[clamav-users] using clamdscan and clamd to do complete file system scan
Al Varnell
alvarnell at mac.com
Thu Apr 30 06:18:50 UTC 2015
A family of Linux malware that stayed under the radar for more than 5 years:
"Unboxing Linux/Mumblehard: Muttering spam from your servers"
<http://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/>
-Al-
On Wed, Apr 29, 2015 at 10:27AM, G.W. Haywood wrote:
>
> Hi there,
>
> On Wed, 29 Apr 2015, John McGowan wrote:
>
>> ...
>> I suspect that most people use clamdscan to do "one off" scanning,
>> (mail servers, etc)
>
> My suspicion is that most people don't do it at all on Linux boxes.
>
> There is absolutely no point in scanning the entire filesystem on a
> typical Linux box for millions of Windows viruses, since they won't be
> there. It would be a complete waste of effort and resources, and I
> certainly never do it on the dozens of Linux boxes that I run.
>
> There might be a case for scanning parts of a Linux filesystem if it's
> used for example as a file server for Windows clients. Amongst other
> scanners I use clamd via a Sendmail milter to scan both incoming and
> outgoing mail on my mail servers, but mainly because the third-party
> signatures catch lots of unwanted mail. And even now there are a few
> people Out There who are still using Windows boxes; it would be bad if
> any person in my employ unwittingly passed a virus-ridden message from
> one Windows user to another, even if the machines which my people use
> are completely immune to infection by practically all of the malware
> for which the mail systems are scanning. The mail is scanned on the
> fly and it never gets as far as being written to the filesystem if any
> of the scanners detects something which one might consider unpleasant.
>
>> ... I'm looking for more of a traditional daily "scan the entire
>> file system" solution.
>
> I'm not sure that there's anything 'traditional' about scanning Linux
> boxes for viruses. I've never found one in that way, but I've found
> literally many thousands by scanning Windows boxes in the same way.
>
> Incidentally if you do scan a Linux filesystem, don't scan things like
> /proc and /dev because you might not like the results.