t want to use or can’t trust the file system info… like data recovery and fs block and partition alignment.

So, the question might be… Should your virus scanning trust the file system, or are you trying to do a deeper scan for files that might be hidden from the file system?

I would expect that if you’re doing regular file system scanning, you probably don’t want to use blkid. You’ll want to use methods that, for instance, you’ll find in fstab.

/dev/disk/by-id|by-label|by-path|by-uuid

TSU

You don’t want to try and scan the virtual directories that are created at run time. These include /proc /dev /dev; they don’t exist on the disk. Some files can be huge, since they represent the total address space of the processor.

Hi,

I think the previous post was meant to be the

/proc
/dev
/sys

directories.
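The two points made in the replies above (trust the mount table rather than blkid, and keep clamscan out of /proc, /dev and /sys) can be put into one script. The following is an added example, not code from the original thread or from ClamAV: it reads a mount table in /proc/self/mounts format, keeps only filesystem types that live on a block device, and emits one clamscan command per filesystem with the virtual mounts below it excluded and a log named after the block device. The sample mount table, device names, mountpoints and the /var/log/scanvirus directory are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original thread or from ClamAV: pick the
# filesystems a clamscan run should visit from the kernel's mount table
# (/proc/self/mounts, the same "source target fstype options" layout as fstab)
# instead of from blkid, and build one clamscan command per on-disk filesystem
# with the run-time virtual directories (/proc, /sys, /dev, ...) excluded.
# The mount table below is constructed so the script runs offline; device names,
# mountpoints and the log directory are hypothetical.
set -u

# Filesystem types that live on a block device and are worth scanning. Everything
# else (proc, sysfs, devtmpfs, tmpfs, cgroup2, ...) is treated as virtual.
# Allow-listing types means a pseudo filesystem we forgot cannot slip in.
ONDISK_FS='ext2|ext3|ext4|xfs|btrfs|vfat|exfat|ntfs|ntfs3|fuseblk|iso9660'

# Constructed sample in /proc/self/mounts format (ntfs-3g mounts show up as fuseblk).
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=8k,nr_inodes=4M,mode=755 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/nvme0n1p2 / btrfs rw,relatime,subvol=/@ 0 0
/dev/nvme0n1p2 /home btrfs rw,relatime,subvol=/@/home 0 0
/dev/sda1 /mnt/windows fuseblk rw,relatime,user_id=0,group_id=0 0 0
/dev/sdb1 /run/media/user/FLASH vfat rw,nosuid,nodev,relatime 0 0
/dev/sdc1 /run/media/user/LIVE iso9660 ro,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# scan_targets MOUNT_TABLE -> "source target fstype" for on-disk filesystems only.
# (Mountpoints containing spaces appear as \040 in /proc/self/mounts; they are
# not unescaped here.)
scan_targets() {
  printf '%s\n' "$1" | awk -v re="^(${ONDISK_FS})\$" '$3 ~ re { print $1, $2, $3 }'
}

# excludes_for TARGET MOUNT_TABLE -> one --exclude-dir=REGEX per virtual
# filesystem mounted below TARGET, e.g. /proc, /sys, /dev, /run, /tmp when
# TARGET is /. The regex is anchored so ^/run does not also drop /runtime.
excludes_for() {
  printf '%s\n' "$2" | awk -v t="$1" -v re="^(${ONDISK_FS})\$" '
    $3 !~ re && (t == "/" || index($2, t "/") == 1) {
      printf "--exclude-dir=^%s(/|$)\n", $2
    }'
}

# clamscan_args SOURCE TARGET MOUNT_TABLE LOGDIR -> the clamscan arguments, one
# per line. --cross-fs=no keeps the scan on TARGET's own filesystem, so nested
# mounts are handled by their own job and the exclude list is a second fence.
# The log is named after the block device, which gives one log per device;
# clamscan appends to --log, so both btrfs subvolumes above land in nvme0n1p2.log.
clamscan_args() {
  local dev="${1##*/}"
  printf '%s\n' -r --cross-fs=no "--log=$4/$dev.log"
  excludes_for "$2" "$3"
  printf '%s\n' "$2"
}

# run_scan SOURCE TARGET MOUNT_TABLE LOGDIR: execute clamscan with exactly those
# arguments. They are collected into "$@" rather than into a string that is
# eval'ed, so a mountpoint with shell metacharacters cannot alter the command.
run_scan() {
  local src="$1" tgt="$2" table="$3" logdir="$4" arg
  set --
  while IFS= read -r arg; do
    set -- "$@" "$arg"
  done <<EOF
$(clamscan_args "$src" "$tgt" "$table" "$logdir")
EOF
  clamscan "$@"
}

# plan_scans MOUNT_TABLE LOGDIR -> the whole plan, printed for review (dry run).
# Regexes are shown unquoted; quote them if you paste a line into a shell.
plan_scans() {
  local table="$1" logdir="$2" src tgt fs
  scan_targets "$table" | while read -r src tgt fs; do
    printf '# %s (%s)\nclamscan\n' "$src" "$fs"
    clamscan_args "$src" "$tgt" "$table" "$logdir" | sed 's/^/    /'
    echo
  done
}

# Stand-alone use: "./scanplan.sh --plan" prints the plan for the sample above;
# "./scanplan.sh --live" does the same for this machine's mount table.
case "${1:-}" in
  --plan) plan_scans "$SAMPLE_MOUNTS" /var/log/scanvirus ;;
  --live) plan_scans "$(cat /proc/self/mounts)" /var/log/scanvirus ;;
esac
```

Because every mountpoint gets its own job with `--cross-fs=no`, the removable media and the separate btrfs subvolumes are scanned exactly once each, and nothing under /proc, /sys or /dev is ever opened. On a live system, `findmnt -rn -o SOURCE,TARGET,FSTYPE` gives the same three columns if you prefer it to reading /proc/self/mounts directly.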

I checked fstab when I put in a flash drive and nothing appeared. Does fstab need to be updated?

/etc/fstab is static, i.e. it does not change; it is only the mounts used at boot. Removable drives are handled by udev.

In my previous post, I suggested <methods> used by fstab, for instance how disks and partitions are identified, the file system, etc.

Take a look at how existing AV work…
You’ll find, for instance, that most scan only specific locations, and start with the standard places personal files are stored… And for various reasons these are largely only fixed locations, and often only on the first disk (they’re the only locations that are guaranteed to exist).

You’ll probably also find that no removable media is ordinarily scanned, but it might be scanned as part of the device recognition and mounting procedure.

Otherwise, if you want to go down a path no one else has gone, I guess you can use tools like fdisk and df to read all system-mounted partitions… But you’d be on your own as to exactly how and what you’d be doing (it’s a good hint not to do something if no one before you is already doing it).

Good Luck,
TSU
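The original poster wanted the logs split per physical device (SSD, magnetic drive, each flash drive), and the replies point at /dev/disk/by-uuid and tools such as df and fdisk for enumerating mounted partitions. The following is an added example, not code from the thread or from util-linux: it parses lsblk's key="value" output to map every mounted partition to its parent disk and to whether that disk is removable, and prints one log file per drive with the partition's /dev/disk/by-uuid name as its stable identity. The sample lsblk output, device names, UUIDs, mountpoints and log directory are constructed; the pairs are parsed with awk instead of being eval'ed, so nothing in a volume label can run as shell.

```shell
#!/bin/sh
# Added example, not code from the original thread or from util-linux: map each
# mounted partition to the physical disk it sits on, using lsblk's key="value"
# output, so the scan can write one log per drive (SSD, magnetic disk, each
# flash drive). The /dev/disk/by-uuid path is carried along as the stable
# identity for the partition. The sample below is constructed (hypothetical
# devices, UUIDs and mountpoints); on a live system the input comes from:
#   lsblk -P -o NAME,TYPE,RM,FSTYPE,UUID,MOUNTPOINT,PKNAME
set -u

SAMPLE_LSBLK='NAME="nvme0n1" TYPE="disk" RM="0" FSTYPE="" UUID="" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" RM="0" FSTYPE="vfat" UUID="1A2B-3C4D" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" RM="0" FSTYPE="btrfs" UUID="11111111-2222-3333-4444-555555555555" MOUNTPOINT="/" PKNAME="nvme0n1"
NAME="sda" TYPE="disk" RM="0" FSTYPE="" UUID="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" RM="0" FSTYPE="ntfs" UUID="0123456789ABCDEF" MOUNTPOINT="/mnt/windows" PKNAME="sda"
NAME="sda2" TYPE="part" RM="0" FSTYPE="ntfs" UUID="FEDCBA9876543210" MOUNTPOINT="" PKNAME="sda"
NAME="sdb" TYPE="disk" RM="1" FSTYPE="" UUID="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" RM="1" FSTYPE="vfat" UUID="ABCD-EF01" MOUNTPOINT="/run/media/user/FLASH" PKNAME="sdb"
NAME="sr0" TYPE="rom" RM="1" FSTYPE="" UUID="" MOUNTPOINT="" PKNAME=""'

# mounted_partitions LSBLK_OUTPUT -> "disk fixed|removable partition fstype uuid mountpoint"
# for every partition that is currently mounted. The removable flag is taken from
# the parent disk's RM column, so it is right even if the partition row lacks it.
# Values are extracted with awk, never eval'ed, so a hostile label stays data.
mounted_partitions() {
  printf '%s\n' "$1" | awk '
    # val(line, key): value of KEY="..." in one lsblk -P line, or "" if absent.
    # Anchored on start-of-line or a space so NAME does not match inside PKNAME.
    function val(line, key,    s) {
      if (!match(line, "(^| )" key "=\"[^\"]*\"")) return ""
      s = substr(line, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s)   # strip up to and including the opening quote
      sub(/"$/, "", s)        # strip the closing quote
      return s
    }
    { rows[NR] = $0 }
    val($0, "TYPE") == "disk" { removable[val($0, "NAME")] = val($0, "RM") }
    END {
      for (i = 1; i <= NR; i++) {
        l = rows[i]
        if (val(l, "TYPE") != "part" || val(l, "MOUNTPOINT") == "") continue
        disk = val(l, "PKNAME")
        flag = (removable[disk] == "1") ? "removable" : "fixed"
        print disk, flag, val(l, "NAME"), val(l, "FSTYPE"), val(l, "UUID"), val(l, "MOUNTPOINT")
      }
    }'
}

# scan_plan LSBLK_OUTPUT LOGDIR -> "logfile mountpoint fstype /dev/disk/by-uuid/UUID",
# one line per mounted partition. Partitions on the same disk share a log, so
# both nvme0n1 partitions above report into fixed-nvme0n1.log, while the flash
# drive gets removable-sdb.log of its own.
scan_plan() {
  local logdir="$2"
  mounted_partitions "$1" | while read -r disk flag part fstype uuid mnt; do
    printf '%s/%s-%s.log %s %s /dev/disk/by-uuid/%s\n' \
      "$logdir" "$flag" "$disk" "$mnt" "$fstype" "$uuid"
  done
}

# Stand-alone use: "./disklogs.sh --plan" prints the plan for the sample above;
# "./disklogs.sh --live" queries lsblk on this machine instead.
case "${1:-}" in
  --plan) scan_plan "$SAMPLE_LSBLK" /var/log/scanvirus ;;
  --live) scan_plan "$(lsblk -P -o NAME,TYPE,RM,FSTYPE,UUID,MOUNTPOINT,PKNAME)" /var/log/scanvirus ;;
esac
```

Unmounted partitions (sda2 above) and the optical drive are skipped, because without a mountpoint there is nothing for clamscan to walk; if one of those should be scanned it has to be mounted first, which is what the udev/mount step in the previous replies refers to. The output of scan_plan is what a per-device logging wrapper around clamscan would iterate over.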