On Mar 16, 2011, at 1:31 PM, Russ Tyndall wrote:

> On Mar 15, 2011, at 7:10 PM, TR Shaw wrote:
>
>>> On Mar 15, 2011, at 4:48 PM, TR Shaw wrote:
>>>
>>>> Look at your config file. You don't need to scan all more than probably
>>>> 200KB of a file.
>>>
>>> So you are suggesting I use the MaxScanSize directive to limit scans to the
>>> first 200KB of each file? (i.e., add a line to clamd.conf: MaxScanSize 200KB).
>>>
>>> I imagine that would speed things up nicely.... :-)
>>>
>>
>> Yes. Pick a size you feel comfy with but I believe there are few signatures
>> that span large file sizes. You might want to override this once a week to
>> check large zip/gz files but in general this should be good. Let me know
>> how it helps.
>
> A full scan with default settings (MaxScanSize = 20MB) takes about 2 hours to
> scan a particular directory.
>
> A full scan with MaxScanSize = 1MB takes about 1 hour.
>
> A full scan with MaxScanSize = 200K takes about 18 minutes.
>
> ***
>
> So I now have two tactics to minimize scan time:
> 1) Partially scan ALL files
> 2) Fully scan a set of recently modified files.
>
> Which is more likely?: That a partial scan (first 200K) misses a baddie? Or
> that a baddie fakes a modification date?
You play craps?????? LOL

Seriously, as for "faking" mod date... you don't have to fake it, just uncompress an archive preserving creation and modification dates and voila.

There are plenty of other approaches (save filenames and mod dates in a DB and only scan additions or changes to it; etc.) but all have diminishing returns. After all there is a window between the time malware is stored and the time you detect it as well, and no AV is perfect. Just do the best you can do. If you feel uncomfortable run full scans on weekends and reduced during the week.

Tom

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
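The two tactics Russ lists, written out as a POSIX shell script. This is an added example and not code from the thread or from the ClamAV project; it assumes clamscan is on PATH (its --max-scansize, --max-filesize and --file-list options are real), that find supports -cnewer (GNU and BSD both do), and that SCAN_ROOT and MARKER are placeholder paths. It goes one step beyond the thread on Tom's point about preserved modification dates: the "changed files" selection is keyed on ctime rather than mtime, because extracting an archive with its timestamps intact (or running touch) rewrites mtime but never ctime, so a file planted with an old mtime is still picked up. The mtime-only variant is kept alongside for comparison.

```shell
#!/bin/sh
# Added example, not code from the thread: the two scan tactics under discussion.
#   Tactic 1: shallow scan of every file, capped at its first 200K (the clamscan
#             equivalent of "MaxScanSize 200K" in clamd.conf).
#   Tactic 2: full scan of only the files that changed since the last run,
#             tracked with a marker file whose timestamp is advanced after each run.
# Assumptions: clamscan on PATH; find with -cnewer (GNU and BSD both have it);
# SCAN_ROOT and MARKER below are placeholder paths.

SCAN_ROOT="${SCAN_ROOT:-/srv/data}"                   # assumed directory to scan
MARKER="${MARKER:-/var/lib/clamav/last-scan-marker}"  # assumed marker file

# Files whose inode change time (ctime) is newer than the marker. Extracting an
# archive with preserved timestamps, or running touch, sets mtime but not ctime
# (the kernel updates ctime itself whenever the inode changes), so a file dropped
# with an old mtime is still selected here.
changed_since_marker() {
    root="$1"; marker="$2"
    if [ -e "$marker" ]; then
        find "$root" -type f -cnewer "$marker"
    else
        find "$root" -type f            # no marker yet: first run scans everything
    fi
}

# The same selection keyed on mtime only (the plain "recently modified" tactic),
# kept for comparison: a file restored with its original mtime is missed.
modified_since_marker() {
    root="$1"; marker="$2"
    if [ -e "$marker" ]; then
        find "$root" -type f -newer "$marker"
    else
        find "$root" -type f
    fi
}

# Tactic 1: every file, first 200K of each (cheap; misses anything deeper in).
partial_scan_all() {
    clamscan -r --max-scansize=200K --max-filesize=200K "$1"
}

# Tactic 2: full-depth scan (20M, the default figure quoted in the thread) of the
# changed files only. clamscan exits 0 when clean, 1 when something was found and
# 2 on error; the marker is advanced only when the scan actually completed, so an
# interrupted or failed run re-scans the same files next time.
full_scan_changed() {
    root="$1"; marker="$2"
    list=$(mktemp) || return 2
    changed_since_marker "$root" "$marker" > "$list"
    rc=0
    if [ -s "$list" ]; then
        clamscan --max-scansize=20M --max-filesize=20M --file-list="$list" || rc=$?
    fi
    rm -f "$list"
    if [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]; then
        touch "$marker"
    fi
    return "$rc"
}

# Usage: sh scan.sh partial   (e.g. nightly: everything, shallow)
#        sh scan.sh changed   (e.g. hourly: changed files, full depth)
case "${1:-}" in
    partial) partial_scan_all "$SCAN_ROOT" ;;
    changed) full_scan_changed "$SCAN_ROOT" "$MARKER" ;;
esac
```

Running both on a schedule gives the combination Tom suggests (reduced scans during the week, a deeper pass on weekends) without either tactic having to carry the whole load. Neither closes the window Tom describes between a file landing and a signature existing for it; a newly extracted archive is caught by the ctime check, but content the partial scan skips is only seen on the next full-depth pass.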