[clamav-users] Terminate clamscan after specific time
Pierre Dehaen
dehaenp at drever.be
Thu Jan 7 08:40:06 UTC 2021
Right, that's why I suggested to make a full scan daily/weekly.
Scanning is not bulletproof neither, as the virus signature comes by definition after the virus
creation. If you have some trust in your OS provider then additional basic tools like rpm -qV,
dpkg -V or debsums (even if not perfect) could be used to verify the authenticity of the
package files in your reference snapshot. Elfsign could be used to check binaries, if they are
signed (on Solaris they are, not sure on Linux), and the kernel could enforce the check on
execution if desired (still on Solaris). Auditd is also available... but I stop here because,
questionning who we can trust, we could end up with the chain of trust and the TPM chip...
secured by God's signature as you know.
Anyway, as the initial idea was to stop scanning during work hours, I think my suggestions (to
scan changed files only during these hours) were still safer...
Pierre
On 6 Jan 2021 at 12:53, Paul Kosinski via clamav-users wrote:
The problem with only scanning files that have changed since they were
last scanned is that there usually have been virus signature updates in
the meantime. So you could have an "old" file that contains what was a
zero-day virus at the time it was scanned, and now there is a signature
that would detect it.
On Wed, 06 Jan 2021 11:56:47 +0100
"Pierre Dehaen" <dehaenp at drever.be> wrote:
> Hi,
>
> On 6 Jan 2021 at 9:58, G.W. Haywood via clamav-users wrote:
>
> > > My goal is to terminate scan of big number of files like '/' on CPU busy hours.
> > Do not scan everything under the root directory.
>
> Use zfs, make regular snapshots, scan once, then use zfs diff to find the
> new/changed(/removed) files, scan these only.
>
> Or make a full scan every week if desired, then use a auditing program to regularly search for
> the files that were added/updated(/removed), scan these only. These auditing programs use
> hash signatures which are faster to compute than doing full virus scans, but they will anyway
> make a lot of i/o as they will read all files. If you are really constrained by the i/o you could run
> a less secure but lighter audit based on the file attributes (size, ownership, mode, dates...)
> and once a day/week a full audit...
>
> There are many options...
>
> HTH,
> Pierre
>
_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
More information about the clamav-users
mailing list