[clamav-users] clamscan --disable-cache
Dave Sill
sillde at ornl.gov
Wed Sep 30 15:57:31 UTC 2020
Andrew C Aitchison via clamav-users <clamav-users at lists.clamav.net> wrote:
>
> No. clamD scans data passed to it by clamdscan, usually over a socket or
> pipe.
Ah... I missed INSTREAM in the clamd man page. Locally, though, surely
SCAN/CONTSCAN/etc, are nuch more efficient. And remotely, sending the
entire contents of the system over the net isn't practical at scale.
> That does mean that any malware which is missed in the first run
> will not be detected in subsequent runs.
True. I suppose we'd want to do monthly full scans.
> 3000 machines per week, gives you about 3.36 minutes for each machine to
> send all its local data to the scanning machine.
> Instead I would run a local, mirror, repository of the database
> and use freshclam on each machine to keep its database in sync with your
> mirror, then run clamd and a clamdscan cron? script on each machine.
We've already got a local mirror. Is there a way to get clamd/clamdscan
to work without permission problems beside running clamd as root? Does
--fdpass get around that?
> I would also look at on-access scanning.
I tried it but got permission errors on anything not world-accessible.
I suspect the overall performance hit would be too high.
> Scanning files as they are used might mean more or less work
> than scanning every file every week.
Except full dumps are going to cause everything to be scanned.
-Dave
More information about the clamav-users
mailing list