[clamav-users] NFS clamscan
Brad Scalio
scalio at gmail.com
Thu Nov 17 13:30:05 UTC 2016
Greetings,
We are using clamscan to recursively scan local filesystems on our
entry/exit points (jump boxes, DMZ servers) via a cron job, excluding certain
OS filesystems (proc, sysfs). We don't have any network filesystems
mounted on these devices.
To satisfy guidelines for our system we need to run HBMC detection on all
devices. That said, an AOR (acceptance of risk) is allowed if a valid
technical argument can be made.
So what I'm looking for is any fodder as to why the following postulation
is valid:
"Scanning devices on the trusted network, both local and NFS shares, isn't
beneficial for our information system."
Some background to help:
(1) Homogeneous Linux network with monthly patching of security updates;
no Windows devices anywhere.
(2) Private Network with no internet access or external access to
interconnected systems except from jump boxes and DMZ devices which are
behind a firewall and have clamscan running on them among other defensive
and offensive controls.
(3) NFS shares are local to each system segment and are over 7TB of flat
files and data files.
What I'm kinda looking for is information on the efficacy of ClamAV signatures
at catching anything given our setup, but also whether ClamAV is really meant to be
a file scanner as opposed to a mail server "interceptor", since the question is how many
signatures will really be detected given our setup and workloads.
I can and have googled and found some fodder, but wanted to post the
question here in case anyone has written an AOR against using ClamAV or any HBMC
scanning in similar setups. Our approved scanning software is only ClamAV,
due to requirements also for FLOSS products.
Many thanks!