On 3/16/2011 10:24 AM, Russ Tyndall wrote:
> On Mar 15, 2011, at 4:51 PM, Chuck Swiger wrote:
>
>> One thing you might consider doing is using "find /location -mtime 1" to
>> generate a list of which files have been modified over the past day, and
>> only scanning these via clamdscan -f.
> I experimented with this option last night (also suggested by Steve
> Holdoway), and it works as expected. (Vastly decreases scan time by reducing
> the number of files that need to be scanned to a mere pittance.) The risk is
> obvious that a baddie could be overlooked because it might present a false
> modification date or simply not be recognized by clamav for some period after
> it gets dropped onto the computer.
>
> I *think* I ran into one gotcha that I had to work around: I had to filter
> out directories from the Find results... otherwise, clamav would scan those
> directories whose contents had already been scanned because those contents
> were already listed elsewhere in the Find results. Users more experienced
> with Find may have just thought that requirement was self-evident and didn't
> need to be stated.
>
> My Find command looks something like this, and is supposed to filter out
> directories and anything modified more than 60 minutes ago:
>
> find [path to directory] [path to second directory] ! -type d -mmin -60 >
> [path to output file later read by clamav]
>
> I'm now going to do some testing with the MaxScanSize directive.
To minimize the risk of a signature being added after the file gets on the computer, you could continue to scan for a while, rather than using the 60-minute limit. Depending on your system usage, a limit of one or two days might still decrease your scan time far enough while still allowing files to be rescanned with newer signatures.

-- 
Bowie
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
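The incremental scan Russ describes, with the longer window Bowie suggests, written out as an added shell example (not a script from either poster). The window value, the function names and the scanned directories are assumptions; `clamdscan -f` is the real option named in the thread.

```shell
#!/bin/sh
# Added example, not Russ's or Bowie's script. Builds the "recently changed
# files" list from the thread and feeds it to clamdscan -f. Default window is
# two days (2880 minutes), per Bowie's suggestion, so a file is still rescanned
# for a while after signatures that would catch it are published.

# build_scan_list WINDOW_MINUTES LIST_FILE DIR...
# One path per line: anything that is not a directory (Russ's "! -type d", so
# clamdscan does not re-descend into directories whose files are already
# listed) and was modified within the last WINDOW_MINUTES minutes.
build_scan_list() {
    window="$1"; list="$2"; shift 2
    # -mmin trusts the modification time, which whoever writes the file can
    # set (the forged-mtime risk Russ raises). find also offers -cmin, the
    # inode change time, which touch(1) cannot rewind; swap it in if that
    # risk matters more than catching plain "untouched" copies.
    find "$@" ! -type d -mmin -"$window" > "$list"
}

# count_list LIST_FILE -> number of candidate files in the list
count_list() {
    wc -l < "$1" | tr -d ' '
}

# scan_recent WINDOW_MINUTES DIR...
# Builds the list in a temp file outside the scanned trees (so the list itself
# is not picked up as a "new" file) and hands it to clamdscan.
scan_recent() {
    window="$1"; shift
    list="$(mktemp)" || return 1
    build_scan_list "$window" "$list" "$@"
    if [ -s "$list" ]; then
        clamdscan -f "$list"
    fi
    rm -f "$list"
}

# Typical cron use; the directories are placeholders:
# scan_recent 2880 /home /var/www
```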