[clamav-users] clamav scan of changed files
Andrew C Aitchison
clamav at aitchison.me.uk
Thu Oct 22 13:39:37 UTC 2020
On Wed, 21 Oct 2020, G.W. Haywood via clamav-users wrote:
> On Wed, 21 Oct 2020, Andrew C Aitchison via clamav-users wrote:
> > and that using clamav's on-access scanning has the advantage of catching the
> > nasties before the file is used, unlike the inotify-based solutions, which
> > avoid the latency that on-access scanning produces ...
>
> Not sure that I follow all that, but the perceived advantage of having
> a potential to catch any nasties must necessarily be discounted by the
> probability that it will catch anything when it actually looks for it.
> Rough order of magnitude I guess a one in three chance on a good day.
I meant that on-access scanning may block the nasty before the vulnerable
program parses/executes the exploit, but an inotify-based solution
will give the nasty file to the vulnerable program at the same time as,
if not before, the scanner gets to check it.
--
Andrew C. Aitchison Kendal, UK
andrew at aitchison.me.uk