[clamav-users] clamav scan of changed files

G.W. Haywood clamav at jubileegroup.co.uk
Thu Oct 22 15:00:17 UTC 2020


Hi there,

On Thu, 22 Oct 2020, Andrew C Aitchison via clamav-users wrote:
> On Wed, 21 Oct 2020, G.W. Haywood via clamav-users wrote:
>> On Wed, 21 Oct 2020, Andrew C Aitchison via clamav-users wrote:
>
>> > and that using clamav's on-access scanning has the advantage of catching the
>> > nasties before the file is used, unlike the inotify-based solutions, which
>> > avoid the latency that on-access scanning produces ...
>> 
>> Not sure that I follow all that, but the perceived advantage of having
>> a potential to catch any nasties must necessarily be discounted by the
>> probability that it will catch anything when it actually looks for it.
>> Rough order of magnitude I guess a one in three chance on a good day.
>
> I meant that on-access scanning may block the nasty before the vulnerable
> program parses/executes the exploit, but an inotify-based solution
> will give the nasty file to the vulnerable program at the same time as, if 
> not before, the scanner gets to check it.

Perhaps - you might have to be a bit more, er, creative with inotify
but it can generate an event on file create, which fanotify won't do.
The creativity would mostly be about preventing access to a newly
created file until it's been scanned and pronounced OK.  I don't know
how you'd handle modifications which turn benign files into malicious
ones, and that sort of thing seems to be more common lately.

-- 

73,
Ged.
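Added example, not from the thread and not ClamAV's own code: a sketch, in Python on Linux, of the "creative" inotify approach Ged describes. It watches one directory, strips every permission bit from a file as soon as IN_CREATE (or IN_MOVED_TO) fires, streams the file to clamd with the INSTREAM protocol when IN_CLOSE_WRITE arrives (which also covers later rewrites of an existing file, Ged's second worry), and restores the original mode only on an explicit OK. The clamd socket path, the watched directory and the sample event buffer are assumptions or constructed data; the watcher has to run as root, since chmod on another user's file needs CAP_FOWNER. The window between create and chmod, and any descriptor the writer already holds, stay open: this narrows the race Andrew points out, it does not close it the way a blocking on-access scan does.

```python
import ctypes
import ctypes.util
import os
import socket
import stat
import struct
import sys

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumption: check LocalSocket in clamd.conf
IN_CLOSE_WRITE = 0x00000008                  # writer closed a file it had open for writing
IN_MOVED_TO = 0x00000080                     # file renamed into the watched directory
IN_CREATE = 0x00000100                       # file created; contents not written yet
WATCH_MASK = IN_CLOSE_WRITE | IN_MOVED_TO | IN_CREATE

# struct inotify_event { int wd; uint32_t mask; uint32_t cookie; uint32_t len; char name[]; }
_EVENT_HDR = struct.Struct("iIII")

# Constructed sample of one read() from an inotify fd: create, then close-after-write, of "evil.exe".
SAMPLE_EVENT_BUFFER = b"".join(
    _EVENT_HDR.pack(1, mask, 0, 16) + b"evil.exe".ljust(16, b"\0")
    for mask in (IN_CREATE, IN_CLOSE_WRITE)
)


def parse_inotify_events(buf):
    """Split one read() from an inotify fd into (wd, mask, name) tuples."""
    events, off = [], 0
    while off + _EVENT_HDR.size <= len(buf):
        wd, mask, _cookie, namelen = _EVENT_HDR.unpack_from(buf, off)
        off += _EVENT_HDR.size
        raw = buf[off:off + namelen].split(b"\0", 1)[0]  # name is NUL-padded to namelen
        off += namelen
        events.append((wd, mask, raw.decode("utf-8", "surrogateescape")))
    return events


def instream_frames(data, chunk=8192):
    """Yield the wire bytes of a clamd zINSTREAM session: the command, then
    4-byte big-endian length-prefixed chunks, then a zero-length terminator."""
    yield b"zINSTREAM\0"
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        yield struct.pack(">I", len(part)) + part
    yield struct.pack(">I", 0)


def parse_clamd_reply(reply):
    """Map a clamd reply to (clean, detail). Only an explicit 'OK' releases the
    file; FOUND, ERROR and a truncated or empty reply all fail closed."""
    detail = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    return detail.endswith(" OK"), detail


def scan_with_clamd(path, sock_path=CLAMD_SOCKET):
    """Stream the file to clamd, so clamd itself never needs read access to it."""
    with open(path, "rb") as fh, socket.socket(socket.AF_UNIX) as s:
        s.connect(sock_path)
        for frame in instream_frames(fh.read()):
            s.sendall(frame)
        return parse_clamd_reply(s.recv(4096))


def quarantine(path):
    """Strip every permission bit from a regular file and return its old mode,
    or None if it is gone or not a regular file. O_NOFOLLOW stops a planted
    symlink from making us chmod something outside the directory. Descriptors
    already open, and root, are unaffected: this only narrows the window."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_NOCTTY)
    except OSError:
        return None
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return None
        os.fchmod(fd, 0)
        return stat.S_IMODE(st.st_mode)
    finally:
        os.close(fd)


def watch(directory):
    """Lock each new or rewritten file on its first event, scan it when the
    writer closes it, and restore the mode only on a clean verdict."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    fd = libc.inotify_init1(0)
    if fd < 0 or libc.inotify_add_watch(fd, directory.encode(), WATCH_MASK) < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    pending = {}  # path -> mode saved when it was quarantined
    while True:
        for _wd, mask, name in parse_inotify_events(os.read(fd, 65536)):
            path = os.path.join(directory, name)
            if not name:
                continue  # event on the directory itself
            if path not in pending:
                mode = quarantine(path)
                if mode is None:
                    continue
                pending[path] = mode
            if mask & IN_CREATE:
                continue  # still empty; IN_CLOSE_WRITE will follow
            clean, detail = scan_with_clamd(path)
            if clean:
                os.chmod(path, pending.pop(path))
            print(f"{path}: {detail}", file=sys.stderr)


if __name__ == "__main__":
    watch(sys.argv[1])
```

Run it as root with the drop directory as its argument. A file that clamd flags stays at mode 0 for an administrator to look at; a file that clamd cannot scan (an ERROR reply, e.g. from the stream size limit) is treated the same way rather than released, which is the conservative choice for a gate like this.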
