[clamav-users] Clamd vs clamscan

Gene Heskett gheskett at wdtv.com
Wed Feb 10 14:07:13 UTC 2016


On Wednesday 10 February 2016 05:29:19 Brad Scalio wrote:

> I've seen a lot of fodder on clamd vs clamscan, running 0.99 on
> RHEL6.7 exit/entry points ... While it's easy enough to use clamscan
> via cron, is there any good stepwise SOP on getting clamd to work
> permission wise to scan all filesystem?  I like the ability to have it
> all controlled via the daemon, easier to enforce configurations via
> puppet, easier quick checking and tweaking of conf, etc ... Apologies
> if I missed the page or doc, but been googling for months to find a
> simple guide.
>
> If clamscan is the preferred way, I'm fine with that, just not sure
> why there's a daemon then?  Is it for on-access, more for other OS
> installs?
>
> Thanks!
> Brad

When doing a bulk scan, clamscan via cron seems to be the preferred usage.

When procmail asks for an incoming email scan, then clamd is used.

But, I do wish that clamd would send me a substitute email advising that 
it has stashed a suspect incoming email into the 
mailfile /var/spool/mail/virii.  I try to look that file over for FP's, 
but quickly get lost in the visual garbage because it's probably a zip'd 
file. I just looked over 260kb of what clamd id'd as virii, but which in 
fact are 5 messages from my bank about a new CC they were sending me, 
and some 5 or 6 were propaganda from AARP. And 3 shipping notices 
regarding stuff I bought thru ebay. In this case, an FP rate in excess 
of 90%! That is so high that I am expunging the clamd recipe from 
my .procmailrc as the next thing I do.  Only two files 
containing .zip's were real suspects, and I do have a delete button.

Also on my wishlist is a clamscan recipe that only sends me an email IF 
it finds something.  Those are useless noise IMO.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
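
The wish above for a clamscan job that mails only when something is found can be met by acting on clamscan's exit status (0 clean, 1 detection, 2 error). The wrapper below is an added example, not part of the original post; `scan_and_notify`, `SCAN_CMD` and `MAIL_CMD` are names made up here, and it also mails on scan errors so that a failed scan is not mistaken for a clean one.

```shell
#!/bin/sh
# Added example: cron wrapper that stays silent unless clamscan reports
# a detection or fails. Names below are hypothetical, chosen for this example.
# clamscan exit status: 0 = no virus found, 1 = virus(es) found, 2 = error.

SCAN_CMD=${SCAN_CMD:-clamscan}   # overridable so the logic can be exercised
MAIL_CMD=${MAIL_CMD:-mail}       # any mailx-style "mail -s SUBJECT RCPT"

scan_and_notify() {
    target=$1
    rcpt=$2
    report=$(mktemp) || return 2

    # -r recurse, -i list infected files only, --no-summary omit statistics
    scan_rc=0
    "$SCAN_CMD" -r -i --no-summary "$target" >"$report" 2>&1 || scan_rc=$?

    case $scan_rc in
        0)  ;;  # clean: send nothing
        1)  "$MAIL_CMD" -s "clamscan: detections on $(uname -n)" \
                "$rcpt" <"$report" ;;
        *)  "$MAIL_CMD" -s "clamscan: scan error (exit $scan_rc) on $(uname -n)" \
                "$rcpt" <"$report" ;;
    esac

    rm -f "$report"
    return "$scan_rc"
}

# When called from cron with two arguments: <directory> <recipient>
if [ "$#" -ge 2 ]; then
    scan_and_notify "$1" "$2"
fi
```

If the job runs from cron, set `MAILTO=""` for that crontab entry or cron may still mail any stray output.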


