[clamav-users] clamav scan of changed files
G.W. Haywood
clamav at jubileegroup.co.uk
Wed Oct 21 13:30:11 UTC 2020
Hi there,
On Wed, 21 Oct 2020, Andrew C Aitchison via clamav-users wrote:
> I was assuming that clamav's on-access scanning used the same
> mechanism as inotify.
No need to assume anything:
https://www.clamav.net/documents/on-access-scanning
It's documented there that it uses fanotify, only works on Linux and
requires Linux kernel version >= 3.8 to work. The fanotify man page
has a comparison with the inotify API.
> I imagine that scan-on-write produces less load than scan-on-read (for most
> user files - obviously not for logfiles that are never read)
> - at the price of missing the most recent virus definitions,
Well I _do_ read my log files(!) and if I ever scanned anything I'd
exclude logfiles from the scan as a matter of routine. I think your
cost assessment is about right, modulo the database update frequency.
> and that using clamav's on-access scanning has the advantage of catching the
> nasties before the file is used, unlike the inotify-based solutions, which
> avoid the latency that on-access scanning produces ...
Not sure that I follow all that, but the perceived advantage of having
a potential to catch any nasties must necessarily be discounted by the
probability that it will catch anything when it actually looks for it.
Rough order of magnitude I guess a one in three chance on a good day.
> My one piece of advice for anyone thinking of off-line scanning
> would be to work out what you will do when your scanner finds a nasty.
Excellent advice. :)
--
73,
Ged.
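An added sketch (my own, not ClamAV's code) of the two modes being compared above, using the fanotify API the documentation refers to: FAN_OPEN_PERM gives blocking scan-on-read, FAN_CLOSE_WRITE gives notify-only scan-on-write. The scanner hook and the names scan_bytes_is_malicious, verdict_for and run_on_access are my own; the "EICAR"-prefix check is a constructed stand-in so the block runs offline, and the loop itself needs CAP_SYS_ADMIN on Linux >= 3.8.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
/* Constructed stand-in for the scanner: real ClamAV hands the descriptor to
 * libclamav; here a file whose first bytes are "EICAR" counts as malicious
 * so the example runs offline. Returns 1 = malicious, 0 = clean. */
int scan_bytes_is_malicious(const char *buf, size_t n) {
    return n >= 5 && memcmp(buf, "EICAR", 5) == 0;
}
static int scan_fd_is_malicious(int fd) {
    char buf[5];
    ssize_t n = pread(fd, buf, sizeof buf, 0);
    return n > 0 && scan_bytes_is_malicious(buf, (size_t)n);
}
/* Map a scan result onto the fanotify permission reply: FAN_DENY makes the
 * pending open(2) fail with EPERM, FAN_ALLOW lets it through. */
unsigned int verdict_for(int malicious) { return malicious ? FAN_DENY : FAN_ALLOW; }
/* On-access loop. Needs CAP_SYS_ADMIN and Linux >= 3.8 (FAN_OPEN_PERM).
 * Returns -1 if fanotify cannot be set up, otherwise runs until read() fails. */
int run_on_access(const char *mountpoint) {
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0) { perror("fanotify_init"); return -1; }
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT,
                      FAN_OPEN_PERM | FAN_CLOSE_WRITE, AT_FDCWD, mountpoint) < 0) {
        perror("fanotify_mark"); close(fan); return -1; }
    char buf[4096];
    for (;;) {
        ssize_t len = read(fan, buf, sizeof buf);
        if (len <= 0) { if (errno == EINTR) continue; break; }
        for (struct fanotify_event_metadata *m = (void *)buf;
             FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
            if (m->mask & FAN_OPEN_PERM) {
                /* Scan-on-read: the opening process blocks until we answer. */
                struct fanotify_response r = { .fd = m->fd,
                    .response = verdict_for(scan_fd_is_malicious(m->fd)) };
                if (write(fan, &r, sizeof r) < 0) perror("write");
            } else if (m->mask & FAN_CLOSE_WRITE) {
                /* Scan-on-write: nobody waits, so no latency, but the file is
                 * only checked against the signatures current at write time. */
                if (scan_fd_is_malicious(m->fd)) fprintf(stderr, "infected: fd %d\n", m->fd);
            }
            if (m->fd >= 0) close(m->fd);
        }
    }
    close(fan); return 0;
}
```

Run it as root with the mount point to watch, e.g. run_on_access("/home"); the cost trade-off in the thread is visible in which branch the work lands on.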