li...@truthisfreedom.org.uk wrote:
> I guess my question is two-fold:
>
> a) Is this possible with ClamAV or do I need to look elsewhere?
> b) What's the best way to achieve this.

Hi,

It is certainly possible.

As for the HOW, that mostly depends on how you interface with the ftp server. If your ftpd accepts only a YES/NO type of answer (which I presume), and can't take actions based on the reported virus name, then you'll need to be a bit creative.

For example you run a main clamd with the full db loaded which reports to the ftpd. This should keep away most of the known badware. Then you scan each uploaded file a second time but with only one or a few custom signatures (e.g. "base64_decode") and report the "suspect" file to yourself.

How to trigger this second scan depends again on your ftpd. If it's got post-upload hooks, then you should probably use them. Otherwise you can set up a small cron job using "find -mtime" and clamscan to check the whole ftp space.

HtH,
-acab
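
The second-pass scan described in the reply above, as an added example (not part of the original mail and not ClamAV's own tooling): a one-signature .ndb database plus the "find -mtime" and clamscan job. The paths, the signature name Suspect.PHP.base64_decode and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example: second-pass "suspect" scan using only a custom signature db.
# All paths and names below are assumptions, not taken from the original mail.

# Hex-encode a literal string, as ClamAV body-based signatures require.
to_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Write one extended (.ndb) signature: Name:TargetType:Offset:HexSignature
# TargetType 0 = any file, Offset * = match anywhere in the file.
write_sigdb() {  # usage: write_sigdb DBFILE SIGNAME STRING
    printf '%s:0:*:%s\n' "$2" "$(to_hex "$3")" > "$1"
}

# List regular files modified within the last day under the upload root.
recent_uploads() {  # usage: recent_uploads FTPROOT
    find "$1" -type f -mtime -1
}

# Scan recent uploads with ONLY the custom database and print the matches.
# clamscan exits 0 when clean, 1 when a signature matched, 2 on error.
second_pass() {  # usage: second_pass FTPROOT DBFILE
    list=$(mktemp) || return 2
    recent_uploads "$1" > "$list"
    rc=0
    if [ -s "$list" ]; then
        clamscan --database="$2" --infected --no-summary \
                 --file-list="$list" || rc=$?
    fi
    rm -f "$list"
    return "$rc"
}

# Daily cron usage (assumed paths); cron mails the printed matches to the
# job owner, which is the "report to yourself" step:
#   write_sigdb /etc/clamav-suspect/suspect.ndb Suspect.PHP.base64_decode base64_decode
#   second_pass /srv/ftp /etc/clamav-suspect/suspect.ndb
```

Because the custom database is loaded only by this job and never by the main clamd, a broad match such as base64_decode flags files for review without causing the ftpd to reject uploads.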