[clamav-users] Question about the clamdscan

Dennis Peterson dennispe at inetnw.com
Thu Mar 22 02:16:28 UTC 2018


Tripwire presumes a golden fileset at the outset, that is, scanned to the degree 
possible before enabling Tripwire. The fear of zero-day loop is infinite.

dp

On 3/21/18 6:41 PM, Paul Kosinski wrote:
> A few years ago, when Tripwire was no longer free, I set up a "scan
> once" environment for ClamAV, identifying files using SHA1 hashing
> (with a few 'stat' results like inode and timestamp for good measure).
>
> I gave up when I realized that even if a file had already been scanned,
> it might have contained "0-day" malware when it was scanned. This could
> make it quite nasty, especially if ClamAV is behind in 0-day detection.
>
>
> On Wed, 21 Mar 2018 16:56:06 -0700
> Dennis Peterson <dennispe at inetnw.com> wrote:
>
>> It is possible to integrate ClamAV and Tripwire to get to a scan-once
>> environment. Include Puppet or CFEngine for a more complete tool.
>>
>> dp
>>
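
An added sketch of the "scan once" bookkeeping discussed in this thread (not code from either poster, nor from ClamAV or Tripwire): files are identified by SHA-1 plus a few `stat` fields, and each clean result also records the signature database version it was scanned under, so a file is rescanned when either one changes. The class and function names and the integer `sig_version` values are assumptions, and the actual scanner call is left to the caller.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """SHA-1 of the content plus inode, size and mtime."""
    digest = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return (digest.hexdigest(), st.st_ino, st.st_size, st.st_mtime_ns)

class ScanOnceCache:
    """Maps path -> (fingerprint, signature version) of the last clean scan."""
    def __init__(self):
        self._clean = {}
    def check(self, path, sig_version):
        """Return (reason, fingerprint); reason is None when the scan can be skipped."""
        fp = fingerprint(path)
        entry = self._clean.get(path)
        if entry is None:
            return "new", fp
        if entry[0] != fp:
            return "changed", fp
        if entry[1] != sig_version:
            # Clean under older signatures says nothing about newer ones.
            return "stale-signatures", fp
        return None, fp

    def record_clean(self, path, fp, sig_version):
        # Store the pre-scan fingerprint so a write during the scan shows as "changed".
        self._clean[path] = (fp, sig_version)

def demo():
    """Constructed walk-through on a temporary file; no scanner is invoked."""
    cache, reasons = ScanOnceCache(), []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"constructed sample content")
        for sig_version in (1, 1, 2):          # hypothetical DB versions
            reason, fp = cache.check(path, sig_version)
            reasons.append(reason)
            cache.record_clean(path, fp, sig_version)
        with open(path, "ab") as f:
            f.write(b"!")                      # content changes after last scan
        reasons.append(cache.check(path, 2)[0])
    return reasons
```

Rescanning on a signature update only shortens the window described above: a file stays marked clean until signatures that detect it have been published and loaded.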



