[clamav-users] Terminate clamscan after specific time
Paul Kosinski
clamav-users at iment.com
Wed Jan 6 17:53:48 UTC 2021
The problem with only scanning files that have changed since they were
last scanned is that there usually have been virus signature updates in
the meantime. So you could have an "old" file that contains what was a
zero-day virus at the time it was scanned, and now there is a signature
that would detect it.
On Wed, 06 Jan 2021 11:56:47 +0100
"Pierre Dehaen" <dehaenp at drever.be> wrote:
> Hi,
>
> On 6 Jan 2021 at 9:58, G.W. Haywood via clamav-users wrote:
>
> > > My goal is to terminate scan of big number of files like '/' on CPU busy hours.
> > Do not scan everything under the root directory.
>
> Use zfs, make regular snapshots, scan once, then use zfs diff to find the
> new/changed(/removed) files, scan these only.
>
> Or make a full scan every week if desired, then use a auditing program to regularly search for
> the files that were added/updated(/removed), scan these only. These auditing programs use
> hash signatures which are faster to compute than doing full virus scans, but they will anyway
> make a lot of i/o as they will read all files. If you are really constrained by the i/o you could run
> a less secure but lighter audit based on the file attributes (size, ownership, mode, dates...)
> and once a day/week a full audit...
>
> There are many options...
>
> HTH,
> Pierre
>
More information about the clamav-users
mailing list