Erez Epstein wrote:

First of all I'd like to mirror the sentiment that ClamAV obviously
isn't designed as a "general purpose" scanner. If that's your primary
usage it may be advisable to find something more in line with your
goals. That said, ClamAV does a smashing job when it's in its element.
I use it and procmail to examine my own email here at home, and can
only flag messages for later filtering by my client software because
ClamAV hits on some of the exploit discussions on lists like Full
Disclosure. If that's not a thorough job, nothing is. Kudos to the
ClamAV team! ;)

> Well, I'm not sure if that's the right solution, as smart virus or old
> file with new virus definition will not be found.

Virus definitions are typically additive. Old viruses will be detected
unless software developers decide a particular virus is no longer a
threat, or drop support for some platform entirely. ClamAV still
detects Tequila, for example.

> Also I know all other virus scanners do scan all files.

I don't believe this to be true either. I know at least one mainstream
scanner defaults to selective or "smart" scanning while doing scheduled
scans, and another that's "adaptive" in that it assumes certain groups
of files are clean if the first few are found to be clean. It also
starts scanning every single file if it happens to run across an
infection, FWIW. Either one can be commanded to look at every file, but
I believe in the second case it *still* ignores certain types of files.

In general I'd bet most virus scanners only examine every file if
forced to, and even then only do it reluctantly. It may be advisable at
certain times, like when addressing email attachments or on-access
scanning, but otherwise it's largely a waste of time. AV software
authors and users should realise this and limit scheduled, nightly scans
to only those files that deserve it. If they aren't already...

> On 11/26/06, Dennis Peterson <[EMAIL PROTECTED]> wrote:
> > Erez Epstein wrote:
> >
> > > And how can I shorten it while still scanning all files every
> > > night.
> >
> > Don't scan all of them every night. There is no need to scan a file
> > that has not been modified since the last scan. There is probably
> > no need to scan your
> > logs, /var, /usr, /opt, /proc, /dev, /bin, /sbin, or /devices (or
> > any root owned directory) unless you think you have been hacked and
> > had your root account compromised.
> >
> > You probably don't want to scan NFS mounts or Samba mounts as it is
> > rather expensive in terms of network traffic and speed, and
> > introduces all kinds of interesting permissions and connection
> > reliability issues.
> >
> > Clam is not a good intrusion detection tool so you might want to run
> > TripWire or some similar tool that will tell you which files have
> > been modified so you can limit your scan to those few files that
> > require scanning.
> >
> > dp

-- 
Hand crafted on 27 November, 2006 at 14:40:45 EST using
only the finest domestic and imported ASCII.

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
                                 -- Groucho Marx
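
The incremental approach from the quoted advice (scan only files modified since the last run, stay off network mounts and system directories), as an added example that is not part of the original thread. The `STAMP` path, the `PRUNE` list and the `--scan` switch are assumptions made for illustration; the `clamscan` options used are `--infected`, `--no-summary` and `--file-list`.

```shell
#!/bin/sh
# Incremental nightly ClamAV scan: only files modified since the last run.
# Assumed, not from the thread: STAMP path, PRUNE list, the --scan switch.
STAMP="${STAMP:-/var/lib/clamav-incr/last-scan}"
PRUNE="${PRUNE:-/proc /dev /sys /var/log}"

# changed_files ROOT STAMPFILE: print regular files under ROOT newer than
# STAMPFILE (every file if it does not exist yet, i.e. the first run).
# -xdev keeps find on ROOT's filesystem, so NFS/Samba mounts are skipped.
# -newer compares mtime, which a file's owner can set back: this saves
# time, it does not detect tampering (that is the integrity checker's job).
changed_files() {
    root=$1 stamp=$2
    set -- "$root" -xdev
    for d in $PRUNE; do
        set -- "$@" -path "$d" -prune -o
    done
    set -- "$@" -type f
    if [ -f "$stamp" ]; then
        set -- "$@" -newer "$stamp"
    fi
    find "$@" -print
}

# nightly_scan ROOT: scan the changed files, then advance the stamp.
# The new stamp is created before the walk, so a file modified while the
# scan is running is picked up again the following night.
nightly_scan() {
    list=$(mktemp) || return 2
    next=$(mktemp) || return 2
    changed_files "$1" "$STAMP" > "$list"
    rc=0
    if [ -s "$list" ]; then   # names containing newlines break --file-list
        clamscan --infected --no-summary --file-list="$list" || rc=$?
    fi
    # clamscan exits 0 (clean) or 1 (virus found); 2 means an error, in
    # which case the old stamp is kept and the same files are retried.
    if [ "$rc" -le 1 ]; then
        mkdir -p "$(dirname "$STAMP")" && mv "$next" "$STAMP"
    fi
    rm -f "$list" "$next"
    return "$rc"
}

if [ "${1:-}" = "--scan" ]; then
    nightly_scan "${2:-/home}"
fi
```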
