[clamav-users] Question about the clamdscan

Dennis Peterson dennispe at inetnw.com
Wed Mar 21 23:56:06 UTC 2018


It is possible to integrate ClamAV and Tripwire to get to a scan-once 
environment. Include Puppet or CFEngine for a more complete tool.

dp

On 3/20/18 5:01 AM, Micah Snyder (micasnyd) wrote:
> Good morning Tsutomu,
>
> Al is quite correct.  clamd and clamdscan maintain no memory of what has been scanned before.
>
> In your ordinary use case, you simply run clamdscan over whatever you want to scan.  You can exclude specific directories in your configuration if you want to point clamdscan at a high level directory to scan many items.
>
> In truth, I've never tried accessing the files as they were scanned, but I do not believe that there is any reason why the files would be locked by ClamAV except in the following case.
>
> On newer versions of Linux that have been built with CONFIG_FANOTIFY=y enabled, you can configure clamd to monitor directories.  An additional option that we call "OnAccessPrevention" may be enabled; it can intentionally block access to the file until it has been scanned and will deny access if the file is flagged.  OnAccessPrevention requires that your kernel has been built with CONFIG_FANOTIFY_ACCESS_PERMISSION=y.   If you're interested in trying this out, please read http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html
>
> Sadly, OnAccess scanning and prevention only exist for Linux at this time.
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
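
The scan-once idea from this thread, as an added example that is not part of the original messages or of ClamAV: because clamd keeps no memory of earlier scans, the wrapper keeps its own record. It swaps Tripwire for a plain SHA-256 manifest, and the names `files_to_scan`, `scan_once`, the JSON manifest layout and the caller-supplied `sig_version` string are all hypothetical.

```python
import hashlib
import json
import os
import subprocess

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def files_to_scan(root, manifest, sig_version):
    """Return (paths that need a scan, digest of every file under root)."""
    # A signature update invalidates every earlier "clean" verdict,
    # so the cache only counts if it was built with the same signatures.
    same_sigs = manifest.get("sig_version") == sig_version
    known = manifest.get("clean", {}) if same_sigs else {}
    pending, current = [], {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            current[path] = sha256_file(path)
            if known.get(path) != current[path]:   # new or modified file
                pending.append(path)
    return sorted(pending), current

def clamdscan_is_clean(path):
    # clamdscan exits 0 when nothing is found, 1 on a detection, 2 on error.
    return subprocess.run(["clamdscan", "--no-summary", path]).returncode == 0

def scan_once(root, manifest_path, sig_version, is_clean=clamdscan_is_clean):
    """Scan only new or changed files; remember the ones that came back clean."""
    manifest = {}
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            manifest = json.load(f)
    pending, current = files_to_scan(root, manifest, sig_version)
    flagged = [p for p in pending if not is_clean(p)]
    # Detections and scan errors are never cached, so they are rescanned.
    clean = {p: d for p, d in current.items() if p not in flagged}
    with open(manifest_path, "w") as f:
        json.dump({"sig_version": sig_version, "clean": clean}, f)
    return pending, flagged
```

Keep the manifest outside the scanned tree and writable only by the scanning account, since anyone who can edit it can mark a file as already scanned.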



