[clamav-users] ClamAV - What does the “clamd@scan” service do by default?
G.W. Haywood
clamav at jubileegroup.co.uk
Mon Jan 27 11:00:39 UTC 2020
Hi there,

On Sun, 26 Jan 2020, Eduardo Lúcio Amorim Costa via clamav-users wrote:

> Is it correct to assume that the "clamd@scan" service, once started, can
> find threats that already exist on my server? ...

Your question says: "can find" - Strictly speaking, yes this is correct.
But the question and my answer need some qualification.

> ... Is it correct to assume that the "clamd@scan" service in its
> normal operation will eventually find that threat and notify me
> (log, mail, etc...)?

"will eventually find" - No, this is certainly not correct. You need

(1) Something which will show it to clamd. This is 'running a scan',
there is more than one way to do it.

Consider also the probability that ClamAV will find a threat even if
you know it is there somewhere. This is not magic. In the end it all
boils down to a comparison operation. So you also need

(2) Something which causes clamd to detect the threat _if_ it sees it.
This is either a signature in a database, or some ClamAV code.

My estimate is that on a good day you have about a one in three chance
that ClamAV will find a random threat. There are not-so-good days, we
call them "zero days", on which you have no chance at all; and unless
something is done to cause ClamAV to recognize that threat (either by
a change to a database, or to the code) ClamAV will never detect it -
no matter how many times it sees it.

Please spend some quality time with the documentation.
--
73,
Ged.
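
One way to do step (1) from the message above, showing files to a running clamd, as an added example that is not part of the original message or of ClamAV itself: a Python client that walks a directory tree and submits each file over clamd's INSTREAM command. The socket path is an assumption; use the LocalSocket value from your own clamd configuration.

```python
import os, socket, struct, sys

CLAMD_SOCKET = "/run/clamd.scan/clamd.sock"  # assumption: match LocalSocket in your clamd config
CHUNK = 64 * 1024

def parse_reply(reply):
    """Map clamd's reply, e.g. b'stream: Name FOUND\\0', to (status, detail)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    verdict = text.partition(": ")[2]
    if verdict == "OK":
        return "OK", None              # no signature matched; not proof the file is clean
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    return "ERROR", verdict or text    # e.g. stream size limit exceeded

def instream(conn, fileobj):
    """Send one open file to clamd over a connected socket with INSTREAM."""
    conn.sendall(b"zINSTREAM\0")
    while True:
        chunk = fileobj.read(CHUNK)
        # Each chunk is prefixed with its length as a 4-byte big-endian integer.
        conn.sendall(struct.pack("!I", len(chunk)) + chunk)
        if not chunk:                  # the zero-length chunk ends the stream
            break
    reply = b""
    while not reply.endswith(b"\0"):   # 'z' commands get a NUL-terminated reply
        part = conn.recv(4096)
        if not part:
            break
        reply += part
    return parse_reply(reply)

def scan_tree(root, socket_path=CLAMD_SOCKET):
    """Yield (path, status, detail) for every regular file below root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as conn, open(path, "rb") as fh:
                    conn.connect(socket_path)
                    yield (path, *instream(conn, fh))
            except OSError as exc:     # unreadable file, clamd not running, ...
                yield path, "ERROR", str(exc)

if __name__ == "__main__":
    for path, status, detail in scan_tree(sys.argv[1]):
        if status != "OK":
            print(f"{path}: {status} {detail}")
```

Run on a schedule against the directories you care about, this is one form of "running a scan"; clamd by itself only listens for requests like these.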