Exclusions and wildcard handling for Sophos Anti-Virus for UNIX/Linux

  • Article ID: 10470
  • Updated: 26 Mar 2013

The ability of UNIX and Linux to expand wildcard characters (e.g. * and ?) automatically on the command line is limited.

  • It is subject to the shell's limit for expansion. For example, if you use * to specify all the files in a large directory, the shell might be unable to expand the wildcard.
  • The shell only expands wildcards where it is able to match them to particular files or directories. For example, if you use a filename containing a wildcard, you must specify the path as well.

In Sophos Anti-Virus for UNIX/Linux, you can use the command line option --expand-wildcards to instruct Sophos Anti-Virus to expand wildcards itself, rather than relying on the shell's built-in expansion. NOTE: This option applies to on-demand scans run with sweep (SAV4) or savscan (SAV7/9).

The wildcard '*' matches a variable number of characters. The wildcard '?' matches only one character.

What to do

Using the --expand-wildcards option

To use the command line option --expand-wildcards to make Sophos Anti-Virus expand wildcards itself, you must enclose anything containing wildcard characters in double quotation marks. Otherwise, the shell processes and expands the wildcards before Sophos Anti-Virus receives them.

The option --expand-wildcards only applies to the filename part of a path. For example:

sweep --expand-wildcards "/usr/fred/f*"

scans all files called f* in the directory /usr/fred (for example: f, f1, ftwo are scanned; e1 and /usr/fred/freda/frodo are not).

Wildcard handling using the shell is limited to patterns that match a path and filename. For example:

sweep /usr -exclude /usr/fred/tomm*

scans all files in the directory /usr and its subdirectories except, for instance, /usr/fred/tommi, /usr/fred/tommy and /usr/fred/tommi/harry.

Using --expand-wildcards enables more powerful wildcard handling. Extra features include truncation at the beginning of a word. For example:

sweep /usr --expand-wildcards -exclude "*tom"

scans the directory /usr and its subdirectories, but excludes all files or directories whose names contain any number of characters and end in 'tom' (e.g. /usr/tom, /usr/local/fred/tom and /usr/local/fred/tom.tom are excluded; but /usr/local/fred/tom.txt is not).

sweep /usr --expand-wildcards -exclude "?tom"

scans the directory /usr excluding all files or directories whose names contain any single character followed by, and ending with, 'tom' (e.g. /usr/local/atom and /usr/local/fred/ktom are excluded; but /usr/tom and /usr/tomtom are not).

Combining wildcards

You can use more than one wildcard at a time. For example:

sweep /usr --expand-wildcards -exclude "*fr?d*"

scans the directory /usr and excludes all files or directories whose names contain the letters 'fr', followed by any single character, followed by 'd' (for example, /usr/local/fred, /usr/local/afreddy, /usr/local/frodo are excluded; /usr/local/frica is not).
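To preview what an exclusion pattern removes from scan coverage before putting it into a scan command, the following added example (not Sophos code) models the matching described above in plain shell. It assumes the pattern is compared against each name in a path and that an excluded directory takes its contents with it; the function names and sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not Sophos code. Models "--expand-wildcards -exclude"
# as the article describes it: the pattern is tested against each name in
# the path (assumption), so a matching directory also hides its contents.

# excluded_by PATTERN PATH -> exit status 0 if PATH would be skipped
excluded_by() {
    _pat=$1
    _rest=${2#/}
    while [ -n "$_rest" ]; do
        _name=${_rest%%/*}              # next path component
        case "$_name" in
            $_pat) return 0 ;;          # unquoted: * and ? act as wildcards
        esac
        case "$_rest" in
            */*) _rest=${_rest#*/} ;;   # drop the component just tested
            *)   _rest= ;;
        esac
    done
    return 1
}

# scan_gap PATTERN: read paths on stdin, print the ones that would be skipped
scan_gap() {
    while IFS= read -r _path; do
        if excluded_by "$1" "$_path"; then printf '%s\n' "$_path"; fi
    done
}

# Constructed sample paths, based on the article's examples.
SAMPLE_PATHS='/usr/tom
/usr/tomtom
/usr/local/atom
/usr/local/fred/ktom
/usr/local/fred/tom.tom
/usr/local/fred/tom.txt
/usr/local/afreddy
/usr/local/frodo
/usr/local/frica'

# Patterns are quoted so the shell passes them through unexpanded.
for pat in '*tom' '?tom' '*fr?d*'; do
    printf 'exclude "%s" skips:\n' "$pat"
    printf '%s\n' "$SAMPLE_PATHS" | scan_gap "$pat" | sed 's/^/  /'
done
```

Feeding it the output of find for the directory to be scanned shows how much a broad pattern such as "*fr?d*" leaves unscanned, including every file beneath a directory whose name matches.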

Speed considerations for wildcard handling

Although excluding certain files from scanning can save time, some time is spent matching the wildcards to names of files, directories or filesystems. Take this into consideration when planning your scan.

 
If you need more information or guidance, then please contact technical support.
